Cybersecurity and Information Warfare

Cephalus ransomware exploits SentinelOne executables for attacks

Cephalus is a newly observed ransomware operation that abuses a legitimate SentinelOne executable, SentinelBrowserNativeHost.exe, to sideload a malicious DLL (SentinelAgentCore.dll) and load a data.bin payload, enabling stealthy deployment that can bypass conventional EDR heuristics in some cases. The group was seen in two incidents on August 13 and August 16, 2025, where initial access occurred via compromised RDP accounts lacking MFA, followed by data exfiltration to MEGA before execution; one attempt was blocked by Microsoft Defender, while another led to encryption with the .sss extension and a recover.txt note. Post-launch, the malware deletes shadow copies with vssadmin, adds Windows Defender exclusions, disables real-time and behavior monitoring via registry keys, and stops services like WinDefend, WdNisSvc, Sense, and SecurityHealthService through hidden PowerShell, indicating robust defense evasion. Ransom notes reference earlier public posts (e.g., July 9 and Aug. 12) to bolster credibility and may provide GoFile links for sample data verification, reflecting a dual-extortion model. Broadcom also lists .sss and recover.txt as Cephalus indicators, reinforcing these observations.
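To make the reported behaviours actionable, the following Python sketch (an added example, not code from the article, Broadcom or SentinelOne) scores constructed telemetry events against the Cephalus indicators named above and flags hosts that accumulate several of them. The event schema, the SentinelOne install path and the Defender registry value names are assumptions.

```python
import re
from collections import defaultdict
# Behaviours reported for Cephalus. The Defender registry value names below are
# the well-known policy values, an assumption: the article does not name them.
SIDELOAD_HOST = "sentinelbrowsernativehost.exe"
SIDELOAD_DLL = "sentinelagentcore.dll"
S1_INSTALL_DIR = r"c:\program files\sentinelone"  # assumed legitimate location
DEFENDER_SERVICES = {"windefend", "wdnissvc", "sense", "securityhealthservice"}
CMD_RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("defender_exclusion", re.compile(r"Set-MpPreference\s+-Exclusion", re.I)),
    ("defender_registry_tamper", re.compile(r"Disable(Realtime|Behavior)Monitoring", re.I)),
    ("hidden_powershell", re.compile(r"powershell(\.exe)?\b.*-w(indowstyle)?\s+hidden", re.I)),
]
STOP_SERVICE = re.compile(r"Stop-Service\s+(?:-Name\s+)?['\"]?(\w+)", re.I)

def classify(event):
    """Return the Cephalus indicator names matched by one telemetry event (dict)."""
    hits = []
    if event["type"] == "imageload":
        image, loaded = event["image"].lower(), event["loaded"].lower()
        # Trusted SentinelOne binary resolving its agent DLL outside the install dir
        if image.endswith(SIDELOAD_HOST) and loaded.endswith(SIDELOAD_DLL) and not loaded.startswith(S1_INSTALL_DIR):
            hits.append("sentinelone_dll_sideload")
    elif event["type"] == "file":
        path = event["path"].lower()
        if path.endswith(".sss") or path.endswith("\\recover.txt"):
            hits.append("encryption_artifact")
    else:  # process creation with its command line
        cmd = event["cmdline"]
        hits += [name for name, rx in CMD_RULES if rx.search(cmd)]
        if any(s.lower() in DEFENDER_SERVICES for s in STOP_SERVICE.findall(cmd)):
            hits.append("defender_service_stop")
    return hits

def correlate(events, threshold=3):
    """Distinct indicators per host; only hosts reaching `threshold` are flagged."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]].update(classify(ev))
    return {h: sorted(i) for h, i in per_host.items() if len(i) >= threshold}
# Constructed sample telemetry, not from a real incident; WS02 alone stays below the threshold.
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "imageload", "image": r"C:\Users\Public\SentinelBrowserNativeHost.exe",
     "loaded": r"C:\Users\Public\SentinelAgentCore.dll"},
    {"host": "WS01", "type": "process", "cmdline": "vssadmin.exe delete shadows /all"},
    {"host": "WS01", "type": "process", "cmdline": "powershell.exe -w hidden Stop-Service -Name WinDefend; Stop-Service Sense"},
    {"host": "WS01", "type": "file", "path": r"C:\Users\bob\Documents\report.docx.sss"},
    {"host": "WS02", "type": "process", "cmdline": "vssadmin list shadows"},
]
```

Running `correlate(SAMPLE_EVENTS)` flags only WS01; the threshold keeps an isolated vssadmin query or a legitimately located SentinelOne DLL load from alerting on its own.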
