{"id":56241,"date":"2024-06-05T00:00:00","date_gmt":"2024-06-05T00:00:00","guid":{"rendered":"urn:uuid:4ba2d3ad-afe2-6c77-4f7a-01643daf9081"},"modified":"2024-06-05T00:00:00","modified_gmt":"2024-06-05T00:00:00","slug":"targetcompanys-linux-variant-targets-esxi-environments","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/targetcompanys-linux-variant-targets-esxi-environments\/","title":{"rendered":"TargetCompany\u2019s Linux Variant Targets ESXi Environments"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/TargetCompanyLinux-Thumbnail:Large?qlt=80\"><!-- OneTrust Cookies Consent Notice start for trendmicro.com --><!-- OneTrust Cookies Consent Notice end for trendmicro.com --> <head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width\"> <meta name=\"description\"> <meta name=\"robots\" content=\"index,follow\"> <meta name=\"keywords\" content=\"ransomware\"> <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge,chrome=1\"> <meta name=\"template\" content=\"article1withouthero\"> <meta property=\"article:published_time\" content=\"2024-06-05\"> <meta property=\"article:tag\" content=\"ransomware\"> <meta property=\"article:section\"> <link rel=\"icon\" type=\"image\/ico\" href=\"\/content\/dam\/trendmicro\/favicon.ico\"> <link rel=\"canonical\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/f\/targetcompany-s-linux-variant-targets-esxi-environments.html\"> <title>TargetCompany\u2019s Linux Variant Targets ESXi Environments | Trend Micro (US)<\/title> <link href=\"https:\/\/fonts.googleapis.com\/css?family=Open+Sans:300,300i,400,400i,600\" rel=\"stylesheet\">\n<link href=\"\/\/customer.cludo.com\/css\/296\/1798\/cludo-search.min.css\" type=\"text\/css\" rel=\"stylesheet\"> <link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch.min.css\" type=\"text\/css\">\n<link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendmicro\/clientlibs\/trendmicro-core-2\/clientlibs\/header-footer.min.css\" type=\"text\/css\"> <meta property=\"og:url\" content=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/f\/targetcompany-s-linux-variant-targets-esxi-environments.html\"><br \/>\n<meta property=\"og:title\" content=\"TargetCompany\u2019s Linux Variant Targets ESXi Environments\"><br \/>\n<meta property=\"og:site_name\" content=\"Trend Micro\"><br \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/24\/TargetCompanyLinux-Thumbnail.png\"><br \/>\n<meta property=\"og:locale\" content=\"en_US\"> <meta name=\"twitter:card\" content=\"summary_large_image\"><br \/>\n<meta name=\"twitter:site\" content=\"@TrendMicro\"><br \/>\n<meta name=\"twitter:title\" content=\"TargetCompany\u2019s Linux Variant Targets ESXi Environments\"><br \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/24\/TargetCompanyLinux-Thumbnail.png\"> <\/head> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"50.966721327289\"> <!-- Page Scroll: Back to Top --> <a id=\"page-scroll\" title=\"VerticalPageScroll\" href=\"javascript:jumpScroll($(this).scrollTop());\"> <span class=\"icon-chevron-up\"><\/span> <\/a> <!-- \/* Data Layers *\/ --> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"1523781889\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"9.281887755102\">\n<div class=\"article-details\" role=\"heading\" readability=\"38.104591836735\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Ransomware<\/p>\n<p class=\"article-details__description\">In this blog entry, our researchers provide an analysis of TargetCompany ransomware\u2019s Linux variant and how it targets VMware ESXi environments using new methods for payload delivery and execution.<\/p>\n<p class=\"article-details__author-by\">By: Darrel Tristan Virtusio, Nathaniel Morales, Cj Arsley Mateo <time class=\"article-details__date\">June 05, 2024<\/time> <span>Read time:&nbsp;<\/span><span class=\"eta\"><\/span> (<span class=\"words\"><\/span> words) <\/p>\n<div class=\"article-details__icons\"> <!--Add This--> <\/p>\n<div class=\"a2a_kit a2a_default_style\" data-a2a-icon-color=\"#717172\"> <a class=\"a2a_dd addthis_link\" href=\"https:\/\/www.addtoany.com\/share\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch\/resources\/img\/share-more.svg\" class=\"svg-icon\" alt=\"Share\"> <\/a> <a class=\"a2a_button_print addthis_link\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch\/resources\/img\/printer.svg\" class=\"svg-icon\" alt=\"Print\"> <\/a> <\/div>\n<p> <!