{
	"id": "bc551b2c-acb1-48e0-af56-dd47fe2eb86c",
	"created_at": "2026-04-06T02:13:05.407177Z",
	"updated_at": "2026-04-10T13:12:36.539441Z",
	"deleted_at": null,
	"sha1_hash": "1748b3d293ed433ec2b5c7e0bab99c1a313cb0ba",
	"title": "New Play Ransomware Linux Variant Targets ESXi Shows Ties With Prolific Puma",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1602541,
	"plain_text": "New Play Ransomware Linux Variant Targets ESXi Shows Ties With Prolific Puma\r\nBy Cj Arsley Mateo, Darrel Tristan Virtusio, Sarah Pearl Camiling, Andrei Alimboyao, Nathaniel Morales, Jacob Santos, Earl John Bareng\r\nPublished: 2024-07-19 · Archived: 2026-04-06 01:50:35 UTC\r\nRansomware\r\nTrend Micro threat hunters discovered that the Play ransomware group has been deploying a new Linux variant that targets ESXi environments. Read our blog entry to know more.\r\nBy: Cj Arsley Mateo, Darrel Tristan Virtusio, Sarah Pearl Camiling, Andrei Alimboyao, Nathaniel Morales, Jacob Santos, Earl John Bareng Jul 19, 2024 Read time: 8 min (2104 words)\r\nSummary:\r\n- The Play ransomware group, known for its double-extortion tactic, now has a Linux variant targeting ESXi environments.\r\n- Most attacks this year have been concentrated in the US.\r\n- This ransomware verifies if it is running on an ESXi environment before executing. It has successfully evaded security measures, as indicated by VirusTotal.\r\n- The Play ransomware group appears to be using the services and infrastructure peddled by the Prolific Puma group.\r\nOur Threat Hunting team uncovered a Linux variant of the Play ransomware that only encrypts files when running in a VMWare ESXi environment. First detected in June 2022, the Play ransomware group became notable for its double-extortion tactic, evasion techniques, custom-built tools, and substantial impact on various organizations in Latin America.\r\nThis is the first time that we’ve observed Play ransomware targeting ESXi environments. This development suggests that the group could be broadening its attacks across the Linux platform, leading to an expanded victim pool and more successful ransom negotiations.\r\nVMWare ESXi environments are commonly used by businesses to run multiple virtual machines (VMs). They often host critical applications and data, and normally include integrated backup solutions. Compromising them can significantly disrupt business operations and even encrypt backups, which further reduces the victim’s capability to recover data.\r\nhttps://www.trendmicro.com/en_us/research/24/g/new-play-ransomware-linux-variant-targets-esxi-shows-ties-with-p.html\r\nPage 1 of 16\r\nFigure 1. Based on ransomware.live, the US is the top country with the most victim counts by the Play ransomware group from January to July 2024\r\nFigure 2. Manufacturing and professional services are the top industries affected by the Play ransomware group from January to July 2024\r\nThe submitted sample in VirusTotal indicates that it has managed to evade security detections. In our analysis, we found that the Linux variant is compressed in a RAR file with its Windows variant and is hosted in the URL, hxxp://108.[BLOCKED].190/FX300.rar.\r\nFigure 3. The Linux variant of Play ransomware showed 0 detections in VirusTotal.\r\nThis IP address contains tools that were used by Play ransomware in their previous attacks — including PsExec, NetScan, WinSCP, WinRAR, and the Coroxy backdoor.\r\nFigure 4. The infection chain of the Linux variant of Play ransomware includes the use of several tools.\r\nFigure 4 shows the infection chain of this ransomware variant. Though no actual infection has been observed, the command-and-control (C\u0026C) server hosts the common tools that Play ransomware currently uses in its attacks. This could denote that the Linux variant might employ similar tactics, techniques, and procedures (TTPs).\r\nInfection Routine of the Linux Variant of Play Ransomware\r\nLike its Windows variant, the sample accepts command-line arguments, but their behaviors are still unknown.\r\nPlay Ransomware Windows Variant | Description | Play Ransomware Linux Variant | Description\r\n-mc | Execute normal functionality; same as no command-line argument | -p | N/A\r\n-d \u003cdrive path\u003e | Encrypt a specific drive | -f | N/A\r\n-ip \u003cshared resource path\u003e \u003cusername\u003e \u003cpassword\u003e | Encrypt network shared resource | -s | N/A\r\n-p \u003cpath\u003e | Encrypt a specific folder/file | -e | N/A\r\nTable 1. The command-line arguments of the Windows and Linux variants of Play ransomware include commands for encrypting drives, files, and network shared resources.