RadioCSIRT English Edition – a new ransomware group operating under the name Payload -Ep.74

RadioCSIRT - Your Daily Cyber Security Brief

Since February 2026, a new ransomware group operating under the name Payload has been conducting active double extortion campaigns against organizations across multiple sectors and geographies. In less than two months of observed activity, the group has claimed twenty-six victims across seven countries, declared 2,603 gigabytes of exfiltrated data, and demonstrated a level of technical sophistication that places it well above opportunistic ransomware operations. The combination of ESXi-specific encryption logic, ETW patching, and a fully operational Tor-based infrastructure from the outset indicates either experienced operators or access to a mature toolkit.

Payload operates two distinct binaries sharing a common cryptographic scheme: Curve25519 ECDH combined with ChaCha20 for per-file key generation. The ESXi variant is a Linux ELF64 binary of approximately 39,904 bytes. Strings are RC4-obfuscated with the three-byte key FBI. Before any encryption activity, the binary performs an anti-debug check via /proc/self/status, then parses VMware’s vmInventory.xml to enumerate all datastores and VMDK paths. Virtual machines are powered off via vim-cmd before encryption begins. Thread pool workers are named FBIthread-pool — a forensic artifact visible in standard process listings. The ransom note replaces the ESXi web management interface at /usr/lib/vmware/hostd/docroot/ui/welcome.txt.

The Windows variant, compiled on February 17, 2026, is derived from the Babuk codebase that leaked in September 2021, with HC-128 replaced by ChaCha20 and significant anti-forensic additions. Key capabilities include ETW patching of four ntdll.dll functions — EtwEventWrite, EtwEventWriteFull, EtwEventWriteTransfer, and EtwRegister — silently blinding EDR solutions that depend on ETW telemetry. The mutex MakeAmericaGreatAgain is a reliable operator fingerprint. The binary terminates thirty-four services including Veeam, Acronis, BackupExec, Symantec, and Sophos, wipes Windows event logs, deletes shadow copies, and self-deletes via an NTFS alternate data stream without spawning a child process.

For detection: deploy the YARA rule published by Abdullah Islam covering the ESXi variant. Monitor for the MakeAmericaGreatAgain mutex, the .payload extension, and ETW function patches in ntdll.dll. Any EDR stack relying exclusively on ETW-based telemetry should be reviewed immediately. ESXi management interfaces must sit behind a dedicated management VLAN. Immutable or air-gapped backup storage remains the only reliable recovery path if encryption completes before detection.
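As an added illustration of the ntdll.dll check mentioned above (not code from RadioCSIRT or from the cited YARA author), the Python below compares the mapped prologue of each of the four named ETW exports against its on-disk bytes and labels common "return early" stubs. The stub byte patterns, PROLOGUE_LEN, and the constructed sample bytes in demo() are assumptions; the page does not state which bytes Payload writes.

```python
"""Added example (not RadioCSIRT code): flag ntdll.dll ETW export prologues that no
longer match the on-disk image, covering the four exports the episode names."""
import ctypes

ETW_EXPORTS = ("EtwEventWrite", "EtwEventWriteFull", "EtwEventWriteTransfer", "EtwRegister")
PROLOGUE_LEN = 8  # bytes compared per export (assumption: enough to cover a short stub)

# Assumption: generic "return early" stubs seen in ETW-blinding tooling generally, not Payload's exact bytes.
KNOWN_STUBS = {"ret": b"\xc3", "xor eax,eax; ret": b"\x33\xc0\xc3",
               "mov eax,0; ret": b"\xb8\x00\x00\x00\x00\xc3"}

def classify_prologue(name, in_memory, on_disk):
    """Return ('clean', '') or ('patched', detail) for one export."""
    mem, disk = in_memory[:PROLOGUE_LEN], on_disk[:PROLOGUE_LEN]
    if mem == disk:
        return "clean", ""
    for label, stub in KNOWN_STUBS.items():
        if mem.startswith(stub):
            return "patched", f"{name}: prologue replaced by '{label}' stub"
    return "patched", f"{name}: prologue differs from disk ({mem.hex()} vs {disk.hex()})"

def check_exports(memory_view, disk_view):
    """Both arguments map export name -> prologue bytes; returns a list of findings."""
    findings = []
    for name in ETW_EXPORTS:
        if name not in memory_view or name not in disk_view:
            findings.append(f"{name}: export missing, cannot compare")
            continue
        verdict, detail = classify_prologue(name, memory_view[name], disk_view[name])
        if verdict == "patched":
            findings.append(detail)
    return findings

def read_live_prologues():
    """Windows only: read each export's mapped prologue from this process's ntdll.dll.
    The on-disk side must come from a PE export parser (hypothetical, not shown here)."""
    k32 = ctypes.windll.kernel32
    k32.GetModuleHandleW.restype = ctypes.c_void_p
    k32.GetProcAddress.restype = ctypes.c_void_p
    k32.GetProcAddress.argtypes = (ctypes.c_void_p, ctypes.c_char_p)
    ntdll = k32.GetModuleHandleW("ntdll.dll")
    return {n: ctypes.string_at(k32.GetProcAddress(ntdll, n.encode()), PROLOGUE_LEN)
            for n in ETW_EXPORTS}

def demo():
    """Constructed sample: EtwEventWrite and EtwRegister stubbed out, the other two intact."""
    disk = {n: b"\x48\x83\xec\x28\x4c\x8b\xc9\x33" for n in ETW_EXPORTS}  # constructed bytes
    mem = dict(disk, EtwEventWrite=b"\xc3" + b"\xcc" * 7, EtwRegister=b"\x33\xc0\xc3" + b"\xcc" * 5)
    return check_exports(mem, disk)
```

read_live_prologues() only inspects the calling process; checking a suspect process from outside needs ReadProcessMemory on that process instead, which is the vantage point an EDR or forensic agent would use.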

Sources

Don’t think, patch!

Your feedback is welcome.
Email: radiocsirt@gmail.com
Website: https://www.radiocsirt.com

Weekly Newsletter: https://radiocsirtenglishedition.substack.com/

#RadioCSIRT #CyberSecurity #Ransomware #ThreatIntelligence #CTI #Payload #ESXi #VMware #Windows