--Add to Folio--> <!--Subscribe--> <\/div>\n<\/div><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-lg-8 col-lg-push-2\"> <\/p>\n<div class=\"richText\" readability=\"37.279411764706\">\n<div readability=\"21.985294117647\">\n<p><b>Summary<\/b><\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">The TargetCompany ransomware group is now employing a new Linux variant that uses a custom shell script as a means of payload delivery and execution, a technique not seen in previous variants.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">The shell script also exfiltrates the victim&#8217;s information to two different servers so the ransomware actors have a backup of the information.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">The Linux-based variant can determine whether the victim&#8217;s machine is running in a VMWare ESXi environment.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">By targeting ESXi servers, the ransomware actors behind TargetCompany aim to disrupt operations more effectively and increase their chances of a ransom payout.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">The TargetCompany affiliate linked to the ransomware sample points to a broader campaign that targets expansive IT systems.<\/span><\/li>\n<\/ul>\n<p>Discovered in June 2021, The <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/ransomware-spotlight\/ransomware-spotlight-targetcompany\" target=\"_blank\" rel=\"noopener\">TargetCompany<\/a> <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/definition\/ransomware\" target=\"_blank\" rel=\"noopener\">ransomware<\/a> is tracked by Trend Micro as \u201cWater Gatpanapun\u201d and has a leak site under the name \u201cMallox.\u201d We have observed that the group\u2019s activity is highest in Taiwan, India, Thailand, and South Korea this year.<\/p>\n<p>Since its discovery, TargetCompany has been evolving its techniques to circumvent security defenses employed by organizations; one such technique its use of a PowerShell script to bypass Antimalware Scan Interface (AMSI) and abuse of <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/23\/h\/targetcompany-ransomware-abuses-fud-obfuscator-packers.html\" target=\"_blank\" rel=\"noopener\">fully undetectable (FUD) obfuscator packers<\/a>.<\/p>\n<p>Recently, our threat hunting team discovered a new variant of the TargetCompany ransomware specifically targeting Linux environments. This variant uses a shell script for payload delivery and execution (Figure 1).&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/f\/targetcompanys-linux-variant-targets-esxi-environments\/TargetCompanyLinux-Figure01.png\" alt=\"Figure 1. The infection chain of TargetCompany\u2019s Linux variant\"> <\/p>\n<p><figcaption>Figure 1. The infection chain of TargetCompany\u2019s Linux variant<\/figcaption><\/p>\n<\/figure><\/div>\n<div>\n<div class=\"richText\" readability=\"32.939024390244\">\n<div readability=\"16.243902439024\">\n<p>This technique has not yet been observed in previous TargetCompany variants, indicating that the ransomware group has been continuously evolving to employ more sophisticated methods in its future attacks. This recently found Linux variant aligns with the recent trend of <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/cybercrime-and-digital-threats\/the-linux-threat-landscape-report\" target=\"_blank\" rel=\"noopener\">ransomware groups extending their attacks to critical Linux environments<\/a>, thereby potentially increasing the range of target victims.<\/p>\n<h4>TargetCompany\u2019s Linux variant<\/h4>\n<p>This latest variant checks whether the executable is running with administrative rights (Figure 2). Otherwise, it will not continue its malicious routine. This signifies that a compromised or vulnerable device was successfully exploited to gain administrative rights to execute the ransomware payload.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/f\/targetcompanys-linux-variant-targets-esxi-environments\/TargetCompanyLinux-Figure02.png\" alt=\"Figure 2. Checking if the program is executed as superuser or root\"> <\/p>\n<p><figcaption>Figure 2. Checking if the program is executed as superuser or root<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"34.5\">\n<div readability=\"14\">\n<h4>Exfiltration of sensitive victim information&nbsp;<\/h4>\n<p>After its execution, it drops a text file named <i>TargetInfo.txt <\/i>that contains victim information, as shown in Figure 3. The contents of <i>TargetInfo.txt<\/i> will be sent to a command-and-control (C&amp;C) server, <i>hxxp:\/\/91[BLOCKED]<\/i>, with the file name <i>ap.php<\/i> (Figure 4). This behavior is similar to that of the ransomware\u2019s Windows variant.