Emergence of Cephalus Ransomware: Exploiting Remote Desktop Protocol for Initial Access

A new ransomware variant, dubbed Cephalus, has surfaced, posing a significant threat to organizations by abusing Remote Desktop Protocol (RDP) connections that are not protected by multi-factor authentication. Named after a figure in Greek mythology, Cephalus represents a concerning advancement in ransomware tactics, combining unique infection methods with sophisticated evasion strategies.

Initial Access via RDP Exploitation

Cephalus operators gain entry into target networks by exploiting RDP credentials that lack multi-factor authentication (MFA). This method underscores the persistent risk associated with unsecured RDP configurations, which have been a favored attack vector for cybercriminals. Once access is secured, the attackers utilize the MEGA cloud storage platform to exfiltrate data before deploying the ransomware payload.

Sophisticated Deployment Mechanism

The deployment of Cephalus involves a clever technique known as DLL sideloading, which leverages legitimate security software components to evade detection. Analysts from Huntress identified this method during investigations of incidents on August 13 and August 16, 2025, where the malware infiltrated organizations using legitimate SentinelOne security products.

DLL Sideloading and Execution Chain

Cephalus’s deployment strategy exploits a legitimate SentinelOne executable file named `SentinelBrowserNativeHost.exe`. The attackers place this binary in the user’s Downloads folder, from which it loads a malicious DLL called `SentinelAgentCore.dll`. This DLL then loads a file named `data.bin` containing the actual ransomware code, creating a multi-stage execution chain that helps the malware evade detection.

System Recovery Prevention and Defense Evasion

Upon execution, Cephalus initiates commands to prevent system recovery. It deletes volume shadow copies using the command `vssadmin delete shadows /all /quiet`, eliminating potential recovery options. The malware also disables Windows Defender through a series of PowerShell commands, creating exclusions for critical system processes and specific file extensions such as .cache, .tmp, .dat, and .sss. Additionally, it modifies Windows Registry entries to disable real-time protection, behavior monitoring, and on-access protection features. Services including SecurityHealthService, Sense, WinDefend, and WdNisSvc are stopped and disabled using PowerShell commands executed with hidden window styles and bypassed execution policies.

Ransom Note Characteristics

Cephalus ransom notes are distinctive in that they reference news articles about previous successful attacks, aiming to establish credibility and create urgency for victims. The malware encrypts files with the .sss extension and generates recover.txt files containing payment instructions.

Mitigation Strategies

Organizations can protect themselves by implementing MFA for RDP access, monitoring for unauthorized use of legitimate security tool executables in unusual locations, and maintaining comprehensive endpoint detection capabilities.
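The monitoring recommended above, together with the sideloading chain and recovery-prevention commands described earlier, can be turned into simple process-creation rules. The following is an added illustration, not code from Huntress or the article; the event fields, the sample events and the "ExampleInstallDir" install path are constructed, and the watched-binary and unusual-directory lists are assumptions to be tuned per environment.

```python
import re

SAMPLE_EVENTS = [  # constructed process-creation events (Sysmon Event ID 1 style), not real telemetry
    {"image": r"C:\Users\jdoe\Downloads\SentinelBrowserNativeHost.exe",
     "cmdline": r"C:\Users\jdoe\Downloads\SentinelBrowserNativeHost.exe"},
    {"image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass "
                "-Command \"Add-MpPreference -ExclusionExtension .sss\""},
    # constructed install path for the legitimate case; not the vendor's real directory
    {"image": r"C:\Program Files\ExampleInstallDir\SentinelBrowserNativeHost.exe",
     "cmdline": "SentinelBrowserNativeHost.exe"},
    {"image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe readme.txt"},
]

# Security-tool binaries that should only ever run from their install directory (assumed list)
WATCHED_BINARIES = {"sentinelbrowsernativehost.exe"}
# Directories from which such binaries should never launch (assumed list)
UNUSUAL_DIRS = ("\\downloads\\", "\\temp\\", "\\public\\")


def classify(event):
    """Return the list of alert tags that one process-creation event triggers."""
    image = event["image"].lower()
    cmd = event["cmdline"].lower()
    name = image.rsplit("\\", 1)[-1]
    tags = []
    # Sideloading host dropped in Downloads instead of running from its install directory
    if name in WATCHED_BINARIES and any(d in image for d in UNUSUAL_DIRS):
        tags.append("security-binary-unusual-location")
    # Shadow copy deletion ahead of encryption
    if name == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd:
        tags.append("shadow-copy-deletion")
    if name == "powershell.exe":
        # Defender exclusions or protection toggles via the MpPreference cmdlets
        if "add-mppreference" in cmd or "set-mppreference" in cmd:
            tags.append("defender-tampering")
        # Hidden window combined with execution-policy bypass, as used for the service-stop commands
        if re.search(r"-(w|windowstyle)\s+hidden", cmd) and re.search(r"-(ep|executionpolicy)\s+bypass", cmd):
            tags.append("hidden-bypass-powershell")
    return tags


def scan(events):
    """Return (image, tags) for every event that triggers at least one alert."""
    hits = [(e["image"], classify(e)) for e in events]
    return [(img, tags) for img, tags in hits if tags]
```

Running `scan(SAMPLE_EVENTS)` flags the Downloads-resident binary, the vssadmin call and the PowerShell command, while the same binary under its install directory and the notepad event pass clean.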