Aliases
- No other known aliases at this time.
Related Historical Identifiers
- Kyber1024 — post-quantum cryptographic algorithm name adopted as group branding
Profiling
Threat Actor Type:
Kyber is a financially motivated ransomware and data extortion group rapidly evolving from a conventional encryptor into a structured, data-driven extortion operation, reflecting increasing technical sophistication and operational maturity. The group deploys cross-platform ransomware targeting Linux/ESXi and Windows environments, with coordinated dual-payload campaigns confirmed in enterprise incident response engagements.
Communications & Infrastructure:
- Operates Tor-based ransom infrastructure, including a negotiation portal and a public leak site.
- Victims are directed to download Tor Browser and access a unique anonymous chat link to initiate communication and negotiate ransom payment.
- The ransom note discourages victims from contacting law enforcement, claiming it would prevent payment and not stop data publication.
- No confirmed RaaS affiliate model identified at time of writing; operations appear operator-controlled.

Kyber ransom note.
Expertise:
- Cross-platform payloads: Windows (Rust) and Linux/ESXi (C++)
- ESXi variant includes datastore encryption, optional virtual machine termination, and defacement of management interfaces; Windows variant includes an experimental Hyper-V targeting feature
- Hybrid encryption scheme combining AES-256-CTR with X25519 and Kyber1024 (a post-quantum KEM); the group explicitly claims mass data exfiltration before encryption begins
- Background execution via process detachment, allowing operators to safely disconnect while encryption of datastores continues uninterrupted
- Anti-recovery: the Windows variant executes 11 anti-recovery commands requiring elevation
Motivations
Double extortion — combining file encryption with data theft and leak threats — using coercive communication tactics and leak-based intimidation to maximize victim compliance. To prove decryption capability and build trust, the group offers free decryption for three small files and provides samples of stolen data upon request.
No confirmed ransom payment amounts are publicly disclosed at this time. Kyber is assessed as an emerging high-tier actor with demand amounts not yet documented in open sources.
Timeline & Victimology
October 2025 — Emergence
Kyber was identified as a new ransomware group in the third week of October 2025, alongside several other newly emerged threat actors. Early analysis assessed Kyber as rapidly evolving toward double- and triple-extortion models, with Tor-based anonymous infrastructure and professionalized negotiation workflows already in place.
October 2025–March 2026 — Capability Development
Kyber developed cross-platform payloads targeting both Linux/ESXi and Windows environments, sharing campaign identifiers and Tor infrastructure across both variants — confirming coordinated, multi-platform operations.
March–April 2026 — Confirmed Enterprise Intrusions
During a March 2026 incident response engagement, two Kyber ransomware payloads were deployed in the same enterprise environment — one targeting VMware ESXi infrastructure and the other Windows file servers. Kyber’s experimentation with post-quantum encryption (Kyber1024) and multi-platform ESXi targeting have been flagged by threat intelligence trackers as a notable technical trend.
Tactics & Techniques
Initial Access
- Exploit Public-Facing Application — T1190 (vCenter and internet-exposed services)
- Valid Accounts — T1078
Execution
- Command and Scripting Interpreter — T1059
- Windows Management Instrumentation — T1047
Persistence
- Boot or Logon Autostart Execution — T1547 (autostart entries and system setting modifications used to maintain a foothold)
Defense Evasion
- Process Injection — T1055 (commands spawned via fork() + execlp() directly rather than through a shell)
- Background detachment via setsid() to survive SSH session termination
Discovery
- File and Directory Discovery — T1083
- Virtualization/Sandbox Evasion (ESXi environment checks) — T1497
Lateral Movement
- Remote Services — T1021
Collection & Exfiltration
- Claims of mass data exfiltration from victim networks prior to encryption, with stolen data held as leverage — T1119, T1567
Impact
- Data Encrypted for Impact — T1486
- ESXi variant enumerates and terminates virtual machines prior to encrypting datastores under /vmfs/volumes
- Inhibit System Recovery (Windows anti-recovery commands) — T1490
Defensive Recommendations Against Kyber
- Restrict vCenter and ESXi management interfaces from public internet access; patch internet-facing services promptly, especially vCenter
- Monitor for anomalous esxcli usage, snapshot deletion, datastore encryption activity, and unusual VM termination sequences
- Maintain offline backup copies stored on physically disconnected media and test restoration procedures regularly
- Prioritize pre-encryption detection: focus on data exfiltration signals, privilege escalation, and lateral movement rather than waiting for ransomware deployment
- Implement network segmentation to limit lateral movement from compromised internet-facing hosts to hypervisor infrastructure
- Deploy behavioral anomaly-based detection technologies capable of identifying ransomware attacks in early stages
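A sequence detector for the ESXi behaviours this profile lists (VM termination bursts, snapshot deletion, setsid() detachment, and activity under /vmfs/volumes), written here as an added example; it is not code from the page or from any vendor tooling. It assumes an approximated ESXi shell.log line format, and every sample log line is constructed.

```python
import re
from datetime import datetime, timedelta

# ESXi shell.log-style line: '<ISO8601> shell[<pid>]: [<user>]: <command>' (format approximated; samples constructed)
LINE_RE = re.compile(r"^(?P<ts>\S+) shell\[\d+\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.+)$")

# Behaviour markers from the profile: VM termination, snapshot deletion, /vmfs/volumes activity, setsid() detachment
MARKERS = {
    "vm_kill": re.compile(r"\besxcli vm process kill\b"),
    "snapshot_delete": re.compile(r"\bvim-cmd vmsvc/snapshot\.remove(all)?\b"),
    "datastore_touch": re.compile(r"/vmfs/volumes/"),
    "detach": re.compile(r"\bsetsid\b"),
}
WINDOW = timedelta(minutes=10)  # look-back used to correlate the sequence
KILL_THRESHOLD = 3              # VM kills inside the window that count as a burst

def parse(line):
    """Return {ts, user, cmd, tags} for a well-formed line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    tags = {name for name, rx in MARKERS.items() if rx.search(m["cmd"])}
    return {"ts": ts, "user": m["user"], "cmd": m["cmd"], "tags": tags}

def detect(lines):
    """Return sorted alert names for kill/snapshot activity followed by datastore access."""
    events = [e for e in map(parse, lines) if e]
    alerts = set()
    for i, e in enumerate(events):
        if "datastore_touch" not in e["tags"]:
            continue
        prior = [p for p in events[:i] if e["ts"] - p["ts"] <= WINDOW]
        if sum("vm_kill" in p["tags"] for p in prior) >= KILL_THRESHOLD:
            alerts.add("vm_kill_burst_before_datastore_activity")
        if any("snapshot_delete" in p["tags"] for p in prior):
            alerts.add("snapshot_deletion_before_datastore_activity")
        if "detach" in e["tags"]:  # detached process operating on a datastore
            alerts.add("detached_process_on_datastore")
    return sorted(alerts)

SAMPLE_LOG = """\
2026-03-15T02:10:41Z shell[2001]: [root]: esxcli vm process list
2026-03-15T02:10:45Z shell[2001]: [root]: vim-cmd vmsvc/snapshot.removeall 12
2026-03-15T02:10:52Z shell[2001]: [root]: esxcli vm process kill --type=force --world-id=1048
2026-03-15T02:10:53Z shell[2001]: [root]: esxcli vm process kill --type=force --world-id=1051
2026-03-15T02:10:54Z shell[2001]: [root]: esxcli vm process kill --type=force --world-id=1057
2026-03-15T02:11:10Z shell[2001]: [root]: setsid /tmp/unknown_bin /vmfs/volumes/datastore1
"""
```

A single soft VM kill followed minutes later by a datastore listing stays below the burst threshold and produces no alert, so routine administration is not flagged by the kill rule alone.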
References
Bleeping Computer. Kyber ransomware gang toys with post-quantum encryption on Windows. https://www.bleepingcomputer.com/news/security/kyber-ransomware-gang-toys-with-post-quantum-encryption-on-windows/
Ransomware.live. Kyber. https://www.ransomware.live/group/kyber
Rapid7 Threat Research. Kyber Ransomware Double Trouble: Windows and ESXi Attacks Explained. https://www.rapid7.com/blog/post/tr-kyber-ransomware-double-trouble-windows-esxi-attacks-explained/
CYFIRMA. Weekly Intelligence Report – 31 October 2025. https://www.cyfirma.com/news/weekly-intelligence-report-31-october-2025/
Anavem. Kyber Ransomware Targets VMware ESXi with Quantum Encryption. https://www.anavem.com/en/news/cybersecurity/kyber-ransomware-targets-vmware-esxi-with-quantum-encryption