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/f\/targetcompanys-linux-variant-targets-esxi-environments\/TargetCompanyLinux-Figure03.png\" alt=\"Figure 3. Dropped \u201cTargetInfo.txt\u201d file\"> <\/p>\n<p><figcaption>Figure 3. Dropped \u201cTargetInfo.txt\u201d file<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/f\/targetcompanys-linux-variant-targets-esxi-environments\/TargetCompanyLinux-Figure04.png\" alt=\"Figure 4. Disassembly of data exfiltration to a C&amp;C server\"> <\/p>\n<p><figcaption>Figure 4. Disassembly of data exfiltration to a C&amp;C server<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"35\">\n<div readability=\"15\">\n<h4>Targeting ESXi environments<\/h4>\n<p>The threat actors behind TargetCompany have widened their targets to include virtualization servers, aiming to cause more damage and operational disruption. They also added a capability to detect if the machine is running in a VMWare ESXi environment, a platform commonly used for hosting critical virtualized infrastructure in organizations (Figure 5). Encrypting critical ESXi servers could also increase the likelihood of successful ransom payments.<\/p>\n<p>The binary performs a check by executing the command \u201cuname\u201d<b> <\/b>to determine whether the machine is running in a VMWare ESXi environment.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/f\/targetcompanys-linux-variant-targets-esxi-environments\/TargetCompanyLinux-Figure05.png\" alt=\"Figure 5. Checking if running on ESXi environment\"> <\/p>\n<p><figcaption>Figure 5. Checking if running on ESXi environment<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>If the system name matches \u201cvmkernel\u201d, this indicates that the machine is running in VMware\u2019s ESXi hypervisor, and the binary enters \u201cVM mode&#8230;\u201d to encrypt files with the extensions in Figure 6.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/f\/targetcompanys-linux-variant-targets-esxi-environments\/TargetCompanyLinux-Figure06.png\" alt=\"Figure 6. VM-related extensions \"> <\/p>\n<p><figcaption>Figure 6. VM-related extensions <\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<h4>File encryption and ransom note deployment<\/h4>\n<p>After its encryption routine, this variant appends the extension \u201c.locked\u201d on encrypted files and drops a ransom note named <i>HOW TO DECRYPT.txt<\/i> (Figure 7). This is a departure from the usual extension and ransom note file name of its Windows variant (Figure 8).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/f\/targetcompanys-linux-variant-targets-esxi-environments\/TargetCompanyLinux-Figure07.png\" alt=\"Figure 7. Appended \u201c.locked\u201d extension on encrypted files\"> <\/p>\n<p><figcaption>Figure 7. Appended \u201c.locked\u201d extension on encrypted files<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/f\/targetcompanys-linux-variant-targets-esxi-environments\/TargetCompanyLinux-Figure08.png\" alt=\"Figure 8. Ransom note\"> <\/p>\n<p><figcaption>Figure 8. Ransom note<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<h4>Execution of TargetCompany using a shell script<\/h4>\n<p>Upon further investigations, we found out that a shell script was used to download and execute the ransomware payload hosted in a designated URL. Figure 9 shows the custom-made shell script by the threat actors specifically to execute this TargetCompany variant. It first checks for the existence of the <i>TargetInfo.txt<\/i> file and terminates if found.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/f\/targetcompanys-linux-variant-targets-esxi-environments\/TargetCompanyLinux-Figure09.png\" alt=\"Figure 9. Custom shell script for delivery and execution of payload\"> <\/p>\n<p><figcaption>Figure 9. Custom shell script for delivery and execution of payload<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>The script attempts to download the TargetCompany payload from the download URL using \u201cwget\u201d or \u201ccurl,\u201d whichever works between the two commands. The payload is then made executable using the command \u201cchmod +x x\u201d and executed in the background using \u201cnohup .