Recent months have seen increased activity in new ransomware operations, including HellCat and Morpheus. Analysis of payloads from both operations reveals that affiliates are using almost identical code. The ransomware samples, uploaded to VirusTotal in December 2024, share similarities in behavior and structure. Both use Windows Cryptographic API for encryption, exclude certain file extensions and folders, and do not alter file extensions after encryption. The ransom notes follow a similar template, with slight differences in contact details. Despite similarities with Underground Team ransomware notes, there's insufficient evidence to confirm a direct connection. Understanding shared code across these groups can improve detection efforts and threat intelligence.