Cephalus Ransomware Emerges as Go-Based Double-Extortion Threat Targeting Exposed RDP


Cephalus has surfaced as a Go-built ransomware strain linked to victim activity as early as June 2025, with wider public reporting appearing in August.

It focuses on Windows networks and follows a double-extortion playbook, stealing sensitive data before it locks files.

Victims can face operational downtime and pressure when attackers leak small “proof” sets to push payment.

Reports tie many intrusions to exposed Remote Desktop Protocol (RDP) services that lack multi-factor authentication, often paired with stolen credentials.

Once inside, the malware moves quickly from access to impact, aiming to disable defenses and break recovery options. It uses a hybrid scheme, encrypting files with AES-256 in CTR mode and protecting per-victim keys with RSA-1024.

After these early case reports, AttackIQ researchers noted the pattern of behaviors and mapped them into an emulation sequence that mirrors how Cephalus is deployed on a compromised host.


The emulation draws on behavior described by Huntress in August 2025 and Ahnlab in December 2025, along with internal analysis.

Cephalus Ransomware TTPs (Source – AttackIQ)

This shows the initial run, including process injection through VirtualAlloc and VirtualProtect, and persistence through scheduled tasks created with schtasks.

Before encryption, Cephalus performs quick checks that help it understand the victim environment, collecting system and user details and listing running processes.

It uses Windows APIs such as GetSystemInfo, RtlGetVersion, GetComputerNameExW, GetUserNameW, GetEnvironmentStrings, and CreateToolhelp32Snapshot with Process32FirstW and Process32NextW.

It can also gather adapter and drive details and then walk the file system with FindFirstFileW and FindNextFileW to pick targets.

Windows Defender tampering

A key evasion step is to weaken Microsoft Defender, where the attacker disables or reduces real-time protections and adds exclusions for paths, processes, or extensions.

The observed actions include PowerShell changes like Add-MpPreference and Set-MpPreference, plus registry edits under Windows Defender policy keys that can turn off monitoring or scanning.

The emulation captures this phase, where exclusions and settings changes reduce the chance of the payload being blocked.

Defenders should treat open RDP as a high-risk doorway: require MFA, restrict exposure with VPN or allowlists, watch for brute force and unusual logons, and reset passwords when theft is suspected.

On endpoints, alert on new scheduled tasks, vssadmin shadow copy deletion, sudden Defender preference or registry policy changes, and suspicious service stops for backups or databases, while keeping offline backups and practicing recovery drills.
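To make the endpoint signals above concrete, here is an added example (not code from AttackIQ, Huntress, Ahnlab or the article) that runs simple rules over process-creation events covering both the Defender tampering described earlier and the scheduled-task, shadow-copy and service-stop indicators listed here. The regexes, the service-name list and the sample events are all constructed for this example and are assumptions, not published signatures.

```python
import re
from dataclasses import dataclass

# Rules keyed to the behaviours discussed on this page; each regex is applied to the
# full command line. Patterns are assumptions written for this example, not vendor signatures.
RULES = {
    "scheduled_task_persistence": re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.I),
    "shadow_copy_deletion": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "defender_preference_change": re.compile(r"\b(Add|Set)-MpPreference\b", re.I),
    "defender_policy_registry_change": re.compile(
        r"\breg(\.exe)?\s+add\b.*\\Windows Defender\b.*\bDisable\w+\b", re.I),
    "backup_or_db_service_stop": re.compile(
        r'\b(net(\.exe)?\s+stop|sc(\.exe)?\s+stop)\s+"?(veeam|sql|mssql|backup|exchange)\w*', re.I),
}

@dataclass
class Finding:
    host: str
    user: str
    rule: str
    command_line: str

def classify(command_line: str) -> list[str]:
    """Return the names of every rule the command line matches, in RULES order."""
    return [name for name, pat in RULES.items() if pat.search(command_line)]

def scan(events: list[dict]) -> list[Finding]:
    """Run each event (host, user, command_line) through the rules and collect hits."""
    findings = []
    for ev in events:
        for rule in classify(ev["command_line"]):
            findings.append(Finding(ev["host"], ev["user"], rule, ev["command_line"]))
    return findings

# Constructed sample events shaped like process-creation telemetry (Sysmon Event ID 1 /
# Security 4688). None of these are real Cephalus artefacts.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\jdoe", "command_line": "notepad.exe C:\\Users\\jdoe\\notes.txt"},
    {"host": "WS01", "user": "CORP\\jdoe", "command_line": "powershell.exe -nop -w hidden -c "
        "\"Set-MpPreference -DisableRealtimeMonitoring $true; Add-MpPreference -ExclusionPath C:\\ProgramData\""},
    {"host": "WS01", "user": "CORP\\jdoe", "command_line": "reg.exe add \"HKLM\\SOFTWARE\\Policies\\Microsoft"
        "\\Windows Defender\\Real-Time Protection\" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f"},
    {"host": "WS01", "user": "CORP\\jdoe", "command_line": "schtasks.exe /create /sc onlogon /tn Updater /tr C:\\ProgramData\\svc.exe"},
    {"host": "SRV02", "user": "CORP\\svc-backup", "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "SRV02", "user": "CORP\\svc-backup", "command_line": "net stop MSSQLSERVER"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host} {f.user} [{f.rule}] {f.command_line}")
```

In a real deployment the same rules would be fed from an EDR or SIEM export rather than the inline list, and the benign first event shows that ordinary activity produces no finding.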