\/x\u201d (Figure 10).&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/f\/targetcompanys-linux-variant-targets-esxi-environments\/TargetCompanyLinux-Figure10.png\" alt=\"Figure 10. Code snippet for downloading and executing TargetCompany\"> <\/p>\n<p><figcaption>Figure 10. Code snippet for downloading and executing TargetCompany<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>The custom shell script is also capable of exfiltrating data to a different server. Once the ransomware payload performs its malicious routine, the script will read the contents of the dropped text file <i>TargetInfo.txt<\/i> and upload it to another URL using \u201cwget\u201d or \u201ccurl\u201d.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/f\/targetcompanys-linux-variant-targets-esxi-environments\/TargetCompanyLinux-Figure11.png\" alt=\"Figure 11. Code snippet of data exfiltration to a C&amp;C server\"> <\/p>\n<p><figcaption>Figure 11. Code snippet of data exfiltration to a C&amp;C server<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"42\">\n<div readability=\"29\">\n<p>This variant exfiltrates victim information to two different servers. It is possible that the implantation of this technique is part of TargetCompany threat actors\u2019 strategy to improve redundancy and have a backup in case a server goes offline or is compromised.<\/p>\n<p>After the ransomware performs its routine, the script deletes the TargetCompany payload using the command \u201crm -f x\u201d.<\/p>\n<p>This technique is very common, but it still poses significant challenge for defenders. Security practitioners will have limited artifacts to work with during investigation and incident response, thus making it difficult to understand the overall impact of the attack.<\/p>\n<h4>Infrastructure<\/h4>\n<p>The IP address used to deliver the payload and exfiltrate a victim\u2019s system information has not yet been observed in previous TargetCompany campaigns. Based on research, this IP address is hosted by China Mobile Communications, an internet service provider (ISP) in China.<\/p>\n<p>Since the IP address is hosted by a service provider, there is a possibility that the IP address used by TargetCompany\u2019s threat actors was rented to host their malicious payload (Figure 12).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/f\/targetcompanys-linux-variant-targets-esxi-environments\/TargetCompanyLinux-Figure12.png\" alt=\"Figure 12. HTTPS certificate\"> <\/p>\n<p><figcaption>Figure 12. HTTPS certificate<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>The certificate also was recently registered and is valid for only three months, indicating that it might be intended for short-term use. Upon visiting the IP address, we found the following homepage that is similar to the Tongda Xinke OA login interface (Figure 13).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/f\/targetcompanys-linux-variant-targets-esxi-environments\/TargetCompanyLinux-Figure13.png\" alt=\"Figure 13. Homepage of the URL used to host the ransomware payload\"> <\/p>\n<p><figcaption>Figure 13. Homepage of the URL used to host the ransomware payload<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32.451523545706\">\n<div readability=\"10.817174515235\">\n<h4>Affiliate \u201cvampire\u201d<\/h4>\n<p>The specific sample shown in Figure 14 is associated with an affiliate called \u201cvampire,\u201d based on the contents it sends to its C&amp;C server. This indicates broader campaigns involving high ransom demands and expansive IT system targeting. This affiliate is possibly connected to the affiliate included in a blog entry posted by <a href=\"https:\/\/blog.sekoia.io\/mallox-ransomware-affiliate-leverages-purecrypter-in-microsoft-sql-exploitation-campaigns\/#h-focus-vampire.