{"id":56613,"date":"2024-07-19T00:00:00","date_gmt":"2024-07-19T00:00:00","guid":{"rendered":"urn:uuid:79d076a6-d201-92a4-9cc7-9bb1f62a2b18"},"modified":"2024-07-19T00:00:00","modified_gmt":"2024-07-19T00:00:00","slug":"play-ransomware-groups-new-linux-variant-targets-esxi-shows-ties-with-prolific-puma","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/play-ransomware-groups-new-linux-variant-targets-esxi-shows-ties-with-prolific-puma\/","title":{"rendered":"Play Ransomware Group\u2019s New Linux Variant Targets ESXi, Shows Ties With Prolific Puma"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/playlinux-cover-976:Large?qlt=80\"><!-- OneTrust Cookies Consent Notice start for trendmicro.com --><!-- OneTrust Cookies Consent Notice end for trendmicro.com --> <head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width\"> <meta name=\"description\" content=\"Trend Micro threat hunters discovered that the Play ransomware group has been deploying a new Linux variant that targets ESXi environments. 
Read our blog entry to know more.\"> <meta name=\"robots\" content=\"index,follow\"> <meta name=\"keywords\" content=\"endpoints,ransomware,research,articles, news, reports\"> <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge,chrome=1\"> <meta name=\"template\" content=\"article1withouthero\"> <meta property=\"article:published_time\" content=\"2024-07-19\"> <meta property=\"article:tag\" content=\"ransomware\"> <meta property=\"article:section\" content=\"research\"> <link rel=\"icon\" type=\"image\/ico\" href=\"\/content\/dam\/trendmicro\/favicon.ico\"> <link rel=\"canonical\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/g\/new-play-ransomware-linux-variant-targets-esxi-shows-ties-with-p.html\"> <title>New Play Ransomware Linux Variant Targets ESXi Shows Ties With Prolific Puma | Trend Micro (US)<\/title> <link href=\"https:\/\/fonts.googleapis.com\/css?family=Open+Sans:300,300i,400,400i,600\" rel=\"stylesheet\">\n<link href=\"\/\/customer.cludo.com\/css\/296\/1798\/cludo-search.min.css\" type=\"text\/css\" rel=\"stylesheet\"> <link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch.min.css\" type=\"text\/css\">\n<link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendmicro\/clientlibs\/trendmicro-core-2\/clientlibs\/header-footer.min.css\" type=\"text\/css\"> <meta property=\"og:url\" content=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/g\/new-play-ransomware-linux-variant-targets-esxi-shows-ties-with-p.html\"><br \/>\n<meta property=\"og:title\" content=\"New Play Ransomware Linux Variant Targets ESXi Shows Ties With Prolific Puma\"><br \/>\n<meta property=\"og:description\" content=\"Trend Micro threat hunters discovered that the Play ransomware group has been deploying a new Linux variant that targets ESXi environments. 
Read our blog entry to know more.\"><br \/>\n<meta property=\"og:site_name\" content=\"Trend Micro\"><br \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/24\/playlinux-cover-976.png\"><br \/>\n<meta property=\"og:locale\" content=\"en_US\"> <meta name=\"twitter:card\" content=\"summary_large_image\"><br \/>\n<meta name=\"twitter:site\" content=\"@TrendMicro\"><br \/>\n<meta name=\"twitter:title\" content=\"New Play Ransomware Linux Variant Targets ESXi Shows Ties With Prolific Puma\"><br \/>\n<meta name=\"twitter:description\" content=\"Trend Micro threat hunters discovered that the Play ransomware group has been deploying a new Linux variant that targets ESXi environments. Read our blog entry to know more.\"><br \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/24\/playlinux-cover-976.png\"> <\/head> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"51.565266958009\"> <!-- Page Scroll: Back to Top --> <a id=\"page-scroll\" title=\"VerticalPageScroll\" href=\"javascript:jumpScroll($(this).scrollTop());\"> <span class=\"icon-chevron-up\"><\/span> <\/a> <!-- \/* Data Layers *\/ --> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"694029743\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"11.278846153846\">\n<div class=\"article-details\" role=\"heading\" readability=\"42.173076923077\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Ransomware<\/p>\n<p 
class=\"article-details__description\">Trend Micro threat hunters discovered that the Play ransomware group has been deploying a new Linux variant that targets ESXi environments. Read our blog entry to know more.<\/p>\n<p class=\"article-details__author-by\">By: Cj Arsley Mateo, Darrel Tristan Virtusio, Sarah Pearl Camiling, Andrei Alimboyao, Nathaniel Morales, Jacob Santos, Earl John Bareng <time class=\"article-details__date\">July 19, 2024<\/time> <span>Read time:&nbsp;<\/span><span class=\"eta\"><\/span> (<span class=\"words\"><\/span> words) <\/p>\n<div class=\"article-details__icons\"> <!--Add This--> <\/p>\n<div class=\"a2a_kit a2a_default_style\" data-a2a-icon-color=\"#717172\"> <a class=\"a2a_dd addthis_link\" href=\"https:\/\/www.addtoany.com\/share\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch\/resources\/img\/share-more.svg\" class=\"svg-icon\" alt=\"Share\"> <\/a> <a class=\"a2a_button_print addthis_link\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch\/resources\/img\/printer.svg\" class=\"svg-icon\" alt=\"Print\"> <\/a> <\/div>\n<p> <!--Add to Folio--> <!--Subscribe--> <\/div>\n<\/div><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-lg-8 col-lg-push-2\"> <\/p>\n<div class=\"richText\" readability=\"40.101825842697\">\n<div readability=\"25.744382022472\">\n<p><b>Summary:<\/b><\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">The <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/ransomware-spotlight\/ransomware-spotlight-play\">Play<\/a> <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/definition\/ransomware\">ransomware<\/a> group, known for its double-extortion tactic, now has a Linux variant targeting ESXi environments.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Most attacks this year have been 
concentrated in the US.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">This ransomware verifies that it is running in an ESXi environment before executing. It has successfully evaded security measures, as indicated by VirusTotal.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">The Play ransomware group appears to be using the services and infrastructure peddled by the Prolific Puma group.<br \/>&nbsp;<\/span><\/li>\n<\/ul>\n<p>Our Threat Hunting team uncovered a Linux variant of the Play ransomware that only encrypts files when running in a VMware ESXi environment. First detected in June 2022, the Play ransomware group became notable for its double-extortion tactic, evasion techniques, custom-built tools, and substantial impact on various organizations in Latin America.<\/p>\n<p>This is the first time that we\u2019ve observed Play ransomware targeting ESXi environments. This development suggests that the group could be broadening its attacks across the Linux platform, leading to an expanded victim pool and more successful ransom negotiations.<\/p>\n<p>VMware ESXi environments are commonly used by businesses to run multiple virtual machines (VMs). They often host critical applications and data, and normally include integrated backup solutions. Compromising them can significantly disrupt business operations and even encrypt backups, which further reduces the victim\u2019s capability to recover data.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"7\">\n<figure class=\"image-figure\" readability=\"4\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/g\/new-play-ransomware-linux-variant-targets-esxi-shows-ties-with-prolific-puma\/Fig-1.png\" alt=\"Based on ransomware.live, the US is the top country with the most victim counts by the Play ransomware group from January to July 2024\"> <\/p>\n<p><figcaption>Figure 1. 
