elf.payload

Payload


According to 0x3oBAD, this is a 64-bit Linux ELF ransomware binary targeting VMware ESXi hypervisor environments. The sample combines a robust cryptographic scheme (Curve25519 ECDH and ChaCha20) with ESXi-specific VM enumeration via the vmInventory.xml inventory file, graceful shutdown of running VMs before encryption, and a multi-threaded file encryption pipeline scaled to available CPU cores. The ransom note is delivered inside ESXi's own web UI welcome.txt, replacing the host management interface greeting.

References
2026-04-05 | 0x3oBAD | Abdullah Islam
Deep Technical Analysis Of Payload Ransomware Targeting ESXi Environment
Payload

There is no Yara-Signature yet.