\" target=\"_blank\" rel=\"noopener\">Sekoia<\/a>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/f\/targetcompanys-linux-variant-targets-esxi-environments\/TargetCompanyLinux-Figure14.png\" alt=\"Figure 14. \u201cVampire\u201d-related strings\"> <\/p>\n<p><figcaption>Figure 14. \u201cVampire\u201d-related strings<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32.77554438861\">\n<div readability=\"12.531825795645\">\n<h4>Conclusion<\/h4>\n<p>Malicious actors are consistently refining their attacks, as evidenced by the emergence of TargetCompany\u2019s new Linux variant, which allows the ransomware to expand its pool of potential victims by targeting VMWare ESXi environments. In light of this, staying vigilant against emerging ransomware variants should remain paramount among defenders. Implementing tried-and-tested cybersecurity measures can mitigate the risk of falling victim to ransomware attempts and protect the data integrity of an organization&#8217;s assets. Organizations can implement best practices by:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Enabling multifactor authentication (MFA) to prevent attackers from performing lateral movement inside a network.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Adhering to <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/virtualization-and-cloud\/best-practices-backing-up-data\" target=\"_blank\" rel=\"noopener\">the 3-2-1 rule<\/a> when backing up important files \u2014 creating three backup copies on two different file formats, with one of the copies stored in a separate location<\/span><\/li>\n<li><span class=\"rte-red-bullet\"><a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/vulnerabilities-and-exploits\/virtual-patching-patch-those-vulnerabilities-before-they-can-be-exploited\" target=\"_blank\" rel=\"noopener\">Patching and updating systems<\/a> regularly; it\u2019s important to keep operating systems and applications up to date and maintain patch management protocols that can deter malicious actors from exploiting any software vulnerabilities.<\/span><\/li>\n<\/ul>\n<h4>Trend Vision One\u2122 hunting query<\/h4>\n<ul>\n<li><span class=\"rte-red-bullet\">malName:*Linux.TARGETCOMP* AND eventName:MALWARE_DETECTION<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<h4>Indicators of compromise (IOCs)<\/h4>\n<p><b>Hashes<\/b><\/p>\n<p><center><\/p>\n<table cellpadding=\"0\" cellspacing=\"0\" border=\"1\">\n<tbody readability=\"17\">\n<tr>\n<td><b>Hash<\/b><\/td>\n<td><b>Detection<\/b><\/td>\n<td><b>Description<\/b><\/td>\n<\/tr>\n<tr readability=\"6\">\n<td>dffa99b9fe6e7d3e19afba38c9f7ec739581f656<\/td>\n<td>Ransom.Linux.TARGETCOMP.YXEEQT<\/td>\n<td>TargetCompany Linux Variant<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>2b82b463dab61cd3d7765492d7b4a529b4618e57&nbsp;<\/td>\n<td>Trojan.SH.TARGETCOMP.THEAGBD<\/td>\n<td>Shell Script<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td>9779aa8eb4c6f9eb809ebf4646867b0ed38c97e1<\/td>\n<td>Ransom.Win64.TARGETCOMP.YXECMT<\/td>\n<td>TargetCompany samples related to affiliate vampire&nbsp;&nbsp;<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td>3642996044cd85381b19f28a9ab6763e2bab653c<\/td>\n<td>Ransom.Win64.TARGETCOMP.YXECFT<\/td>\n<td>TargetCompany samples related to affiliate vampire&nbsp;&nbsp;<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td>4cdee339e038f5fc32dde8432dc3630afd4df8a2<\/td>\n<td>Ransom.Win32.TARGETCOMP.SMYXCLAZ<\/td>\n<td>TargetCompany samples related to affiliate vampire&nbsp;&nbsp;<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td>0f6bea3ff11bb56c2daf4c5f5c5b2f1afd3d5098<\/td>\n<td>Ransom.Win32.TARGETCOMP.SMYXCLAZ<\/td>\n<td>TargetCompany samples related to affiliate vampire&nbsp;&nbsp;<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><\/center> <\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<p><b>URLs<\/b><\/p>\n<p><center><\/p>\n<table cellpadding=\"0\" cellspacing=\"0\" border=\"1\">\n<tbody readability=\"4\">\n<tr>\n<td><b>URL<\/b><\/td>\n<td><b>Detection<\/b><\/td>\n<td><b>Description<\/b><\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>hxxp:\/\/111.10.231[.]151:8168\/general\/vmeet\/upload\/temp\/x.sh<\/td>\n<td>90 &#8211; Untested<\/td>\n<td>Download URL of script<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>hxxp:\/\/111.10.231[.]151:8168\/general\/vmeet\/upload\/temp\/x<\/td>\n<td>79 \u2013 Disease Vector<\/td>\n<td>Download URL of ransomware payload<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>hxxp:\/\/111.10.231[.]151:8168\/general\/vmeet\/upload\/temp\/post.php<\/td>\n<td>79 \u2013 Disease Vector<\/td>\n<td>Upload URL<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><\/center> <\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<h4>MITRE ATT&amp;CK tactics and techniques<\/h4>\n<p><center><\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody readability=\"5\">\n<tr>\n<td width=\"208\" valign=\"top\"><b>Tactic<\/b><\/td>\n<td