Morpheus Ransom note | Source: SentinelOne
Over the past six months, ransomware activity has surged, with new operations like HellCat and Morpheus making their mark in the crimeware economy. According to a recent report by SentinelOne, these Ransomware-as-a-Service (RaaS) offerings are linked by more than their timing: they share nearly identical payloads, highlighting growing sophistication and collaboration in the ransomware landscape.
HellCat debuted in mid-2024, driven by BreachForums-affiliated personas like Rey and Pryx. Known for targeting high-value entities and government organizations, HellCat's operators have pursued public notoriety to establish their reputation. Meanwhile, Morpheus launched its data leaks site in December 2024, targeting industries such as pharmaceuticals and manufacturing. Unlike HellCat, Morpheus maintains a lower public profile but leverages similarly potent tools.
SentinelOne's research underscores this overlap, stating, "We analyzed payloads from both HellCat and Morpheus ransomware operations… affiliates across both operations are compiling payloads that contain almost identical code."
In December 2024, two ransomware samples from both operations were uploaded to VirusTotal. Despite differences in victim-specific details, the payloads were functionally identical. Both were compact 64-bit executables (~18KB), utilizing the Windows Cryptographic API for file encryption. The payloads use BCrypt for key generation and encryption, a method seen in earlier versions of LockBit and ALPHV.
Unusually, the ransomware leaves file extensions and metadata intact while encrypting file contents. Victims receive a ransom note labeled _README_.txt, containing operation-specific contact details and instructions to access an attacker-controlled .onion portal.
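Because these payloads keep file extensions and metadata unchanged, a detection that watches for renamed files will miss them; the content itself has to be inspected. The following is an added defender-side example, not SentinelOne's code or anything from the ransomware itself: it flags files whose extension is intact but whose header no longer matches the expected magic bytes and whose content is near-uniformly random, and it records where `_README_.txt` notes appear. The magic-byte table and the 7.5-bit entropy threshold are constructed assumptions for illustration.

```python
import math
import os
from collections import Counter
from pathlib import Path

# Expected leading bytes for a few common types (constructed table for this example).
MAGIC = {
    ".pdf": b"%PDF",
    ".png": b"\x89PNG",
    ".docx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
    ".exe": b"MZ",
}
RANSOM_NOTE = "_README_.txt"  # note name reported for HellCat/Morpheus


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally common."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(name: str, data: bytes, threshold: float = 7.5) -> bool:
    """True when the extension is intact but the header is gone and the
    content looks random, the pattern left by in-place content encryption."""
    magic = MAGIC.get(Path(name).suffix.lower())
    if magic is None:
        return False  # unknown type: no header to compare against
    if data.startswith(magic):
        return False  # header intact, content plausibly untouched
    return shannon_entropy(data[:4096]) >= threshold


def scan_tree(root: str) -> dict:
    """Walk a directory; return suspicious files and ransom-note locations."""
    findings = {"encrypted": [], "notes": []}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            if fname == RANSOM_NOTE:
                findings["notes"].append(path)
                continue
            with open(path, "rb") as fh:
                head = fh.read(4096)  # only the first block is needed
            if looks_encrypted(fname, head):
                findings["encrypted"].append(path)
    return findings
```

Run `scan_tree` against a file share snapshot; a cluster of flagged files alongside a note is a far stronger signal than either alone, since individually compressed archives or media can also show high entropy.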
While the shared codebase suggests a connection, SentinelOne found no concrete evidence linking HellCat and Morpheus operators directly. Instead, the shared payloads likely indicate a common builder application used by affiliates. "Understanding how common code is sourced and shared across these groups can help inform detection efforts," SentinelOne emphasizes.
With ransom demands reportedly reaching up to 32 BTC ($3 million), the stakes for businesses and organizations are high.