{
  "name": "Kyber Ransomware Double Trouble: Windows and ESXi Attacks Explained",
  "slug": "kyber-ransomware-double-trouble-windows-and-esxi-attacks-explained",
  "description": "Kyber ransomware represents a significant threat through dual-platform deployment capabilities targeting VMware ESXi virtualization infrastructure and Windows file systems. During a March 2026 incident response engagement, two Kyber payloads were recovered from the same environment. The ESXi variant, written in C++, specifically targets VMware environments with datastore encryption, VM termination, and management interface defacement capabilities. The Windows variant, written in Rust, includes experimental Hyper-V targeting features. Both samples share campaign identifiers and Tor-based infrastructure, indicating a coordinated cross-platform operation. Despite advertising post-quantum Kyber1024 encryption, the ESXi variant actually uses ChaCha8 with RSA-4096 key wrapping, while the Windows variant implements the claimed AES-256-CTR with Kyber1024 hybrid scheme. Note that this discrepancy is a marketing inconsistency rather than a cryptographic weakness: a ChaCha8 file key wrapped with RSA-4096 is still not recoverable without the operator's private key, so responders should not assume the ESXi variant is decryptable. The ransomware includes anti-recovery measures, service termination, and encryption strategies designed to cause complete operational disruption.",
  "published": "2026-04-22T10:39:42+00:00",
  "created_at": "2026-04-22T10:39:42+00:00",
  "modified_at": "2026-04-22T13:32:12+00:00",
  "created_at_opencti": "2026-04-22T10:39:42+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-04-22",
    "chacha8",
    "cross-platform",
    "esxi",
    "hyper-v",
    "kyber",
    "rust",
    "virtualization",
    "vmware"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "45bff0df2c408b3f589aed984cc331b617021ecbea57171dac719b5f545f5e8d"
      },
      {
        "id": "",
        "name": "4ed176edb75ae2114cda8cfb3f83ac2ecdc4476fa1ef30ad8c81a54c0a223a29"
      },
      {
        "id": "",
        "name": "6ccacb7567b6c0bd2ca8e68ff59d5ef21e8f47fc1af70d4d88a421f1fc5280fc"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:40127682f60733e4",
        "name": "Kyber",
        "slug": "kyber"
      }
    ],
    "intrusion_sets": [
      {
        "id": "9107bdcd-c0ef-4f9b-9dff-c1f5a7b7407f",
        "name": "Kyber",
        "slug": "kyber"
      }
    ],
    "attack_patterns": [
      {
        "id": "f65930b0-5581-4f3d-a367-a86ac78f407b",
        "name": "T1021.004"
      },
      {
        "id": "67c697ce-a6cc-475f-9bee-e14c1bef7067",
        "name": "T1047"
      },
      {
        "id": "32817170-4c07-427e-b8a5-80a733ae2550",
        "name": "T1497"
      },
      {
        "id": "d9f271ed-7685-4362-b90d-f16a14102f39",
        "name": "T1489"
      },
      {
        "id": "39c253d6-7ca2-4312-9b24-c2a9660e70f7",
        "name": "T1222.001"
      },
      {
        "id": "ecaaa4cc-d487-4002-bcb2-f769acfcc38f",
        "name": "T1490"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "09124a92-c11f-4571-b35b-ab0bce6dd081",
        "name": "T1112"
      },
      {
        "id": "f1bb7823-4f4b-4565-b472-bf0cfca467b1",
        "name": "T1486"
      },
      {
        "id": "60972cf6-e90b-4600-af3c-13c468391d9c",
        "name": "T1106"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "7f00bfa7-4116-4294-a80f-724681b7ce85",
        "name": "T1202"
      },
      {
        "id": "c1e3fabe-9e8b-4e8f-a1f8-bf23e234e770",
        "name": "T1485"
      },
      {
        "id": "7364ca96-72bf-4b7f-afef-ce2583b1ed58",
        "name": "T1562.001"
      },
      {
        "id": "b15c00da-c412-4429-900c-659de612baf5",
        "name": "T1543.003"
      },
      {
        "id": "da44e22e-1925-42e4-b30d-ac38860d39bb",
        "name": "T1070.001"
      },
      {
        "id": "1eef7f88-3992-4add-899e-a7cc9fcdd5b3",
        "name": "T1569.002"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      }
    ]
  },
  "external_refs": [
    "https://otx.alienvault.com/pulse/69e8c18ece091934fe2136f5",
    "https://www.rapid7.com/blog/post/tr-kyber-ransomware-double-trouble-windows-esxi-attacks-explained/"
  ]
}