Cyber Web Spider Blog – News
New Cephalus Ransomware Leverages Remote Desktop Protocol to Gain Initial Access

Posted on August 27, 2025 By CWS

A newly identified ransomware strain named Cephalus has emerged as a sophisticated threat, targeting organizations through compromised Remote Desktop Protocol (RDP) connections.

The malware, which takes its name from Greek mythology, referencing the son of Hermes who tragically killed his wife with an infallible javelin, represents a concerning evolution in ransomware deployment techniques.

Cephalus distinguishes itself from other ransomware families through its unusual infection method and sophisticated evasion techniques.

The malware operators gain initial access to target networks by exploiting RDP credentials that lack multi-factor authentication (MFA), a weakness that continues to plague organizations worldwide.

Once inside the network, the attackers use the MEGA cloud storage platform for data exfiltration before deploying the ransomware payload.

Process lineage showing use of MEGA (Source – Huntress)

The ransomware deployment mechanism involves a particularly clever approach that uses DLL sideloading through legitimate security software components.

Huntress analysts identified this technique during investigations of two separate incidents, on August 13 and August 16, 2025, in which the malware successfully infiltrated organizations running legitimate SentinelOne security products.

DLL Sideloading and Execution Chain

The most technically intriguing aspect of Cephalus lies in its deployment method, which abuses a legitimate SentinelOne executable called SentinelBrowserNativeHost.exe.

The ransomware operators place this legitimate binary in the user's Downloads folder, from where it loads a malicious DLL named SentinelAgentCore.dll.

This DLL in turn loads a file called data.bin containing the actual ransomware code, creating a multi-stage execution chain that helps evade detection.

Upon successful execution, Cephalus immediately begins preventing system recovery by running embedded commands.

The first command executed is vssadmin delete shadows /all /quiet, which deletes the volume shadow copies that could otherwise be used for file recovery.

The malware then systematically disables Windows Defender through a series of PowerShell commands that create exclusions for critical system processes and for file extensions including .cache, .tmp, .dat, and .sss.

The ransomware further modifies Windows Registry entries to disable real-time protection, behavior monitoring, and on-access protection features.

It stops and disables Windows Defender services including SecurityHealthService, Sense, WinDefend, and WdNisSvc through PowerShell commands executed with a hidden window style and a bypassed execution policy.

Cephalus ransom note posted publicly on Twitter (Source – Huntress)

Cephalus ransom notes have a novel characteristic: they reference news articles about previous successful attacks, attempting to establish credibility and create urgency for victims.

The malware encrypts files with the .sss extension and creates recover.txt files containing payment instructions.

Organizations can protect themselves by enforcing MFA for RDP access, monitoring for unauthorized use of legitimate security tool executables in unusual locations, and maintaining comprehensive endpoint detection capabilities.
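To turn that monitoring recommendation into a concrete check, here is an added example (not Huntress's or the article's code) that runs simple detection rules over constructed Sysmon-style process-creation events mirroring the chain described above: the SentinelOne binary launched from a Downloads folder, the vssadmin shadow-copy deletion, and hidden PowerShell with a bypassed execution policy touching Defender. The event field names, the sample paths and the vendor install path are assumptions.

```python
import re

# Constructed sample events (Sysmon-style fields); paths are made up for the example.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\jdoe\Downloads\SentinelBrowserNativeHost.exe",
     "cmdline": "SentinelBrowserNativeHost.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet",
     "parent": r"C:\Users\jdoe\Downloads\SentinelBrowserNativeHost.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -WindowStyle Hidden -ExecutionPolicy Bypass "
                "Set-MpPreference -ExclusionExtension .sss",
     "parent": r"C:\Users\jdoe\Downloads\SentinelBrowserNativeHost.exe"},
    # Benign control: same binary from an assumed vendor install directory.
    {"image": r"C:\Program Files\SentinelOne\SentinelBrowserNativeHost.exe",
     "cmdline": "SentinelBrowserNativeHost.exe",
     "parent": r"C:\Program Files\SentinelOne\SentinelAgent.exe"},
]

# Defender services the article says Cephalus stops and disables.
DEFENDER_SERVICES = ("securityhealthservice", "sense", "windefend", "wdnissvc")

def classify(ev):
    """Return the names of every rule that one process-creation event matches."""
    hits = []
    image, cmd, parent = (ev[k].lower() for k in ("image", "cmdline", "parent"))
    # Rule 1: security-vendor binary running from a user-writable Downloads folder.
    if image.endswith("sentinelbrowsernativehost.exe") and \
            re.search(r"\\users\\[^\\]+\\downloads\\", image):
        hits.append("sentinelone_binary_in_downloads")
    # Rule 2: shadow copy deletion that precedes encryption.
    if image.endswith("vssadmin.exe") and "delete" in cmd and "shadows" in cmd:
        hits.append("vssadmin_delete_shadows")
    # Rule 3: hidden PowerShell with a bypassed execution policy that touches Defender.
    if image.endswith("powershell.exe") and "hidden" in cmd and "bypass" in cmd and \
            ("set-mppreference" in cmd or any(s in cmd for s in DEFENDER_SERVICES)):
        hits.append("powershell_defender_tamper")
    # Rule 4: any child spawned by the sideloaded copy of the binary.
    if re.search(r"\\downloads\\sentinelbrowsernativehost\.exe$", parent):
        hits.append("child_of_sideloaded_binary")
    return hits

def scan(events):
    """Return (index, matched rules) for every event that triggers at least one rule."""
    return [(i, classify(ev)) for i, ev in enumerate(events) if classify(ev)]

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["image"], rules)
```

Rule 4 is the one worth keeping even if the vendor binary name changes: a process tree rooted in a user's Downloads folder that deletes shadow copies or reconfigures Defender is suspicious regardless of which signed host executable was sideloaded.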
