Kyber ransomware hit Windows and ESXi in coordinated cross-platform attacks
Rapid7 reported that a Kyber ransomware affiliate deployed two distinct payloads in the same March 2026 intrusion, targeting both VMware ESXi infrastructure and Windows file servers to maximize operational disruption. The ESXi variant encrypted VMware datastore files, could optionally terminate virtual machines, and defaced SSH and web management interfaces with ransom notes. The Windows variant targeted core file systems and added broader impact features, including killing backup-, database-, and IIS-related services, deleting shadow copies, disabling recovery options, clearing event logs, and testing an experimental Hyper-V shutdown capability.
The two samples shared the same campaign ID and Tor-based negotiation and leak infrastructure, linking them to the same affiliate, but their internals differed sharply. Rapid7 found the ESXi payload falsely advertised post-quantum protection with Kyber1024; in practice, it used ChaCha8 with RSA-4096 key wrapping. By contrast, the Windows variant, written in Rust, appeared to implement the claimed hybrid scheme using AES-256-CTR, Kyber1024, and X25519. Public reporting indicates the group remains relatively new, with limited prior technical analysis and only one victim publicly listed on its extortion site: a large U.S. defense contractor and IT services provider.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Kyber extortion site shows one publicly listed victim
At the time of BleepingComputer's reporting, only one victim was visible on the Kyber leak portal, described as a multi-billion-dollar American defense contractor and IT services provider. This reflected limited public victim disclosure despite the group's recent emergence.
Rapid7 analyzes Kyber's ESXi and Windows payloads
Rapid7 determined the ESXi variant could encrypt VMware datastores, terminate virtual machines, and deface SSH and web management interfaces, while the Windows variant could kill services, delete shadow copies, disable recovery, clear logs, and optionally shut down Hyper-V. The analysis also found the ESXi sample falsely claimed Kyber1024 encryption and actually used ChaCha8 with RSA-4096, whereas the Windows sample appeared to implement AES-256-CTR with Kyber1024 and X25519.
Kyber ransomware affiliate deploys ESXi and Windows variants in one incident
During a March 2026 incident response engagement, Rapid7 recovered two Kyber ransomware payloads used in the same attack: one targeting VMware ESXi and another targeting Windows file servers. The shared campaign ID and Tor-based ransom infrastructure indicated a coordinated cross-platform deployment by the same affiliate.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
Kyber ransomware is not just post-quantum name-dropping | Derp
derp.ca
Open sourceKyber Ransomware Double Trouble: Windows and ESXi Attacks Explained - Infosec.Pub
infosec.pub
Open sourceIn a first, a ransomware family is confirmed to be quantum-safe - Ars Technica
arstechnica.com
Open sourceKyber ransomware targets Windows and ESXi with post-quantum encryption claims | brief | SC Media
scworld.com
Open sourceKyber ransomware gang toys with post-quantum encryption on Windows
bleepingcomputer.com
Open sourceKyber Ransomware Double Trouble: Windows and ESXi Attacks Explained
rapid7.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
LockBit 5.0 Ransomware Expands Cross-Platform Attacks on Windows, Linux, and VMware ESXi
Acronis Threat Research Unit reported active campaigns using **LockBit 5.0**, a major update to the **LockBit** ransomware-as-a-service (RaaS) operation that broadens targeting across **Windows, Linux, and VMware ESXi** in coordinated intrusions. The variant continues **double extortion** (data theft plus encryption) and is positioned for enterprise impact by enabling attackers to hit endpoints, servers, and hypervisors—where a single ESXi compromise can disrupt many virtual machines at once. Reporting also notes the group’s claimed ability to operate against **Proxmox** virtualization environments, further expanding the potential attack surface in organizations adopting alternative hypervisors. Technical analysis highlights stronger and more enterprise-focused builds, with the **Windows** payload using advanced defense-evasion and anti-analysis techniques such as packing/obfuscation, **DLL unhooking**, **process hollowing**, and **ETW (Event Tracing for Windows) patching**, alongside log-clearing to reduce forensic visibility. The **Linux/ESXi** builds are described as less reliant on packing but use extensive string encryption to hinder detection, while maintaining strong encryption routines and using randomized file extensions; Acronis-linked reporting also cites faster encryption and continuity with LockBit 4’s design. Victimology cited in coverage indicates a heavy focus on the **U.S. business sector** and a broad spread across industries (including manufacturing, healthcare, education, financial services, and government), with dozens of recent leak-site postings used to pressure victims and demonstrate ongoing operational tempo despite law-enforcement disruption efforts.
Mar 21, 2026
CISA Flags VMware ESXi CVE-2025-22225 as Exploited in Ransomware Campaigns
The U.S. Cybersecurity and Infrastructure Security Agency (**CISA**) updated its Known Exploited Vulnerabilities (**KEV**) catalog to indicate that **CVE-2025-22225**, a high-severity VMware ESXi *VMX sandbox escape* flaw, is now **known to be used in ransomware campaigns**. Broadcom patched the issue in March 2025 as part of advisory `VMSA-2025-0004`, describing CVE-2025-22225 as an **arbitrary kernel write** reachable by an attacker with privileges in the `VMX` process, enabling escape from the VMX sandbox to the ESXi kernel. The same advisory also addressed two other zero-days—**CVE-2025-22224** (TOCTOU leading to out-of-bounds write/code execution as the VMX process) and **CVE-2025-22226** (HGFS out-of-bounds read/memory disclosure)—which Broadcom previously tagged as actively exploited in the wild. Reporting also tied the ESXi exploitation to earlier sophisticated activity: Huntress described Chinese-speaking threat actors leveraging access via a compromised SonicWall VPN to deliver tooling targeting VMware ESXi and chaining a VM escape technique that appeared to predate public disclosure of the March 2025 ESXi zero-days. Separately, GreyNoise research highlighted a broader KEV-catalog visibility gap, finding that CISA **quietly “flipped”** dozens of KEV entries during 2025 from “Unknown” to “Known” for ransomware use without prominent public notification—an approach that can materially affect enterprise prioritization when a vulnerability’s status changes to confirmed ransomware exploitation.
Mar 21, 2026
ESXiArgs Ransomware Exploited Unpatched VMware ESXi Servers Worldwide
A large-scale **ESXiArgs** ransomware campaign hit internet-exposed VMware ESXi servers by exploiting a long-known vulnerability in the OpenSLP service, with incident responders and national authorities warning that many affected systems had not applied available patches. CERT-FR issued an alert on active exploitation affecting VMware ESXi, while broad reporting described widespread compromises across organizations globally as attackers encrypted virtual machine files and dropped ransom notes on hypervisors. VMware said the attacks did **not** stem from a newly discovered zero-day, but from exploitation of older, already patched weaknesses and insecurely exposed services on unsupported or unpatched ESXi versions. The incident renewed scrutiny of VMware security after earlier warnings that threat actors, including state-backed operators, had abused VMware flaws such as `CVE-2020-4006` for initial access, persistence, and privileged movement inside enterprise environments, underscoring the risk posed by internet-facing virtualization infrastructure that lags on patching and hardening.
May 25, 2026