Kuiper
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
"...others support or sell ESXi encryptors like Akira, Black Basta, Babuk, Lockbit, and Kuiper."
Groups observed using it
5 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
We identified 14 distinct RaaS programs: ... KUIPER (Sep 2023) ... “RobinHood” stands out as a dual-role threat actor: selling corporate access ... while simultaneously operating the KUIPER RaaS program targeting Windows, Linux, ESXi, NAS, MacOS, and FreeBSD.
"...others support or sell ESXi encryptors like Akira, Black Basta, Babuk, Lockbit, and Kuiper."
"...others support or sell ESXi encryptors like Akira, Black Basta, Babuk, Lockbit, and Kuiper."
"...others support or sell ESXi encryptors like Akira, Black Basta, Babuk, Lockbit, and Kuiper."
"...others support or sell ESXi encryptors like Akira, Black Basta, Babuk, Lockbit, and Kuiper."
Techniques & procedures
4 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
1 techniqueRobinHood stands out as a dual-role threat actor... operating the KUIPER RaaS program targeting Windows, Linux, ESXi, NAS, MacOS, and FreeBSD.
Lateral Movement
2 techniquesThe most common access type was RDP (Remote Desktop Protocol), appearing in 59 listings... By late 2023, VPN access listings had grown significantly, reflecting a shift in attack methodology.
SSH access, virtually absent in 2022, appeared in nine listings during Q2-Q3 2023 — mostly from sellers “xss_0x2” (12 SSH listings total) and “dayone31337_blardo” (4 SSH listings for Chinese and Korean targets).
Impact
1 techniqueRAMP hosted 60 threads in its dedicated RaaS section, where ransomware operators recruit affiliates... We identified 14 distinct RaaS programs: AvosLocker, Conti, Luna, BEAST, Nevada, CryptNet, Knight 3.0, NoEscape, Bl00dy, KUIPER, UBUD, PHOBOS, Zeppelin2, Wing 1.0.
IOCs tracked for this family
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
Recent activity
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A ransomware-as-a-service program advertised on RAMP, described as targeting Windows, Linux, ESXi, NAS, MacOS, and FreeBSD systems.
Ransomware/ESXi encryptor referenced as being supported or sold by ransomware actors targeting ESXi hypervisors for mass encryption.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.