Researchers Warn of Cephalus Ransomware Using RDP for Intrusions

Arsalan Rathore


August 28, 2025
Updated on August 28, 2025

A newly discovered ransomware strain called Cephalus has emerged as a significant threat. It targets organizations through compromised Remote Desktop Protocol (RDP) connections.

The name Cephalus comes from Greek mythology. He was the son of Hermes who accidentally killed his wife with an unfailing javelin. This reference reflects the precision and destructive nature of the malware.

Unlike traditional ransomware families, Cephalus employs a distinctive infection chain and advanced evasion techniques. Attackers gain entry by exploiting weak RDP credentials not protected by multi-factor authentication, a persistent weakness in many organizations worldwide.

Once inside the network, the attackers exfiltrate data using the MEGA cloud storage platform before launching the ransomware payload. Analysts observed this during incidents on August 13 and August 16, 2025, where organizations running SentinelOne security tools were compromised.

DLL Sideloading and Execution Chain

The most notable aspect of Cephalus is its deployment method. The attackers abuse a legitimate SentinelOne file named SentinelBrowserNativeHost.exe, which they place in the victim’s Downloads folder. This executable then loads a malicious DLL named SentinelAgentCore.dll, which in turn executes a file called data.bin containing the ransomware code. This multi-stage execution strategy makes detection far more difficult.
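The defender-side corollary of this chain is a simple location check: a vendor binary that is legitimate and signed, but executes from a user-writable directory such as Downloads and resolves a vendor-named DLL from that same directory, is the sideloading tell. The following is an added example for this article, not code from the article or from SentinelOne. It evaluates constructed Sysmon-style image-load records; the two file names come from the article, while `TRUSTED_ROOTS`, the sample paths, and the placeholder install directory are assumptions.

```python
"""Flag the sideloading pattern described above: a watched vendor binary running
outside the expected install roots and loading a watched DLL from the same
user-writable directory.

Added example (not the article's or SentinelOne's code). Event shape mimics a
Sysmon ImageLoad record and is constructed here; TRUSTED_ROOTS and all sample
paths are assumptions. Only the two file names are taken from the article.
"""

# Directories where vendor binaries are expected to live (assumption; a real
# deployment should derive this from software inventory, not hard-code it).
TRUSTED_ROOTS = (
    r"c:\program files",
    r"c:\program files (x86)",
    r"c:\windows",
)

# The legitimate host binary and the DLL it was observed loading (from the article).
WATCHED_IMAGES = {"sentinelbrowsernativehost.exe"}
WATCHED_MODULES = {"sentinelagentcore.dll"}


def _norm(path: str) -> str:
    """Lower-case and use backslashes so comparisons ignore case and slash style."""
    return path.replace("/", "\\").lower()


def _basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def _dirname(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[0]


def _under_trusted_root(path: str) -> bool:
    p = _norm(path)
    return any(p.startswith(root + "\\") for root in TRUSTED_ROOTS)


def assess_image_load(event: dict) -> list[str]:
    """Return findings for one image-load event; an empty list means nothing suspicious."""
    image, module = event["image"], event["loaded_module"]
    findings = []
    if _basename(image) in WATCHED_IMAGES and not _under_trusted_root(image):
        findings.append(f"watched binary outside trusted install roots: {image}")
    if _basename(module) in WATCHED_MODULES and not _under_trusted_root(module):
        findings.append(f"watched DLL loaded from untrusted location: {module}")
    # The sideloading tell: host and DLL were both resolved from the same untrusted directory.
    if findings and _dirname(image) == _dirname(module):
        findings.append("host binary and DLL share an untrusted directory (sideloading pattern)")
    return findings


def suspicious_events(events: list[dict]) -> list[dict]:
    """Return only the events that produced findings, with the findings attached."""
    out = []
    for ev in events:
        hits = assess_image_load(ev)
        if hits:
            out.append({**ev, "findings": hits})
    return out


# Constructed sample events. The Program Files path and the DLL name in the first
# record are placeholders standing in for a normal, in-place product load.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\SentinelOne\SentinelBrowserNativeHost.exe",
     "loaded_module": r"C:\Program Files\SentinelOne\placeholder_product_library.dll"},
    {"image": r"C:\Users\jdoe\Downloads\SentinelBrowserNativeHost.exe",
     "loaded_module": r"C:\Users\jdoe\Downloads\SentinelAgentCore.dll"},
]

if __name__ == "__main__":
    for ev in suspicious_events(SAMPLE_EVENTS):
        print(ev["image"])
        for finding in ev["findings"]:
            print("  -", finding)
```

The first sample record (product binary in its install directory) yields no findings; the second (same binary name in Downloads, loading the DLL beside it) yields three. In production the same logic runs over EDR or Sysmon Event ID 7 telemetry, and the trusted-root list should come from inventory so that a vendor's real install path never trips the rule.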

Once active, the ransomware immediately works to block recovery options. It runs commands to delete all volume shadow copies using vssadmin, ensuring victims cannot restore encrypted files. It also disables Windows Defender protections by executing PowerShell commands that create exclusions for key system processes and file types such as cache, tmp, dat, and sss.

Registry modifications follow, which turn off real-time monitoring, behavior analysis, and access protection. Services tied to Windows Defender, including SecurityHealthService, Sense, WinDefend, and WdNisSvc, are also stopped and disabled through hidden PowerShell executions.
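Each step in this recovery-blocking sequence leaves a distinctive process command line, which is the most reliable place to catch it. The block below is an added example for this article, not code from the article or from any vendor: it runs a small rule set over constructed command-line log lines covering shadow-copy deletion, Defender exclusion changes, Defender policy registry writes, and stop/disable operations against the four services named above, and separately notes when a PowerShell window was hidden. The sample lines are constructed to mirror the behaviours the article describes; the exact switches and registry values are assumptions, not quoted from the malware.

```python
"""Classify process command lines against the recovery-inhibition behaviours
described above. Added example, not the article's code. Sample lines are
constructed; the four Defender service names come from the article.
"""
import re

DEFENDER_SERVICES = ("securityhealthservice", "sense", "windefend", "wdnissvc")

# (rule name, compiled pattern). Patterns are deliberately loose on spacing and case.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("defender_exclusion_added",
     re.compile(r"set-mppreference\b.*-exclusion(?:path|extension|process)\b", re.I)),
    ("defender_protection_disabled_via_cmdlet",
     re.compile(r"set-mppreference\b.*-disable(?:realtimemonitoring|behaviormonitoring|ioavprotection)\b", re.I)),
    ("defender_protection_disabled_via_policy_registry",
     re.compile(r"windows defender.*\bdisable(?:realtimemonitoring|behaviormonitoring|onaccessprotection)\b", re.I)),
    ("defender_service_stopped_or_disabled",
     re.compile(r"(?:stop-service|set-service|\bsc(?:\.exe)?\s+(?:stop|config))\b.*\b(?:"
                + "|".join(DEFENDER_SERVICES) + r")\b", re.I)),
]

# powershell.exe accepts unambiguous prefixes of -WindowStyle, so match the common short forms too.
HIDDEN_WINDOW = re.compile(r"-w(?:in(?:dowstyle)?)?\s+hidden\b", re.I)


def classify(cmdline: str) -> list[str]:
    """Return the names of every rule the command line matches (empty list = no hit).

    The hidden-window tag is only added when a substantive rule also fired, so a
    hidden window on its own does not generate noise.
    """
    hits = [name for name, rx in RULES if rx.search(cmdline)]
    if hits and HIDDEN_WINDOW.search(cmdline):
        hits.append("hidden_powershell_window")
    return hits


def triage(lines: list[str]) -> dict[str, list[str]]:
    """Map each command line that produced at least one hit to its list of hits."""
    result = {}
    for line in lines:
        hits = classify(line)
        if hits:
            result[line] = hits
    return result


# Constructed sample command lines (not captured from an incident).
SAMPLE_COMMAND_LINES = [
    r"vssadmin delete shadows /all /quiet",
    r'powershell.exe -w hidden -c "Set-MpPreference -ExclusionExtension cache,tmp,dat,sss"',
    r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" '
    r"/v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f",
    r'powershell -WindowStyle Hidden -Command "Stop-Service -Name WinDefend -Force; '
    r'Set-Service -Name WinDefend -StartupType Disabled"',
    r"vssadmin list shadows",                 # benign: read-only query
    r"powershell -Command Get-MpPreference",  # benign: read-only query
]

if __name__ == "__main__":
    for line, hits in triage(SAMPLE_COMMAND_LINES).items():
        print(f"{', '.join(hits):60s} <- {line}")
```

Four of the six constructed lines fire; the two read-only queries stay silent, which matters because `vssadmin list shadows` and `Get-MpPreference` are routine administrative commands. In a SIEM the equivalent rules would be keyed on Sysmon Event ID 1 or Windows Security Event ID 4688 command-line fields, and the registry rule would additionally be backed by registry-write telemetry since the same values can be set without a visible `reg add`.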

Ransom Note and Impact

The ransom notes dropped by Cephalus are unusual in that they reference genuine news articles about earlier attacks. This is designed to convince victims of the threat’s credibility and to pressure them into compliance. Encrypted files are given the extension .sss, while instructions for payment are stored in recover.txt files.

Protection Measures

To defend against Cephalus, organizations should enforce multi-factor authentication on all RDP access, monitor for misuse of legitimate security tool executables in unexpected locations, and deploy strong endpoint detection and response solutions.


About The Author

Arsalan Rathore

Arsalan Rathore is a tech geek who loves to pen down his thoughts and views on VPN, cybersecurity technology innovation, entertainment, and social issues. He likes sharing his thoughts about the emerging tech trends in the market and also loves discussing online privacy issues.