width=\"208\" valign=\"top\"><b>Technique<\/b><\/td>\n<td width=\"208\" valign=\"top\"><b>ID<\/b><\/td>\n<\/tr>\n<tr>\n<td width=\"208\" valign=\"top\"><b>Defense Evasion<\/b><\/td>\n<td width=\"208\" valign=\"top\">File Deletion<\/td>\n<td width=\"208\" valign=\"top\">T1070.004<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"208\" valign=\"top\"><b>Discovery<\/b><\/td>\n<td width=\"208\" valign=\"top\">System Information Discovery<\/td>\n<td width=\"208\" valign=\"top\">T1082<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"208\" valign=\"top\"><b>Execution<\/b><\/td>\n<td width=\"208\" valign=\"top\">Command and Scripting Interpreter: Unix Shell<\/td>\n<td width=\"208\" valign=\"top\">T1059.004<\/td>\n<\/tr>\n<tr>\n<td width=\"208\" valign=\"top\"><b>Command and Control<\/b><\/td>\n<td width=\"208\" valign=\"top\">Ingress Tool Transfer<\/td>\n<td width=\"208\" valign=\"top\">T1105<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"208\" rowspan=\"2\" valign=\"top\"><b>Exfiltration<\/b><\/td>\n<td width=\"208\" valign=\"top\">Exfiltration over Alternative Protocol<\/td>\n<td width=\"208\" valign=\"top\">T1408<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"208\" valign=\"top\">Exfiltration over C2 Channel<\/td>\n<td width=\"208\" valign=\"top\">T1041<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"208\" valign=\"top\"><b>Impact<\/b><\/td>\n<td width=\"208\" valign=\"top\">Data Encrypted for Impact<\/td>\n<td width=\"208\" valign=\"top\">T1486<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><\/center> <\/div>\n<\/p><\/div>\n<\/p><\/div>\n<section class=\"tag--list\">\n<p>Tags<\/p>\n<\/section>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <!-- \/* Core functionality javascripts, absolute URL to leverage Akamai CDN *\/ --> <!--For Modal-start--> <\/p>\n<p> <span>sXpIBdPeKzI9PC2p0SWMpUSM2NSxWzPyXTMLlbXmYa0R20xk<\/span> <\/p>\n<p> <!--For Modal-end--> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/f\/targetcompany-s-linux-variant-targets-esxi-environments.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this blog entry, our researchers provide an analysis of TargetCompany ransomware\u2019s Linux variant and how it targets VMware ESXi environments using new methods for payload delivery and execution. Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9539],"class_list":["post-56241","post","type-post","status-publish","format-standard","hentry","category-trendmicro","tag-trend-micro-research-ransomware"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v28.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>TargetCompany\u2019s Linux Variant Targets ESXi Environments 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/targetcompanys-linux-variant-targets-esxi-environments\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"TargetCompany\u2019s Linux Variant Targets ESXi Environments 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/targetcompanys-linux-variant-targets-esxi-environments\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2024-06-05T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/TargetCompanyLinux-Thumbnail:Large?qlt=80\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/targetcompanys-linux-variant-targets-esxi-environments\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/targetcompanys-linux-variant-targets-esxi-environments\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"TargetCompany\u2019s Linux Variant Targets ESXi Environments\",\"datePublished\":\"2024-06-05T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/targetcompanys-linux-variant-targets-esxi-environments\\\/\"},\"wordCount\":1552,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/targetcompanys-linux-variant-targets-esxi-environments\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/TargetCompanyLinux-Thumbnail:Large?qlt=80\",\"keywords\":[\"Trend Micro Research : Ransomware\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/targetcompanys-linux-variant-targets-esxi-environments\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/targetcompanys-linux-variant-targets-esxi-environments\\\/\",\"name\":\"TargetCompany\u2019s Linux Variant Targets ESXi Environments 