{
  "Event": {
    "analysis": "1",
    "date": "2026-04-21",
    "extends_uuid": "",
    "info": "[Threat Intel] Kyber Ransomware Double Trouble: Windows and ESXi Attacks Explained",
    "protected": false,
    "publish_timestamp": "1779544380",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1779544379",
    "uuid": "d2fe5bb3-1436-4e42-a595-cf13e3e94bb9",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#60a098",
        "local": false,
        "name": "misp-galaxy:producer=\"Rapid7\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#f8140a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows Management Instrumentation - T1047\"",
        "relationship_type": ""
      },
      {
        "colour": "#b2a633",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Service Stop - T1489\"",
        "relationship_type": ""
      },
      {
        "colour": "#5c57c8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows Service - T1543.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#aad818",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"SSH - T1021.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#d528b5",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows File and Directory Permissions Modification - T1222.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d7034",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
        "relationship_type": ""
      },
      {
        "colour": "#f5a258",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Native API - T1106\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Indirect Command Execution - T1202\"",
        "relationship_type": ""
      },
      {
        "colour": "#bf01b7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Modify Registry - T1112\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Clear Windows Event Logs - T1070.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0c0051",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"",
        "relationship_type": ""
      },
      {
        "colour": "#1cbe6b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Virtualization/Sandbox Evasion - T1497\"",
        "relationship_type": ""
      },
      {
        "colour": "#755c09",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#e43954",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Disable or Modify Tools - T1562.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#36d931",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data Encrypted for Impact - T1486\"",
        "relationship_type": ""
      },
      {
        "colour": "#a05856",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data Destruction - T1485\"",
        "relationship_type": ""
      },
      {
        "colour": "#fae37b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Service Execution - T1569.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#297c25",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Inhibit System Recovery - T1490\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#10003d",
        "local": false,
        "name": "rectifyq:sub-category=\"TA-profile\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"Ransomware\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:ransomware=\"kyber\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776913214",
        "to_ids": false,
        "type": "link",
        "uuid": "053c11ad-1a8c-4eec-ab61-99877ea7e718",
        "value": "https://www.rapid7.com/blog/post/tr-kyber-ransomware-double-trouble-windows-esxi-attacks-explained/"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776913214",
        "to_ids": false,
        "type": "text",
        "uuid": "1abe0f34-d134-400f-96dd-54601c42d9a9",
        "value": "Kyber ransomware represents a significant threat through dual-platform deployment capabilities targeting VMware ESXi virtualization infrastructure and Windows file systems. During a March 2026 incident response engagement, two Kyber payloads were recovered from the same environment. The ESXi variant, written in C++, specifically targets VMware environments with datastore encryption, VM termination, and management interface defacement capabilities. The Windows variant, written in Rust, includes experimental Hyper-V targeting features. Both samples share campaign identifiers and Tor-based infrastructure, confirming coordinated cross-platform operations. Despite advertising post-quantum Kyber1024 encryption, the ESXi variant actually uses ChaCha8 with RSA-4096 key wrapping, while the Windows variant implements the claimed AES-256-CTR with Kyber1024 hybrid scheme. The ransomware includes anti-recovery measures, service termination, and effective encryption strategies designed to cause complete operational disr..."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776913214",
        "to_ids": false,
        "type": "text",
        "uuid": "ed464d67-037b-47b1-8c8d-2cb164bdfe7c",
        "value": "Name: Kyber Ransomware Double Trouble: Windows and ESXi Attacks Explained\nAuthor: AlienVault\nAdversary: Kyber\nTags: [\"rust\", \"virtualization\", \"chacha8\", \"hyper-v\", \"vmware\", \"esxi\", \"cross-platform\", \"kyber\"]\nTgtd countries: []\nMlwr families: [\"Kyber\"]\nAttack_ids: [\"T1047\", \"T1489\", \"T1543.003\", \"T1021.004\", \"T1222.001\", \"T1082\", \"T1106\", \"T1202\", \"T1112\", \"T1070.001\", \"T1083\", \"T1497\", \"T1059.001\", \"T1562.001\", \"T1027\", \"T1486\", \"T1485\", \"T1569.002\", \"T1490\"]\nIndustries: []"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776913214",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "c9919697-7aa4-4a38-89f0-a5758f0f5171",
        "value": "Kyber"
      },
      {
        "category": "Payload delivery",
        "comment": "Windows Rust binary; no sample in VT\r\nLast check: 26/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779544378",
        "to_ids": true,
        "type": "sha256",
        "uuid": "b12abfd5-c6d1-4df7-b4d8-e37b1f6eb3b7",
        "value": "45bff0df2c408b3f589aed984cc331b617021ecbea57171dac719b5f545f5e8d",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Linux/ESXi ELF binary; no sample in VT\r\nLast check: 26/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779544379",
        "to_ids": true,
        "type": "sha256",
        "uuid": "10df1b26-dcd0-4378-88a1-8f67929ef18a",
        "value": "6ccacb7567b6c0bd2ca8e68ff59d5ef21e8f47fc1af70d4d88a421f1fc5280fc",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779544376",
        "uuid": "a7017454-f5ea-4d0d-baf8-6406f31a1327",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Old Windows Variant",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779544375",
            "to_ids": true,
            "type": "md5",
            "uuid": "aee922dc-90c4-4850-a6b8-3302b7037c67",
            "value": "18498b1ff111ee9d9a037c280f75b720",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Old Windows Variant",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779544375",
            "to_ids": true,
            "type": "sha1",
            "uuid": "75a35bb9-2e83-4151-9bff-bd13477b6dd7",
            "value": "0e9a47782e39741a2c161bf639252d33ad3a428a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Old Windows Variant",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779544376",
            "to_ids": true,
            "type": "sha256",
            "uuid": "abc9dc40-87b8-467c-a50a-1688151c7e74",
            "value": "4ed176edb75ae2114cda8cfb3f83ac2ecdc4476fa1ef30ad8c81a54c0a223a29",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777213375",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "70695ae7-b1f0-46c1-9e54-4c01cbf0d2bf",
            "value": "24576:jZgTpNZ+WIp82mx6gq+Jn5tNj32+t40VzQJSGR8cknOuP3S+hpDTFMs2UWz7vs75:WbnbdG+t40VzMSGR8zdpDTKs2N7YJlF"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777213375",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "da121c31-0e0d-4d41-9275-6da11e615f34",
            "value": "1907200"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777213375",
            "to_ids": true,
            "type": "vhash",
            "uuid": "abb513ef-0b48-403c-ada0-821033f414da",
            "value": "016056655d15655218z643z63z3013z22z13fz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777213375",
            "to_ids": true,
            "type": "filename",
            "uuid": "3e8fb861-f6c5-46de-b744-bd71ca7fa4b2",
            "value": "4ed176edb75ae2114cda8cfb3f83ac2ecdc4476fa1ef30ad8c81a54c0a223a29.exe.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 26/04/2026\nLast scan: 25/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777213375",
            "to_ids": false,
            "type": "text",
            "uuid": "83fcc8a6-e053-4af5-994e-7589ae933230",
            "value": "Old Windows Variant\r\nType Description: Win32 EXE\nMicrosoft: Ransom:Win64/Kyber.A\nVT Total Detection:47/71\nFirst Submission:2025-10-16T08:45:33.000000+00:00\nLast Submission:2025-10-19T14:26:08.000000+00:00"
          }
        ]
      }
    ]
  }
}