Wednesday, April 16, 2025

HellCat and Morpheus Ransomware Share Identical Payloads for Attacks


The cybersecurity landscape witnessed a surge in ransomware activity during the latter half of 2024 and into early 2025, with the emergence of operations like HellCat and Morpheus.

Alongside their rise, notable groups such as FunkSec, Nitrogen, and Termite gained traction, while established actors Cl0p and LockBit introduced new versions of their ransomware, further amplifying the threat.

Among these, HellCat and Morpheus, both operating under the Ransomware-as-a-Service (RaaS) model, have caught significant attention for their increasing sophistication, targeted attacks, and operational similarities.


HellCat’s Aggressive Expansion

Launched in mid-2024, HellCat has positioned itself as a high-profile actor within the RaaS domain.

Its leadership reportedly comprises prominent members of the BreachForums community, operating under pseudonyms such as Rey, Pryx, Grep, and IntelBroker.

The group has targeted high-value entities, focusing particularly on government organizations and “big game” victims.

HellCat’s operators have leveraged media visibility and novel ransom demands to solidify their reputation in the cybercrime ecosystem.

Morpheus, which unveiled its data leaks site in December 2024, has demonstrated more restrained branding efforts compared to HellCat.

Tracing its origins back to September 2024, the operation functions as a semi-private RaaS, targeting industries like pharmaceuticals and manufacturing.

Recent attacks show a focus on VMware ESXi virtualization environments, with ransom demands reaching 32 BTC (roughly $3 million USD at the time).

Despite its lower profile, Morpheus affiliates remain highly active, particularly in targeting organizations within Italy.

Evidence of Code Sharing

A significant finding emerged in late December 2024: researchers identified two ransomware samples, uploaded to VirusTotal on December 22 and December 30, whose code was nearly identical.

[Figure] er.bat launches Morpheus ransomware

The payloads, tied to both HellCat and Morpheus campaigns, were traced back to the same affiliate based on telemetry data.

The payloads are 64-bit PE files of roughly 18 KB. Each carries a hard-coded list of file extensions to skip and avoids encrypting critical system directories such as Windows\System32, the usual choice that keeps the host bootable.

The ransomware encrypts file contents in place but, unlike most established families, does not rename files, append an extension, or alter file metadata. Detection logic keyed on mass renames or on a known ransomware extension will therefore miss it; defenders need content-based signals instead.

Further examination showed that both samples use the Windows CNG API (the BCrypt functions exported by bcrypt.dll) for key generation and encryption.
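One quick triage step that follows from the BCrypt observation is to read a sample's import directory and see whether it pulls symmetric-key and encryption routines from bcrypt.dll. The block below is an added example, not code from the article or from SentinelOne: it implements a minimal PE32/PE32+ import-table walker in pure Python, plus a builder for a constructed, hypothetical PE32+ image that contains nothing but an import directory, so the parser can be exercised offline without a real sample. The BCRYPT_OF_INTEREST set is this example's own heuristic; the API names in it are real CNG exports.

```python
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1
# CNG exports a file encryptor typically needs (real Win32 names); the grouping
# into a watch list is this example's own triage heuristic, not a signature.
BCRYPT_OF_INTEREST = {
    "BCryptOpenAlgorithmProvider", "BCryptGenRandom",
    "BCryptGenerateSymmetricKey", "BCryptSetProperty", "BCryptEncrypt",
}


def pe_imports(data: bytes) -> dict:
    """Walk a PE32/PE32+ import directory and return {dll_lower: [function, ...]}."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    nsec = struct.unpack_from("<H", data, fh + 2)[0]
    opt_size = struct.unpack_from("<H", data, fh + 16)[0]
    opt = fh + 20                                       # IMAGE_OPTIONAL_HEADER
    is64 = struct.unpack_from("<H", data, opt)[0] == 0x20B
    dd = opt + (112 if is64 else 96)                    # DataDirectory[0]
    imp_rva, _ = struct.unpack_from("<II", data, dd + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)
    if imp_rva == 0:
        return {}
    sections = []                                       # (VirtualAddress, size, PointerToRawData)
    for i in range(nsec):
        vsize, va, rawsize, raw = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, rawsize), raw))

    def rva2off(rva):
        for va, size, raw in sections:
            if va <= rva < va + size:
                return raw + (rva - va)
        raise ValueError(f"RVA {rva:#x} is not backed by any section")

    def cstr(off):
        return data[off:data.index(b"\0", off)].decode("ascii", "replace")

    thunk_fmt, thunk_len, ord_bit = ("<Q", 8, 1 << 63) if is64 else ("<I", 4, 1 << 31)
    result, off = {}, rva2off(imp_rva)
    while True:                                         # IMAGE_IMPORT_DESCRIPTOR array
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, off)
        if name_rva == 0:
            break
        funcs, t = [], rva2off(oft or ft)               # prefer the INT, fall back to the IAT
        while True:
            v = struct.unpack_from(thunk_fmt, data, t)[0]
            if v == 0:
                break
            funcs.append(f"ord#{v & 0xFFFF}" if v & ord_bit else cstr(rva2off(v) + 2))
            t += thunk_len
        result[cstr(rva2off(name_rva)).lower()] = funcs
        off += 20
    return result


def bcrypt_hits(imports: dict) -> set:
    """Subset of BCRYPT_OF_INTEREST that the image imports from bcrypt.dll."""
    return BCRYPT_OF_INTEREST & set(imports.get("bcrypt.dll", []))


def build_minimal_pe64(imports: dict) -> bytes:
    """Constructed, hypothetical PE32+ (no code) with one .rdata section holding an
    import directory for `imports` ({dll: [func, ...]}); enough structure to parse."""
    sec_rva, sec_raw = 0x1000, 0x400
    blob = bytearray(20 * (len(imports) + 1))         # descriptor array incl. null terminator
    descs = b""
    for dll, funcs in imports.items():
        name_rva = sec_rva + len(blob)
        blob += dll.encode() + b"\0"
        hints = []
        for f in funcs:
            blob += b"\0" * (len(blob) % 2)            # IMAGE_IMPORT_BY_NAME is 2-byte aligned
            hints.append(sec_rva + len(blob))
            blob += struct.pack("<H", 0) + f.encode() + b"\0"
        blob += b"\0" * (-len(blob) % 8)
        oft = sec_rva + len(blob)
        blob += b"".join(struct.pack("<Q", h) for h in hints) + b"\0" * 8   # INT
        ft = sec_rva + len(blob)
        blob += b"".join(struct.pack("<Q", h) for h in hints) + b"\0" * 8   # IAT
        descs += struct.pack("<IIIII", oft, 0, 0, name_rva, ft)
    blob[:len(descs)] = descs
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt_hdr = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16)
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, sec_rva, 20 * (len(imports) + 1))
    raw_size = len(blob) + (-len(blob) % 0x200)
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".rdata", len(blob), sec_rva, raw_size, sec_raw,
                          0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\0\0" + file_hdr + opt_hdr + bytes(dirs) + sec_hdr
    return headers + b"\0" * (sec_raw - len(headers)) + bytes(blob) + b"\0" * (raw_size - len(blob))


if __name__ == "__main__":
    sample = build_minimal_pe64({"bcrypt.dll": ["BCryptGenerateSymmetricKey", "BCryptEncrypt"],
                                 "kernel32.dll": ["FindFirstFileW"]})
    print(bcrypt_hits(pe_imports(sample)))
```

On a real sample the same pe_imports() call applies to the bytes read from disk; an empty result from bcrypt_hits() does not clear a file, since the imports may be resolved at run time (LoadLibrary/GetProcAddress) or the sample may be packed, so treat a hit as a reason to look closer rather than its absence as a reason to stop.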

Each sample drops a ransom note (README.txt) that tells the victim how to reach the attackers' .onion portal with the credentials it contains.
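Because these payloads keep the original file name and extension, the two artefacts a responder can still rely on are the file contents (a .docx that no longer starts with a ZIP header and is near-random) and the README.txt note with its .onion address. The scanner below is an added example, not code from the article or from SentinelOne: it flags files whose extension promises a known magic that is no longer present and whose leading bytes have ciphertext-level entropy, and it collects ransom notes by name and content. The magic table, the 7.5 bits/byte threshold, the note filename and the sample tree it builds are this example's own constructed assumptions.

```python
import math
import os
import tempfile

# Magic bytes for a few common document types (assumed table for this example). A file
# that keeps one of these extensions but no longer starts with its magic is a candidate
# for in-place encryption.
MAGIC = {
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04", ".zip": b"PK\x03\x04",
    ".pdf": b"%PDF", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
}
ENTROPY_THRESHOLD = 7.5     # bits per byte; ciphertext sits near 8.0, real documents well below
SAMPLE_BYTES = 4096         # only the head of each file is read, so the scan stays cheap


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted_in_place(path: str) -> bool:
    """True when the extension promises a known magic, the header no longer matches,
    and the leading bytes are near-random: a file encrypted without being renamed."""
    magic = MAGIC.get(os.path.splitext(path)[1].lower())
    if magic is None:
        return False                      # unknown type: no verdict rather than a guess
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    return not head.startswith(magic) and shannon_entropy(head) >= ENTROPY_THRESHOLD


def is_ransom_note(path: str, name: str = "README.txt") -> bool:
    """Note heuristic for this family: README.txt that points at a Tor hidden service."""
    if os.path.basename(path).lower() != name.lower():
        return False
    with open(path, "rb") as fh:
        return b".onion" in fh.read(65536)


def scan_tree(root: str) -> dict:
    """Walk `root`; return sorted, slash-separated relative paths of suspected
    in-place-encrypted files and of ransom notes."""
    encrypted, notes = [], []
    for dirpath, _, files in os.walk(root):
        for f in files:
            p = os.path.join(dirpath, f)
            rel = os.path.relpath(p, root).replace(os.sep, "/")
            if is_ransom_note(p):
                notes.append(rel)
            elif looks_encrypted_in_place(p):
                encrypted.append(rel)
    return {"encrypted": sorted(encrypted), "notes": sorted(notes)}


def make_demo_tree(root: str) -> None:
    """Constructed sample tree (not victim data): one intact docx-like file, one copy
    'encrypted in place' under its original name, a README.txt note, and a plain file."""
    os.makedirs(os.path.join(root, "Finance"))
    with open(os.path.join(root, "Finance", "budget.docx"), "wb") as fh:
        fh.write(b"PK\x03\x04" + b"[Content_Types].xml" + b"\0" * 2000)   # valid header, low entropy
    with open(os.path.join(root, "Finance", "contract.docx"), "wb") as fh:
        fh.write(os.urandom(8192))                                           # stands in for ciphertext
    with open(os.path.join(root, "Finance", "README.txt"), "w") as fh:
        fh.write("Your files are encrypted. Log in at http://example.onion with the credentials below.\n")
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("unaffected plain text; no known magic for .txt, so it is never judged\n")


def demo() -> dict:
    """Build the constructed tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        make_demo_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    print(demo())
```

Run against a real share, the scanner would be pointed at the share root instead of the temp dir; the ratio of flagged files per directory, together with a note in the same directory, is the signal worth alerting on, since a single high-entropy .docx can be a legitimately password-protected document.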

[Figure] Morpheus ransom note displayed post-encryption

Despite operational similarities, including the ransom-note template, there is no conclusive evidence of a deeper connection or shared codebase with the previously active Underground Team RaaS.

According to SentinelOne, the striking resemblance between the HellCat and Morpheus payloads points to a shared builder application or codebase used by affiliates of both operations.

This development underscores the growing industrialization of ransomware, where tools and techniques are increasingly being shared among malicious actors.

While the precise relationship between HellCat and Morpheus operators remains unclear, their activities underscore the escalating sophistication of RaaS operations and their ability to compromise diverse sectors.

HellCat and Morpheus represent a broader trend in the evolution of ransomware, where operational overlaps and shared resources blur the lines between distinct groups.

As both groups continue to target enterprises and governmental entities, understanding their shared methodologies can play a pivotal role in improving detection and response strategies for security professionals.

The cybersecurity community must remain vigilant in tracking these emerging threats to mitigate their impact effectively.


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
