SentinelOne researchers highlighted similarities in the approaches used by the HellCat and Morpheus ransomware groups, suggesting shared infrastructure
Analysis Summary
# Threat Actor: HellCat and Morpheus
## Attribution & Identity
- **HellCat:** Emerged mid-2024. Primary operators are thought to be high-ranking members of the BreachForums community and its various factions.
- **Morpheus:** Emerged in late 2024 (activity tracked to September 2024). Described as a "semi-private" RaaS operation.
- **Association:** Payloads from both groups contain almost identical code and share behavioral characteristics, suggesting affiliates are using shared infrastructure or a common codebase/builder application.
- **Related Group:** Ransom notes share characteristics with those used by the Underground Team group, though their payloads are structurally different.
## Activity Summary
- **HellCat:** Targeted "big game" entities and government organizations. Reportedly behind a ransomware attack on telco giant **Telefónica in January 2025**, resulting in the theft of over 236,000 lines of customer data.
- **Morpheus:** Launched a data leak site in December 2024. Observed uploading similar ransomware payloads to VirusTotal on December 22 and 30, 2024, likely by the same affiliate active in both Morpheus and HellCat campaigns.
## Tactics, Techniques & Procedures
- **Shared Codebase/Payload:** Both employ almost identical ransomware payloads.
- **Atypical Encryption:** Encrypted files keep their original extension, likely to evade detection.
- **Minimal System Modification:** Actions are limited primarily to file encryption and the dropping of a ransom note, avoiding further system modifications to evade detection.
- **Ransom Note Placement/Launch:** Ransom notes are written to disk as `_README_.txt`. The note for both is launched via notepad from the `C:\Users\Public\_README_.txt` location after all files are processed.
- **Note Template:** Ransom notes follow the same template and flow, listing the same quantity of sources.
- **Observed TTPs (General Trend):** Part of a growing trend illustrating collaboration and shared TTPs among ransomware affiliates moving between different RaaS operators.
## Targeting
- **Sectors:** Telecommunications (Telco), Government entities.
- **Geography:** Specific geography is not detailed for either group, though Telefónica is a major international entity.
- **Victims:**
* **HellCat:** Telefónica (Telco giant, January 2025).
## Tools & Infrastructure
- **Malware families used:** HellCat Ransomware, Morpheus Ransomware (shared codebase).
- **Infrastructure (C2, domains, IPs):** Shared infrastructure is implied by the common code/builder. No specific malicious IPs or domains were detailed in the text excerpts.
## Implications
The emergence of Morpheus and its immediate overlap with HellCat indicate a fragmentation of the ransomware ecosystem, where affiliates leverage shared resources or toolsets instead of developing unique malware for each RaaS platform. This brings operational efficiencies for the operators and makes attributing an attack to a specific group more challenging when the core payloads are identical. The trend demonstrates growing collaboration or shared development within the ransomware underground.
## Mitigations
- Focus on detecting behavior that deviates from normal operations (e.g., mass file encryption).
- Implement defenses capable of identifying encryption patterns that do not follow standard naming conventions (e.g., lack of modified file extensions).
- Monitor for the specific ransom note deployment mechanism (`C:\Users\Public\_README_.txt` launched via notepad).
- Monitor for potential lateral movement and for code sharing between known ransomware affiliate operations.
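The two observable behaviours above (the ransom note launched via notepad from `C:\Users\Public\_README_.txt`, and in-place encryption that leaves file extensions unchanged) can be turned into detection logic. The following is an added example, not code from the SentinelOne report; the event shapes, the magic-byte shortlist and the thresholds are assumptions, and the telemetry in `demo()` is constructed.

```python
import math
from collections import defaultdict

NOTE_PATH = r"c:\users\public\_readme_.txt"  # note location named in the report
# Expected leading bytes per extension (assumed shortlist for illustration).
MAGIC = {".pdf": b"%PDF-", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04",
         ".png": b"\x89PNG", ".zip": b"PK\x03\x04"}
TEXT_EXTS = {".txt", ".csv", ".xml", ".json", ".log"}

def is_note_launch(event):
    """Process-creation event: notepad opening the ransom note path."""
    image = event.get("image", "").lower()
    return image.endswith("\\notepad.exe") and NOTE_PATH in event.get("command_line", "").lower()

def shannon_entropy(data):
    """Bits per byte: 0.0 for empty input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def looks_encrypted(path, head):
    """Name says one format, bytes say another: the in-place encryption signature."""
    ext = path[path.rfind("."):].lower() if "." in path else ""
    if ext in MAGIC:
        return not head.startswith(MAGIC[ext])  # structure gone, extension kept
    if ext in TEXT_EXTS:
        return shannon_entropy(head) > 7.0      # text files never look this random
    return False  # unknown type: no opinion (compressed formats are naturally high entropy)

def mass_inplace_encryption(file_events, threshold=10):
    """Flag PIDs that rewrote at least `threshold` files with format-mismatched content."""
    per_proc = defaultdict(set)
    for ev in file_events:
        if looks_encrypted(ev["path"], ev["head"]):
            per_proc[ev["pid"]].add(ev["path"].lower())
    return {pid for pid, paths in per_proc.items() if len(paths) >= threshold}

def demo():
    """Constructed telemetry: PID 4242 rewrites 12 files in place, PID 100 is benign."""
    proc = {"image": r"C:\Windows\System32\notepad.exe",
            "command_line": r'"C:\Windows\System32\notepad.exe" C:\Users\Public\_README_.txt'}
    ciphertext = bytes(range(256)) * 2  # maximal-entropy stand-in for encrypted content
    events = [{"pid": 4242, "path": rf"C:\Data\report{i}.pdf", "head": ciphertext} for i in range(6)]
    events += [{"pid": 4242, "path": rf"C:\Data\notes{i}.txt", "head": ciphertext} for i in range(6)]
    events += [{"pid": 100, "path": r"C:\Data\ok.pdf", "head": b"%PDF-1.7 benign"},
               {"pid": 100, "path": r"C:\Data\ok.txt", "head": b"plain text " * 40}]
    return is_note_launch(proc), sorted(mass_inplace_encryption(events))
```

Because the payload does not rename files, the check keys on content rather than extension: a `.pdf` that no longer starts with `%PDF-`, or a text file whose bytes are near-random, is the signal an extension-based rule would miss.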