Researchers from AhnLab Security Emergency Response Center (ASEC) have identified a new ransomware group named “Cephalus”, which surfaced in mid-June 2025 and has already distinguished itself with custom-built Go-based ransomware and sophisticated anti-analysis mechanisms.
According to AhnLab’s report, “Cephalus is a new ransomware group that first appeared in mid-June 2025. The group claims that they are motivated 100% by financial gain.”
The group’s operations rely heavily on brute-forcing or purchasing compromised Remote Desktop Protocol (RDP) credentials, particularly those without multi-factor authentication (MFA). Once inside a network, the attackers exfiltrate sensitive data before encryption, applying additional pressure on victims through public leaks.
The name “Cephalus” is inspired by a figure in Greek mythology who wielded a spear that never missed its mark, symbolizing the group’s confidence in its attack precision.
AhnLab notes that Cephalus’s operations are still under investigation, with no clear evidence of ties to existing ransomware-as-a-service (RaaS) operations or known affiliates. The group, however, maintains a dedicated leak site on the dark web, where it publicly posts stolen data to extort victims.
The ransomware payload, written in Go (Golang), includes several mechanisms designed to thwart dynamic analysis and forensic recovery.
One of its standout features is the creation of fake AES keys to confuse security analysts.
“Cephalus has a feature that aims to disrupt analysis and conceal the AES key that will be used for encryption. When the ransomware is executed, it generates a 1,024-byte random buffer… and overwrites this buffer with a 32-byte string that reads ‘FAKE_AES_KEY_FOR_CONFUSION_ONLY!’ — a process that is repeated 100 times.”
By scattering this fake key throughout memory, the malware ensures that sandbox or forensic tools repeatedly detect decoy values, making it difficult to identify the real encryption key.
Cephalus uses the AES-CTR encryption algorithm, with a single symmetric key applied to all files in a compromised system. This approach maximizes encryption speed but means that if defenders could recover the key once, they could decrypt all affected files.
To protect this master key, Cephalus encrypts it using an embedded RSA public key, ensuring that only the attackers — holding the private key — can decrypt it.
The ransomware goes a step further in protecting its encryption key from detection or forensic retrieval. It introduces a custom SecureMemory structure that manages how the key is stored and accessed in system memory.
To prevent Windows from paging sensitive memory to disk — where analysts might later recover it — Cephalus uses the VirtualLock API.
Furthermore, when saving the key in memory, Cephalus never stores it in plaintext. Instead, it performs an XOR operation between the key and a random mask, ensuring that only an obfuscated version exists in memory until needed for encryption.
This level of operational security suggests a technically capable threat actor focused on delaying detection and complicating post-incident recovery.
Before encryption begins, Cephalus disables critical recovery and backup mechanisms to ensure maximum impact.
It disables Windows Defender’s real-time protection, deletes Volume Shadow Copies, and terminates processes for Veeam and Microsoft SQL Server (MSSQL) to prevent data restoration.
These steps are typical of ransomware families designed for enterprise environments, but the combination of Go-based architecture and memory obfuscation marks a more modern and stealth-oriented design.
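As an added, defender-side illustration (not code from ASEC's report or the malware itself), the following Python correlates constructed process-creation events for the three pre-encryption steps described above and raises one alert per host when several of them occur within a short window. The command-line forms are assumptions, since the report excerpt does not quote them.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hypothetical, not from the ASEC report).
# Each entry: (ISO timestamp, host, command line).
EVENTS = [
    ("2025-06-20T02:11:05", "srv-fs01", "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("2025-06-20T02:11:40", "srv-fs01", "vssadmin.exe delete shadows /all /quiet"),
    ("2025-06-20T02:12:02", "srv-fs01", "taskkill.exe /F /IM Veeam.Backup.Service.exe"),
    ("2025-06-20T02:12:03", "srv-fs01", "taskkill.exe /F /IM sqlservr.exe"),
    ("2025-06-20T09:30:00", "ws-042",   "vssadmin.exe delete shadows /all /quiet"),  # isolated hit
]


def classify(cmdline):
    """Map a command line to one of the three pre-encryption indicators, or None."""
    c = cmdline.lower()
    if "set-mppreference" in c and "disablerealtimemonitoring" in c:
        return "defender_rtp_disabled"
    if "vssadmin" in c and "delete shadows" in c:
        return "shadow_copies_deleted"
    if "taskkill" in c and ("veeam" in c or "sqlservr" in c):
        return "backup_or_db_killed"
    return None


def correlate(events, window_minutes=10, min_distinct=2):
    """Return {host: sorted indicator names} for hosts where at least
    min_distinct distinct indicators fall inside a window_minutes window.
    A single indicator on its own (e.g. one shadow-copy deletion) is not alerted."""
    hits = defaultdict(list)
    for ts, host, cmd in events:
        name = classify(cmd)
        if name:
            hits[host].append((datetime.fromisoformat(ts), name))
    window = timedelta(minutes=window_minutes)
    alerts = {}
    for host, seq in hits.items():
        seq.sort()
        for i, (t0, _) in enumerate(seq):
            names = {n for t, n in seq[i:] if t - t0 <= window}
            if len(names) >= min_distinct:
                alerts[host] = sorted(names)
                break
    return alerts


if __name__ == "__main__":
    for host, names in correlate(EVENTS).items():
        print(f"ALERT {host}: {', '.join(names)}")
```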
After encrypting files, Cephalus drops a ransom note named recover.txt in every affected directory. Interestingly, the malware leaves the victim’s desktop background unchanged, diverging from the more aggressive visual tactics used by groups like LockBit or BlackCat.
The note includes links to GoFile repositories or dark web portals as proof of data exfiltration, a strategy designed to reinforce the credibility of the group's threats.
AhnLab’s analysis indicates that Cephalus currently operates independently, with no confirmed ties to existing ransomware cartels.