
Kyber ransomware gang toys with post-quantum encryption on Windows

Why This Matters

The emergence of Kyber ransomware with purported post-quantum encryption capabilities highlights an evolving threat landscape in which attackers target critical infrastructure such as VMware and Windows systems. Organizations need to strengthen their defenses against sophisticated, multi-platform ransomware attacks that may claim future-proof encryption, even if some of those claims are false. It also emphasizes the importance of verifying security claims and maintaining robust backup strategies to mitigate potential damages.

Key Takeaways

A new Kyber ransomware operation is targeting Windows systems and VMware ESXi endpoints in recent attacks, with one variant implementing Kyber1024 post-quantum encryption.

Cybersecurity firm Rapid7 retrieved and analyzed two distinct Kyber variants in March 2026 during an incident response. Both variants were deployed on the same network, with one targeting VMware ESXi and the other focusing on Windows file servers.

"The ESXi variant is specifically built for VMware environments, with capabilities for datastore encryption, optional virtual machine termination, and defacement of management interfaces," explains Rapid7.

"The Windows variant, written in Rust, includes a self-described 'experimental' feature for targeting Hyper-V."

Both variants share the same campaign ID and Tor-based ransom infrastructure, so they were deployed by the same ransomware affiliate, who likely sought to maximize impact by encrypting all servers simultaneously.

BleepingComputer has found only one listed victim on the Kyber data extortion portal at the time of writing, which is a multi-billion-dollar American defense contractor and IT services provider.

Kyber ransomware victim extortion portal

Source: BleepingComputer.com

Rapid7 says the ESXi variant enumerates all virtual machines (VMs) on the infrastructure, encrypts datastore files, and then defaces the ESXi interfaces with ransom notes to guide victims through the ransom payment and recovery process.

Although it advertises 'post-quantum' encryption based on Kyber1024 key encapsulation, Rapid7 has found that these claims are false for the Linux ESXi encryptor.
