Cephalus ransomware abuses SentinelOne executable for DLL sideloading

The new Cephalus ransomware group abuses legitimate SentinelOne executables to deploy its payload via dynamic-link library (DLL) sideloading, according to Huntress.

Cephalus appears to have first emerged in June 2025 according to a report by InsecureWeb, and was observed by Huntress in two mid-August intrusion attempts, one of which was blocked by Windows Defender.

The attackers gain initial access via the Remote Desktop Protocol (RDP), leveraging compromised accounts that don’t have multi-factor authentication (MFA) enabled, and establish a connection to the cloud storage platform MEGA prior to ransomware deployment.

The group is suspected to use MEGA for data exfiltration. The ransomware is then deployed through DLL sideloading with the legitimate SentinelOne executable SentinelBrowserNativeHost.exe.

Huntress found that both of its affected customers used legitimate SentinelOne services, with SentinelBrowserNativeHost.exe found in the targets’ Downloads folders. The attackers use the SentinelOne executable to load SentinelAgentCore.dll; the DLL subsequently launches data.bin, which contains the ransomware code.

The ransomware runs numerous anti-recovery and anti-detection commands that appear as child processes of SentinelBrowserNativeHost.exe. These include commands to delete shadow copies, create Windows Defender exclusions and disable Windows Defender functions, according to Huntress.

The Cephalus ransom note indicates the attacker has financial motives and uses double extortion tactics to threaten the victim into contacting Cephalus for ransom negotiations. The attacker provides both a Tox chat ID and Proton Mail email address as contact options.

In the most recent August attacks, the ransomware note also included links to reports about Cephalus’ claimed attacks, including the InsecureWeb report from July and a report by Dark Web Informer on Aug. 12, 2025.

These reports indicate Cephalus has previously claimed responsibility for attacks on the U.S. architecture firm BAR Architects & Interiors, and the U.S. law practice Sherman Silverstein.

Huntress’ blog promotes awareness of Cephalus’ unique tactics, including DLL sideloading of a legitimate cybersecurity executable and use of external reports about its activity for intimidation, and provides indicators of compromise (IoCs) that can be leveraged to defend against this emerging threat.