Cephalus is a newly observed ransomware strain/group first reported in mid-2025 and seen in incidents in August 2025. It is described as financially motivated and has been associated with targeted intrusions in which operators breach victims, exfiltrate data, and then encrypt systems. Reported initial access commonly involved compromised RDP accounts without MFA. In observed incidents, attackers also used the MEGA cloud platform, likely for data exfiltration, and the ransom note provided a GoFile link and password as proof of stolen data. Cephalus has also been cited among emerging ransomware groups contributing to increased attacks in sectors including healthcare.
Technically, Cephalus is written in Go. In Huntress-observed incidents, it was launched via DLL sideloading using the legitimate SentinelOne executable SentinelBrowserNativeHost.exe, executed from a user Downloads directory, which loaded SentinelAgentCore.dll and then a data.bin payload containing the ransomware. One deployment was reportedly blocked when Microsoft Defender quarantined the file. The malware disables or weakens Microsoft Defender protections, including adding exclusions, modifying Defender-related registry keys, stopping and disabling services such as SecurityHealthService, Sense, WinDefend, and WdNisSvc, deleting Volume Shadow Copies with vssadmin delete shadows /all /quiet, and stopping services including Veeam and MSSQL to hinder recovery.
Cephalus includes anti-analysis and key-protection features. AhnLab reported that it generates a fake AES key string ("FAKE_AES_KEY_FOR_CONFUSION_ONLY!") repeatedly to mislead dynamic analysis. It encrypts files with a single AES-CTR key derived by repeated SHA-256 hashing of a random 32-byte value, and then encrypts that AES key with an embedded RSA public key. The malware uses memory-protection techniques including VirtualLock and XOR masking to reduce key exposure in memory or paging files. The ransom note is named recover.txt and is created in directories where encryption completes. Reported indicators associated with Cephalus include MD5 hashes 6221b0bf4d365454d40c546cf7133570 and a16a1228d5276eec526c21432a403923.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Emerging ransomware brand referenced as part of the long-tail of operators impacting industrial organizations.
Cephalus is a ransomware strain that gains initial access via RDP accounts and operates a dark web leak site for extortion.
Go-based ransomware that gains access via stolen RDP credentials (often where MFA is not enabled), exfiltrates victim data, then encrypts files using a single AES-CTR key. It includes anti-analysis behavior (fake AES key activity), attempts to hinder recovery by disabling Defender real-time protection, deleting VSS backups, and stopping services (e.g., Veeam, MSSQL). The AES key is protected in memory (VirtualLock to prevent paging; XOR-masking in memory) and is encrypted with an embedded RSA public key for key protection.
Cephalus is a newly emerged ransomware group that has contributed to a surge in healthcare sector attacks in Q3 2025.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.