Cephalus: The New Ransomware Strain Using Legitimate Binaries to Attack
In mid-August, researchers encountered a new ransomware strain, Cephalus, in two separate incidents. Following the recent emergence of families such as Crux and KawaLocker, attention was quickly drawn to a ransom note that began with the words “We’re Cephalus.” In both cases, attackers gained initial access via RDP using compromised credentials without multi-factor authentication, and leveraged the cloud service MEGA for potential data exfiltration.
The most striking element of the attack chain was the ransomware’s method of execution. The adversaries employed DLL side-loading with a legitimate SentinelOne component: from the Downloads directory, the executable SentinelBrowserNativeHost.exe was launched, which in turn loaded SentinelAgentCore.dll, ultimately fetching data.bin, containing the ransomware payload. On one host, the attempt was blocked by Microsoft Defender; on another, encryption proceeded unhindered. The absence of command-line parameters during execution suggests the attack was not spread across accessible network shares.
It is particularly noteworthy that both victim organizations were genuine SentinelOne customers. Yet the placement of SentinelBrowserNativeHost.exe within the Downloads folder was highly unusual. Telemetry showed millions of legitimate daily executions of this binary across customer environments, but virtually never from Downloads. Such anomalies can serve as a strong indicator of compromise. Modern SIEM and EDR solutions are well-positioned to detect such behavior — for example, MaxPatrol SIEM and EDR’s DLL_Side_Loading rule identifies attempts to load a substituted library from the same directory as a binary.
Before initiating encryption, Cephalus systematically crippled recovery options and blinded defenses. Researchers observed the deletion of shadow volume copies and a sequence of PowerShell commands and registry modifications aimed at disabling Windows Defender, adding exclusions, and halting related services. These preparatory actions preceded both ransom note creation and the encryption process, aligning with standard tactics of modern ransomware groups. Behavioral analytics modules such as MaxPatrol BAD can flag such activities: any anomalous process execution, library injection, or deviation from baseline behavior is rated highly by AI/ML engines, enabling earlier detection of the threat.
Another notable detail was the ransom note itself. Each instance began with a blunt self-introduction (“We’re Cephalus”), included claims of having stolen “confidential data,” and provided instructions for communication. Unlike earlier variants circulated on social media, these notes were tailored to the victim’s domain and embedded links to two “news articles” about prior Cephalus attacks — likely intended to heighten pressure and bolster the group’s reputation. In some cases, victims were directed to a GoFile link with a password to verify samples of allegedly stolen files.
MEGA featured prominently, not only as an exfiltration endpoint but also within host activity: executions of MEGAcmdUpdater.exe were recorded, and in one case, even a Scheduled Task invoked it. This aligns with the double extortion model, where encryption is paired with prior data theft. NTA/NDR systems such as PT NAD are capable of detecting these attack phases, including suspicious RDP connections, lateral movement, cloud storage interactions, and outbound exfiltration.
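The detection opportunities described above (a product binary executing from a user's Downloads folder, a DLL resolved from that same directory, Defender tampering and shadow-copy deletion on the command line, MEGA client execution, and a match against the two SHA-256 indicators the article lists) can be expressed as simple rules over endpoint telemetry. The Python sketch below is an added illustration, not code from the original report, from SentinelOne, or from any MaxPatrol product; the event schema, host names, file paths, and regular expressions are assumptions, and the telemetry records are constructed for the example.

```python
import re
from dataclasses import dataclass


@dataclass
class Event:
    """One endpoint telemetry record (constructed shape, not a real EDR schema)."""
    kind: str            # "process" (process creation) or "imageload" (DLL load)
    host: str
    image: str           # full path of the process image
    cmdline: str = ""    # command line, process events only
    loaded: str = ""     # full path of the loaded DLL, imageload events only
    sha256: str = ""     # hash of the process image, when the sensor provides it


# User-writable profile folders; a product binary normally runs from its install path.
USER_DIR_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\(downloads|desktop|documents|public)\\", re.I)
# Legitimate binary the article reports being abused for DLL side-loading.
ABUSED_BINARIES = {"sentinelbrowsernativehost.exe"}
# MEGA client executables; MEGAcmdUpdater.exe is the one named in the article.
CLOUD_TOOLS = {"megacmdupdater.exe", "megacmd.exe", "megasync.exe"}
# File hashes published in the article's indicator list.
KNOWN_HASHES = {
    "0d9dfc113712054d8595b50975efd9c68f4cb8960eca010076b46d2fba3d2754": "SentinelBrowserNativeHost.exe",
    "82f5fb086d15a8079c79275c2d4a6152934e2dd61cc6a4976b492f74062773a7": "SentinelAgentCore.dll",
}
# Command-line patterns for Defender tampering and shadow-copy deletion (assumed coverage).
DEFENDER_TAMPER_RE = re.compile(
    r"(set|add)-mppreference|disablerealtimemonitoring|exclusionpath|"
    r"\\policies\\microsoft\\windows defender|(sc|net)(\.exe)?\s+stop\s+windefend", re.I)
SHADOW_RE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)
# Categories that together indicate pre-encryption staging on one host.
STAGING = {"suspicious_binary_location", "dll_side_loading", "defender_tampering", "shadow_copy_deletion"}


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _dir(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower()


def analyze(events):
    """Return (category, host, detail) findings for every rule an event trips."""
    findings = []
    for ev in events:
        name = _base(ev.image)
        if ev.sha256.lower() in KNOWN_HASHES:
            findings.append(("ioc_hash_match", ev.host, f"{ev.image} ({KNOWN_HASHES[ev.sha256.lower()]})"))
        if ev.kind == "process":
            if name in ABUSED_BINARIES and USER_DIR_RE.match(ev.image):
                findings.append(("suspicious_binary_location", ev.host, ev.image))
            if name in CLOUD_TOOLS:
                findings.append(("cloud_tool_execution", ev.host, ev.image))
            if DEFENDER_TAMPER_RE.search(ev.cmdline):
                findings.append(("defender_tampering", ev.host, ev.cmdline))
            if SHADOW_RE.search(ev.cmdline):
                findings.append(("shadow_copy_deletion", ev.host, ev.cmdline))
        elif ev.kind == "imageload":
            # Side-loading: the DLL was resolved from the binary's own directory, and that
            # directory is a user profile folder rather than the product's install path.
            if _dir(ev.loaded) == _dir(ev.image) and USER_DIR_RE.match(ev.image):
                findings.append(("dll_side_loading", ev.host, f"{ev.image} -> {ev.loaded}"))
    return findings


def correlate(findings):
    """Hosts showing at least two distinct staging categories, sorted by name."""
    by_host = {}
    for category, host, _ in findings:
        by_host.setdefault(host, set()).add(category)
    return sorted(h for h, cats in by_host.items() if len(cats & STAGING) >= 2)


# Constructed telemetry: a clean baseline host and a host replaying the article's chain.
INSTALL = r"C:\Program Files\SentinelOne\Sentinel Agent"          # assumed install path
SAMPLE_EVENTS = [
    Event("process", "WS-CONSTRUCTED-02", INSTALL + r"\SentinelBrowserNativeHost.exe"),
    Event("imageload", "WS-CONSTRUCTED-02", INSTALL + r"\SentinelBrowserNativeHost.exe",
          loaded=INSTALL + r"\SentinelAgentCore.dll"),
    Event("process", "WS-CONSTRUCTED-01", r"C:\Users\jdoe\Downloads\SentinelBrowserNativeHost.exe",
          sha256="0d9dfc113712054d8595b50975efd9c68f4cb8960eca010076b46d2fba3d2754"),
    Event("imageload", "WS-CONSTRUCTED-01", r"C:\Users\jdoe\Downloads\SentinelBrowserNativeHost.exe",
          loaded=r"C:\Users\jdoe\Downloads\SentinelAgentCore.dll"),
    Event("process", "WS-CONSTRUCTED-01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          cmdline="powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true"),
    Event("process", "WS-CONSTRUCTED-01", r"C:\Windows\System32\vssadmin.exe",
          cmdline="vssadmin.exe delete shadows /all /quiet"),
    Event("process", "WS-CONSTRUCTED-01", r"C:\Users\jdoe\AppData\Local\MEGAcmd\MEGAcmdUpdater.exe"),
]

if __name__ == "__main__":
    results = analyze(SAMPLE_EVENTS)
    for category, host, detail in results:
        print(f"{host:18} {category:26} {detail}")
    print("staging hosts:", correlate(SAMPLE_EVENTS and results))
```

The baseline host produces no findings even though its DLL also loads from the binary's own directory: the side-loading rule keys on the directory being a user profile folder, which is what made the Downloads execution stand out in the article's telemetry. The per-host correlation is what turns individually noisy signals (a cloud tool, one PowerShell command) into a pre-encryption staging alert worth paging on.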
A recognizable profile of Cephalus is beginning to take shape. Indicators included the “.sss” extension on encrypted files, ransom notes named recover.txt, the operator’s working directory at C:\Users\[user]\Downloads, a host named Desktop-uabs01, and the following file hashes:
- SentinelBrowserNativeHost.exe SHA-256: 0d9dfc113712054d8595b50975efd9c68f4cb8960eca010076b46d2fba3d2754
- SentinelAgentCore.dll SHA-256: 82f5fb086d15a8079c79275c2d4a6152934e2dd61cc6a4976b492f74062773a7
Cephalus fits squarely within the ransomware landscape but distinguishes itself by combining traditional entry vectors with an unconventional execution method through a legitimate binary. For defenders, the lessons remain clear: disable RDP without MFA, monitor anomalous launches of SentinelBrowserNativeHost.exe (particularly from user directories), restrict or tightly control the use of MEGA and similar tools, and vigilantly track any attempts to tamper with Windows Defender’s settings or services. The greater the visibility before encryption begins, the higher the chances of disrupting the attack before ransom notes — and downtime — appear.