{ "Event": { "analysis": "1", "date": "2026-04-26", "extends_uuid": "", "info": "[Threat Intel] Kyber ransomware is not just post-quantum name-dropping", "protected": false, "publish_timestamp": "1779545742", "published": true, "threat_level_id": "2", "timestamp": "1779545742", "uuid": "2331d60f-15c6-4f79-bb39-f15f8a940ebb", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"none-from-src\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-OTX\"", "relationship_type": "" }, { "colour": "#b2a633", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Service Stop - T1489\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Network Share Discovery - T1135\"", "relationship_type": "" }, { "colour": "#7d7034", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"", "relationship_type": "" }, { "colour": "#bf01b7", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Modify Registry - T1112\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Clear Windows Event Logs - T1070.001\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Permissions Modification - T1222\"", "relationship_type": "" }, { "colour": "#0c0051", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"", "relationship_type": "" }, { "colour": "#1cbe6b", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Virtualization/Sandbox Evasion - T1497\"", "relationship_type": "" }, { "colour": "#755c09", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"", "relationship_type": "" }, { "colour": "#b76d96", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"", "relationship_type": "" }, { "colour": "#e08bb2", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"", "relationship_type": "" }, { "colour": "#36d931", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Data Encrypted for Impact - T1486\"", "relationship_type": "" }, { "colour": "#16ca73", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"System Location Discovery - T1614\"", "relationship_type": "" }, { "colour": "#02475d", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Windows Command Shell - T1059.003\"", "relationship_type": "" }, { "colour": "#297c25", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Inhibit System Recovery - T1490\"", "relationship_type": "" }, { "colour": "#b8ab01", "local": false, "name": "misp-galaxy:target-information=\"United States\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:ransomware=\"kyber\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#130049", "local": false, "name": "rectifyq:sub-category=\"campaign-analysis\"", "relationship_type": "" }, { "colour": "#f1dfed", "local": false, "name": "rectifyq:TA-category=\"Ransomware\"", "relationship_type": "" }, { "colour": "#ffd12e", "local": false, "name": "rectifyq:target=\"broad-based\"", "relationship_type": "" }, { "colour": "#55acee", "local": false, "name": "rectifyq:MY-relevancy=\"potentially-relevant\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" }, { "colour": "#3d00e9", "local": false, "name": "rectifyq:action-taken=\"telegram\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777460412", "to_ids": false, "type": "link", "uuid": "0c23aa60-fa72-4860-9a66-d410dc3089f8", "value": "https://www.derp.ca/research/kyber-ransomware-hybrid-crypto/", "Tag": [ { "colour": "#6b003a", "local": true, "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"", "relationship_type": "" } ] }, { "category": "Other", "comment": "Description", "deleted": false, "disable_correlation": false, "timestamp": "1777460412", "to_ids": false, "type": "text", "uuid": "a285bfc3-d343-4ad1-92b3-2e7cfd68f424", "value": "A detailed technical analysis confirms that Kyber ransomware implements genuine hybrid post-quantum cryptography rather than mere branding. The Rust-based Windows variant encrypts files using AES-256-CTR with Kyber1024 and X25519 for key protection, appending a fixed 0x744-byte trailer containing encrypted metadata. Instrumented analysis validated the cryptographic implementation through fixture decryption but found no practical recovery path from the sample alone. The encryptor targets multiple file types, deploys standard recovery-inhibition techniques, and marks encrypted files with a .#~~~ extension. A separate ESXi variant was found to use different cryptography despite similar branding. As of April 2026, one victim was publicly listed: a large American defense contractor and IT services provider." }, { "category": "Other", "comment": "Summary", "deleted": false, "disable_correlation": false, "timestamp": "1777460412", "to_ids": false, "type": "text", "uuid": "5c0fa399-e306-4351-8a74-03a430430b9a", "value": "Name: Kyber ransomware is not just post-quantum name-dropping\nAuthor: AlienVault\nAdversary: \nTags: [\"post-quantum cryptography\", \"x25519\", \"aes-ctr encryption\", \"rust ransomware\", \"hybrid encryption\", \"file encryption\", \"kyber\", \"kyber1024\"]\nTgtd countries: [\"United States of America\"]\nMlwr families: [\"Kyber\"]\nAttack_ids: [\"T1489\", \"T1135\", \"T1082\", \"T1112\", \"T1070.001\", \"T1222\", \"T1083\", \"T1497\", \"T1059.001\", \"T1547.001\", \"T1027\", \"T1486\", \"T1614\", \"T1059.003\", \"T1490\"]\nIndustries: [\"Defense\", \"Technology\"]" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777688333", "to_ids": true, "type": "domain", "uuid": "8f9d5265-e568-441c-a503-b5e246aebac1", "value": "kyblogtz6k3jtxnjjvluee5ec4g3zcnvyvbgsnq5thumphmqidkt7xid.onion", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "No sample in VT\r\nLast