Esxi

On November 13, 2025, reporting highlighted that the cross-platform Kraken ransomware profiles victim machines first, benchmarking disk/CPU to choose between full or partial encryption and tune threads to avoid tripping resource alarms BleepingComputer. Cisco Talos’ deep dive confirms host-side performance tests via a temporary file and command-line switches, plus distinct encryptors for Windows and Linux/VMware ESXi that append “.zpsc” and drop “readme_you_ws_hacked.txt” Talos. Talos also notes ties to the older HelloKitty operation and a Kraken-hosted forum announcement (“The Last Haven Board”), a link also observed by independent analysis of Kraken’s leak site Talos Cyjax.

Check Point’s October 27, 2025 weekly report flags two things we should treat as priority hunts: a fresh LockBit 5.0 build with cross-platform encryptors and faster runtime, and active abuse of Magento’s SessionReaper (CVE-2025-54236) to hijack sessions and drop PHP webshells via the REST API. Their write-up aligns with Trend Micro’s technical analysis of the LockBit 5.0 binaries and Adobe/Sansec guidance on SessionReaper exploitation in the wild. (Check Point report; Check Point blog on the comeback; Trend Micro analysis; Adobe APSB25-88; Sansec). (research.checkpoint.com)