Based on ransomware.live, the US is the top country with the most victim counts by the Play ransomware group from January to July 2024<\/figcaption><\/p>\n<\/figure><\/div>\n<div>\n<div class=\"image\" readability=\"6.5\">\n<figure class=\"image-figure\" readability=\"3\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/g\/new-play-ransomware-linux-variant-targets-esxi-shows-ties-with-prolific-puma\/Fig-2.png\" alt=\"Manufacturing and professional services are the top industries affected by the Play ransomware group from January to July 2024\"> <\/p>\n<p><figcaption> Figure 2. Manufacturing and professional services are the top industries affected by the Play ransomware group from January to July 2024<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>The submitted sample in VirusTotal indicates that it has managed to evade security detections. In our analysis, we found that the Linux variant is compressed in a RAR file with its Windows variant and is hosted in the URL, <i>hxxp:\/\/108.[BLOCKED].190\/FX300.rar<\/i>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/g\/new-play-ransomware-linux-variant-targets-esxi-shows-ties-with-prolific-puma\/fig-3.png\" alt=\"The Linux variant of Play ransomware showed 0 detections in VirusTotal.\"> <\/p>\n<p><figcaption>Figure 3. 
The Linux variant of Play ransomware showed 0 detections in VirusTotal.<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"28.424242424242\">\n<div readability=\"10.181818181818\">\n<p>This IP address hosts tools that were used by Play ransomware <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/i\/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html\">in its previous attacks<\/a> \u2014 including PsExec, NetScan, WinSCP, WinRAR, and the Coroxy backdoor. &nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6.5\">\n<figure class=\"image-figure\" readability=\"3\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/g\/new-play-ransomware-linux-variant-targets-esxi-shows-ties-with-prolific-puma\/Fig-4.png\" alt=\"The infection chain of the Linux variant of Play ransomware includes the use of several tools.\"> <\/p>\n<p><figcaption>Figure 4. The infection chain of the Linux variant of Play ransomware includes the use of several tools.<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"41\">\n<div class=\"responsive-table-wrap\" readability=\"27\">\n<p>Figure 4 shows the infection chain of this ransomware variant. Though no actual infection has been observed, the command-and-control (C&amp;C) server hosts the common tools that Play ransomware currently uses in its attacks. 
This could denote that the Linux variant might employ similar tactics, techniques, and procedures (TTPs).<\/p>\n<h2><span class=\"body-subhead-title\">Infection Routine of the Linux Variant of Play Ransomware<\/span><\/h2>\n<p>Like its Windows variant, the sample accepts command-line arguments, but their behaviors are still unknown.<\/p>\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\">\n<tbody readability=\"6\">\n<tr readability=\"6\">\n<td width=\"156\" valign=\"top\" readability=\"5\">\n<p><b>Play Ransomware Windows Variant<\/b><\/p>\n<\/td>\n<td width=\"156\" valign=\"top\">\n<p><b>Description<\/b><\/p>\n<\/td>\n<td width=\"156\" valign=\"top\" readability=\"5\">\n<p><b>Play Ransomware Linux Variant<\/b><\/p>\n<\/td>\n<td width=\"156\" valign=\"top\">\n<p><b>Description<\/b><\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"156\" valign=\"top\">\n<p>-mc<\/p>\n<\/td>\n<td width=\"156\" valign=\"top\" readability=\"5\">\n<p>Execute normal functionality; same as no command-line argument<\/p>\n<\/td>\n<td width=\"156\" valign=\"top\">\n<p>-p<\/p>\n<\/td>\n<td width=\"156\" valign=\"top\">\n<p>N\/A<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"156\" valign=\"top\">\n<p>-d &lt;drive path&gt;&nbsp;<\/p>\n<\/td>\n<td width=\"156\" valign=\"top\">\n<p>Encrypt a specific drive<\/p>\n<\/td>\n<td width=\"156\" valign=\"top\">\n<p>-f<\/p>\n<\/td>\n<td width=\"156\" valign=\"top\">\n<p>N\/A<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td width=\"156\" valign=\"top\" readability=\"5\">\n<p>-ip &lt;shared resource path&gt; &lt;username&gt; &lt;password&gt;<\/p>\n<\/td>\n<td width=\"156\" valign=\"top\" readability=\"5\">\n<p>Encrypt network shared resource<\/p>\n<\/td>\n<td width=\"156\" valign=\"top\">\n<p>-s<\/p>\n<\/td>\n<td width=\"156\" valign=\"top\">\n<p>N\/A<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"156\" valign=\"top\">\n<p>-p &lt;path&gt;<\/p>\n<\/td>\n<td width=\"156\" valign=\"top\" readability=\"5\">\n<p>Encrypt a specific 
folder\/file<\/p>\n<\/td>\n<td width=\"156\" valign=\"top\">\n<p>-e<\/p>\n<\/td>\n<td width=\"156\" valign=\"top\">\n<p>N\/A<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><i>Table 1. The command-line arguments of the Windows and Linux variants of Play ransomware include commands for encrypting drives, files, and network shared resources.<\/i><\/p>\n<p>The sample runs ESXi-related commands to check that it is running in an ESXi environment before performing its malicious routines. Otherwise, it will terminate and delete itself.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6.5\">\n<figure class=\"image-figure\" readability=\"3\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/g\/new-play-ransomware-linux-variant-targets-esxi-shows-ties-with-prolific-puma\/fig-5.png\" alt=\"Error logs indicate that the vim-cmd and esxcli commands are missing. These commands are specific to the ESXi environment. \"> <\/p>\n<p><figcaption>Figure 5. Error logs indicate that the vim-cmd and esxcli commands are missing. These commands are specific to the ESXi environment. <\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p>We also found a series of shell script commands that the sample executes once it is running in an ESXi environment. 
