Cephalus ransom note posted publicly on Twitter
Recently, threat hunters at Huntress observed two separate incidents involving a new ransomware variant dubbed Cephalus. The cases highlight how adversaries are evolving beyond traditional tactics by leveraging Remote Desktop Protocol (RDP) compromises, DLL sideloading, and novel ransom note strategies to intimidate victims.
The Cephalus operators gained entry through compromised RDP accounts without MFA, a reminder of how weak or unprotected remote access remains a favored target. Once inside, attackers leveraged the MEGA cloud storage platform for data exfiltration. Huntress notes, "We also saw attackers use the MEGA cloud storage platform, presumably for data exfiltration."
This step mirrors the double-extortion playbook: stealing sensitive data before encryption to increase pressure on victims.
Perhaps the most intriguing part of these incidents is how Cephalus deploys its payload. Huntress explains, "They used a unique process for launching the ransomware itself, which involved sideloading a dynamic link library (DLL) via a legitimate SentinelOne executable file (SentinelBrowserNativeHost.exe), and then loading a data.bin file via the DLL that contains the actual ransomware code."
This technique allows attackers to blend malicious activity with trusted security software, making detection and prevention much harder. Interestingly, both impacted organizations were already running legitimate SentinelOne instances, highlighting the attacker's deliberate abuse of trust in security tooling.
Once deployed, Cephalus initiates a suite of commands aimed at crippling recovery and disabling security protections. The ransomware executes commands such as:
- vssadmin delete shadows /all /quiet to remove shadow copies.
- Multiple PowerShell commands to add Windows Defender exclusions.
- Registry modifications to disable Windows Defender's real-time protection.
- Commands to stop and disable Defender-related services.
Huntress points out that, "These commands occur prior to file encryption and ransom note creation." This methodical approach ensures defenders are blinded before encryption begins.
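As an added example (not Huntress's code or any vendor tooling), the following Python sketch turns the pre-encryption chain described above, shadow-copy deletion, Defender exclusions, the real-time-protection registry change, Defender service tampering, and the SentinelBrowserNativeHost.exe sideload, into matchable rules, runs them over a handful of constructed Sysmon-style process-creation and image-load events, and escalates a host only when several distinct behaviours fire within a short window. The event schema, timestamps, host names, the sideloaded DLL name and the assumed SentinelOne install root are all assumptions made for the example; the page itself names only SentinelBrowserNativeHost.exe and data.bin.

```python
"""Detection sketch for the Cephalus pre-encryption command chain.

Added example, not Huntress code. Event fields loosely follow Sysmon Event ID 1
(process create) and Event ID 7 (image load); all sample values are constructed.
"""
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not real incident data).
SAMPLE_EVENTS = [
    {"ts": "2025-08-15T02:10:05", "host": "WS-01", "type": "process",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"ts": "2025-08-15T02:10:07", "host": "WS-01", "type": "process",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": 'powershell -Command "Add-MpPreference -ExclusionPath C:\\"'},
    {"ts": "2025-08-15T02:10:09", "host": "WS-01", "type": "process",
     "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": 'reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender'
                '\\Real-Time Protection" /v DisableRealtimeMonitoring'
                ' /t REG_DWORD /d 1 /f'},
    {"ts": "2025-08-15T02:10:11", "host": "WS-01", "type": "process",
     "image": "C:\\Windows\\System32\\sc.exe",
     "cmdline": "sc stop WinDefend"},
    # Legitimate SentinelOne binary copied outside its install root and
    # loading a DLL from the same writable folder. The DLL name is a
    # constructed placeholder; the write-up does not name it.
    {"ts": "2025-08-15T02:10:20", "host": "WS-01", "type": "imageload",
     "image": "C:\\Users\\Public\\SentinelBrowserNativeHost.exe",
     "loaded": "C:\\Users\\Public\\constructed_sideload.dll"},
    # Benign noise on another host: a backup job listing shadow copies.
    {"ts": "2025-08-15T03:00:00", "host": "WS-02", "type": "process",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
]

# One rule per behaviour named in the write-up, keyed on the command line.
PROCESS_RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("defender_exclusion_added",
     re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)", re.I)),
    ("defender_realtime_disabled",
     re.compile(r"DisableRealtimeMonitoring", re.I)),
    ("defender_service_stopped",
     re.compile(r"(sc(\.exe)?\s+(stop|config|delete)\s+WinDefend"
                r"|Stop-Service\b.*WinDefend)", re.I)),
]

# Assumed SentinelOne install root; adjust to the deployed agent path.
SENTINELONE_ROOT = "c:\\program files\\sentinelone\\"


def match_event(ev):
    """Return the names of every rule the event triggers."""
    hits = []
    if ev["type"] == "process":
        for name, rx in PROCESS_RULES:
            if rx.search(ev["cmdline"]):
                hits.append(name)
    elif ev["type"] == "imageload":
        exe, dll = ev["image"].lower(), ev["loaded"].lower()
        # The signed host binary is only expected to run from, and load DLLs
        # from, its own install directory.
        if exe.endswith("\\sentinelbrowsernativehost.exe") and not (
                exe.startswith(SENTINELONE_ROOT) and dll.startswith(SENTINELONE_ROOT)):
            hits.append("sentinelone_host_sideload")
    return hits


def correlate(events, window=timedelta(minutes=10), threshold=2):
    """Escalate a host when >= threshold distinct behaviours fire within window.

    Returns {host: sorted rule names} for hosts that meet the threshold.
    """
    per_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        for name in match_event(ev):
            per_host.setdefault(ev["host"], []).append(
                (datetime.fromisoformat(ev["ts"]), name))
    alerts = {}
    for host, hits in per_host.items():
        for t0, _ in hits:
            names = {n for t, n in hits if t0 <= t <= t0 + window}
            if len(names) >= threshold:
                alerts[host] = sorted(names)
                break
    return alerts


if __name__ == "__main__":
    for host, names in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(names)}")
```

The single-event rules are deliberately loose (a backup job that lists shadow copies does not fire, but one that deletes them would), so the correlation step carries the signal: one Defender exclusion on its own is a ticket, while exclusions, shadow-copy deletion and service tampering on the same host inside ten minutes is the pre-encryption window the report describes, and the moment to isolate the host.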
Unlike many ransom notes that follow a templated format, the ones observed by Huntress contained references to news articles about Cephalus itself, apparently to legitimize the threat.
The report states, "The ransom note from the mid-August incident observed by the Huntress SOC was a bit different ... it now contains links to two online articles associated with previous successful Cephalus ransomware deployments, in an apparent attempt to provide credence to the claims of data theft, and impart a sense of urgency."
Victims were also provided with a GoFile.io repository link and password, enabling them to verify samples of stolen data, a tactic that combines intimidation with proof of breach.
Organizations are urged to enforce MFA on RDP accounts, monitor for abuse of legitimate executables, and maintain layered defenses to mitigate emerging threats like Cephalus.