A newly identified ransomware strain named Cephalus has emerged as a sophisticated threat, targeting organizations through compromised Remote Desktop Protocol (RDP) connections.
The malware takes its name from Greek mythology: Cephalus, a son of Hermes, accidentally killed his wife with a javelin that never missed its mark. The strain represents a concerning evolution in ransomware deployment techniques.
Cephalus distinguishes itself from other ransomware families through its unique infection methodology and sophisticated evasion tactics.
The operators gain initial access by logging in over RDP with valid credentials for accounts that lack multi-factor authentication (MFA), a weakness that continues to plague organizations worldwide.
Once inside the network, attackers utilize the MEGA cloud storage platform for data exfiltration before deploying the ransomware payload.
The ransomware deployment mechanism involves a particularly clever approach using DLL sideloading through legitimate security software components.
Huntress analysts identified this technique during investigations of two separate incidents occurring on August 13 and August 16, 2025, where the malware successfully infiltrated organizations running legitimate SentinelOne security products.
DLL Sideloading and Execution Chain
The most technically intriguing aspect of Cephalus lies in its deployment strategy, which abuses a legitimate SentinelOne executable, SentinelBrowserNativeHost.exe. The operators drop this genuine binary into the user's Downloads folder, from where it loads a malicious DLL named SentinelAgentCore.dll. That DLL in turn loads a file called data.bin containing the actual ransomware code, creating a multi-stage execution chain that helps evade detection. Because the host executable is the vendor's own file, hash- or signature-based allowlisting passes it; what stands out is a security product binary executing from a user-writable path and then loading a DLL that is not part of the product.
Upon successful execution, Cephalus immediately begins inhibiting system recovery by running embedded commands. The first is vssadmin delete shadows /all /quiet, which deletes all volume shadow copies that could otherwise be used to restore files.
The malware then systematically disables Windows Defender through a series of PowerShell commands that add exclusions for critical system processes and for the file extensions .cache, .tmp, .dat and .sss.
The ransomware further modifies Windows Registry entries to disable real-time protection, behavior monitoring and on-access protection.
It stops and disables the Windows Defender services SecurityHealthService, Sense, WinDefend and WdNisSvc through PowerShell commands launched with a hidden window style and the execution policy bypassed (the -WindowStyle Hidden and -ExecutionPolicy Bypass switches).
Cephalus ransom notes have an unusual characteristic: they reference news articles about previous successful attacks, attempting to establish credibility and create urgency for victims.
The malware appends the .sss extension to encrypted files and drops recover.txt files containing payment instructions.
Organizations can protect themselves by enforcing MFA for all RDP access, alerting when vendor security binaries such as SentinelBrowserNativeHost.exe execute from unusual locations like a user's Downloads folder, watching for vssadmin shadow-copy deletion and for PowerShell that adds Defender exclusions or stops Defender services, and maintaining comprehensive endpoint detection capabilities.
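As an added illustration of the detection advice above (example code written for this page, not Huntress's or the article's own tooling), the following Python scans Sysmon-style process-creation records for the behaviours the article describes: the vendor binary running from a user-writable directory, vssadmin shadow deletion, Defender exclusions and service tampering from PowerShell with hidden or bypass switches, and a Defender policy registry write. The log lines, the pipe-delimited field layout, the legitimate SentinelOne install path and the reg.exe form of the registry change are all constructed for the example; the article does not say how the registry was modified.

```python
import re
from dataclasses import dataclass, field


@dataclass
class ProcEvent:
    image: str          # full path of the created process
    command_line: str   # its command line
    parent_image: str   # full path of the parent process
    findings: list = field(default_factory=list)


# Constructed sample log (not captured from a real incident). Field layout is an
# assumption for this example: Image|CommandLine|ParentImage, one event per line.
# The legitimate SentinelOne install path and the reg.exe form of the Defender
# policy change are also assumed; the article only says the registry was modified.
SAMPLE_LOG = r"""
C:\Users\alice\Downloads\SentinelBrowserNativeHost.exe|"C:\Users\alice\Downloads\SentinelBrowserNativeHost.exe"|C:\Windows\explorer.exe
C:\Windows\System32\vssadmin.exe|vssadmin delete shadows /all /quiet|C:\Users\alice\Downloads\SentinelBrowserNativeHost.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -WindowStyle Hidden -ExecutionPolicy Bypass Add-MpPreference -ExclusionExtension .sss|C:\Users\alice\Downloads\SentinelBrowserNativeHost.exe
C:\Windows\System32\reg.exe|reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f|C:\Users\alice\Downloads\SentinelBrowserNativeHost.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -WindowStyle Hidden Stop-Service WinDefend; Set-Service WdNisSvc -StartupType Disabled|C:\Users\alice\Downloads\SentinelBrowserNativeHost.exe
C:\Program Files\SentinelOne\Sentinel Agent\SentinelBrowserNativeHost.exe|"C:\Program Files\SentinelOne\Sentinel Agent\SentinelBrowserNativeHost.exe"|C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\System32\vssadmin.exe|vssadmin list shadows|C:\Windows\System32\cmd.exe
"""

# Vendor binary the article names as the sideload host.
SIDELOAD_HOSTS = {"sentinelbrowsernativehost.exe"}
# User-writable directories a vendor security binary has no reason to run from
# (this rule's assumption; the article reports the Downloads folder).
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|desktop|documents|appdata\\local\\temp)\\", re.I)
VSSADMIN_DELETE = re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)
# Defender policy values that switch off the protections the article lists.
DEFENDER_POLICY_WRITE = re.compile(
    r"windows defender\\real-time protection.*disable(realtimemonitoring|behaviormonitoring|onaccessprotection)", re.I)
DEFENDER_SERVICES = re.compile(r"\b(securityhealthservice|sense|windefend|wdnissvc)\b", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Run every rule against one event and return the list of rule names that fired."""
    name = basename(ev.image)
    cl = ev.command_line.lower()

    if name in SIDELOAD_HOSTS and USER_WRITABLE.search(ev.image):
        ev.findings.append("vendor_binary_in_user_dir")
    if name == "vssadmin.exe" and VSSADMIN_DELETE.search(cl):
        ev.findings.append("shadow_copy_deletion")
    if DEFENDER_POLICY_WRITE.search(cl):
        ev.findings.append("defender_policy_registry_write")
    if name in ("powershell.exe", "pwsh.exe"):
        if "add-mppreference" in cl and "-exclusion" in cl:
            ev.findings.append("defender_exclusion_added")
        if "set-mppreference" in cl and "-disable" in cl:
            ev.findings.append("defender_feature_disabled")
        if re.search(r"\b(stop|set)-service\b", cl) and DEFENDER_SERVICES.search(cl):
            ev.findings.append("defender_service_tampering")
        if "-windowstyle hidden" in cl or "-executionpolicy bypass" in cl:
            ev.findings.append("hidden_or_bypass_powershell")
    # The chain the article describes: a child of the vendor binary that itself runs
    # from a user directory, and which has already tripped a rule of its own.
    if ev.findings and basename(ev.parent_image) in SIDELOAD_HOSTS and USER_WRITABLE.search(ev.parent_image):
        ev.findings.append("chained_from_sideload_host")
    return ev.findings


def parse_log(text):
    events = []
    for line in text.strip().splitlines():
        image, command_line, parent = line.split("|", 2)
        events.append(ProcEvent(image, command_line, parent))
    return events


def scan(text):
    """Return [(image, findings)] for every event that fired at least one rule."""
    return [(ev.image, ev.findings) for ev in parse_log(text) if classify(ev)]


if __name__ == "__main__":
    for image, findings in scan(SAMPLE_LOG):
        print(f"{image}\n    -> {', '.join(findings)}")
```

The legitimately installed copy of SentinelBrowserNativeHost.exe under Program Files and the benign vssadmin list shadows produce no findings, while every stage launched from the Downloads copy is tagged both on its own behaviour and on its parentage, which is the signal to pivot on during triage.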