The command below is responsible for scanning and powering off all VMs found in the environment:<\/p>\n<p><span class=\"blockquote\">\/bin\/sh -c \u201cfor vmid in $(vim-cmd vmsvc\/getallvms | grep -v Vmid | awk &#8216;{print $1}&#8217;); do vim-cmd vmsvc\/power.off $vmid; done&#8221;<\/span><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"7.5\">\n<figure class=\"image-figure\" readability=\"5\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/g\/new-play-ransomware-linux-variant-targets-esxi-shows-ties-with-prolific-puma\/fig-6.png\" alt=\"Once the ransomware runs successfully, it turns off any running VMs using the esxcli command.\"> <\/p>\n<p><figcaption>Figure 6. Once the ransomware runs successfully, it turns off any running VMs using the esxcli command.<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"37.5\">\n<div readability=\"20\">\n<p>This command is responsible for setting a custom welcome message on the ESXi host:<\/p>\n<p><span class=\"blockquote\">\/bin\/sh -c \u201cesxcli system welcomemsg set -m=\\&#8221;<\/span>&nbsp;<\/p>\n<p>Once the ransomware executes the series of ESXi-related commands, it proceeds to encrypt VM files, including VM disk, configuration, and metadata files. The VM disk file, for example, contains critical data, including applications and user data.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/g\/new-play-ransomware-linux-variant-targets-esxi-shows-ties-with-prolific-puma\/fig-7.png\" alt=\"List of extensions to be encrypted\"> <\/p>\n<p><figcaption>Figure 7. 
List of extensions to be encrypted<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>After completing the process, most of the encrypted files inside the guest OS \u201cubuntu\u201d (as an example) are appended with the extension \u201c.PLAY\u201d.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/g\/new-play-ransomware-linux-variant-targets-esxi-shows-ties-with-prolific-puma\/fig-8.png\" alt=\"Most of the VM files encrypted by the ransomware will have the .PLAY extension.\"> <\/p>\n<p><figcaption>Figure 8. Most of the VM files encrypted by the ransomware will have the .PLAY extension.<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>It will also drop a ransom note in the root directory, which is also displayed in the login portal of the ESXi client.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/g\/new-play-ransomware-linux-variant-targets-esxi-shows-ties-with-prolific-puma\/fig-9.png\" alt=\"The ransom note named PLAY_Readme.txt contains links to the Tor network. \"> <\/p>\n<p><figcaption>Figure 9. The ransom note named PLAY_Readme.txt contains links to the Tor network. 
<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/g\/new-play-ransomware-linux-variant-targets-esxi-shows-ties-with-prolific-puma\/fig-10.png\" alt=\"The login portal of the affected ESXi server also displays the ransom note. \"> <\/p>\n<p><figcaption>Figure 10. The login portal of the affected ESXi server also displays the ransom note. <\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"image\" readability=\"6.5\">\n<figure class=\"image-figure\" readability=\"3\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/g\/new-play-ransomware-linux-variant-targets-esxi-shows-ties-with-prolific-puma\/fig-11.png\" alt=\"Once the ESXi system is rebooted, the ransom note will also appear in the console.\"> <\/p>\n<p><figcaption>Figure 11. Once the ESXi system is rebooted, the ransom note will also appear in the console.<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"36.5\">\n<div readability=\"18\">\n<h2><span class=\"body-subhead-title\">Exploring the Connection Between Prolific Puma and Play Ransomware<\/span><\/h2>\n<p>Monitoring the external activities of the suspicious IP address, we saw that the URL used to host the ransomware payload and its tools is related to another threat actor, which is named Prolific<b> <\/b>Puma<b>. 
<\/b>&nbsp;&nbsp;<\/p>\n<p>Prolific Puma is known to generate domain names using a random destination generator algorithm (RDGA) and utilizes them to offer a link-shortening service to fellow cybercriminals, who then use it to avoid detection while disseminating phishing schemes, scams, and malware.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/g\/new-play-ransomware-linux-variant-targets-esxi-shows-ties-with-prolific-puma\/fig-12.png\" alt=\"The VirusTotal result of the URL mentions Prolific Puma.\"> <\/p>\n<p><figcaption>Figure 12. The VirusTotal result of the URL mentions Prolific Puma.<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32\">\n<div class=\"responsive-table-wrap\" readability=\"9\">\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\" height=\"100%\">\n<tbody readability=\"11\">\n<tr>\n<td width=\"125\" valign=\"top\">\n<p><b>SUBJECT<\/b>&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\">\n<p><b>SUBJECT-TYPE<\/b>&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\">\n<p><b>INDICATOR <\/b>&nbsp;&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\">\n<p><b>DETECTION<\/b><\/p>\n<\/td>\n<td width=\"125\" valign=\"top\">\n<p><b>DESCRIPTION<\/b><\/p>\n<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td width=\"125\" valign=\"top\">\n<p>108 [.]61[.]142[.]190&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\">\n<p>IP address&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\" readability=\"5\">\n<p>hxxp:\/\/108 [.]61[.]142[.]190\/<\/p>\n<p>FX300.rar&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\">\n<p>95 &#8211; Ransomware&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\" readability=\"5\">\n<p>Hosting URL for Play Ransomware binary&nbsp;&nbsp;<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td width=\"125\" 
valign=\"top\">\n<p>108 [.]61[.]142[.]190&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\">\n<p>IP address&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\" readability=\"5\">\n<p>hxxp:\/\/108 [.]61[.]142[.]190\/<\/p>\n<p>1.dll.sa&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\">\n<p>79 -Disease Vector&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\" readability=\"5\">\n<p>Hosting URL for Coroxy backdoor&nbsp;<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td width=\"125\" valign=\"top\">\n<p>108 [.]61[.]142[.]190&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\">\n<p>IP address&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\" readability=\"5\">\n<p>hxxp:\/\/108 [.]61[.]142[.]190\/<\/p>\n<p>64.zip&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\">\n<p>79 \u2013 Disease Vector<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\" readability=\"5\">\n<p>Hosting URL for NetScan&nbsp;<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"125\" valign=\"top\">\n<p>108 [.]61[.]142[.]190&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\">\n<p>IP address&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\" readability=\"5\">\n<p>hxxp:\/\/108 [.]61[.]142[.]190\/<\/p>\n<p>winrar-x64-611.exe&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\">\n<p>Untested&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\">\n<p>Hosting URL for WinRAR&nbsp;<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"125\" valign=\"top\">\n<p>108 [.]61[.]142[.]190&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\">\n<p>IP address&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\" readability=\"5\">\n<p>hxxp:\/\/108 [.]61[.]142[.]190\/<\/p>\n<p>PsExec.exe&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\">\n<p>Untested&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\">\n<p>Hosting URL for PsExec&nbsp;<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"9\">\n<td width=\"125\" valign=\"top\">\n<p>108 [.]61[.]142[.]190&nbsp;<\/p>\n<\/td>\n<td width=\"125\" 
