{
	"id": "7e620643-6b49-4050-a92b-c6016e2f341a",
	"created_at": "2026-04-06T01:30:41.452085Z",
	"updated_at": "2026-04-10T03:31:42.269998Z",
	"deleted_at": null,
	"sha1_hash": "f8b56cdf8ac2641660351f4a0c587ecaa361564c",
	"title": "HellCat and Morpheus | Two Brands, One Payload as Ransomware Affiliates Drop Identical Code",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 7591417,
	"plain_text": "HellCat and Morpheus | Two Brands, One Payload as Ransomware\r\nAffiliates Drop Identical Code\r\nBy Jim Walter\r\nPublished: 2025-01-23 · Archived: 2026-04-06 00:39:12 UTC\r\nThe previous six months have seen heightened activity around new and emerging ransomware operations. Across\r\nthe tail-end of 2024 and into 2025, we have seen the rise of groups such as FunkSec, Nitrogen and Termite. In\r\naddition, we have seen the return of Cl0p and a new version of LockBit (aka LockBit 4.0).\r\nWithin this period of accelerated activity, the Ransomware-as-a-Service offerings HellCat and Morpheus have\r\ngained additional momentum and notoriety. Operators behind HellCat, in particular, have been vocal in their\r\nefforts to establish the RaaS as a ‘reputable’ brand and service within the crimeware economy.\r\nAs a result of this recent activity, we analyzed payloads from both HellCat and Morpheus ransomware operations.\r\nIn this post, we discuss how affiliates across both operations are compiling payloads that contain almost identical\r\ncode. We take a high-level look at two samples in particular and examine their characteristics and behavior.\r\nHellCat Overview\r\nHellCat Ransomware emerged in mid-2024. The primary operators behind HellCat are high-ranking members of\r\nthe BreachForums community and its various factions. These personas, including Rey, Pryx, Grep and\r\nIntelBroker, have been affiliated with the breaches of numerous high-value targets.\r\nhttps://www.sentinelone.com/blog/hellcat-and-morpheus-two-brands-one-payload-as-ransomware-affiliates-drop-identical-code/\r\nPage 1 of 9\n\nHellCat has leaned heavily into the public side of their persona with novel ransom demands and direct media\r\ncoverage to drive their position within the ransomware landscape. 
By their own admissions, HellCat operators are\r\nfocused on high-value “big game” targets and government entities.\r\nMorpheus Overview\r\nMorpheus RaaS launched a data leak site (DLS) in December 2024, though the group’s activity can be tracked\r\nback to at least September. Morpheus functions as a semi-private RaaS, and its public branding efforts are far less\r\nvisible than HellCat’s.\r\nAt the time of writing, Morpheus has listed two victims in the pharmaceutical and manufacturing industries. The\r\naffiliate discussed below currently targets Italian organizations with a focus on virtual ESXi environments.\r\nRansom demands from Morpheus affiliates are known to reach as high as 32 BTC (~$3 million USD as of this\r\nwriting).\r\nAn Affiliate in Common\r\nIn late December 2024, our research team observed two similar ransomware payloads uploaded to VirusTotal on\r\nDecember 22 and December 30.\r\nSHA1 Filename Uploaded\r\nf86324f889d078c00c2d071d6035072a0abb1f73 100M.exe December 22, 2024\r\nb834d9dbe2aed69e0b1545890f0be6f89b2a53c7 100M_redacted.exe December 30, 2024\r\nBoth files were uploaded to VirusTotal via the web interface from a user who was not signed in and bear the same\r\nsubmitter ID. 
