This dangerous new Linux malware is going after VMware systems with multiple extortion attempts


Cybersecurity researchers from Trend Micro recently found a Linux variant of the dreaded Play ransomware strain targeting VMware ESXi environments.

In a technical breakdown, Trend Micro’s Threat Hunting team said this was the first time Play was seen targeting ESXi environments, and it could be that the criminals are broadening their attacks across the Linux platform, giving them an expanded victim pool and more successful ransom negotiations.

Play was first spotted more than two years ago, and since then it has become known for its double-extortion tactics, evasion techniques, custom-built tools, and a “substantial impact” on companies in Latin America, the researchers explained.

Prolific Puma and Revolver Rabbit

Businesses usually use VMware’s ESXi instances to run virtual machines that host critical applications, data, and integrated backup solutions. By targeting these endpoints, Play’s operators could reduce the chances of the victim recovering any encrypted data, which in turn strengthens their negotiating position. Besides going after Linux endpoints, the new variant was also able to successfully evade security detections, Trend Micro added.

Analyzing the infrastructure used for these campaigns, the researchers found a peculiarity: the URL used to host the encryptor is related to a threat actor known as Prolific Puma. This group is known for offering URL-shortening services to criminals, making phishing attacks more convincing and thus more disruptive.

In late 2023, researchers at Infoblox discovered a major link-shortening operation in which the criminals used a registered domain generation algorithm (RDGA) to create domain names in bulk. They then used those domains to provide a link-shortening service to other malicious actors.

Earlier this month, the same company found a threat actor called Revolver Rabbit using RDGAs to register more than 500,000 domains, an effort on which they spent more than a million dollars. The hacker used the RDGA to create command and control (C2) and decoy domains for the XLoader infostealing malware.

Via The Hacker News


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