valign=\"top\">\n<p>IP address&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\" readability=\"5\">\n<p>hxxp:\/\/108 [.]61[.]142[.]190\/<\/p>\n<p>host1.sa&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\" readability=\"5\">\n<p>78 &#8211; Malware Accomplice&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\" readability=\"5\">\n<p>Hosting URL for Coroxy backdoor&nbsp;<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><i>Table 2. The different tools of Play ransomware resolve to several IP addresses<\/i>.<\/p>\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\">\n<tbody>\n<tr>\n<td width=\"144\" valign=\"top\">\n<p><b>SUBJECT<\/b>&nbsp;<\/p>\n<\/td>\n<td width=\"106\" valign=\"top\">\n<p><b>SUBJECT-TYPE<\/b>&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\">\n<p><b>INDICATOR <\/b>&nbsp;&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\">\n<p><b>INDICATOR-TYPE<\/b>&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\">\n<p><b>REGISTRAR<\/b> <b>&nbsp;<\/b><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"144\" valign=\"top\">\n<p>108 [.]61[.]142[.]190&nbsp;<\/p>\n<\/td>\n<td width=\"106\" valign=\"top\">\n<p>IP address&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\">\n<p>ztqs[.]info&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\">\n<p>Domain (RDGA)&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\">\n<p>Porkbun, LLC&nbsp;<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"144\" valign=\"top\">\n<p>108 [.]61[.]142[.]190&nbsp;<\/p>\n<\/td>\n<td width=\"106\" valign=\"top\">\n<p>IP address&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\">\n<p>zfrb[.]info&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\">\n<p>Domain (RDGA)&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\">\n<p>Porkbun, LLC&nbsp;<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"144\" valign=\"top\">\n<p>108 [.]61[.]142[.]190&nbsp;<\/p>\n<\/td>\n<td width=\"106\" valign=\"top\">\n<p>IP address&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\">\n<p>xzdw[.]info&nbsp;<\/p>\n<\/td>\n<td 
width=\"125\" valign=\"top\">\n<p>Domain (RDGA)&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\">\n<p>Porkbun, LLC&nbsp;<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"144\" valign=\"top\">\n<p>108 [.]61[.]142[.]190&nbsp;<\/p>\n<\/td>\n<td width=\"106\" valign=\"top\">\n<p>IP address&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\">\n<p>iing[.]info&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\">\n<p>Domain (RDGA)&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\">\n<p>Porkbun, LLC&nbsp;<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"144\" valign=\"top\">\n<p>108 [.]61[.]142[.]190&nbsp;<\/p>\n<\/td>\n<td width=\"106\" valign=\"top\">\n<p>IP address&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\">\n<p>mcmb[.]info&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\">\n<p>Domain (RDGA)&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\">\n<p>NameCheap, Inc&nbsp;<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"144\" valign=\"top\">\n<p>108 [.]61[.]142[.]190&nbsp;<\/p>\n<\/td>\n<td width=\"106\" valign=\"top\">\n<p>IP address&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\">\n<p>lcmr[.]info&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\">\n<p>Domain (RDGA)&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\">\n<p>NameCheap, Inc&nbsp;<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"144\" valign=\"top\">\n<p>108 [.]61[.]142[.]190&nbsp;<\/p>\n<\/td>\n<td width=\"106\" valign=\"top\">\n<p>IP address&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\">\n<p>thfq[.]info&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\">\n<p>Domain (RDGA)&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\">\n<p>NameCheap, Inc&nbsp;<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"144\" valign=\"top\">\n<p>108 [.]61[.]142[.]190&nbsp;<\/p>\n<\/td>\n<td width=\"106\" valign=\"top\">\n<p>IP address&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\">\n<p>hibh[.]info&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\">\n<p>Domain (RDGA)&nbsp;<\/p>\n<\/td>\n<td width=\"125\" 
valign=\"top\">\n<p>NameCheap, Inc&nbsp;<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"144\" valign=\"top\">\n<p>108 [.]61[.]142[.]190&nbsp;<\/p>\n<\/td>\n<td width=\"106\" valign=\"top\">\n<p>IP address&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\">\n<p>iwqe[.]info&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\">\n<p>Domain (RDGA)&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\">\n<p>NameCheap, Inc&nbsp;<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"144\" valign=\"top\">\n<p>108 [.]61[.]142[.]190&nbsp;<\/p>\n<\/td>\n<td width=\"106\" valign=\"top\">\n<p>IP address&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\">\n<p>ukwc[.]info&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\">\n<p>Domain (RDGA)&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\">\n<p>NameCheap, Inc&nbsp;<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"144\" valign=\"top\">\n<p>108 [.]61[.]142[.]190&nbsp;<\/p>\n<\/td>\n<td width=\"106\" valign=\"top\">\n<p>IP address&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\">\n<p>apkh[.]info&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\">\n<p>Domain (RDGA)&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\">\n<p>NameCheap, Inc&nbsp;<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"144\" valign=\"top\">\n<p>108 [.]61[.]142[.]190&nbsp;<\/p>\n<\/td>\n<td width=\"106\" valign=\"top\">\n<p>IP address&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\">\n<p>vqbl[.]info&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\">\n<p>Domain (RDGA)&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\">\n<p>NameSilo, LLC&nbsp;<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"144\" valign=\"top\">\n<p>108 [.]61[.]142[.]190&nbsp;<\/p>\n<\/td>\n<td width=\"106\" valign=\"top\">\n<p>IP address&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\">\n<p>vgkb[.]info&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\">\n<p>Domain (RDGA)&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\">\n<p>NameSilo, LLC&nbsp;<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"144\" valign=\"top\">\n<p>108 
[.]61[.]142[.]190&nbsp;<\/p>\n<\/td>\n<td width=\"106\" valign=\"top\">\n<p>IP address&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\">\n<p>znuc[.]info&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\">\n<p>Domain (RDGA)&nbsp;<\/p>\n<\/td>\n<td width=\"125\" valign=\"top\">\n<p>NameSilo, LLC&nbsp;<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><i>Table 3. The IP addresses hosting the Play ransomware resolve to different domains.<\/i><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/g\/new-play-ransomware-linux-variant-targets-esxi-shows-ties-with-prolific-puma\/fig-13.png\" alt=\"Prolific Puma uses numerous registered domains. \"> <\/p>\n<p><figcaption>Figure 13. Prolific Puma uses numerous registered domains. <\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"image\" readability=\"6.5\">\n<figure class=\"image-figure\" readability=\"3\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/g\/new-play-ransomware-linux-variant-targets-esxi-shows-ties-with-prolific-puma\/fig-14.png\" alt=\"A shortened link created by Prolific Puma correlates with the observed IP address associated with Play ransomware\"> <\/p>\n<p><figcaption>Figure 14. A shortened link created by Prolific Puma correlates with the observed IP address associated with Play ransomware<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"34.254385964912\">\n<div readability=\"15.438596491228\">\n<p>Tables 2 and 3 display the domains, particularly DGAs, that resolve to the IP address alongside the Play ransomware toolkit. These domains are registered under different registrar names. Our research indicates that Prolific Puma typically uses three to four random characters in its registered domains. 
