SentinelOne Vendor Cyber Rating & Cyber Score

sentinelone.com

SentinelOne is the world's leading AI-powered cybersecurity platform. The SentinelOne Singularity platform, built on the first unified Data Lake, is revolutionizing security operations, with AI, solving use cases across Endpoint Protection, SIEM, Cloud Security, Identity Threat Detection and 24x7 Managed Threat Services. SentinelOne empowers the world to run securely by creating intelligent, data-driven systems that think for themselves, stay ahead of complexity and risk, and evolve on their own. Leading organizations—including Fortune 10, Fortune 500, and Global 2000 companies, as well as prominent governments – trust SentinelOne to Secure Tomorrow™. Learn more at


SentinelOne A.I CyberSecurity Scoring

Company Information
Website: http://www.sentinelone.com
Employees number: 3,119
Number of followers: 378,624
NAICS: 541514
Industry Type: Computer and Network Security
Homepage: sentinelone.com
SentinelOne Risk Score (AI oriented): between 650 and 699
SentinelOne (Computer and Network Security)
Updated: 15/05/2026
Score: 671/1000, grade B (Weak)
Powered by our proprietary A.I cyber incident model

Current Score: 671/1000, grade B (Weak)
4 incidents, -103 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026: score 671 before incident
MAY 2026: score 671 before incident
APRIL 2026: score 670 before incident
MARCH 2026: score 666 before incident
FEBRUARY 2026: score 664 before incident
JANUARY 2026: score 662 before incident
DECEMBER 2025: score 659 before incident
NOVEMBER 2025: score 658 before incident
OCTOBER 2025: score 656 before incident
SEPTEMBER 2025: score 653 before incident
AUGUST 2025: score 651 before incident
JULY 2025: score 749 before incident
Ransomware, 01 Jul 2025, SentinelOne
SentinelOne: Cephalus Ransomware Exploits Exposed RDP in Double-Extortion Attacks
Cephalus Ransomware Attack
Score after incident: 646 (CRITICAL, -103)
SEN1770818217
Cephalus Ransomware: A Rising Threat Exploiting RDP Vulnerabilities

Since mid-2025, the Cephalus ransomware has emerged as a sophisticated threat, targeting Windows systems through unsecured Remote Desktop Protocol (RDP) access. Written in Go, this malware employs double extortion, stealing and encrypting data before demanding payment. Attackers gain initial access with stolen RDP credentials, which succeeds largely because multi-factor authentication (MFA) is absent on the exposed accounts. Once inside, they exfiltrate data via MEGA cloud storage and deploy the ransomware using DLL sideloading, leveraging the legitimate SentinelOne executable SentinelBrowserNativeHost.exe to load malicious components (SentinelAgentCore.dll and data.bin). Cephalus uses hybrid encryption, combining AES-256-CTR for file encryption with RSA-1024 to protect the AES key. To hinder analysis, it generates fake AES keys (e.g., "FAKE_AES_KEY_FOR_CONFUSION_ONLY!") and employs secure memory-handling techniques such as VirtualLock and XOR masking to avoid detection in memory dumps.

### Attack Chain & Evasion Tactics

The ransomware follows a structured kill chain:
- Execution & Persistence: code injection via VirtualAlloc and VirtualProtect, plus scheduled tasks to survive reboots.
- Discovery: system reconnaissance through APIs such as GetSystemInfo, RtlGetVersion and Toolhelp32Snapshot, used to tailor the attack and evade sandboxes.
- Defense Evasion: disabling Windows Defender via PowerShell commands, registry edits (DisableRealtimeMonitoring, DisableAntiSpyware) and stopping security services (WinDefend, Sense).
- Impact: deleting Volume Shadow Copies, enumerating network drives and encrypting files with the .sss extension. Ransom notes (recover.txt) include proof-of-theft links to GoFile.io and references to past victims for added pressure.

### Defensive Measures & Emulation

Security firm AttackIQ released a 2026 emulation graph replicating Cephalus's Tactics, Techniques, and Procedures (TTPs), based on reports from Huntress (August 2025) and AhnLab (December 2025). The emulation exercises controls across execution, evasion, discovery and impact, helping organizations validate their detections against opportunistic ransomware. Key indicators of compromise (IOCs) include:
- SHA256: a34acd47127196ab867d572c2c6cf2fcccffa3a7a87e82d338a8efed898ca722
- File extension: .sss
- Suspicious activity: PowerShell/reg.exe commands, DLL sideloading from Downloads folders

To mitigate the risk, security teams are advised to enforce MFA on RDP, monitor for DLL sideloading, block MEGA cloud abuse and harden Windows Defender via group policies. As Cephalus evolves, continuous validation remains critical to maintaining resilience against such threats.
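The detection guidance above (monitor DLL sideloading, watch Defender-disabling registry edits, key on the .sss extension and the recover.txt note) can be turned into a small rule set. The following is an added example written for this page, not code from the original, from SentinelOne or from AttackIQ. It scans constructed endpoint telemetry for the indicators the summary lists; the `kind key="value"` event format, the field names, the assumption that the genuine agent lives under Program Files, and the mass-rename threshold are all assumptions made for the example.

```python
"""
Added example (not code from the Rankiteo page, SentinelOne or AttackIQ):
scan endpoint telemetry for the Cephalus indicators named in the summary.
The event format, the field names and every sample event below are
constructed for this example; MASS_RENAME_THRESHOLD is a tunable guess.
"""
import re
from collections import Counter

# Indicators taken from the incident summary.
CEPHALUS_SHA256 = {"a34acd47127196ab867d572c2c6cf2fcccffa3a7a87e82d338a8efed898ca722"}
SIDELOAD_HOST = "sentinelbrowsernativehost.exe"   # legitimate signed host binary
SIDELOAD_DLL = "sentinelagentcore.dll"            # malicious DLL the host sideloads
DEFENDER_KILL_VALUES = {"disablerealtimemonitoring", "disableantispyware"}
ENCRYPTED_EXT = ".sss"
RANSOM_NOTE = "recover.txt"
# Assumption: the genuine agent lives under Program Files; a load from anywhere
# else (the summary calls out Downloads folders) is treated as a user path.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\")
MASS_RENAME_THRESHOLD = 3   # kept low so the sample trips it; tune per fleet

_KV = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """'kind key="value" ...' -> (kind, {key: value}); constructed format."""
    kind, _, rest = line.strip().partition(" ")
    return kind, dict(_KV.findall(rest))


def basename(path):
    """Lower-cased final path component of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def detect(lines):
    """Return a list of (rule, detail) findings for a sequence of telemetry lines."""
    findings = []
    sss_writes = Counter()          # per-pid count of files written with .sss
    for line in lines:
        kind, f = parse_event(line)
        if kind == "process" and f.get("sha256", "").lower() in CEPHALUS_SHA256:
            findings.append(("known_cephalus_hash", f.get("image", "")))
        elif kind == "image_load":
            image = f.get("image", "").lower()
            if (basename(f.get("process", "")) == SIDELOAD_HOST
                    and basename(image) == SIDELOAD_DLL
                    and not image.startswith(TRUSTED_PREFIXES)):
                findings.append(("dll_sideload_from_user_path", f.get("image", "")))
        elif kind == "registry":
            if f.get("value", "").lower() in DEFENDER_KILL_VALUES and f.get("data") == "1":
                findings.append(("defender_disabled_via_registry", f.get("value", "")))
        elif kind == "file":
            name = basename(f.get("path", ""))
            if name == RANSOM_NOTE:
                findings.append(("ransom_note_written", f.get("path", "")))
            elif name.endswith(ENCRYPTED_EXT):
                sss_writes[f.get("pid", "?")] += 1
    for pid, n in sss_writes.items():
        if n >= MASS_RENAME_THRESHOLD:
            findings.append(("mass_rename_to_sss", f"pid {pid}: {n} files"))
    return findings


# Constructed sample telemetry: one malicious process (pid 4120) plus a benign
# agent load from its install directory (pid 900) that must not be flagged.
SAMPLE_EVENTS = [
    r'process pid="4120" image="C:\Users\alice\Downloads\SentinelBrowserNativeHost.exe" '
    r'sha256="a34acd47127196ab867d572c2c6cf2fcccffa3a7a87e82d338a8efed898ca722"',
    r'image_load pid="4120" process="C:\Users\alice\Downloads\SentinelBrowserNativeHost.exe" '
    r'image="C:\Users\alice\Downloads\SentinelAgentCore.dll"',
    r'registry pid="4120" key="HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" '
    r'value="DisableRealtimeMonitoring" data="1"',
    r'registry pid="2200" key="HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" '
    r'value="DisableAntiSpyware" data="0"',
    r'file pid="4120" path="C:\Users\alice\Documents\budget.xlsx.sss"',
    r'file pid="4120" path="C:\Users\alice\Documents\notes.docx.sss"',
    r'file pid="4120" path="C:\Users\alice\Documents\photo.jpg.sss"',
    r'file pid="4120" path="C:\Users\alice\Documents\recover.txt"',
    r'image_load pid="900" process="C:\Program Files\SentinelOne\SentinelBrowserNativeHost.exe" '
    r'image="C:\Program Files\SentinelOne\SentinelAgentCore.dll"',
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The hash rule is the weakest of the five (a rebuilt sample changes it); the behavioural rules on the sideloaded DLL location, the Defender policy values and the burst of .sss writes are what survive a recompile, which is why the mass-rename rule counts per process rather than per file.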
INCIDENT DETAILS
TYPE: Ransomware
MOTIVATION: Financial gain (ransomware), data theft
IMPACT:
- Data Compromised: Yes
- Systems Affected: Windows systems
- Operational Impact: File encryption, system disruption
- Identity Theft Risk: High (if PII exposed)
DATA BREACH:
- Type Of Data Compromised: Files, potentially PII
- Sensitivity Of Data: High (if exfiltrated data includes sensitive information)
- Data Exfiltration: Yes (via MEGA cloud storage)
- Data Encryption: Yes (AES-256-CTR, RSA-1024)
- Personally Identifiable Information: Potential (if targeted)
JUNE 2025: score 768 before incident
Cyber Attack, 09 Jun 2025, SentinelOne
Attempted Supply Chain Attack on SentinelOne
Score after incident: 749 (CRITICAL, -19)
SEN302060925
SentinelOne, an American endpoint protection solutions provider, was targeted in a supply chain attack by Chinese hackers. The attack involved exploiting vulnerabilities in network devices and using malware to gain access to the company's systems. The hackers aimed to compromise SentinelOne's infrastructure to access downstream corporate networks and develop evasion methods. Despite the attempts, SentinelOne reported no compromise of its software or hardware.
INCIDENT DETAILS
TYPE: Supply Chain Attack
MOTIVATION: Cyberespionage and potential supply chain compromise
DATA BREACH:
- Data Exfiltration: PowerShell-based exfiltration script
JANUARY 2022: score 769 before incident
Cyber Attack, 01 Jan 2022, SentinelOne
UNC3886 and BLOCKADE SPIDER: OrBit Rootkit Targets Linux to Steal SSH and Sudo Credentials
OrBit Linux Rootkit Evolution and Widespread Adoption
Score after incident: 753 (CRITICAL, -16)
SENCRO1778848441
OrBit Linux Rootkit Evolves Over Four Years, Becomes Shared Tool for Cyber Threats

A stealthy Linux rootkit known as OrBit has been actively abused by threat actors for over four years, evolving from a custom-built tool into a widely adopted malware framework. Initially documented in 2022, OrBit was later revealed to be a repackaged version of Medusa, an open-source LD_PRELOAD rootkit published on GitHub in late 2022. Rather than developing new malware, attackers have modified and redeployed this publicly available codebase with varying configurations, credentials and evasion techniques.

### How OrBit Operates

OrBit functions as a userland rootkit, hijacking the system's dynamic linker (ld.so) to inject a malicious shared library into every running process. This allows it to:
- Intercept authentication flows by hooking into Pluggable Authentication Modules (PAM), capturing SSH and sudo credentials.
- Store stolen credentials in hidden directories (e.g., `/lib/libseconf/`).
- Hide its presence by manipulating over 40 libc functions, masking files, processes and network connections from administrators.

Unlike traditional malware, OrBit operates as a passive implant, avoiding direct command-and-control (C2) communication. Instead, attackers access compromised systems via a hidden SSH backdoor.

### Evolution and Variants

Researchers have identified two primary variants of OrBit:
1. Lineage A: a full-featured version with credential harvesting, network hiding, packet capture and backdoor access.
2. Lineage B: a lighter variant with reduced functionality, likely designed to minimize detection.

Over time, attackers have rotated credentials, adjusted installation paths and introduced compatibility fixes (e.g., a custom `xread` function to prevent system instability). Key developments include:
- 2025: introduction of audit log evasion and an advanced PAM hook capable of manipulating authentication outcomes.
- 2025: shift to a multi-stage infection chain, including a dropper and an infector that spreads via cron jobs and downloads payloads from remote domains, a first for OrBit.
- 2026: continued refinement, with infrastructure overlaps observed with the RHOMBUS botnet.

### Widespread Adoption by Threat Actors

OrBit is no longer tied to a single group. Multiple threat actors have deployed it, including:
- BLOCKADE SPIDER (ransomware-linked)
- UNC3886 (state-backed espionage group)

This adoption highlights a broader trend: Linux environments, including critical infrastructure and virtualized systems, are increasingly targeted by shared malware toolkits.

### Detection and Indicators of Compromise (IOCs)

Despite superficial changes (e.g., file paths, passwords), OrBit's core behaviors remain consistent. Defenders are advised to monitor for:
- Hidden filesystem artifacts (e.g., `/lib/libseconf/`).
- Credential harvesting activity via PAM hooks.
- Known hashes (see partial list below).

#### Sample IOCs (SHA-256)

| Hash | Year | Role | Lineage |
|------|------|------|---------|
| `40b5127c8cf9d6bec4dbeb61ba766a95c7b2d0cafafcb82ede5a3a679a3e3020` | 2022 | Payload | A |
| `3ba6c174a72e4bf5a10c8aaadab2c4b98702ee2308438e94a5512b69df998d5a` | 2023 | Payload | B |
| `a61386384173b352e3bd90dcef4c7268a73cd29f6ae343c15b92070b1354a349` | 2024 | Payload | A |
| `04c06be0f65d3ead95f3d3dd26fe150270ac8b58890e35515f9317fc7c7723c9` | 2025 | Infector | |
| `d7b487d2e840c4546661f497af0195614fc0906c03d187dc39815c811ea5ec3f` | 2026 | Payload | A |

OrBit's persistence and adaptability underscore the growing sophistication of Linux-targeted threats, with attackers leveraging open-source tools to evade detection and maintain long-term access.
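The summary describes OrBit as an LD_PRELOAD-style rootkit: the dynamic linker is made to load one extra shared object into every process, which then hooks libc and PAM. That gives a defender three host-side checks that do not depend on the rotating file names and passwords, plus the published hashes. The block below is an added example written for this page, not code from the original or from any vendor it names. It assumes a glibc system where only the loader and libc are legitimately mapped into every dynamically linked process (a heuristic, not a guarantee), and all sample inputs, including the `/lib/.constructed_example/libhook.so` path, are constructed.

```python
"""
Added example, not code from the Rankiteo page or from any vendor it names.
Host checks for an LD_PRELOAD-style userland rootkit such as OrBit:
  1. entries in /etc/ld.so.preload, the dynamic-linker injection point;
  2. a shared object mapped into every process that is not one of the
     libraries every dynamically linked process legitimately shares;
  3. the hidden credential directory named in the summary;
  4. SHA-256 matches against the IOC table in the summary.
The sample inputs are constructed; check 2 is a heuristic (assumption).
"""
import os
from glob import glob

# IOC table from the incident summary (SHA-256 -> year/role/lineage).
ORBIT_IOCS = {
    "40b5127c8cf9d6bec4dbeb61ba766a95c7b2d0cafafcb82ede5a3a679a3e3020": "2022 payload, lineage A",
    "3ba6c174a72e4bf5a10c8aaadab2c4b98702ee2308438e94a5512b69df998d5a": "2023 payload, lineage B",
    "a61386384173b352e3bd90dcef4c7268a73cd29f6ae343c15b92070b1354a349": "2024 payload, lineage A",
    "04c06be0f65d3ead95f3d3dd26fe150270ac8b58890e35515f9317fc7c7723c9": "2025 infector",
    "d7b487d2e840c4546661f497af0195614fc0906c03d187dc39815c811ea5ec3f": "2026 payload, lineage A",
}
HIDDEN_ARTIFACTS = ["/lib/libseconf/"]   # hidden credential store from the summary
# Assumption (glibc system): only the loader and libc are legitimately mapped
# into every process; anything else common to all of them deserves a look.
UNIVERSAL_LIBS = ("ld-linux", "libc.so", "libc-")


def preload_entries(text):
    """Non-empty, non-comment lines of /etc/ld.so.preload (normally there are none)."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def mapped_libraries(maps_text):
    """Shared-object paths from one /proc/<pid>/maps listing."""
    libs = set()
    for line in maps_text.splitlines():
        parts = line.split(None, 5)            # addr perms offset dev inode path
        if len(parts) == 6 and parts[5].startswith("/") and ".so" in parts[5]:
            libs.add(parts[5].strip())
    return libs


def suspicious_common_libraries(maps_by_pid):
    """Shared objects present in every dynamically linked process, minus the
    universal ones. Processes with no libraries (kernel threads, static
    binaries) are ignored. Returns a sorted list of paths."""
    per_process = [s for s in (mapped_libraries(t) for t in maps_by_pid.values()) if s]
    if not per_process:
        return []
    common = set.intersection(*per_process)
    return sorted(p for p in common
                  if not any(u in os.path.basename(p) for u in UNIVERSAL_LIBS))


def hidden_artifacts_present(path_exists=os.path.exists):
    """Which of the known hidden directories exist (predicate injectable for tests)."""
    return [p for p in HIDDEN_ARTIFACTS if path_exists(p)]


def match_orbit_hashes(sha256_values):
    """Map any input hash found in the IOC table to its description."""
    return {h: ORBIT_IOCS[h] for h in (v.lower() for v in sha256_values) if h in ORBIT_IOCS}


def scan_live_host():
    """Run checks 1-3 on this machine (root is needed to read other pids' maps).
    Caveat: a rootkit that hooks libc can filter what this very process reads,
    so treat a clean result on a suspect host as unconfirmed and repeat it from
    a statically linked tool or an offline disk image."""
    preload = ""
    if os.path.exists("/etc/ld.so.preload"):
        with open("/etc/ld.so.preload") as fh:
            preload = fh.read()
    maps = {}
    for path in glob("/proc/[0-9]*/maps"):
        try:
            with open(path) as fh:
                maps[path.split("/")[2]] = fh.read()
        except OSError:
            continue
    return {"ld.so.preload": preload_entries(preload),
            "common_libraries": suspicious_common_libraries(maps),
            "hidden_artifacts": hidden_artifacts_present()}


# Constructed sample data: three unrelated processes that all carry one extra
# shared object (a made-up path standing in for an injected library).
SAMPLE_PRELOAD = "# constructed sample\n/lib/.constructed_example/libhook.so\n"
_LIBC = "7f0000000000-7f0000020000 r-xp 00000000 08:01 11 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
_LD = "7f0000300000-7f0000320000 r-xp 00000000 08:01 14 /usr/lib64/ld-linux-x86-64.so.2\n"
_HOOK = "7f0000200000-7f0000210000 r-xp 00000000 08:01 13 /lib/.constructed_example/libhook.so\n"
SAMPLE_MAPS = {
    "1001": _LIBC + "7f0000100000-7f0000110000 r-xp 00000000 08:01 12 /usr/lib/x86_64-linux-gnu/libreadline.so.8\n" + _HOOK + _LD,
    "1002": _LIBC + "7f0000100000-7f0000110000 r-xp 00000000 08:01 15 /usr/lib/x86_64-linux-gnu/libcrypto.so.3\n" + _HOOK + _LD,
    "1003": _LIBC + "7f0000100000-7f0000110000 r-xp 00000000 08:01 16 /usr/lib/x86_64-linux-gnu/libpam.so.0\n" + _HOOK
            + "7ffc00000000-7ffc00020000 rw-p 00000000 00:00 0 [stack]\n" + _LD,
}

if __name__ == "__main__":
    print("ld.so.preload:", preload_entries(SAMPLE_PRELOAD))
    print("common libraries:", suspicious_common_libraries(SAMPLE_MAPS))
    print("IOC matches:", match_orbit_hashes(["40B5127C8CF9D6BEC4DBEB61BA766A95C7B2D0CAFAFCB82EDE5A3A679A3E3020"]))
```

The per-process maps comparison is the check that keeps working after the operators rename the library or move it: whatever the path, an object that a shell, sshd and cron all share but that is neither the loader nor libc has no ordinary reason to be there.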
INCIDENT DETAILS
TYPE: Rootkit
MOTIVATION: Espionage, Ransomware, Credential Harvesting
IMPACT:
- Data Compromised: SSH and sudo credentials, authentication flows
- Systems Affected: Linux systems, including critical infrastructure and virtualized environments
- Operational Impact: Long-term unauthorized access, hidden network connections, and process manipulation
- Identity Theft Risk: High (stolen credentials)
DATA BREACH:
- Type Of Data Compromised: Authentication credentials (SSH, sudo)
- Sensitivity Of Data: High (privileged access credentials)
JUNE 2015: score 769 before incident
Cyber Attack, 16 Jun 2015, SentinelOne
SentinelOne, Kaspersky and Adlice Software: Hackers Weaponized 2,500+ Security Tools to Terminate Endpoint Protection Before Deploying Ransomware
Cybercriminals Weaponize Legitimate Windows Driver to Disable Security Tools in Large-Scale Attacks
Score after incident: 753 (CRITICAL, -16)
SENKASADL1769023372
Cybercriminals Weaponize Legitimate Windows Driver to Disable Security Tools in Large-Scale Attacks

A sophisticated cyberattack campaign is exploiting a trusted Windows kernel driver, truesight.sys, part of Adlice Software's RogueKiller antivirus, to disable endpoint detection and response (EDR) and antivirus solutions before deploying ransomware or remote access malware. The attack leverages over 2,500 validly signed variants of the vulnerable driver, bypassing Microsoft's security controls by abusing legacy driver signing rules. Originally exposed by Check Point researchers, the technique allows threat actors to load pre-2015 signed drivers on modern Windows 11 systems, granting them kernel-level privileges to terminate security processes undetected. MagicSword analysts later confirmed the method's rapid adoption by multiple threat groups, including financially motivated actors and advanced persistent threat (APT) groups.

The driver's IOCTL command enables attackers to forcibly kill nearly 200 security products, from CrowdStrike and SentinelOne to Kaspersky and Symantec, leaving systems exposed to ransomware like HiddenGh0st or other payloads. The infection chain typically begins with phishing emails, fake download sites or compromised Telegram channels that trick users into running a disguised installer. The malware then establishes persistence via scheduled tasks and DLL side-loading, deploys an obfuscated EDR killer module and installs the TrueSight driver as a Windows service (often named TCLService). With security tools neutralized at the kernel level, the final payload executes with minimal resistance, sometimes within 30 minutes of initial compromise.

The attack's high evasion rate, combined with victims' reliance on signature-based defenses, makes it particularly dangerous for enterprises: the breach is often detected only after encryption or data exfiltration has occurred. The campaign's scale and effectiveness highlight the growing threat of legitimate driver abuse in modern cyberattacks.
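Because the campaign ships more than 2,500 validly signed variants of the same driver, a hash blocklist is the wrong control; what stays constant is the driver's file name, the service it is registered under, the user-writable location it is dropped in and the age of its signature. The block below is an added example written for this page, not code from the original or from Check Point, MagicSword or Adlice Software. It triages Windows System-log "service installed" records (Service Control Manager event ID 7045) with those four properties. The records are constructed; the user-writable path prefixes and the signing cut-off date (the 29 July 2015 boundary of Microsoft's driver-signing policy, which the summary only calls "pre-2015") are assumptions, and the signing date itself is expected to come from a separate Authenticode lookup.

```python
"""
Added example, not code from the Rankiteo page or from Check Point, MagicSword
or Adlice Software. Triage of Windows System-log "service installed" records
(Service Control Manager event ID 7045) for the pattern in the summary: a
known-abused kernel driver registered as a service (often named TCLService),
loaded from a user-writable path, with a signature old enough for the legacy
rule. The records below are constructed; the user-writable prefixes and the
cut-off date are assumptions.
"""
from datetime import date
from typing import Optional

ABUSED_DRIVERS = {"truesight.sys"}          # from the summary
SUSPECT_SERVICE_NAMES = {"tclservice"}      # from the summary
LEGACY_SIGNING_CUTOFF = date(2015, 7, 29)   # assumption: driver-signing policy boundary
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")  # assumption
ALERT_THRESHOLD = 3                         # score at or above this is worth an alert


def parse_7045(message):
    """Turn the 'Service ...: value' lines of a 7045 message into a dict."""
    fields = {}
    for line in message.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().startswith("Service"):
            fields[key.strip()] = value.strip()
    return fields


def normalize_path(raw):
    """Lower-case the path and drop the NT '\\??\\' prefix drivers are often registered with."""
    p = raw.strip().strip('"').lower()
    return p[4:] if p.startswith("\\??\\") else p


def is_legacy_signed(signing_date: Optional[date]) -> bool:
    """True when the signature predates the cut-off honoured by the legacy rule."""
    return signing_date is not None and signing_date < LEGACY_SIGNING_CUTOFF


def triage(message, signing_date=None):
    """Score one 7045 record; returns (score, reasons). signing_date comes from
    a separate signature lookup of the service binary; pass None when unknown."""
    f = parse_7045(message)
    path = normalize_path(f.get("Service File Name", ""))
    name = f.get("Service Name", "").strip().lower()
    kernel = "kernel" in f.get("Service Type", "").lower()
    score, reasons = 0, []
    if path.rsplit("\\", 1)[-1] in ABUSED_DRIVERS:
        score += 3
        reasons.append("known-abused driver file name")
    if name in SUSPECT_SERVICE_NAMES:
        score += 1
        reasons.append("service name used by the campaign")
    if kernel and path.startswith(USER_WRITABLE):
        score += 2
        reasons.append("kernel driver installed from a user-writable path")
    if kernel and is_legacy_signed(signing_date):
        score += 1
        reasons.append(f"driver signature predates {LEGACY_SIGNING_CUTOFF}")
    return score, reasons


# Constructed 7045 messages in the Service Control Manager's layout.
MALICIOUS_7045 = r"""A service was installed in the system.

Service Name: TCLService
Service File Name: \??\C:\ProgramData\constructed\truesight.sys
Service Type: kernel mode driver
Service Start Type: auto start
Service Account: """

BENIGN_7045 = r"""A service was installed in the system.

Service Name: Constructed Audio Driver
Service File Name: C:\Windows\System32\drivers\constructed_audio.sys
Service Type: kernel mode driver
Service Start Type: demand start
Service Account: """

if __name__ == "__main__":
    for label, msg, signed in (("malicious", MALICIOUS_7045, date(2014, 1, 1)),   # constructed date
                               ("benign", BENIGN_7045, date(2023, 5, 1))):
        score, reasons = triage(msg, signed)
        verdict = "ALERT" if score >= ALERT_THRESHOLD else "ok"
        print(f"{label}: {verdict} (score {score}) {reasons}")
```

Weighting the file name highest is deliberate: the summary says the driver's IOCTL is what terminates the security products, so that name alone is enough to page on, while the path, service name and signing-era rules exist to keep catching renamed copies and the next abused driver.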
INCIDENT DETAILS
TYPE: Ransomware, Malware
MOTIVATION: Financial gain, Data exfiltration
IMPACT:
- Systems Affected: Windows systems (including Windows 11)
- Operational Impact: Disabling of EDR and antivirus solutions, leaving systems exposed to ransomware or malware
DATA BREACH:
- Data Exfiltration: Possible data exfiltration
- Data Encryption: Ransomware encryption (e.g., HiddenGh0st)

Frequently Asked Questions

- What is the current A.I Rankiteo Cyber Score for SentinelOne?
- What was SentinelOne's A.I Rankiteo Cyber Score in May 2026?
- What was SentinelOne's A.I Rankiteo Cyber Score in April 2026?
- What was SentinelOne's A.I Rankiteo Cyber Score in March 2026?
- What was SentinelOne's A.I Rankiteo Cyber Score in February 2026?
- What was SentinelOne's A.I Rankiteo Cyber Score in January 2026?
- What was SentinelOne's A.I Rankiteo Cyber Score in December 2025?
- What was SentinelOne's A.I Rankiteo Cyber Score in November 2025?
- What was SentinelOne's A.I Rankiteo Cyber Score in October 2025?
- What was SentinelOne's A.I Rankiteo Cyber Score in September 2025?
- What was SentinelOne's A.I Rankiteo Cyber Score in August 2025?
- What was SentinelOne's A.I Rankiteo Cyber Score in July 2025?
- What is the average per-incident point impact on SentinelOne's A.I Rankiteo Cyber Score over the past 12 months?
- Where can I access detailed records of all cyber incidents associated with SentinelOne?
- Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
- Where can I view SentinelOne's profile page on Rankiteo?
- How accurate is the A.I Rankiteo Risk Scoring methodology?