check:02/05/2026", "deleted": false, "disable_correlation": false, "timestamp": "1779545734", "to_ids": true, "type": "md5", "uuid": "2052b839-bd22-4fb2-9b88-30e0120e6378", "value": "df2dba375800d76695d5ca37e5c72a50", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "No sample in VT\r\nLast check:02/05/2026", "deleted": false, "disable_correlation": false, "timestamp": "1779545736", "to_ids": true, "type": "md5", "uuid": "50d0a819-25b9-4923-9d56-33116f4abf1d", "value": "f9e1d038b1f5220e888b56e97881937f", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "No sample in VT\r\nLast check:02/05/2026", "deleted": false, "disable_correlation": false, "timestamp": "1779545738", "to_ids": true, "type": "sha256", "uuid": "45c85bce-af41-4f76-939f-eb01bf6de166", "value": "1b66614d63ce9f1b0b9f68464a93d826a3af7e08ccadcbc662f8444f0eaab6b9", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "No sample in VT\r\nLast check:02/05/2026", "deleted": false, "disable_correlation": false, "timestamp": "1779545740", "to_ids": true, "type": "sha256", "uuid": "79b148fa-3e96-4637-a242-d42f5720f3b1", "value": "5a5f2bfea416f4b9ed4e6e45d82df524c1d9fa5f99c08944f2bacdf5bf9f525d", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "No sample in VT\r\nLast check:02/05/2026", "deleted": false, "disable_correlation": false, "timestamp": "1779545742", "to_ids": true, "type": "sha256", "uuid": "7166e383-286d-46c7-86d3-de47d561f479", "value": "fcca04669f1a9c79786e29914563c772584fba1aebc58ce1fd17c8e11a1266ea", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777688354", "to_ids": true, "type": "url", "uuid": "4921f995-df3d-4b83-baf8-77bbc278549d", "value": "http://mlnmlnnrdhcaddwll4zqvfd2vyqsgtgj473gjoehwna2v4sizdukheyd.onion/chat/f9e1d038b1f5220e888b56e97881937f", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777688375", "to_ids": true, "type": "domain", "uuid": "cd2b4e73-e644-4828-a471-885f9f083eb6", "value": "mlnmlnnrdhcaddwll4zqvfd2vyqsgtgj473gjoehwna2v4sizdukheyd.onion", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1779545730", "uuid": "bf8e5203-fd24-4bd0-a4f1-296dc99fc308", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1779545729", "to_ids": true, "type": "md5", "uuid": "1e7c37c9-bffb-4199-ae8a-dacd4ecc2091", "value": "18498b1ff111ee9d9a037c280f75b720", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1779545730", "to_ids": true, "type": "sha1", "uuid": "7b62bf95-751a-4863-aa9f-314d4c137185", "value": "0e9a47782e39741a2c161bf639252d33ad3a428a", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1779545730", "to_ids": true, "type": "sha256", "uuid": "8e89b3ac-8335-41e3-a1b1-e7396aa88d30", "value": "4ed176edb75ae2114cda8cfb3f83ac2ecdc4476fa1ef30ad8c81a54c0a223a29", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1777687006", "to_ids": true, "type": "ssdeep", "uuid": "26d94359-3966-4680-9d13-aef5468cdab6", "value": "24576:jZgTpNZ+WIp82mx6gq+Jn5tNj32+t40VzQJSGR8cknOuP3S+hpDTFMs2UWz7vs75:WbnbdG+t40VzMSGR8zdpDTKs2N7YJlF" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1777687006", "to_ids": false, "type": "size-in-bytes", "uuid": "b19c3926-3813-4382-8504-6e6ae46949de", "value": "1907200" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1777687006", "to_ids": true, "type": "vhash", "uuid": "de27caa5-5a81-4648-9e77-25e58aeac5c7", "value": "016056655d15655218z643z63z3013z22z13fz" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1777687006", "to_ids": true, "type": "filename", "uuid": "c03d4556-082d-4547-b2ef-8aa5fd84a336", "value": "4ed176edb75ae2114cda8cfb3f83ac2ecdc4476fa1ef30ad8c81a54c0a223a29.exe.exe" }, { "category": "Other", "comment": "Checked: 02/05/2026\nLast-scan\t: 01/05/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1777687006", "to_ids": false, "type": "text", "uuid": "2ba37ab1-ede3-4956-94a0-38129aa84e6b", "value": "Type Description: Win32 EXE\nMicrosoft: Ransom:Win64/Kyber.A\nVT Total Detection:48/71\nFirst Submission:2025-10-16T08:45:33.000000+00:00\nLast Submission:2025-10-19T14:26:08.000000+00:00" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1779545733", "uuid": "452ba3e8-00b8-4f31-81da-a3a5cf20fbdc", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1779545732", "to_ids": true, "type": "md5", "uuid": "f2f43848-230c-423a-9a44-c6396acd1ad1", "value": "330de24dfbccc9ab177c45a11880811d", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1779545732", "to_ids": true, "type": "sha1", "uuid": "2637ea78-17bc-4b82-a7d9-a676f1910285", "value": "74832a5a360d3575dce6534dc8785dc392e7654b", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1779545733", "to_ids": true, "type": "sha256", "uuid": "0fdea12f-19fc-4568-ab72-835fb2e2bf31", "value": "ef054d22823758290db94aab3c901471a9ebd633f94963030806cc68dd433d8d", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1777687112", "to_ids": true, "type": "ssdeep", "uuid": "6553a177-16a7-4e22-88d2-6d71f4a24718", "value": "48:Dye72k2L2he2E292B4qmKbDl53LzmLtGjTfNt/m0PXcggKXvFgR3G0qcoMdL0a:xLWJngrgnrHmLtI7T/m0Eg/uZphXdYa" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1777687112", "to_ids": false, "type": "size-in-bytes", "uuid": "2fe4421d-7b40-4a98-9e0f-6b33c870f25c", "value": "3646" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1777687112", "to_ids": true, "type": "filename", "uuid": "379f8721-5614-4dcc-ad6e-3acc2dbd5107", "value": "read_me_now.txt" }, { "category": "Other", "comment": "Checked: 02/05/2026\nLast-scan\t: 01/05/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1777687112", "to_ids": false, "type": "text", "uuid": "69578f45-86aa-43c7-bbe9-55a68bd657ec", "value": "Type Description: Text\nMicrosoft: Trojan:Script/Wacatac.C!ml\nVT Total Detection:6/61\nFirst Submission:2025-10-16T08:51:17.000000+00:00\nLast Submission:2025-10-16T08:51:17.000000+00:00" } ] } ] } }