The sample domains registered by Prolific Puma in the tables match the domains that resolve to the IP address associated with Play ransomware.<\/p>\n<p>Additionally, the message shown when accessing one of the domains matches the one reported by other <a href=\"https:\/\/blogs.infoblox.com\/threat-intelligence\/prolific-puma-shadowy-link-shortening-service-enables-cybercrime\/\" target=\"_blank\" rel=\"noopener\">security researchers<\/a>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/g\/new-play-ransomware-linux-variant-targets-esxi-shows-ties-with-prolific-puma\/fig-15a.png\" alt=\"Accessing different domains shows the same message about link-shortening services.\"> <\/figure>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/g\/new-play-ransomware-linux-variant-targets-esxi-shows-ties-with-prolific-puma\/fig-15b.png\" alt=\"Accessing different domains shows the same message about link-shortening services.\"> <\/p>\n<p><figcaption>Figure 15. Accessing different domains shows the same message about link-shortening services.<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"33\">\n<div class=\"responsive-table-wrap\" readability=\"11\">\n<p>To further verify the connection between the two groups, the team also tested the Coroxy backdoor hosted on the same IP address. Black-box analysis shows that the Coroxy backdoor was observed connecting to 45[.]76[.]165[.]129. 
This IP address also resolves to various domains associated with Prolific Puma.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6.5\">\n<figure class=\"image-figure\" readability=\"3\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/g\/new-play-ransomware-linux-variant-targets-esxi-shows-ties-with-prolific-puma\/fig-16.png\" alt=\"The Coroxy backdoor used by Play ransomware has been detected establishing a connection to the specified IP address. \"> <\/p>\n<p><figcaption>Figure 16. The Coroxy backdoor used by Play ransomware has been detected establishing a connection to the specified IP address. <\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"34\">\n<div class=\"responsive-table-wrap\" readability=\"13\">\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\" height=\"100%\">\n<tbody>\n<tr>\n<td width=\"141\" valign=\"top\">\n<p><b>SUBJECT<\/b><\/p>\n<\/td>\n<td width=\"83\" valign=\"top\">\n<p><b>SUBJECT-TYPE<\/b><\/p>\n<\/td>\n<td width=\"98\" valign=\"top\">\n<p><b>INDICATOR <\/b>&nbsp;<\/p>\n<\/td>\n<td width=\"121\" valign=\"top\">\n<p><b>INDICATOR-TYPE<\/b><\/p>\n<\/td>\n<td width=\"118\" valign=\"top\">\n<p><b>REGISTRAR<\/b><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"141\" valign=\"top\">\n<p>45[.]76[.]165[.]129&nbsp;<\/p>\n<\/td>\n<td width=\"83\" valign=\"top\">\n<p>IP address&nbsp;<\/p>\n<\/td>\n<td width=\"98\" valign=\"top\">\n<p>jhrd[.]me<\/p>\n<\/td>\n<td width=\"121\" valign=\"top\">\n<p>Domain (RDGA)&nbsp;<\/p>\n<\/td>\n<td width=\"118\" valign=\"top\">\n<p>NameSilo, LLC<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"141\" valign=\"top\">\n<p>45 [.]76[.]165[.] 
129&nbsp;<\/p>\n<\/td>\n<td width=\"83\" valign=\"top\">\n<p>IP address&nbsp;<\/p>\n<\/td>\n<td width=\"98\" valign=\"top\">\n<p>pkil[.]me<\/p>\n<\/td>\n<td width=\"121\" valign=\"top\">\n<p>Domain (RDGA)&nbsp;<\/p>\n<\/td>\n<td width=\"118\" valign=\"top\">\n<p>NameSilo, LLC<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"141\" valign=\"top\">\n<p>45 [.]76[.]165[.] 129&nbsp;<\/p>\n<\/td>\n<td width=\"83\" valign=\"top\">\n<p>IP address&nbsp;<\/p>\n<\/td>\n<td width=\"98\" valign=\"top\">\n<p>kwfw[.]me<\/p>\n<\/td>\n<td width=\"121\" valign=\"top\">\n<p>Domain (RDGA)&nbsp;<\/p>\n<\/td>\n<td width=\"118\" valign=\"top\">\n<p>NameSilo, LLC<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"141\" valign=\"top\">\n<p>45 [.]76[.]165[.] 129&nbsp;<\/p>\n<\/td>\n<td width=\"83\" valign=\"top\">\n<p>IP address&nbsp;<\/p>\n<\/td>\n<td width=\"98\" valign=\"top\">\n<p>whry[.]me<\/p>\n<\/td>\n<td width=\"121\" valign=\"top\">\n<p>Domain (RDGA)&nbsp;<\/p>\n<\/td>\n<td width=\"118\" valign=\"top\">\n<p>NameSilo, LLC<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"141\" valign=\"top\">\n<p>45 [.]76[.]165[.] 129&nbsp;<\/p>\n<\/td>\n<td width=\"83\" valign=\"top\">\n<p>IP address&nbsp;<\/p>\n<\/td>\n<td width=\"98\" valign=\"top\">\n<p>pxkt[.]me<\/p>\n<\/td>\n<td width=\"121\" valign=\"top\">\n<p>Domain (RDGA)&nbsp;<\/p>\n<\/td>\n<td width=\"118\" valign=\"top\">\n<p>NameSilo, LLC<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"141\" valign=\"top\">\n<p>45 [.]76[.]165[.] 
