Kyber Ransomware Targets Windows, VMware with Post-Quantum Encryption

"The ESXi variant is specifically built for VMware environments, with capabilities for datastore encryption, optional virtual machine termination, and defacement of management interfaces," explains Rapid7.

Two Kyber variants found on the same network in March 2026

Rapid7 retrieved and analyzed two distinct Kyber ransomware variants in March 2026 during an incident response. Both were deployed on the same network, carried the same campaign ID, and used the same Tor-based ransom infrastructure, indicating a single affiliate executed a coordinated effort to hit VMware ESXi hosts and Windows file servers at once. BleepingComputer reported one listed victim on the Kyber data extortion portal: a multi-billion-dollar American defense contractor and IT services provider.

What the ESXi variant actually does — and what it does not

Rapid7's analysis shows the ESXi variant is engineered for VMware environments: it enumerates all virtual machines, encrypts datastore files, can optionally terminate running virtual machines, and defaces the ESXi management interfaces to steer victims toward ransom payment and recovery. Although the encryptor advertises "post-quantum" Kyber1024-based encryption, Rapid7 found that claim to be false for the Linux ESXi encryptor: the build contains no Kyber at all.

Instead, the Linux ESXi variant uses ChaCha8 for file encryption and RSA-4096 to wrap the symmetric keys. Encrypted files are renamed with the ".xhsyw" extension, and how much of each file is encrypted depends on its size: files under 1 MB are encrypted in full; files between 1 MB and 4 MB have only their first megabyte encrypted; files larger than 4 MB are encrypted intermittently according to the operator's configuration. For the middle band this means most of the file's bytes are never touched, which matters to anyone triaging what can still be read from an encrypted datastore.
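The size-based rules above are easy to misread in prose, so here is an added Python model of them (written for this page, not code from Rapid7 or from the ransomware). It computes which byte ranges the ESXi encryptor would overwrite for a given file size and which ranges survive as plaintext. Two things are assumptions rather than facts from the report: "MB" is treated as MiB, and the intermittent mode for large files is modelled as "encrypt CHUNK bytes, then skip ahead to the next STRIDE boundary" with illustrative values, since the real chunk and stride live in the operator's configuration.

```python
"""Added model of the Kyber ESXi encryptor's size-based file treatment.

From the Rapid7 description: files under 1 MB are encrypted in full, files of
1 MB to 4 MB have only their first megabyte encrypted, and larger files are
encrypted intermittently per the operator's configuration.

Assumptions not taken from the report: "MB" is treated as MiB, and the
intermittent mode is modelled as "encrypt CHUNK bytes, skip to the next
STRIDE boundary" with illustrative CHUNK and STRIDE values.
"""

MIB = 1024 * 1024
FULL_LIMIT = 1 * MIB     # below this size the whole file is encrypted
HEADER_LIMIT = 4 * MIB   # up to this size only the first MiB is encrypted

# Assumed intermittent parameters (illustrative, not the operator's real config).
CHUNK = 1 * MIB
STRIDE = 4 * MIB


def encrypted_ranges(size, chunk=CHUNK, stride=STRIDE):
    """Return [(start, end), ...] byte ranges the encryptor would overwrite."""
    if size <= 0:
        return []
    if size < FULL_LIMIT:
        return [(0, size)]
    if size <= HEADER_LIMIT:
        return [(0, MIB)]
    ranges = []
    offset = 0
    while offset < size:
        ranges.append((offset, min(offset + chunk, size)))
        offset += stride
    return ranges


def plaintext_gaps(size, chunk=CHUNK, stride=STRIDE):
    """Return the byte ranges left untouched: what an analyst can still read."""
    gaps = []
    cursor = 0
    for start, end in encrypted_ranges(size, chunk, stride):
        if start > cursor:
            gaps.append((cursor, start))
        cursor = end
    if cursor < size:
        gaps.append((cursor, size))
    return gaps


def encrypted_fraction(size, chunk=CHUNK, stride=STRIDE):
    """Fraction of the file's bytes that end up as ciphertext."""
    if size <= 0:
        return 0.0
    touched = sum(end - start for start, end in encrypted_ranges(size, chunk, stride))
    return touched / size


if __name__ == "__main__":
    # Constructed sample sizes: a small config file, a mid-sized log, a large disk image.
    for name, size in [("guest.vmx", 3 * 1024), ("vmware.log", 2 * MIB), ("disk.vmdk", 40 * MIB)]:
        print(f"{name:>10} {size:>10} B  encrypted {encrypted_fraction(size):.0%}  "
              f"plaintext gaps {plaintext_gaps(size)}")
```

The useful output is `plaintext_gaps`: for a 2 MiB file only the first MiB is ciphertext, so half of it is still readable, and for large files the recoverable share depends entirely on the unknown chunk and stride, which is why those two values are worth pulling from the sample's configuration during analysis.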

Windows variant: Rust codebase, Kyber1024 for key protection, and destructive anti-recovery measures

The Windows variant, written in Rust, does implement Kyber1024 and X25519, but not to encrypt bulk data directly. Rapid7 explains that Kyber1024 protects the symmetric key material while AES-CTR performs the bulk file encryption; the post-quantum primitive sits at the key-wrapping layer, the same layer RSA-4096 occupies in the ESXi build. The Windows encryptor appends ".#~~~" to encrypted files and is built to remove recovery paths: it stops SQL, Exchange, and backup services, deletes backups and shadow copies, clears event logs, empties the Windows Recycle Bin, and disables boot repair. The Windows build also includes an experimental capability to shut down Hyper-V virtual machines.
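The anti-recovery behaviour is where defenders get their earliest, most reliable signal, because each of those actions leaves a process-creation record. The following Python is an added example (not Rapid7's code and not the encryptor's) that runs simple detection logic over constructed process-creation log lines and flags a host once several distinct recovery paths are removed. The command lines it matches are the usual Windows built-ins for these actions (vssadmin, wmic, bcdedit, wevtutil, wbadmin, net/sc stop); they are an assumption about typical tooling, not commands quoted from the report, and the tab-separated log format is likewise assumed.

```python
"""Added detection logic for the anti-recovery behaviour attributed to the
Windows encryptor: shadow copy deletion, boot repair disabled, event logs
cleared, backup catalogs removed, SQL/Exchange/backup services stopped.

The command lines matched below are the usual Windows built-ins for those
actions; they are an assumption about typical tooling, not commands quoted
from the Rapid7 report.  The log lines are constructed for this example.
Assumed input format: tab-separated "timestamp host user commandline".
"""
import re
from collections import defaultdict

RECOVERY_TAMPERING = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow_copy_deletion", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("boot_repair_disabled", re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\S+\s+recoveryenabled\s+no\b", re.I)),
    ("boot_repair_disabled", re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\S+\s+bootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("event_log_cleared", re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("backup_catalog_deleted", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)\b", re.I)),
    ("service_stopped", re.compile(r"\b(net|net1|sc)(\.exe)?\s+stop\s+\S*(sql|exchange|backup)", re.I)),
]

# Constructed sample log: one admin listing shadows (benign), then a burst of
# tampering on FS01, then an unrelated query on a workstation.
SAMPLE_LOG = """\
2026-03-12T02:14:03Z\tFS01\tCORP\\svc_backup\tvssadmin list shadows
2026-03-12T02:14:09Z\tFS01\tCORP\\Administrator\tvssadmin.exe delete shadows /all /quiet
2026-03-12T02:14:10Z\tFS01\tCORP\\Administrator\tbcdedit /set {default} recoveryenabled No
2026-03-12T02:14:10Z\tFS01\tCORP\\Administrator\tbcdedit /set {default} bootstatuspolicy ignoreallfailures
2026-03-12T02:14:12Z\tFS01\tCORP\\Administrator\twevtutil cl Security
2026-03-12T02:14:15Z\tFS01\tCORP\\Administrator\tnet stop MSSQLSERVER /y
2026-03-12T02:20:00Z\tWS07\tCORP\\jdoe\twevtutil qe Application /c:5
"""


def parse(line):
    """Split one log line into its four fields, or return None if malformed."""
    parts = line.rstrip("\n").split("\t", 3)
    if len(parts) != 4:
        return None
    ts, host, user, cmd = parts
    return {"ts": ts, "host": host, "user": user, "cmd": cmd}


def scan(lines):
    """Return one finding per log line whose command line matches a pattern."""
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        for category, pattern in RECOVERY_TAMPERING:
            if pattern.search(rec["cmd"]):
                findings.append({**rec, "category": category})
                break  # one finding per line is enough
    return findings


def flag_hosts(findings, min_categories=2):
    """Map host -> number of distinct tampering behaviours, for hosts at or
    above min_categories.  A lone shadow-copy deletion has benign admin
    explanations; several different recovery paths removed on one host do not."""
    per_host = defaultdict(set)
    for f in findings:
        per_host[f["host"]].add(f["category"])
    return {h: len(c) for h, c in per_host.items() if len(c) >= min_categories}


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG.splitlines())
    for f in hits:
        print(f"{f['ts']} {f['host']:<5} {f['category']:<22} {f['cmd']}")
    print("hosts flagged:", flag_hosts(hits))
```

Matching on distinct categories per host rather than on any single command is the design choice that keeps this from paging on routine administration; the `vssadmin list shadows` and `wevtutil qe` lines never match, and only FS01, with four different recovery paths removed, is flagged.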

Rapid7 characterized the Windows variant as more technically mature than the ESXi variant, and noted an unusual choice of a mutex in the Windows code that appears to reference a song on the Boomplay music platform.

Shared infrastructure and operational intent

Both samples shared the same campaign ID and Tor-based ransom infrastructure, which Rapid7 and reporting interpret as evidence that a single affiliate sought to maximize impact by encrypting ESXi datastores and Windows file servers simultaneously. Rapid7's explicit observation — that Kyber is used for key protection rather than file encryption — is central: whether the encryptor uses RSA-4096 or Kyber1024, files remain unrecoverable without access to the attacker's private key.

What this means for technologists, procurement leaders, and adversaries

  • Technologists and security teams: Expect mixed toolchains in modern ransomware samples; one build may advertise post-quantum primitives while another on the same network uses conventional RSA and symmetric ciphers. Rapid7's findings illustrate that what determines recovery prospects is access to the private key that unwraps the per-file symmetric keys, not which asymmetric primitive did the wrapping.
  • Procurement and enterprise IT leaders: The presence of coordinated ESXi and Windows variants on the same network underscores the need to protect virtualization management interfaces and to verify backup integrity beyond simple presence — attackers are explicitly targeting datastore files, backups, and shadow copies.
  • Adversaries and affiliates: The campaign demonstrates an operational preference for combining specialized tooling (an ESXi-focused encryptor) with a more feature-rich Windows encryptor to broaden impact and complicate recovery.

Rapid7's analysis leaves a clear operational fact on the table: the appearance of post-quantum cryptography in a ransomware sample is notable, but not determinative. In these incidents, Kyber1024 functions as a key-wrapping primitive in the Windows build while the ESXi Linux encryptor continues to rely on ChaCha8 and RSA-4096. From the victim's perspective, the cryptographic label attached to the sample changes the technical vocabulary of the incident report but not the central reality — encrypted data cannot be recovered without the attacker's private keys.