Based on this and other telemetry data, we believe it is likely that the samples were uploaded by the\r\nsame affiliate dabbling in both Morpheus and HellCat campaigns.\r\nHellCat VirusTotal Submission\r\nMorpheus VirusTotal Submission\r\nThese two payload samples are identical except for victim-specific data and the attacker contact details.\r\nZoomed out comparison of payload binaries (differences highlighted)\r\nZoomed in comparison of payload binaries (differences highlighted)\r\nPayload Behavior\r\nThe Morpheus/HellCat payload is a standard 64-bit PE file. Both samples are ~18 KB in size. Execution of the\r\npayload requires that a path be provided as an argument. The ww argument is also accepted, and this was the\r\nparameter used by the affiliate associated with these samples.\r\nencryptor.exe ww\r\nencryptor.exe {path}\r\nA further file named er.bat was uploaded to VirusTotal with the same submitter ID on December 31, 2024 and\r\ngives us a glimpse into how the Morpheus sample was executed on target systems. er.bat (SHA1:\r\nf62d2038d00cb44c7cbd979355a9d060c10c9051) contains multiple copy commands, followed by execution of\r\nthe ransomware.\r\ner.bat launches Morpheus ransomware\r\nOther files referenced in er.bat are associated with nginx (web server) and various Trend Micro products. The\r\nscript copies these items from a network share to the local C:\\users\\public\\ folder, followed by execution of\r\nthe Morpheus ransomware with the ww parameter.\r\nBoth the HellCat and Morpheus samples are built with a hard-coded list of extensions to exclude from the\r\nencryption process:\r\n.dll\r\n.sys\r\n.exe\r\n.drv\r\n.com\r\n.cat\r\nAdditionally, the ransomware excludes the \\Windows\\System32 folder from encryption.\r\nUpon launch, the payload processes files in the targeted path. 
An unusual characteristic of these Morpheus and\r\nHellCat payloads is that they do not alter the extension of targeted and encrypted files. The file contents will be\r\nencrypted, but file extensions and other metadata remain intact after processing by the ransomware.\r\nHellCat-encrypted files, no extension change\r\nThe Morpheus and HellCat samples use the Windows Cryptographic API for key generation and file encryption.\r\nBCrypt is used to generate an encryption key, followed by encryption of the contents of the file. Similar\r\napproaches to encryption (using the Windows Cryptographic API) have been taken in the past by early versions of\r\nLockBit and ALPHV and many others.\r\nHellCat key generation via BCrypt\r\nBCryptEncrypt is, in turn, used to encrypt the contents of each file processed.\r\nBCrypt / Windows Crypto use in HellCat/Morpheus\r\nThere are no further system modifications made beyond the file encryption and ransom note drop (no wallpaper\r\nchange, scheduled tasks, or persistence mechanisms).\r\nFor both Morpheus and HellCat, the ransom note is written to disk as _README_.txt. Once all available files, on\r\nall available volumes, have been processed, the ransom note will be launched via Notepad from the\r\nC:\\Users\\Public\\_README_.txt instance of the file.\r\nDisplay of HellCat/Morpheus ransom note\r\nMorpheus ransom note displayed post-encryption\r\nHellCat (left) and Morpheus (right) ransom notes\r\nRansom notes for the payloads are nearly identical and follow the same template and flow. 
The only differences\r\nare from the “Sources of Information” section onward.\r\nVictim-specific infrastructure varies, but the layout within the note is the same, with the same quantity of sources\r\nlisted across each note. The “Contacts” section contains the operation-specific contact details (HellCat or\r\nMorpheus), including the contact email address, .onion URL and victim login details. In each note, victims are\r\ninstructed to log in to the attacker’s .onion portal with a provided set of credentials.\r\nAttackers’ contact details displayed in the ransom notes\r\nSimilarities with Underground Team Ransomware\r\nUnderground Team emerged as a RaaS operation in early-to-mid 2023. It is still active as of this writing and the\r\nassociated data leak site has entries as recent as December 2024.\r\nUnderground Team data leak site as of January 2025\r\nThe ransom notes for HellCat and Morpheus described in the previous section follow the same template as\r\nanalyzed notes from the Underground Team.\r\nUnderground Team ransom note\r\nDespite this similarity, the ransomware payloads analyzed from the Underground Team are structurally and\r\nfunctionally different from HellCat and Morpheus samples. Presently, there is not sufficient evidence to support\r\nany sort of shared codebase or ‘partnering’ between Underground Team, HellCat and Morpheus. While it is\r\nentirely possible that there are affiliates tied to both Underground Team and HellCat/Morpheus, assuming\r\nany deeper connection would be speculation at this time.\r\nConclusion\r\nHellCat and Morpheus payloads are almost identical, and both are atypical of other ransomware families in leaving\r\noriginal file extensions in place after encryption. 
