Morpheus Claims 680 GB Theft From HDFC AMC After VMware Systems Disruption
HDFC Asset Management Company disclosed a cyber incident after its IT administrator detected unusual activity on 16 May and found parts of its on-premises VMware environment inaccessible, including VPN, SFTP, and antivirus management servers. The company told the Bombay High Court that it later received an email from a threat actor calling itself Morpheus, which claimed to have exfiltrated more than 680 GB of critical data; the group subsequently listed the firm as HDFC FUND on its Tor leak site, indicating an active extortion campaign. HDFC AMC said it activated incident-response measures and notified SEBI and stock exchanges after the breach.
Court filings and reporting indicate the stolen material may include customer PII, PAN details, bank account information, investment records, employee records, and proprietary investment analysis, raising risks of identity theft, fraud, and strategic business exposure. HDFC AMC warned investors about possible SIM-swap attacks that could enable OTP interception and account takeover. On 29 May, the Bombay High Court issued an ex parte interim injunction restraining Morpheus from publishing or sharing the data and directed the Union government to seek removal or blocking of related online accounts, although the practical impact may be limited against Tor-hosted infrastructure.

How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Bombay High Court schedules further hearing in HDFC AMC case
The matter was scheduled for further hearing before the Bombay High Court on June 16. This followed the interim injunction issued against Morpheus over the alleged theft and threatened disclosure of HDFC AMC data.
Morpheus lists HDFC AMC on its leak site as 'HDFC FUND'
On June 10, Morpheus listed HDFC AMC as 'HDFC FUND' on its Tor-based leak site. The posting indicated the extortion attempt had progressed beyond a private claim to public leak-site exposure.
Bombay High Court issues interim injunction against Morpheus
On May 29, the Bombay High Court issued an ex parte interim injunction restraining the Morpheus ransomware group from publishing or disclosing HDFC AMC's allegedly stolen data. The court also directed the Union government to take steps to remove, block, disable, and delete online accounts associated with the stolen information.
HDFC AMC notifies SEBI and stock exchanges about the incident
On May 16, HDFC AMC notified the Securities and Exchange Board of India and stock exchanges about the cybersecurity incident. This was part of the company's formal response following detection of the compromise.
Morpheus claims exfiltration of more than 680 GB from HDFC AMC
Also on May 16, HDFC AMC found an email from a threat actor calling itself Morpheus claiming it had exfiltrated more than 680 GB of critical company data. The claim marked the start of an apparent data-extortion campaign tied to the intrusion.
HDFC AMC detects unusual activity and inaccessible VMware systems
On May 16, HDFC AMC's IT administrator detected unusual activity and found parts of the company's on-premises VMware environment inaccessible, including VPN, SFTP, and antivirus management servers. The company activated its cybersecurity response protocols after discovering the disruption.
Sources
HDFC AMC Data Breach 2026: Morpheus, 680 GB & What It Means | The CyberSec Guru (thecybersecguru.com)
Bombay High Court Restrains ‘Morpheus’ Ransomware Group From Sharing HDFC AMC’s Stolen Data - CySecurity News - Latest Information Security and Hacking Incidents (cysecurity.news)


