Are HellCat and Morpheus Ransomware Gangs Sharing Code and Tactics?

Recent discoveries in the cybersecurity world have suggested a concerning trend – the emergence of ransomware gangs HellCat and Morpheus, which appear to be sharing code and infrastructure, thus pointing to a deeper level of coordination. Both groups surfaced around mid to late 2024, with researchers uncovering nearly identical ransomware payload structures, implying a shared resource or affiliation.

Shared Code and Operational Techniques

A key observation noted by researchers at SentinelOne is that ransomware payloads from both HellCat and Morpheus retain the original file extensions after encryption. This particular behavior is atypical for other ransomware families and has raised suspicions of a shared codebase or builder application between these two groups. Additionally, the ransom notes used by both gangs follow an identical format, saved as README.txt and opened via notepad, which further underscores a common operational protocol.

Targets and Attacks

HellCat, believed to be operated by notable members of the BreachForums community, has targeted prominent entities, exemplified by a significant attack on Telefónica in January 2025. Morpheus, on the other hand, maintains a lower profile as a semi-private Ransomware-as-a-Service (RaaS) operation. Despite launching a data leak site in December 2024, their activities trace back to September 2024. This resemblance in tactics suggests that affiliates might be leveraging common infrastructures for their attacks.

Similarities in Ransomware Payloads

The theory of a single affiliate behind both campaigns is further supported by the analysis of similar ransomware payloads uploaded to VirusTotal in December 2024. Though differing in victim-specific data and attacker details, the payloads exhibit identical behaviors. They focus on encrypting files and dropping a ransom note without changing file extensions or modifying system settings, strategies tailored to avoid detection.

Connection to Other Ransomware Groups

Interestingly, similarities have also been found between the notes from HellCat/Morpheus and those used by the Underground Team ransomware group, active since early to mid-2023. Despite the similarities in ransom note templates, the Underground Team’s ransomware payloads structurally and functionally differ from those of HellCat and Morpheus. This indicates no direct code sharing or partnership among the three groups but suggests a broader pattern of imitation or inspiration.

Implications of Increased Collaboration

The discoveries point to an increasingly interconnected yet fragmented ransomware ecosystem. The collaboration among various groups is partly driven by law enforcement disruptions of major RaaS operators, which has led to a densely packed and fiercely competitive marketplace. Affiliates are observed frequently shifting between RaaS platforms, reflecting the fluid and dynamic nature of the underground cybercrime environment.

Nation-State Actor Collaboration

Another alarming trend is the growing collaboration between nation-state actors and ransomware groups. These collaborations often involve sharing tactics, techniques, and procedures, further complicating efforts to combat cyber threats. The integration of advanced methods and strategies from nation-state actors into the arsenal of ransomware gangs poses a significant challenge for cybersecurity professionals.

Conclusion

Recent developments in cybersecurity have highlighted a worrisome trend: the appearance of two new ransomware groups, HellCat and Morpheus. These gangs seem to be collaborating closely, sharing both code and infrastructure, which suggests a higher level of coordination between them. Both HellCat and Morpheus emerged around mid to late 2024, and cybersecurity researchers have uncovered ransomware payloads from both groups that are nearly identical. This similarity indicates that they may be using the same resources or might even be affiliated with each other. This revelation is particularly concerning for security experts because it implies that these gangs could harness their combined expertise to create even more sophisticated and damaging ransomware attacks in the future. As these groups collaborate and evolve, the cybersecurity landscape becomes increasingly perilous, requiring even more robust defenses and proactive measures to protect sensitive data and systems. Therefore, organizations need to stay vigilant and continuously update their cybersecurity strategies to counteract these emerging threats effectively.

Explore more

Vivo X Fold 6 – Review

The arrival of the Vivo X Fold 6 marks a pivotal moment where foldable devices transcend their status as fragile novelties to become the primary choice for power users. This transition represents a significant advancement in the mobile sector, pushing the boundaries of what a single handset can accomplish. By merging a book-style form factor with the raw performance of

Oppo Reno16 Series – Review

The modern smartphone market has reached a peculiar crossroads where the distinction between mid-range utility and flagship luxury is no longer defined by features but by the audacity of a manufacturer’s pricing strategy. Traditional product cycles often prioritize incremental updates, but this latest iteration signals a departure from conservative engineering. By integrating components usually reserved for the highest echelon of

AI Adoption Fails Without Proper Workforce Readiness

Ling-yi Tsai is a formidable force in the HRTech sector, possessing decades of experience guiding global organizations through the complex labyrinth of digital evolution. Her mastery of HR analytics and her tactical approach to integrating technology across recruitment and talent management have made her a sought-after advisor for companies looking to bridge the gap between human potential and machine efficiency.

The Human Infrastructure Powering Artificial Intelligence

The seamless flicker of a chatbot’s reply or the effortless lane change of a driverless vehicle often masks a vast, invisible network of human cognitive labor that makes such digital grace possible. While the marketing of advanced technology frequently paints a picture of silicon brains evolving in isolation, the underlying reality is a global assembly line of human intelligence. Every

Bruce Clay Leaves a Lasting Legacy as the Father of SEO

The Architect of an Industry and the Importance of Digital Frameworks The digital landscape we navigate today was not born out of thin air but was meticulously shaped by a few visionary thinkers who saw the potential of the internet long before it became a global marketplace. Among these pioneers, Bruce Clay stood as a singular figure whose influence spanned