Kyber ransomware hit Windows and ESXi in coordinated cross-platform attacks
Rapid7 reported that a Kyber ransomware affiliate deployed two distinct payloads in the same March 2026 intrusion, targeting both VMware ESXi infrastructure and Windows file servers to maximize operational disruption. The ESXi variant encrypted VMware datastore files, could optionally terminate virtual machines, and defaced SSH and web management interfaces with ransom notes. The Windows variant targeted core file systems and added broader impact features, including killing backup-, database-, and IIS-related services, deleting shadow copies, disabling recovery options, clearing event logs, and testing an experimental Hyper-V shutdown capability.
The two samples shared the same campaign ID and Tor-based negotiation and leak infrastructure, linking them to the same affiliate, but their internals differed sharply. Rapid7 found the ESXi payload falsely advertised post-quantum protection with Kyber1024; in practice, it used ChaCha8 with RSA-4096 key wrapping. By contrast, the Windows variant, written in Rust, appeared to implement the claimed hybrid scheme using AES-256-CTR, Kyber1024, and X25519. Public reporting indicates the group remains relatively new, with limited prior technical analysis and only one victim publicly listed on its extortion site: a large U.S. defense contractor and IT services provider.
Timeline
Apr 22, 2026
Kyber extortion site shows one publicly listed victim
At the time of BleepingComputer's reporting, only one victim was visible on the Kyber leak portal, described as a multi-billion-dollar American defense contractor and IT services provider. This reflected limited public victim disclosure despite the group's recent emergence.
Apr 21, 2026
Rapid7 analyzes Kyber's ESXi and Windows payloads
Rapid7 determined the ESXi variant could encrypt VMware datastores, terminate virtual machines, and deface SSH and web management interfaces, while the Windows variant could kill services, delete shadow copies, disable recovery, clear logs, and optionally shut down Hyper-V. The analysis also found the ESXi sample falsely claimed Kyber1024 encryption and actually used ChaCha8 with RSA-4096, whereas the Windows sample appeared to implement AES-256-CTR with Kyber1024 and X25519.
Mar 1, 2026
Kyber ransomware affiliate deploys ESXi and Windows variants in one incident
During a March 2026 incident response engagement, Rapid7 recovered two Kyber ransomware payloads used in the same attack: one targeting VMware ESXi and another targeting Windows file servers. The shared campaign ID and Tor-based ransom infrastructure indicated a coordinated cross-platform deployment by the same affiliate.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Threat Actors
Malware
Sources
1 more from sources like rapid7 blog
Related Stories
LockBit 5.0 Ransomware Expands Cross-Platform Attacks on Windows, Linux, and VMware ESXi
Acronis Threat Research Unit reported active campaigns using **LockBit 5.0**, a major update to the **LockBit** ransomware-as-a-service (RaaS) operation that broadens targeting across **Windows, Linux, and VMware ESXi** in coordinated intrusions. The variant continues **double extortion** (data theft plus encryption) and is positioned for enterprise impact by enabling attackers to hit endpoints, servers, and hypervisors—where a single ESXi compromise can disrupt many virtual machines at once. Reporting also notes the group’s claimed ability to operate against **Proxmox** virtualization environments, further expanding the potential attack surface in organizations adopting alternative hypervisors. Technical analysis highlights stronger and more enterprise-focused builds, with the **Windows** payload using advanced defense-evasion and anti-analysis techniques such as packing/obfuscation, **DLL unhooking**, **process hollowing**, and **ETW (Event Tracing for Windows) patching**, alongside log-clearing to reduce forensic visibility. The **Linux/ESXi** builds are described as less reliant on packing but use extensive string encryption to hinder detection, while maintaining strong encryption routines and using randomized file extensions; Acronis-linked reporting also cites faster encryption and continuity with LockBit 4’s design. Victimology cited in coverage indicates a heavy focus on the **U.S. business sector** and a broad spread across industries (including manufacturing, healthcare, education, financial services, and government), with dozens of recent leak-site postings used to pressure victims and demonstrate ongoing operational tempo despite law-enforcement disruption efforts.
1 months ago
CISA Flags VMware ESXi CVE-2025-22225 as Exploited in Ransomware Campaigns
The U.S. Cybersecurity and Infrastructure Security Agency (**CISA**) updated its Known Exploited Vulnerabilities (**KEV**) catalog to indicate that **CVE-2025-22225**, a high-severity VMware ESXi *VMX sandbox escape* flaw, is now **known to be used in ransomware campaigns**. Broadcom patched the issue in March 2025 as part of advisory `VMSA-2025-0004`, describing CVE-2025-22225 as an **arbitrary kernel write** reachable by an attacker with privileges in the `VMX` process, enabling escape from the VMX sandbox to the ESXi kernel. The same advisory also addressed two other zero-days—**CVE-2025-22224** (TOCTOU leading to out-of-bounds write/code execution as the VMX process) and **CVE-2025-22226** (HGFS out-of-bounds read/memory disclosure)—which Broadcom previously tagged as actively exploited in the wild. Reporting also tied the ESXi exploitation to earlier sophisticated activity: Huntress described Chinese-speaking threat actors leveraging access via a compromised SonicWall VPN to deliver tooling targeting VMware ESXi and chaining a VM escape technique that appeared to predate public disclosure of the March 2025 ESXi zero-days. Separately, GreyNoise research highlighted a broader KEV-catalog visibility gap, finding that CISA **quietly “flipped”** dozens of KEV entries during 2025 from “Unknown” to “Known” for ransomware use without prominent public notification—an approach that can materially affect enterprise prioritization when a vulnerability’s status changes to confirmed ransomware exploitation.
1 months ago
Attackers Use QEMU Hidden VMs to Steal Data and Deliver PayoutsKing Ransomware
Sophos reported that threat actors are increasingly abusing **QEMU** to launch hidden virtual machines on compromised systems, allowing credential theft, reconnaissance, covert access, data exfiltration, and ransomware staging to occur outside the visibility of many endpoint security tools. The activity was tied to two campaigns, `STAC4713` and `STAC3725`, in which attackers deployed lightweight Alpine Linux VMs that left minimal forensic evidence on the host while supporting tools such as AdaptixC2, Chisel, Rclone, `wg-obfuscator`, Impacket, BloodHound.py, Kerbrute, and Metasploit. `STAC4713` was linked to the **GOLD ENCOUNTER / PayoutsKing** ransomware operation and used scheduled tasks, reverse SSH tunnels, and QEMU-hosted tooling after gaining access through exposed SonicWall VPNs without MFA and exploitation of SolarWinds Web Help Desk `CVE-2025-26399`; Sophos said the group later also used phishing and fake Microsoft Teams IT support, and in some intrusions shifted from QEMU to Havoc C2 sideloading via `ADNotificationManager.exe` with exfiltration through Rclone. In `STAC3725`, attackers exploited **CitrixBleed2** (`CVE-2025-5777`), installed a malicious ScreenConnect client, created a rogue local administrator account, and used a QEMU VM to manually assemble an attack toolkit, underscoring a broader trend of adversaries using virtualization platforms including QEMU, Hyper-V, and VMware to evade detection and complicate incident response.
Today