129&nbsp;<\/p>\n<\/td>\n<td width=\"83\" valign=\"top\">\n<p>IP address&nbsp;<\/p>\n<\/td>\n<td width=\"98\" valign=\"top\">\n<p>ylvq[.]me<\/p>\n<\/td>\n<td width=\"121\" valign=\"top\">\n<p>Domain (RDGA)&nbsp;<\/p>\n<\/td>\n<td width=\"118\" valign=\"top\">\n<p>NameSilo, LLC<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"141\" valign=\"top\">\n<p>45 [.]76[.]165[.]129&nbsp;<\/p>\n<\/td>\n<td width=\"83\" valign=\"top\">\n<p>IP address&nbsp;<\/p>\n<\/td>\n<td width=\"98\" valign=\"top\">\n<p>flbe[.]link<\/p>\n<\/td>\n<td width=\"121\" valign=\"top\">\n<p>Domain (RDGA)&nbsp;<\/p>\n<\/td>\n<td width=\"118\" valign=\"top\">\n<p>NameSilo, LLC<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"141\" valign=\"top\">\n<p>45 [.]76[.]165[.]129&nbsp;<\/p>\n<\/td>\n<td width=\"83\" valign=\"top\">\n<p>IP address&nbsp;<\/p>\n<\/td>\n<td width=\"98\" valign=\"top\">\n<p>mmhp[.]link<\/p>\n<\/td>\n<td width=\"121\" valign=\"top\">\n<p>Domain (RDGA)&nbsp;<\/p>\n<\/td>\n<td width=\"118\" valign=\"top\">\n<p>NameSilo, LLC<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"141\" valign=\"top\">\n<p>45 [.]76[.]165[.] 129&nbsp;<\/p>\n<\/td>\n<td width=\"83\" valign=\"top\">\n<p>IP address&nbsp;<\/p>\n<\/td>\n<td width=\"98\" valign=\"top\">\n<p>gunq[.]link<\/p>\n<\/td>\n<td width=\"121\" valign=\"top\">\n<p>Domain (RDGA)&nbsp;<\/p>\n<\/td>\n<td width=\"118\" valign=\"top\">\n<p>NameSilo, LLC<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"141\" valign=\"top\">\n<p>45 [.]76[.]165[.] 129&nbsp;<\/p>\n<\/td>\n<td width=\"83\" valign=\"top\">\n<p>IP address&nbsp;<\/p>\n<\/td>\n<td width=\"98\" valign=\"top\">\n<p>ojry[.]link<\/p>\n<\/td>\n<td width=\"121\" valign=\"top\">\n<p>Domain (RDGA)&nbsp;<\/p>\n<\/td>\n<td width=\"118\" valign=\"top\">\n<p>NameSilo, LLC<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"141\" valign=\"top\">\n<p>45 [.]76[.]165[.] 
129&nbsp;<\/p>\n<\/td>\n<td width=\"83\" valign=\"top\">\n<p>IP address&nbsp;<\/p>\n<\/td>\n<td width=\"98\" valign=\"top\">\n<p>bltr[.]me<\/p>\n<\/td>\n<td width=\"121\" valign=\"top\">\n<p>Domain (RDGA)&nbsp;<\/p>\n<\/td>\n<td width=\"118\" valign=\"top\">\n<p>NameSilo, LLC<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><i>Table 4. Different domains resolve to the IP address of the Coroxy backdoor connection<\/i>.<\/p>\n<p>The IP address that the Coroxy backdoor connects to also resolves to different domains that match the registered domains of Prolific Puma. Further examination of the IP address shows \u201cvultrusercontent.com\u201d appended to it, matching the original IP, as shown in Figure 17.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6.5\">\n<figure class=\"image-figure\" readability=\"3\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/g\/new-play-ransomware-linux-variant-targets-esxi-shows-ties-with-prolific-puma\/fig-17.png\" alt=\"A Shodan query of the IP address hosting Play ransomware reveals some details on its associated infrastructure. \"> <\/p>\n<p><figcaption>Figure 17. A Shodan query of the IP address hosting Play ransomware reveals some details on its associated infrastructure. <\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>Comparison of the IP address that hosted Play ransomware and its tools with another IP address related to Prolific Puma shows that both IP addresses have the same autonomous system number (ASN). 
This means that they belong to the same network and are managed by the same network provider.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6.5\">\n<figure class=\"image-figure\" readability=\"3\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/g\/new-play-ransomware-linux-variant-targets-esxi-shows-ties-with-prolific-puma\/fig-18.png\" alt=\"The IP address hosting the ransomware (left) and the IP address related to Prolific Puma (right) have similarities.\"> <\/p>\n<p><figcaption>Figure 18. The IP address hosting the ransomware (left) and the IP address related to Prolific Puma (right) have similarities.<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"39.309900309385\">\n<div class=\"responsive-table-wrap\" readability=\"23.884496390512\">\n<p>Prolific Puma is discerning in its client selection process, preferring to engage with individuals or groups deemed deserving of its services. Given the established reputation of the threat actors behind Play ransomware, they might be considered a suitable candidate to access Prolific Puma\u2019s offerings. These findings suggest a potential collaboration between these cybercriminal entities. The Play ransomware group, too, might be seeking to enhance its capabilities in circumventing defensive security protocols through Prolific Puma\u2019s services.<\/p>\n<h2><span class=\"body-subhead-title\">Mitigating ransomware attacks on ESXi environments<\/span><\/h2>\n<p>ESXi environments are high-value targets for ransomware attacks due to their critical role in business operations. The efficiency of encrypting numerous VMs simultaneously and the valuable data they hold make them even more lucrative targets for cybercriminals. 
To mitigate risks and exposure to these attacks, organizations should implement several best practices:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Regular patching and updates: Keep the ESXi environment and associated management software up to date to protect against known vulnerabilities.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Virtual patching: Many organizations may not patch or update their ESXi environments as frequently as they should due to complexity, downtime concerns, resource constraints, operational priorities, or compatibility issues. Virtual patching helps by applying security measures at the network level to protect vulnerable systems, mitigating risks without needing to alter the underlying software immediately.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Addressing inherent misconfigurations: Regularly audit and correct misconfigurations within ESXi environments, as these can create vulnerabilities that ransomware can exploit. Implementing strong configuration management practices can help ensure that settings adhere to security best practices and reduce the risk of exploitation.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Strong access controls: Implement robust authentication and authorization mechanisms, such as multifactor authentication (MFA), and restrict administrative access.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Network segmentation: Segregate critical systems and networks to limit the spread of ransomware.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Minimized attack surface: Disable unnecessary and unused services and protocols, restrict access to critical management interfaces, and implement strict firewall rules to limit network exposure. 
