Threat Actor: Morpheus

Morpheus is a newly identified ransomware group that launched its operations in late 2024, with activity surging in December 2025. Technical analysis confirms a definitive code overlap with the HellCat ransomware family, suggesting a shared builder or a rebranding effort by the same core developers.

Unlike traditional RaaS groups that prioritize volume, Morpheus operates as a “semi-private” cartel, focusing on high-value “Big Game Hunting” targets in the pharmaceutical and manufacturing sectors.

Victimology

  • Primary Sectors: Pharmaceuticals, Electronics Manufacturing, Critical Infrastructure.
  • Geographic Focus: Europe (Germany) and APAC (Australia).
  • Confirmed Victims:
    • PUS GmbH (Germany): Claimed December 20, 2025. Data exfiltrated includes technical schematics and full customer SQL databases.
    • Arrotex Pharmaceuticals (Australia): 2.5TB of sensitive data allegedly stolen.

Malware Analysis & Cryptography

The Morpheus payload is a 64-bit Portable Executable (PE) that exhibits several unique behaviors distinct from the standard ransomware playbook:

  • Extension-less Encryption: Unlike most ransomware, which appends a custom extension (e.g., .lockbit), Morpheus does not alter file extensions. Encrypted files retain their original names (e.g., document.pdf remains document.pdf), which complicates identification during incident response triage.
  • Encryption Routine:
    • Leverages the Windows Cryptographic API (BCrypt) for key generation.
    • Uses AES-256 for file encryption.
    • Skips critical system files (.dll, .sys, .exe, .drv) to ensure the OS remains bootable for negotiation.
  • Execution Requirements: The binary requires specific command-line arguments to execute, a technique designed to thwart automated sandbox analysis.

Indicators of Compromise (IOCs)

File Artifacts

  • Ransom Note: _README_.txt (Identical template to HellCat and Underground Team notes).
  • Payload Behavior: No persistence mechanisms (Scheduled Tasks/Registry Run keys) are created; the ransomware runs once and terminates.
  • File Path: Often dropped in C:\Users\Public\ before execution.
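
Because the extension stays unchanged, triage cannot rely on file names to find encrypted data. The helper below is an added example (not code from the report or from any vendor analysis of Morpheus) that flags files whose magic bytes no longer match their extension or whose byte entropy is at ciphertext level, treats the .dll/.sys/.exe/.drv set the page says is skipped as expected-intact, and matches the two file-system IOCs listed above (the _README_.txt note name and the C:\Users\Public\ drop directory). The magic-byte table, the 7.5 bits/byte entropy cut-off and the sample files are assumptions constructed for illustration.

```python
"""Added triage helper (not part of the original advisory): flags files that
look encrypted despite keeping their original extension, and matches the
file-system IOCs named on the page (_README_.txt, C:\\Users\\Public\\).
The magic-byte table, the entropy threshold and the sample files are
constructed assumptions, not data from the report."""
import math
from collections import Counter
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Extensions the page says the payload leaves untouched so the host stays bootable.
SKIPPED_EXTENSIONS = {".dll", ".sys", ".exe", ".drv"}

# Ransom note name and common drop directory from the page's IOC list.
RANSOM_NOTE_NAME = "_README_.txt"
DROP_DIRECTORY = PureWindowsPath(r"C:\Users\Public")

# Expected leading bytes per extension (assumption: a small table is enough to
# demonstrate the header check; extend it for a real triage run).
MAGIC_BYTES = {
    ".pdf": [b"%PDF"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".docx": [b"PK\x03\x04"],
    ".xlsx": [b"PK\x03\x04"],
    ".zip": [b"PK\x03\x04"],
    ".gif": [b"GIF87a", b"GIF89a"],
}

# Shannon entropy (bits per byte) above which a file is treated as likely ciphertext.
# Assumption: 7.5 is a common triage cut-off; compressed media can also score high.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Return the Shannon entropy of data in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def header_matches(ext: str, data: bytes) -> Optional[bool]:
    """True/False if the extension has a known header; None if the table has no entry."""
    signatures = MAGIC_BYTES.get(ext.lower())
    if signatures is None:
        return None
    return any(data.startswith(sig) for sig in signatures)


def classify_file(path: str, data: bytes) -> dict:
    """Classify one file by its path and contents.

    verdict is one of:
      "ransom_note"      - file name matches the page's _README_.txt IOC
      "expected_intact"  - extension the payload skips and contents look unencrypted
      "likely_encrypted" - header mismatch for a known type, or ciphertext-level entropy
      "clean"            - header matches or entropy is low
    """
    p = PureWindowsPath(path)
    ext = p.suffix.lower()
    entropy = shannon_entropy(data)
    result = {
        "path": path,
        "entropy": round(entropy, 3),
        "in_drop_dir": p.parent == DROP_DIRECTORY,  # C:\Users\Public\ from the IOC list
    }

    if p.name == RANSOM_NOTE_NAME:
        result["verdict"] = "ransom_note"
        return result

    if ext in SKIPPED_EXTENSIONS:
        # The page says these are left alone; an encrypted-looking one is unexpected.
        result["verdict"] = "expected_intact" if entropy < ENTROPY_THRESHOLD else "likely_encrypted"
        return result

    match = header_matches(ext, data)
    if match is True:
        result["verdict"] = "clean"
    elif match is False:
        # Known type whose magic bytes are gone: the strongest signal for extension-less encryption.
        result["verdict"] = "likely_encrypted"
    else:
        result["verdict"] = "likely_encrypted" if entropy >= ENTROPY_THRESHOLD else "clean"
    return result


def triage(files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Group paths by verdict for path -> contents pairs (e.g. read from a mounted image)."""
    grouped: Dict[str, List[str]] = {}
    for path, data in files.items():
        verdict = classify_file(path, data)["verdict"]
        grouped.setdefault(verdict, []).append(path)
    return grouped


# Constructed sample "disk image" for demonstration: not real victim data.
SAMPLE_FILES = {
    r"C:\Users\alice\Documents\quarterly.pdf": b"%PDF-1.7\n" + b"0" * 400,
    r"C:\Users\alice\Documents\schematic.pdf": bytes(range(256)) * 4,  # header gone, entropy 8.0
    r"C:\Windows\System32\kernel32.dll": b"MZ" + b"\x00" * 300,
    r"C:\Users\Public\_README_.txt": b"constructed placeholder note body",
    r"C:\Users\alice\notes.bin": bytes(range(256)) * 2,  # unknown type, entropy 8.0
}

if __name__ == "__main__":
    for verdict, paths in sorted(triage(SAMPLE_FILES).items()):
        print(verdict)
        for path in paths:
            print("   ", path)
```

Run over a mounted image or file-share snapshot, the "likely_encrypted" bucket gives responders the scope of impact that the unchanged extensions hide, while an "expected_intact" file that scores as encrypted would contradict the page's skip-list and deserves a closer look. Treat the entropy branch as a hint rather than proof: compressed archives and media also score high, which is why the header check is consulted first wherever a signature is known.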

Network Infrastructure

  • Leak Site: Hosted on Tor. The site employs a “gated” login mechanism, preventing security scrapers from indexing victim data without valid credentials.
  • Command & Control: No beaconing observed; operation appears to be offline encryption after manual deployment.