HellCat and Morpheus Ransomware Share Identical Payloads for Attacks

The cybersecurity landscape witnessed a surge in ransomware activity during the latter half of 2024 and into early 2025, with the emergence of operations like HellCat and Morpheus.

Alongside their rise, notable groups such as FunkSec, Nitrogen, and Termite gained traction, while established actors Cl0p and LockBit introduced new versions of their ransomware, further amplifying the threat.

Among these, HellCat and Morpheus, both operating under the Ransomware-as-a-Service (RaaS) model, have caught significant attention for their increasing sophistication, targeted attacks, and operational similarities.

HellCat’s Aggressive Expansion

Launched in mid-2024, HellCat has positioned itself as a high-profile actor within the RaaS domain.

Its leadership reportedly includes prominent members of the BreachForums community, including individuals operating under the pseudonyms Rey, Pryx, Grep, and IntelBroker.

The group has targeted high-value entities, focusing particularly on government organizations and “big game” victims.

HellCat’s operators have leveraged media visibility and novel ransom demands to solidify their reputation in the cybercrime ecosystem.

Morpheus, which unveiled its data leaks site in December 2024, has demonstrated more restrained branding efforts compared to HellCat.

Tracing its origins back to September 2024, the operation functions as a semi-private RaaS, targeting industries like pharmaceuticals and manufacturing.

Recent attacks indicate a focus on virtual ESXi environments, with ransom demands reaching up to 32 BTC (approximately $3 million USD).

Despite the operation's lower profile, Morpheus affiliates remain highly active, particularly against organizations in Italy.

Evidence of Code Sharing

A significant finding emerged in late December 2024, when researchers discovered two ransomware samples uploaded to VirusTotal on December 22 and December 30 that shared nearly identical code.

er.bat launches Morpheus ransomware

The payloads, tied to both HellCat and Morpheus campaigns, were traced back to the same affiliate based on telemetry data.

These payloads, 64-bit PE files around 18 KB in size, use a hard-coded list of file extensions to exclude from encryption and skip critical system folders such as Windows/System32.

While the ransomware encrypts the file contents, it notably does not alter file extensions or metadata, a deviation from many established ransomware families.

Further examination revealed a shared use of the Windows Cryptographic API, specifically employing BCrypt for key generation and encryption.

The ransomware leaves behind a ransom note (README.txt) with details on how victims can access the attackers’ .onion portals using provided credentials.

Morpheus Ransom note displayed post-encryption
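Because the payload described above rewrites file contents in place without renaming files or changing extensions, any triage that keys on unusual extensions sees nothing. The following added example (not code from the article or from SentinelOne) checks instead whether a file's content still matches the header its extension implies and whether it has become near-random, and notes the presence of a README.txt. The magic-byte table, the 7.5-bit entropy threshold and the in-memory sample files are assumptions constructed for the demonstration.

```python
import math
import os
from collections import Counter

# Expected leading bytes per extension. Assumption: a small illustrative table, not exhaustive.
MAGIC = {
    ".pdf": b"%PDF",
    ".png": b"\x89PNG",
    ".docx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
    ".exe": b"MZ",
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext approaches 8.0, natural-language text sits around 4 to 5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(name: str, data: bytes, threshold: float = 7.5) -> bool:
    """Flag a file whose name and extension are intact but whose content no longer
    carries the expected header and is near-random (threshold is an assumed value)."""
    ext = os.path.splitext(name)[1].lower()
    expected = MAGIC.get(ext)
    header_ok = expected is not None and data.startswith(expected)
    # Small files cannot reach the threshold (entropy <= log2(len)), so they are
    # never flagged here; a real sweep would handle them separately.
    return not header_ok and shannon_entropy(data) >= threshold

def triage(files: dict) -> dict:
    """Takes a directory snapshot as {name: bytes}; returns the suspect files and
    whether a README.txt (the ransom note name from the samples) is present."""
    suspect = sorted(n for n, d in files.items() if looks_encrypted(n, d))
    note = any(os.path.basename(n).lower() == "readme.txt" for n in files)
    return {"suspect": suspect, "ransom_note": note}

# Constructed sample snapshot: two in-place-encrypted documents (deterministic
# high-entropy stand-ins for ciphertext), one intact PDF, plain text, and the note.
CIPHERTEXT_A = bytes(range(256)) * 16
CIPHERTEXT_B = bytes(range(255, -1, -1)) * 16
SAMPLE_FILES = {
    "report.pdf": CIPHERTEXT_A,
    "plan.docx": CIPHERTEXT_B,
    "intact.pdf": b"%PDF-1.4\n" + b"Quarterly numbers. " * 40,
    "notes.txt": b"Meeting moved to Thursday. " * 30,
    "README.txt": b"Your files are encrypted. Use the credentials below to reach the portal.",
}

if __name__ == "__main__":
    print(triage(SAMPLE_FILES))
```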

Despite operational similarities, including the ransom note template, there is no conclusive evidence to suggest a deeper connection or shared codebase with the previously active Underground Team RaaS.

According to SentinelOne, the striking resemblance between the HellCat and Morpheus payloads points to a shared builder application or codebase in use among affiliates.

This development underscores the growing industrialization of ransomware, where tools and techniques are increasingly being shared among malicious actors.

While the precise relationship between HellCat and Morpheus operators remains unclear, their activities underscore the escalating sophistication of RaaS operations and their ability to compromise diverse sectors.

HellCat and Morpheus represent a broader trend in the evolution of ransomware, where operational overlaps and shared resources blur the lines between distinct groups.

As both groups continue to target enterprises and governmental entities, understanding their shared methodologies can play a pivotal role in improving detection and response strategies for security professionals.

The cybersecurity community must remain vigilant in tracking these emerging threats to mitigate their impact effectively.

Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