VMWare provides various guidelines and <a href=\"https:\/\/docs.vmware.com\/en\/VMware-vSphere\/7.0\/com.vmware.vsphere.security.doc\/GUID-412EF981-D4F1-430B-9D09-A4679C2D04E7.html\" target=\"_blank\" rel=\"noopener\">best practices<\/a> on how to secure ESXi environments.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Regular offline backups: Maintain frequent and secure backups of all critical data. Ensure that backups are stored offline and tested regularly to verify their integrity.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Security monitoring and incident response: Deploy solutions and develop an incident response plan to promptly and proactively address suspicious activities.&nbsp;&nbsp;<\/span><\/li>\n<\/ul>\n<p><b>Trend Micro Vision One Hunting Query<\/b><\/p>\n<p>The following text lists potentially useful queries for threat hunting within Vision One:<\/p>\n<ul>\n<li><span class=\"blockquote\">malName:*Linux.PLAYDE* AND eventName:MALWARE_DETECTION<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div class=\"responsive-table-wrap\" readability=\"9\">\n<p><b><u>Indicators of Compromise (IoC)<\/u><\/b><\/p>\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\" height=\"100%\">\n<tbody readability=\"11\">\n<tr>\n<td width=\"207\" valign=\"top\">\n<p><b><u>IOC<\/u><\/b><\/p>\n<\/td>\n<td width=\"207\" valign=\"top\">\n<p><b><u>Detection<\/u><\/b><\/p>\n<\/td>\n<td width=\"207\" valign=\"top\">\n<p><b><u>Description<\/u><\/b><\/p>\n<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td width=\"207\" valign=\"top\" readability=\"5\">\n<p>2a5e003764180eb3531443946d2f3c80ffcb2c30<\/p>\n<\/td>\n<td width=\"207\" valign=\"top\" readability=\"5\">\n<p>Ransom.Linux.PLAYDE.YXEE3T<\/p>\n<\/td>\n<td width=\"207\" valign=\"top\">\n<p>ELF Binary<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td width=\"207\" valign=\"top\" readability=\"5\">\n<p>hxxp:\/\/108.61.142[.]190\/FX300.rar<\/p>\n<\/td>\n<td width=\"207\" 
valign=\"top\">\n<p>95 &#8211; Ransomware<\/p>\n<\/td>\n<td width=\"207\" valign=\"top\" readability=\"5\">\n<p>Hosting URL for Play Ransomware Binary<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"207\" valign=\"top\">\n<p>108.61.142[.]190<\/p>\n<\/td>\n<td width=\"207\" valign=\"top\">\n<p>Untested<\/p>\n<\/td>\n<td width=\"207\" valign=\"top\">\n<p>Observed IP address<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td width=\"207\" valign=\"top\" readability=\"5\">\n<p>hxxp:\/\/108.61.142[.]190\/1.dll.sa<\/p>\n<\/td>\n<td width=\"207\" valign=\"top\">\n<p>79 &#8211; Disease Vector<\/p>\n<\/td>\n<td width=\"207\" valign=\"top\" readability=\"5\">\n<p>Hosting URL for Coroxy Backdoor<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"207\" valign=\"top\" readability=\"5\">\n<p>hxxp:\/\/108.61.142[.]190\/64.zip<\/p>\n<\/td>\n<td width=\"207\" valign=\"top\">\n<p>79 &#8211; Disease Vector<\/p>\n<\/td>\n<td width=\"207\" valign=\"top\">\n<p>Hosting URL for NetScan<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"207\" valign=\"top\" readability=\"5\">\n<p>hxxp:\/\/108.61.142[.]190\/winrar-x64-611.exe<\/p>\n<\/td>\n<td width=\"207\" valign=\"top\">\n<p>Untested<\/p>\n<\/td>\n<td width=\"207\" valign=\"top\">\n<p>Hosting URL for WinRAR<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"207\" valign=\"top\" readability=\"5\">\n<p>hxxp:\/\/108.61.142[.]190\/PsExec.exe<\/p>\n<\/td>\n<td width=\"207\" valign=\"top\">\n<p>Untested<\/p>\n<\/td>\n<td width=\"207\" valign=\"top\">\n<p>Hosting URL for PsExec<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td width=\"207\" valign=\"top\" readability=\"5\">\n<p>hxxp:\/\/108.61.142[.]190\/host1.sa<\/p>\n<\/td>\n<td width=\"207\" valign=\"top\">\n<p>78 &#8211; Malware Accomplice<\/p>\n<\/td>\n<td width=\"207\" valign=\"top\" readability=\"5\">\n<p>Hosting URL for Coroxy Backdoor<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><b><u>MITRE ATT&amp;CK Tactics and Techniques:<\/u><\/b><\/p>\n<table cellpadding=\"1\" 
cellspacing=\"0\" border=\"1\" width=\"100%\" height=\"100%\">\n<tbody readability=\"7\">\n<tr>\n<td width=\"207\">\n<p><b>Tactic<\/b><\/p>\n<\/td>\n<td width=\"207\">\n<p><b>Technique<\/b><\/p>\n<\/td>\n<td width=\"207\">\n<p><b>ID<\/b><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"207\">\n<p><b>Defense Evasion<\/b><\/p>\n<\/td>\n<td width=\"207\">\n<p>File Deletion<\/p>\n<\/td>\n<td width=\"207\">\n<p>T1070.004<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"207\" rowspan=\"2\">\n<p><b>Discovery<\/b><\/p>\n<\/td>\n<td width=\"207\" readability=\"5\">\n<p>Network Service Discovery<\/p>\n<\/td>\n<td width=\"207\">\n<p>T1046<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"207\" readability=\"5\">\n<p>File and Directory Discovery<\/p>\n<\/td>\n<td width=\"207\">\n<p>T1083<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"207\">\n<p><b>Execution<\/b><\/p>\n<\/td>\n<td width=\"207\" readability=\"5\">\n<p>Command and Scripting Interpreter: Unix Shell<\/p>\n<\/td>\n<td width=\"207\">\n<p>T1059.004<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"207\">\n<p><b>Lateral Movement<\/b><\/p>\n<\/td>\n<td width=\"207\">\n<p>Lateral Tool Transfer<\/p>\n<\/td>\n<td width=\"207\">\n<p>T1570<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"207\" rowspan=\"2\">\n<p><b>Command and Control<\/b><\/p>\n<\/td>\n<td width=\"207\" readability=\"5\">\n<p>Dynamic Resolution: Domain Generation Algorithms<\/p>\n<\/td>\n<td width=\"207\">\n<p>T1568.002<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"207\">\n<p>Ingress Tool Transfer<\/p>\n<\/td>\n<td width=\"207\">\n<p>T1105<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"207\">\n<p><b>Exfiltration<\/b><\/p>\n<\/td>\n<td width=\"207\" readability=\"5\">\n<p>Exfiltration over C&amp;C Channel<\/p>\n<\/td>\n<td width=\"207\">\n<p>T1041<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"207\" rowspan=\"3\">\n<p><b>Impact<\/b><\/p>\n<\/td>\n<td width=\"207\" readability=\"5\">\n<p>Data Encrypted for 
Impact<\/p>\n<\/td>\n<td width=\"207\">\n<p>T1486<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"207\" readability=\"5\">\n<p>Defacement: Internal Defacement<\/p>\n<\/td>\n<td width=\"207\">\n<p>T1491.001<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"207\">\n<p>Service Stop<\/p>\n<\/td>\n<td width=\"207\">\n<p>T1489<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<p>Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/g\/new-play-ransomware-linux-variant-targets-esxi-shows-ties-with-p.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Trend Micro threat hunters discovered that the Play ransomware group has been deploying a new Linux variant that targets ESXi environments. Read our blog entry to know more. 
Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9508,9539,9509],"class_list":["post-56613","post","type-post","status-publish","format-standard","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-endpoints","tag-trend-micro-research-ransomware","tag-trend-micro-research-research"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Play Ransomware Group\u2019s New Linux Variant Targets ESXi, Shows Ties With Prolific Puma 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/play-ransomware-groups-new-linux-variant-targets-esxi-shows-ties-with-prolific-puma\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Play Ransomware Group\u2019s New Linux Variant Targets ESXi, Shows Ties With Prolific Puma 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/play-ransomware-groups-new-linux-variant-targets-esxi-shows-ties-with-prolific-puma\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2024-07-19T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/playlinux-cover-976:Large?qlt=80\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"12 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/play-ransomware-groups-new-linux-variant-targets-esxi-shows-ties-with-prolific-puma\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/play-ransomware-groups-new-linux-variant-targets-esxi-shows-ties-with-prolific-puma\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Play Ransomware Group\u2019s New Linux Variant Targets ESXi, Shows Ties With Prolific 
Puma\",\"datePublished\":\"2024-07-19T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/play-ransomware-groups-new-linux-variant-targets-esxi-shows-ties-with-prolific-puma\\\/\"},\"wordCount\":2317,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/play-ransomware-groups-new-linux-variant-targets-esxi-shows-ties-with-prolific-puma\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/playlinux-cover-976:Large?qlt=80\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Endpoints\",\"Trend Micro Research : Ransomware\",\"Trend Micro Research : Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/play-ransomware-groups-new-linux-variant-targets-esxi-shows-ties-with-prolific-puma\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/play-ransomware-groups-new-linux-variant-targets-esxi-shows-ties-with-prolific-puma\\\/\",\"name\":\"Play Ransomware Group\u2019s New Linux Variant Targets ESXi, Shows Ties With Prolific Puma 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/play-ransomware-groups-new-linux-variant-targets-esxi-shows-ties-with-prolific-puma\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/play-ransomware-groups-new-linux-variant-targets-esxi-shows-ties-with-prolific-puma\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/playlinux-cover-976:Large?qlt=80\",\"datePublished\":\"2024-07-19T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber 
Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/play-ransomware-groups-new-linux-variant-targets-esxi-shows-ties-with-prolific-puma\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/play-ransomware-groups-new-linux-variant-targets-esxi-shows-ties-with-prolific-puma\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/play-ransomware-groups-new-linux-variant-targets-esxi-shows-ties-with-prolific-puma\\\/#primaryimage\",\"url\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/playlinux-cover-976:Large?qlt=80\",\"contentUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/playlinux-cover-976:Large?qlt=80\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/play-ransomware-groups-new-linux-variant-targets-esxi-shows-ties-with-prolific-puma\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Play Ransomware Group\u2019s New Linux Variant Targets ESXi, Shows Ties With Prolific Puma\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report 
\u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH 
Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Play Ransomware Group\u2019s New Linux Variant Targets ESXi, Shows Ties With Prolific Puma 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/play-ransomware-groups-new-linux-variant-targets-esxi-shows-ties-with-prolific-puma\/","og_locale":"en_US","og_type":"article","og_title":"Play Ransomware Group\u2019s New Linux Variant Targets ESXi, Shows Ties With Prolific Puma 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/play-ransomware-groups-new-linux-variant-targets-esxi-shows-ties-with-prolific-puma\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2024-07-19T00:00:00+00:00","og_image":[{"url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/playlinux-cover-976:Large?qlt=80","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"12 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/play-ransomware-groups-new-linux-variant-targets-esxi-shows-ties-with-prolific-puma\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/play-ransomware-groups-new-linux-variant-targets-esxi-shows-ties-with-prolific-puma\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Play Ransomware Group\u2019s New Linux Variant Targets ESXi, Shows Ties With Prolific Puma","datePublished":"2024-07-19T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/play-ransomware-groups-new-linux-variant-targets-esxi-shows-ties-with-prolific-puma\/"},"wordCount":2317,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/play-ransomware-groups-new-linux-variant-targets-esxi-shows-ties-with-prolific-puma\/#primaryimage"},"thumbnailUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/playlinux-cover-976:Large?qlt=80","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Endpoints","Trend Micro Research : Ransomware","Trend Micro Research : 
Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/play-ransomware-groups-new-linux-variant-targets-esxi-shows-ties-with-prolific-puma\/","url":"https:\/\/www.threatshub.org\/blog\/play-ransomware-groups-new-linux-variant-targets-esxi-shows-ties-with-prolific-puma\/","name":"Play Ransomware Group\u2019s New Linux Variant Targets ESXi, Shows Ties With Prolific Puma 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/play-ransomware-groups-new-linux-variant-targets-esxi-shows-ties-with-prolific-puma\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/play-ransomware-groups-new-linux-variant-targets-esxi-shows-ties-with-prolific-puma\/#primaryimage"},"thumbnailUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/playlinux-cover-976:Large?qlt=80","datePublished":"2024-07-19T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/play-ransomware-groups-new-linux-variant-targets-esxi-shows-ties-with-prolific-puma\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/play-ransomware-groups-new-linux-variant-targets-esxi-shows-ties-with-prolific-puma\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/play-ransomware-groups-new-linux-variant-targets-esxi-shows-ties-with-prolific-puma\/#primaryimage","url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/playlinux-cover-976:Large?qlt=80","contentUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/playlinux-cover-976:Large?qlt=80"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/play-ransomware-groups-new-linux-variant-targets-esxi-shows-ties-with-prolific-puma\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"Play Ransomware Group\u2019s New Linux Variant Targets ESXi, Shows Ties With Prolific Puma"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center 
\u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH 
Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/56613","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=56613"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/56613\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=56613"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=56613"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=56613"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}