Morpheus
Morpheus is a ransomware operation observed in 2025 and 2026. Reporting links it to ransomware attacks against a South Korean plating company and to the alleged theft of more than 680 GB of data from HDFC Asset Management Company (HDFC AMC), after which the Bombay High Court issued a temporary injunction to prevent the group from publishing or disclosing the stolen information. Dragos listed Morpheus among new or emerging ransomware groups observed in Q1 2025. SentinelLABS reported that HellCat and Morpheus were essentially two distinct ransomware brands deploying identical payloads, indicating rebranding or shared tooling that complicates attribution. Based on the reporting summarized here, Morpheus is a financially motivated cybercriminal ransomware actor; no high-confidence nation-state attribution is stated. Known alias in that reporting: morpheus.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Financial Services
Where they target
Geographies tied to known operations.
- 🇮🇳 India
Tradecraft
2 distinct techniques observed across reporting, grouped by tactic.
Recent activity
5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
- Allegedly conducted a ransomware-related data theft incident against HDFC Asset Management Company and claimed to have extracted more than 680 GB of critical company data, with threatened publication or disclosure of the stolen information.
- Android spyware observed abusing Accessibility workflows to enable Developer options, turn on wireless debugging, and locally pair with adbd. The reporting explicitly states Morpheus did not use CVE-2026-0073, but it automated the prerequisite device state relevant to the vulnerability.
- Reported to have conducted a ransomware attack against a South Korean plating company.
- A ransomware operation sharing a codebase with HellCat, part of the trend of commoditized and rebranded ransomware in the RaaS ecosystem.