RadioCSIRT English Edition – A new ransomware group operating under the name Payload - Ep.74 episode artwork

EPISODE · Apr 12, 2026 · 11 MIN

RadioCSIRT English Edition – A new ransomware group operating under the name Payload - Ep.74

from RadioCSIRT - English Edition · host Marc Frédéric GOMEZ

Since February 2026, a new ransomware group operating under the name Payload has been conducting active double extortion campaigns against organizations across multiple sectors and geographies. In less than two months of observed activity, the group has claimed twenty-six victims across seven countries, declared 2,603 gigabytes of exfiltrated data, and demonstrated a level of technical sophistication that places it well above opportunistic ransomware operations. The combination of ESXi-specific encryption logic, ETW patching, and a fully operational Tor-based infrastructure from the outset indicates either experienced operators or access to a mature toolkit.Payload operates two distinct binaries sharing a common cryptographic scheme: Curve25519 ECDH combined with ChaCha20 for per-file key generation. The ESXi variant is a Linux ELF64 binary of approximately 39,904 bytes. Strings are RC4-obfuscated with the three-byte key FBI. Before any encryption activity, the binary performs an anti-debug check via /proc/self/status, then parses VMware's vmInventory.xml to enumerate all datastores and VMDK paths. Virtual machines are powered off via vim-cmd before encryption begins. Thread pool workers are named FBIthread-pool — a forensic artifact visible in standard process listing. The ransom note replaces the ESXi web management interface at /usr/lib/vmware/hostd/docroot/ui/welcome.txt.The Windows variant, compiled on February 17, 2026, is derived from the Babuk codebase that leaked in September 2021, with HC-128 replaced by ChaCha20 and significant anti-forensic additions. Key capabilities include ETW patching of four ntdll.dll functions — EtwEventWrite, EtwEventWriteFull, EtwEventWriteTransfer, and EtwRegister — silently blinding EDR solutions that depend on ETW telemetry. The mutex MakeAmericaGreatAgain is a reliable operator fingerprint. The binary terminates thirty-four services including Veeam, Acronis, BackupExec, Symantec, and Sophos, wipes Windows event logs, deletes shadow copies, and self-deletes via NTFS alternate data stream without spawning a child process.For detection: deploy the YARA rule published by Abdullah Islam covering the ESXi variant. Monitor for MakeAmericaGreatAgain mutex, .payload extension, and ETW function patches in ntdll.dll. Any EDR stack relying exclusively on ETW-based telemetry should be reviewed immediately. ESXi management interfaces must sit behind a dedicated management VLAN. Immutable or air-gapped backup storage remains the only reliable recovery path if encryption completes before detection.SourcesGBHackers – Payload ransomware hits Windows and ESXi with Babuk-style encryption : https://gbhackers.com/payload-ransomware/CyberSecurityNews – New Payload ransomware uses Babuk-style encryption against Windows and ESXi systems : https://cybersecuritynews.com/new-payload-ransomware-uses-babuk-style-encryption/CyberPress – Payload hits Windows and ESXi : https://cyberpress.org/payload-hits-windows-esxi/Don't think, patch!Your feedback is welcome.Email: [email protected]: https://www.radiocsirt.comWeekly Newsletter: https://radiocsirtenglishedition.substack.com/#RadioCSIRT #CyberSecurity #Ransomware #ThreatIntelligence #CTI #Payload #ESXi #VMware #Windows

NOW PLAYING

RadioCSIRT English Edition – A new ransomware group operating under the name Payload - Ep.74

0:00 11:53

No transcript for this episode yet

We transcribe on demand. Request one and we'll notify you when it's ready — usually under 10 minutes.

Al-Quran In English Dr. Soha The complete Quran translation in English, Narrated by Dr. Soha. Hosted on Acast. See acast.com/privacy for more information. The Hobbit by J. R. R. Tolkien Audiobook Raghvendra Singh The journey through Middle-earth begins here with J.R.R. Tolkien's classic prelude to his Lord of the Rings trilogy.“A glorious account of a magnificent adventure, filled with suspense and seasoned with a quiet humor that is irresistible... All those, young or old, who love a fine adventurous tale, beautifully told, will take The Hobbit to their hearts.”—The New York Times Book Review"In a hole in the ground there lived a hobbit." So begins one of the most beloved and delightful tales in the English language—Tolkien's prelude to The Lord of the Rings. Set in the imaginary world of Middle-earth, at once a classic myth and a modern fairy tale, The Hobbit is one of literature's most enduring and well-loved novels.Bilbo Baggins is a hobbit who enjoys a comfortable, unambitious life, rarely traveling any farther than his pantry or cellar. But his contentment is disturbed when the wizard Gandalf and a company of dwarves arrive on his doorstep one day to whisk him away CLO Level 3 Lessons Chinese Learn Online (CLO) Learn Mandarin Chinese with our unique structured immersion course. Each lesson continues where the previous one left off. Level 1 lessons are conducted mainly in English. Later levels in the course will be conducted in Chinese that was taught in earlier levels. Learn English with the British Council and Premier League Jack Radford

Frequently Asked Questions

How long is this episode of RadioCSIRT - English Edition?

This episode is 11 minutes long.

When was this RadioCSIRT - English Edition episode published?

This episode was published on April 12, 2026.

What is this episode about?

Since February 2026, a new ransomware group operating under the name Payload has been conducting active double extortion campaigns against organizations across multiple sectors and geographies. In less than two months of observed activity, the group...

Can I download this RadioCSIRT - English Edition episode?

Yes, you can download this episode by clicking the download button on the episode player, or subscribe to the podcast in your preferred podcast app for automatic downloads.
URL copied to clipboard!