kyber
Kyber is a relatively new cross-platform ransomware group/family that surfaced in September 2025 and has gained visibility through incidents involving coordinated deployment against Windows and VMware ESXi environments. Reporting cited here describes Kyber ransomware operations targeting Windows file servers and VMware ESXi infrastructure in the same victim environment, indicating cross-environment targeting intended to disrupt both core file systems and virtualization infrastructure. The group uses distinct encryptors for different platforms: a Rust-based Windows variant and a C++ Linux/ESXi variant. The ESXi variant targets VMware datastores, can optionally enumerate and gracefully terminate running virtual machines, recursively encrypt datastore contents, drop ransom notes, and deface SSH and VMware web management interfaces. The Windows variant includes anti-recovery and operational disruption features when run with elevated privileges, including terminating backup-, VSS-, Exchange-, Veeam-, SQL-, and IIS-related services, deleting shadow copies, disabling recovery settings, clearing event logs, and emptying the recycle bin. Rapid7 also observed an experimental Hyper-V shutdown capability in the Windows variant. Kyber uses shared campaign identifiers and Tor-based negotiation and leak infrastructure across variants, supporting the assessment that deployments are coordinated across platforms. The operation has been specifically noted for claimed or selective use of Kyber1024 post-quantum cryptography. However, Rapid7 found that the ESXi ransom note falsely claimed Kyber1024/X25519/AES-256-CTR usage, while the analyzed ESXi sample actually used ChaCha8 with RSA-4096 key wrapping and showed no evidence of post-quantum cryptography. In contrast, the analyzed Windows variant appeared to implement the advertised AES-256-CTR, Kyber1024, and X25519 hybrid scheme. Based on the provided content, Kyber is described as a ransomware operation/group rather than a nation-state actor. No additional aliases or sub-groups beyond "kyber" are provided in the source material.
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Tradecraft
14 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
Recent activity
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A ransomware operation experimenting with post-quantum cryptography and coordinated attacks across Windows and VMware ESXi environments.
A relatively new ransomware operation targeting Windows and VMware ESXi infrastructures, with specialized encryptors for each environment and destructive capabilities focused on virtualization platforms.
Cross-platform ransomware operations targeting Linux/ESXi and Windows environments, with coordinated deployment against virtualization infrastructure and file servers. The group uses dual-platform payloads, Tor-based ransom infrastructure, VM shutdown capabilities, and anti-recovery actions to maximize operational disruption.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.