While it is not possible to assess the full extent of interaction\r\nbetween the owners and operators of these ransomware services, it appears that a shared codebase or possibly a\r\nshared builder application is being leveraged by affiliates tied to both groups.\r\nAs these operations continue to compromise businesses and organizations, understanding how common code is\r\nsourced and shared across these groups can help inform detection efforts and improve threat intelligence regarding\r\nhow these groups operate.\r\nSentinelOne Singularity is capable of detecting and preventing the malicious behaviors and TTPs associated with\r\nHellCat and Morpheus ransomware.\r\nIndicators of Compromise\r\nFiles (SHA1):\r\nb834d9dbe2aed69e0b1545890f0be6f89b2a53c7 “HellCat”\r\nf62d2038d00cb44c7cbd979355a9d060c10c9051 er.bat (Morpheus)\r\nf86324f889d078c00c2d071d6035072a0abb1f73 “Morpheus”\r\nNetwork:\r\nhellcakbszllztlyqbjzwcbdhfrodx55wq77kmftp4bhnhsnn5r3odad[.]onion HellCat DLS\r\nizsp6ipui4ctgxfugbgtu65kzefrucltyfpbxplmfybl5swiadpljmyd[.]onion Morpheus DLS\r\nhellcat[.]locker HellCat file service\r\nPersonas:\r\nh3llr4ns[@]onionmail[.]com\r\nmorpheus[@]onionmail[.]com\r\nSource: https://www.sentinelone.com/blog/hellcat-and-morpheus-two-brands-one-payload-as-ransomware-affiliates-drop-identical-code/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.sentinelone.com/blog/hellcat-and-morpheus-two-brands-one-payload-as-ransomware-affiliates-drop-identical-code/"
	],
	"report_names": [
		"hellcat-and-morpheus-two-brands-one-payload-as-ransomware-affiliates-drop-identical-code"
	],
	"threat_actors": [
		{
			"id": "a602818a-34da-445f-9bac-715cc9b47a3d",
			"created_at": "2025-07-12T02:04:58.190857Z",
			"updated_at": "2026-04-10T02:00:03.850831Z",
			"deleted_at": null,
			"main_name": "GOLD PUMPKIN",
			"aliases": [
				"HellCat"
			],
			"source_name": "Secureworks:GOLD PUMPKIN",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "13623ffb-4701-4f3d-bf32-8826346433ac",
			"created_at": "2024-12-21T02:00:02.850766Z",
			"updated_at": "2026-04-10T02:00:03.784245Z",
			"deleted_at": null,
			"main_name": "FunkSec",
			"aliases": [],
			"source_name": "MISPGALAXY:FunkSec",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0263e1e1-4568-410a-a5e4-6932db1d40da",
			"created_at": "2024-06-26T02:00:04.854969Z",
			"updated_at": "2026-04-10T02:00:03.667295Z",
			"deleted_at": null,
			"main_name": "IntelBroker",
			"aliases": [],
			"source_name": "MISPGALAXY:IntelBroker",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775439041,
	"ts_updated_at": 1775791902,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f8b56cdf8ac2641660351f4a0c587ecaa361564c.pdf",
		"text": "https://archive.orkl.eu/f8b56cdf8ac2641660351f4a0c587ecaa361564c.txt",
		"img": "https://archive.orkl.eu/f8b56cdf8ac2641660351f4a0c587ecaa361564c.jpg"
	}
}