morpheus

Ransomware group profile

9Victims

63Impact score

Description

Morpheus is a ransomware and data extortion group that emerged in late 2024, offering a Ransomware-as-a-Service (RaaS) model. They utilize ransomware payloads that exhibit shared characteristics with the HellCat operation and employ distinct techniques that preserve original file extensions while encrypting data.

Key insights

•Morpheus utilizes a 64-bit portable executable ransomware payload, typically around 18KB in size.
•Initial access methods are not publicly detailed, but the RaaS model suggests multiple approaches used by affiliates.
•Ransom demands can reach up to 32 Bitcoin, equivalent to approximately $3 million USD.
•The ransomware intentionally excludes specific file extensions from encryption to evade detection.
•Victims are pressured through a data leak site where stolen data is listed.
•Morpheus operates without modifying system settings or establishing persistence mechanisms.

Industries

Energy & Utilities Financial Services Government & Defense Hospitality Manufacturing Other Professional Services Technology

Threat Level & Status Breakdown

For morpheus · Based on incidents in selected period

0.8threat level

Aggressiveness2.3/ 10

Lethality0/ 10

Criticality0/ 10

Status Breakdown

Claimed22.2%2

First seenNov 2025

Last seenMay 2026

Avg ransom—

Payment rate—

Statusactive

Sophistication0

Last updatedJun 2, 2026

Recent activity

Monthly attack count for morpheus in the selected period

9Total attacks

2peak in Dec

1.3avg / month

Intelligence

IOCs, YARA/Sigma rules, and related families for morpheus

a53a9ca8a074c7108f8412c3f8c1fc5d
77962a384d251f0aa8e3008a88f206d6cb1f7401c759c4614e3bfe865e3e985c
08f630cc1005bad662dcdd478fff28d3
05345610bfd83486359aba9d4bf6ffe2
3928c5874249cc71b2d88e5c0c00989ac394238747bb7638897fc210531b4aab
7fc65b23e0a85f548e4268b77b66a3c9f3d08b9c1817c99bc1336d51d36e1ec6
7007cf53bcd0083baba202d8ac2d9070
a98dcdee82f6066a4cf2f9d7d161a1bacec8f81d
d1038be644a0da3ba05922fa27db4167a6e17451
1e074d9dca6ef0edd24afb2d13ca4429def5fc5486cd4170c989ef60efd0bbb0
5b492a70c2bbded7286528316d402c89ae5514162d2988b17d6434ead5c8c274
f86324f889d078c00c2d071d6035072a0abb1f73
75612233d32768186d0557dd39abbbd3284a2a29
93aa8b0f950a7ea7f0cee2ba106efaacf673bb2b504ca0b9e87f9ea41acfb599
e502b8d617a2cd9bfa41762282a0ff81
3403b92056d7645acfb7236824cc58b15e4d5395
2833c82055bf2d29c65cd9cf6684449a
448c59b6dec2802fb38937daed57cb378f5cc84a
fd452da0d978514adaeee1dd5227212aad00bf07f2481d335eed77a4ee08a5e8
7a96d9f7a25a67ec2873bb814cb0ba104d3b7c1651f65ff09d8e1f76cba6fb79

View full IOC feed74 total

TTPs & Attack Vectors

Tools, initial access, and MITRE ATT&CK techniques for morpheus

Other

T1486

T1490

T1562

T1078

T1047

T1059

T1027

T1046

T1021.001

T1499

T1547

T1080

Victims(9)

Company	Domain	Country	Industry	Status	Discovered
BAYTECH A/S	—	DK Denmark	Professional Services	Unknown	21 days ago
GGI	—	MM Myanmar	Financial Services	Claimed	about 1 month ago
SBCTANZANIA	—	TZ Tanzania	Financial Services	Claimed	2 months ago
New publication	—	—	Technology	Unknown	3 months ago
SURTECHINC	surtechinc.kr	KR South Korea	Manufacturing	Unknown	3 months ago
SUNSETWORLDRESORTS	sunsetworldresorts.com	MX Mexico	Hospitality	Unknown	4 months ago
VALLEREDONDO	valleredondo.com.mx	ES Spain	Other	Unknown	5 months ago
SCIPIONI	scipioni.be	BE Belgium	Energy & Utilities	Unknown	6 months ago
Teamglobal	teamglobal.com	IN India	Professional Services	Unknown	7 months ago

Affected countries(27)

Countries where this group has been reported to target or leak victims.