New Ransomware Group Cephalus Emerges with Sophisticated Go-Based Malware

Researchers have identified a new ransomware group named Cephalus, which surfaced in mid-June 2025. The group uses custom-built Go-based ransomware and sophisticated anti-analysis mechanisms. Cephalus targets organizations by brute-forcing or purchasing compromised RDP credentials, particularly those without MFA. Once inside, they exfiltrate sensitive data before encryption, applying additional pressure through public leaks. The group operates independently, with no clear ties to existing ransomware operations. Their ransomware includes mechanisms to thwart dynamic analysis and forensic recovery, such as creating fake AES keys and using a custom SecureMemory structure to manage encryption keys.

Latest mentioned: 11-07

Earliest mentioned: 11-04

Sources

ahnlab.com ahnlab.com securityonline.info cybersum.net

Also Read

Cyber-Espionage Group Uses Hyper-V for Stealthy Attacks

A cyber-espionage group known as Curly COMrades has been leveraging Microsoft Hyper-V virtualization to establish stealthy, persistent access within compromised networks. The group uses a lightweight Alpine Linux virtual machine to host custom malware, CurlyShell and CurlCat, which operate within a virtualized enclave invisible to host-based endpoint detection and response (EDR) tools. The attackers also rely on PowerShell scripts for persistence and lateral movement, including a custom Kerberos Ticket Injector script. The investigation was conducted in collaboration with a national CERT, which provided critical evidence from a compromised web server used as a proxy for the attacker's C2 infrastructure.

11-06Read more →