Last updated: May 13, 2026 at 5:42 AM UTC
Tag: rapid7 (2 articles)

Iranian hackers used Microsoft Teams chat to social-engineer victims, then dressed up their espionage as a Chaos ransomware attack to throw off blame

Rapid7 disclosed an Iranian state-sponsored intrusion that disguised itself as a Chaos ransomware attack to mask the real goal: cyber-espionage. The threat actor (assessed with moderate confidence as MuddyWater, linked to Iran's Ministry of Intelligence and Security) initiated chat requests through Microsoft Teams, walked employees into screen-sharing sessions, then captured credentials and manipulated MFA prompts. Some victims were asked to type their passwords into local text files during the call. Persistence came from a custom backdoor (Game.exe) deployed alongside DWAgent, AnyDesk, and RDP. The fake ransomware note and Chaos leak-portal entry concealed the espionage.

Check
Search Microsoft Teams logs for external chat invitations from unknown Entra tenants since January. Hunt endpoints for DWAgent, AnyDesk, ms_upd.exe, or Game.exe processes installed without IT approval.
Affected
Organizations allowing external Microsoft Teams chats by default - the campaign starts with chat invitations from attacker-controlled tenants. Acute risk for sectors MuddyWater historically targets: government, defense, telecoms, energy, and Israeli organizations. The 'IT Support' impersonation pattern works against any helpdesk-heavy enterprise. Iranian APT activity has been increasing through early 2026.
Fix
Restrict external Microsoft Teams chat to allowlisted partner tenants only. Block external screen-sharing requests by default. Brief staff that real IT support never asks them to type passwords into local files or read out MFA codes during a Teams call. Block Rapid7's published Stagecomp/Darkcomp code-signing certificate at the EDR layer.

Kyber ransomware experiments with post-quantum encryption across Windows and VMware ESXi

A new ransomware family called Kyber has been deployed in attacks combining a Rust-based Windows encryptor with a Linux ESXi variant on the same victim network, and its Windows build is one of the first in the wild to advertise post-quantum cryptography. Rapid7 analysed both variants during a March 2026 incident response and found the Windows build genuinely uses Kyber1024 (a NIST-selected post-quantum key-encapsulation algorithm) plus X25519 to wrap the AES-CTR keys that actually encrypt files, matching its ransom-note claims. The Linux ESXi variant makes the same post-quantum claim but actually uses ChaCha8 with RSA-4096, so there the claim is marketing theatre rather than a description of the cryptography in use. For victims the distinction does not matter: without the attacker's private key the files are unrecoverable regardless of algorithm. Windows-encrypted files get a '.#~~~' extension; Linux gets '.xhsyw'. The ESXi variant enumerates all VMs, encrypts datastore files, defaces management interfaces, adds crontab persistence, and terminates VMs. The Windows variant deletes shadow copies, disables boot repair, kills SQL/Exchange/backup services, clears event logs, wipes the Recycle Bin, and ships with an experimental Hyper-V shutdown feature. Only one victim appears on the Kyber leak site so far (a multi-billion-dollar American defence contractor and IT services provider), meaning most current victims are still in the extortion window and not publicly known.

Check
Hunt your Windows estate for files with a '.#~~~' extension, your ESXi hosts for files with a '.xhsyw' extension, and any Hyper-V and ESXi management surface for unexpected crontab entries or defaced login banners.
Affected
Any environment exposing Windows domain controllers or file servers alongside VMware ESXi infrastructure. ESXi variant targets datastore files, VM enumeration, and management interface defacement; Windows variant specifically targets Hyper-V in experimental mode. Organizations relying on shadow-copy-based recovery, SQL/Exchange snapshots, or on-disk backup services without immutable storage.
Fix
Enforce offline, immutable backups for every tier of your environment - Kyber explicitly destroys shadow copies, boot repair, and in-place backup services. Apply the ESXi hardening guidance (disable SSH when not in use, require MFA on vCenter, enable execInstalledOnly, patch to the latest ESXi build) to cut the affiliate's preferred initial-access paths. Alert on: crontab modifications on ESXi hosts, 'vim-cmd vmsvc/getallvms' followed by mass power-off, the '.#~~~' and '.xhsyw' file extensions on any write, and Windows event log clears. Given affiliate-level overlap with other ransomware operations, also review access paths through internet-facing VPN gateways and RDP.
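The alert conditions listed in the Kyber fix above can be prototyped over collected host events before they are ported to a SIEM. The following is an added example, not code from Rapid7 or from this page. The log layout, the `vim-cmd vmsvc/power.off` command form, and the three-power-offs-in-five-minutes threshold are assumptions chosen for illustration, and the sample events are constructed.

```python
import re
from datetime import datetime, timedelta

# Indicators taken from the article text.
RANSOM_EXTENSIONS = (".#~~~", ".xhsyw")
ENUM_CMD = "vim-cmd vmsvc/getallvms"
# Assumption: power-off is issued through vim-cmd; the article does not name the command.
POWER_OFF = re.compile(r"vim-cmd vmsvc/power\.off\s+\d+")

# Constructed sample in an assumed "<ISO timestamp> <host> <kind> <detail>" layout.
SAMPLE_LOG = """\
2026-03-10T02:14:05 esx01 cmd vim-cmd vmsvc/getallvms
2026-03-10T02:14:09 esx01 cmd vim-cmd vmsvc/power.off 11
2026-03-10T02:14:10 esx01 cmd vim-cmd vmsvc/power.off 12
2026-03-10T02:14:11 esx01 cmd vim-cmd vmsvc/power.off 13
2026-03-10T02:15:40 esx01 write /vmfs/volumes/ds1/db01/db01-flat.vmdk.xhsyw
2026-03-10T03:00:00 esx02 cmd vim-cmd vmsvc/getallvms
2026-03-10T09:30:00 esx02 cmd vim-cmd vmsvc/power.off 4
2026-03-10T09:31:00 fs01 write C:\\Shares\\finance\\q1.xlsx.#~~~
"""

def parse(log):
    """Yield (timestamp, host, kind, detail) for each event line."""
    for line in log.splitlines():
        ts, host, kind, detail = line.split(" ", 3)
        yield datetime.fromisoformat(ts), host, kind, detail

def detect(log, window=timedelta(minutes=5), min_power_offs=3):
    """Return alerts for ransom extensions and enumerate-then-power-off bursts."""
    alerts = []
    enum_seen = {}   # host -> time of the most recent VM enumeration
    offs = {}        # host -> power-off times seen since that enumeration
    for ts, host, kind, detail in parse(log):
        cmd = detail.strip()
        if kind == "write" and detail.endswith(RANSOM_EXTENSIONS):
            alerts.append((host, "ransom_extension", detail))
        elif kind == "cmd" and cmd == ENUM_CMD:
            enum_seen[host], offs[host] = ts, []
        elif kind == "cmd" and POWER_OFF.fullmatch(cmd) and host in enum_seen:
            # Only power-offs close to the enumeration count toward the burst.
            if ts - enum_seen[host] <= window:
                offs[host].append(ts)
                if len(offs[host]) == min_power_offs:  # alert once per burst
                    alerts.append((host, "enum_then_mass_power_off",
                                   str(enum_seen[host])))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The single power-off on esx02 hours after an enumeration does not alert, which is the behaviour that keeps routine administration out of the queue.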