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/targetcompanys-linux-variant-targets-esxi-environments\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/targetcompanys-linux-variant-targets-esxi-environments\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/TargetCompanyLinux-Thumbnail:Large?qlt=80\",\"datePublished\":\"2024-06-05T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/targetcompanys-linux-variant-targets-esxi-environments\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/targetcompanys-linux-variant-targets-esxi-environments\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/targetcompanys-linux-variant-targets-esxi-environments\\\/#primaryimage\",\"url\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/TargetCompanyLinux-Thumbnail:Large?qlt=80\",\"contentUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/TargetCompanyLinux-Thumbnail:Large?qlt=80\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/targetcompanys-linux-variant-targets-esxi-environments\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Ransomware\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-ransomware\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"TargetCompany\u2019s Linux Variant Targets ESXi Environments\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"TargetCompany\u2019s Linux Variant Targets ESXi Environments 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/targetcompanys-linux-variant-targets-esxi-environments\/","og_locale":"en_US","og_type":"article","og_title":"TargetCompany\u2019s Linux Variant Targets ESXi Environments 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/targetcompanys-linux-variant-targets-esxi-environments\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2024-06-05T00:00:00+00:00","og_image":[{"url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/TargetCompanyLinux-Thumbnail:Large?qlt=80","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/targetcompanys-linux-variant-targets-esxi-environments\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/targetcompanys-linux-variant-targets-esxi-environments\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"TargetCompany\u2019s Linux Variant Targets ESXi Environments","datePublished":"2024-06-05T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/targetcompanys-linux-variant-targets-esxi-environments\/"},"wordCount":1552,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/targetcompanys-linux-variant-targets-esxi-environments\/#primaryimage"},"thumbnailUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/TargetCompanyLinux-Thumbnail:Large?qlt=80","keywords":["Trend Micro Research : Ransomware"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/targetcompanys-linux-variant-targets-esxi-environments\/","url":"https:\/\/www.threatshub.org\/blog\/targetcompanys-linux-variant-targets-esxi-environments\/","name":"TargetCompany\u2019s Linux Variant Targets ESXi Environments 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/targetcompanys-linux-variant-targets-esxi-environments\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/targetcompanys-linux-variant-targets-esxi-environments\/#primaryimage"},"thumbnailUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/TargetCompanyLinux-Thumbnail:Large?qlt=80","datePublished":"2024-06-05T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/targetcompanys-linux-variant-targets-esxi-environments\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/targetcompanys-linux-variant-targets-esxi-environments\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/targetcompanys-linux-variant-targets-esxi-environments\/#primaryimage","url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/TargetCompanyLinux-Thumbnail:Large?qlt=80","contentUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/TargetCompanyLinux-Thumbnail:Large?qlt=80"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/targetcompanys-linux-variant-targets-esxi-environments\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Ransomware","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-ransomware\/"},{"@type":"ListItem","position":3,"name":"TargetCompany\u2019s Linux Variant Targets ESXi Environments"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/56241","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=56241"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/56241\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=56241"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=56241"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=56241"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}