A New Threat Actor Emerges With Dual-Platform Capabilities
A previously unknown ransomware group operating under the name Kyber has been observed attacking Windows file servers and VMware ESXi infrastructure in coordinated campaigns. The group's toolset is notable for incorporating Kyber1024 post-quantum key encapsulation in at least one of its encryptors — a relatively rare feature among ransomware operations to date.
Cybersecurity firm Rapid7 recovered and analyzed two distinct Kyber variants in March 2026 while responding to a customer incident. Both encryptors were deployed against the same target network: one was tailored for VMware ESXi infrastructure, while the other focused exclusively on Windows file servers.
Two Variants, One Campaign
Despite their different targets, both variants shared the same campaign identifier and communicated with the same Tor-based ransom payment infrastructure, indicating they were deployed by a single ransomware affiliate. The simultaneous targeting of ESXi hosts and Windows servers appears designed to maximize encryption coverage and pressure victims into paying quickly.
As Rapid7 described it, "The ESXi variant is specifically built for VMware environments, with capabilities for datastore encryption, optional virtual machine termination, and defacement of management interfaces." Meanwhile, "the Windows variant, written in Rust, includes a self-described 'experimental' feature for targeting Hyper-V."
At the time of writing, BleepingComputer identified only one listed victim on the Kyber data extortion portal: a multi-billion-dollar American defense contractor and IT services provider.
The ESXi Variant: Post-Quantum Claims That Don't Hold Up
The ESXi encryptor enumerates all virtual machines on the compromised infrastructure, encrypts datastore files, and then defaces ESXi management interfaces with ransom notes to guide victims through payment and recovery steps. The group advertises post-quantum encryption powered by Kyber1024 key encapsulation, but Rapid7's analysis found these claims to be false for the Linux-based ESXi encryptor.
In reality, the ESXi variant uses ChaCha8 for file-level encryption and RSA-4096 for key wrapping — neither of which is post-quantum resistant. The encryption behavior varies by file size:
- Files smaller than 1 MB are encrypted in their entirety and appended with the .xhsyw extension.
- Files between 1 MB and 4 MB have only their first megabyte encrypted.
- Files larger than 4 MB are intermittently encrypted based on the operator's configuration.
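As an added, defender-side illustration of the size tiers above (not code from Rapid7 or the original article): the first function maps a file size to the byte ranges the report says the ESXi encryptor touches, and a chunked entropy scan measures where the ciphertext actually is, which is the only way to characterise the operator-configured tier above 4 MB and to see how much plaintext a recovery effort can still carve from a partially encrypted file. The sample data is constructed with a seeded generator, not a real Kyber artifact.

```python
import math
from collections import Counter
from random import Random

MB = 1024 * 1024
ESXI_EXT = ".xhsyw"  # extension the report attributes to the ESXi variant

def expected_encrypted_ranges(size):
    """Byte ranges the report says the ESXi encryptor touches, by size tier.
    Returns None above 4 MB: that tier is intermittent and operator-configured,
    so it has to be measured (scan_high_entropy) rather than assumed."""
    if size < MB:
        return [(0, size)]
    if size <= 4 * MB:
        return [(0, MB)]
    return None

def shannon_entropy(buf):
    """Bits per byte: 0.0 for empty input, close to 8.0 for ciphertext."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())

def scan_high_entropy(data, chunk=64 * 1024, threshold=7.0):
    """Chunked entropy scan; returns merged (start, end) ranges that look like
    ciphertext. Works for any tier, including the operator-configured one."""
    ranges = []
    for off in range(0, len(data), chunk):
        if shannon_entropy(data[off:off + chunk]) >= threshold:
            end = min(off + chunk, len(data))
            if ranges and ranges[-1][1] == off:
                ranges[-1] = (ranges[-1][0], end)
            else:
                ranges.append((off, end))
    return ranges

def recoverable_bytes(size, ranges):
    """Plaintext outside the encrypted ranges: what a recovery effort can
    still carve from the file without the attacker's private key."""
    return size - sum(end - start for start, end in ranges)

def make_sample(size, encrypted_prefix, seed=1):
    """Constructed test file: seeded pseudo-random bytes for the encrypted
    prefix, repetitive log text for the untouched tail. Not a real artifact."""
    head = Random(seed).randbytes(encrypted_prefix)
    line = b"hostd log line, vm=web01, status=ok\n"
    tail = (line * (size // len(line) + 1))[:size - encrypted_prefix]
    return head + tail
```

For a 3 MB file in the middle tier the scan should report only the first megabyte as ciphertext, leaving 2 MB of recoverable plaintext; on a file above 4 MB the scan output is the evidence for how the intermittent mode was configured.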
The Windows Variant: Where Post-Quantum Encryption Actually Appears
Unlike its ESXi counterpart, the Windows variant — written in Rust — does genuinely implement post-quantum cryptography. Rapid7 confirmed that it uses Kyber1024 combined with X25519 for key protection, which aligns with what the ransom note actually claims.
However, an important technical distinction applies here. As Rapid7 clarified, "This confirms that Kyber is not used for direct file encryption. Instead, Kyber1024 protects the symmetric key material, while AES-CTR handles bulk data encryption." In other words, the post-quantum component wraps the encryption keys rather than encrypting files directly.
From a victim's perspective, this distinction changes nothing. Whether the key wrapping mechanism relies on RSA or Kyber1024, files remain completely unrecoverable without access to the attacker's private key.
Aggressive Recovery Obstruction on Windows
The Windows variant appends the .#~~~ extension to encrypted files and is engineered to eliminate as many data recovery paths as possible. Its destructive capabilities include:
- Terminating running services and killing SQL, Exchange, and backup-related processes
- Deleting Volume Shadow Copies and disabling boot repair
- Clearing Windows Event Logs
- Wiping the Windows Recycle Bin
- An experimental feature designed to shut down Hyper-V virtual machines
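An added detection example, not from the report or the original article: it classifies constructed process-creation and log-clear events against the recovery-obstruction behaviours listed above and flags a host that shows several of them together. The command-line patterns are assumed typical forms of each behaviour (shadow copy deletion, disabling boot repair, event log clearing, stopping database or backup processes), not strings recovered from the Kyber Windows sample; hostnames and events are constructed.

```python
import re

# Patterns for the recovery-obstruction behaviours listed above. The command
# lines are assumed typical forms of each behaviour, not strings recovered
# from the Kyber Windows sample; tune them to your own telemetry.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("boot_repair_disabled",
     re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I)),
    ("event_log_cleared",
     re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("db_or_backup_process_stopped",
     re.compile(r"(taskkill|net\s+stop).*(sql|exchange|veeam|backup)", re.I)),
]

# Windows event IDs that also record log clearing: Security 1102, System 104.
LOG_CLEARED_EVENT_IDS = {1102, 104}

def classify_event(event):
    """Return the behaviour names one event exhibits (empty list if none).
    event: dict with 'host', 'event_id' and 'command_line' keys."""
    hits = []
    if event.get("event_id") in LOG_CLEARED_EVENT_IDS:
        hits.append("event_log_cleared")
    cmd = event.get("command_line", "")
    for name, rx in RULES:
        if rx.search(cmd) and name not in hits:
            hits.append(name)
    return hits

def score_hosts(events, threshold=2):
    """Group behaviours per host; a host showing >= threshold distinct
    behaviours in the batch is flagged. Returns {host: (behaviours, flagged)}."""
    seen = {}
    for ev in events:
        seen.setdefault(ev["host"], set()).update(classify_event(ev))
    return {h: (sorted(b), len(b) >= threshold) for h, b in seen.items()}

# Constructed sample telemetry, not real events from an incident.
SAMPLE_EVENTS = [
    {"host": "FS01", "event_id": 1, "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "FS01", "event_id": 1, "command_line": "bcdedit /set {default} recoveryenabled no"},
    {"host": "FS01", "event_id": 1, "command_line": "net stop MSSQLSERVER /y"},
    {"host": "FS01", "event_id": 1102, "command_line": ""},
    {"host": "WS07", "event_id": 1, "command_line": "wevtutil qe Security /c:5"},
    {"host": "WS07", "event_id": 1, "command_line": "taskkill /im notepad.exe"},
]
```

Requiring several distinct behaviours per host keeps a lone administrative shadow-copy cleanup from paging anyone, while the clustered pattern the report describes still trips the threshold.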
Rapid7 also noted an unusual behavioral quirk: the Windows variant uses a mutex that appears to reference a song available on the Boomplay music platform. The significance of this reference is unclear, but it may reflect the operator's personal preferences or serve as an unconventional identifier.
Maturity Gap Between the Two Variants
Overall, Rapid7's analysis suggests the Windows variant is more technically mature than its ESXi counterpart. The ESXi version currently lacks several capabilities present in the Windows build, including the genuine implementation of post-quantum key protection. This may indicate the ESXi encryptor is still under active development, with post-quantum features potentially being staged for a future update.
What This Means for Defenders
The Kyber group's experimentation with post-quantum cryptography — even if only partially implemented — signals a broader trend of ransomware operators beginning to explore cryptographic upgrades. While the practical impact on victims today is no different from that of traditional ransomware, organizations should monitor how quickly this experimentation matures into fully deployed post-quantum encryption across all components.
For now, defenders facing this threat should prioritize protecting VMware ESXi management interfaces, hardening Windows backup infrastructure, and monitoring for the .xhsyw and .#~~~ file extensions as indicators of compromise.
Source: BleepingComputer