\r\nThe sample runs ESXi-related commands to check that it is running in an ESXi environment before performing its malicious routines. Otherwise, it will terminate and delete itself.\r\nFigure 5. Error logs indicate that the vim-cmd and esxcli commands are missing. These commands are specific to the ESXi environment.\r\nWe also found a series of shell script commands that the sample executes once it is running in an ESXi environment. The command below is responsible for scanning and powering off all VMs found in the environment:\r\n/bin/sh -c \"for vmid in $(vim-cmd vmsvc/getallvms | grep -v Vmid | awk '{print $1}'); do vim-cmd vmsvc/power.off $vmid; done\"\r\nFigure 6. Once the ransomware runs successfully, it turns off any running VMs using the command, esxcli.\r\nThis command is responsible for setting a custom welcome message on the ESXi host:\r\n/bin/sh -c \"esxcli system welcomemsg set -m=\\\"\r\nOnce the ransomware executes the series of ESXi-related commands, it proceeds to encrypt VM files, including VM disk, configuration, and metadata files. The VM disk file, for example, contains critical data, including applications and user data.\r\nFigure 7. List of extensions to be encrypted\r\nAfter completing the process, most of the encrypted files inside the guest OS “ubuntu” (as an example) are appended with the extension “.PLAY”.\r\nFigure 8. Most of the VM files encrypted by the ransomware will have the .PLAY extension.\r\nIt will also drop a ransom note in the root directory, which is also displayed in the login portal of the ESXi client.\r\nFigure 9. The ransom note named PLAY_Readme.txt contains links to the Tor network.\r\nFigure 10. The login portal of the affected ESXi server also displays the ransom note.\r\nFigure 11. Once the ESXi system is rebooted, the ransom note will also appear in the console.\r\nExploring the Connection Between Prolific Puma and Play Ransomware\r\nMonitoring the external activities of the suspicious IP address, we saw that the URL used to host the ransomware payload and its tools is related to another threat actor, which is named Prolific Puma.\r\nProlific Puma is known to generate domain names using a random destination generator algorithm (RDGA) and utilizes them to offer a link-shortening service to fellow cybercriminals, who then use it to avoid detection while disseminating phishing schemes, scams, and malware.\r\nFigure 12. The VirusTotal result of the URL mentions Prolific Puma.\r\nSUBJECT | SUBJECT-TYPE | INDICATOR | DETECTION | DESCRIPTION\r\n108[.]61[.]142[.]190 | IP address | hxxp://108[.]61[.]142[.]190/FX300.rar | 95 - Ransomware | Hosting URL for Play Ransomware binary\r\n108[.]61[.]142[.]190 | IP address | hxxp://108[.]61[.]142[.]190/1.dll.sa | 79 - Disease Vector | Hosting URL for Coroxy backdoor\r\n108[.]61[.]142[.]190 | IP address | hxxp://108[.]61[.]142[.]190/64.zip | 79 - Disease Vector | Hosting URL for NetScan\r\n108[.]61[.]142[.]190 | IP address | hxxp://108[.]61[.]142[.]190/winrar-x64-611.exe | Untested | Hosting URL for WinRAR\r\n108[.]61[.]142[.]190 | IP address | hxxp://108[.]61[.]142[.]190/PsExec.exe | Untested | Hosting URL for PsExec\r\n108[.]61[.]142[.]190 | IP address | hxxp://108[.]61[.]142[.]190/host1.sa | 78 - Malware Accomplice | Hosting URL for Coroxy backdoor\r\nTable 2. The different tools of Play ransomware resolve to several IP addresses.\r\nSUBJECT | SUBJECT-TYPE | INDICATOR | INDICATOR-TYPE | REGISTRAR\r\n108[.]61[.]142[.]190 | IP address | ztqs[.]info | Domain (RDGA) | Porkbun, LLC\r\n108[.]61[.]142[.]190 | IP address | zfrb[.]info | Domain (RDGA) | Porkbun, LLC\r\n108[.]61[.]142[.]190 | IP address | xzdw[.]info | Domain (RDGA) | Porkbun, LLC\r\n108[.]61[.]142[.]190 | IP address | iing[.]info | Domain (RDGA) | Porkbun, LLC\r\n108[.]61[.]142[.]190 | IP address | mcmb[.]info | Domain (RDGA) | NameCheap, Inc\r\n108[.]61[.]142[.]190 | IP address | lcmr[.]info | Domain (RDGA) | NameCheap, Inc\r\n108[.]61[.]142[.]190 | IP address | thfq[.]info | Domain (RDGA) | NameCheap, Inc\r\n108[.]61[.]142[.]190 | IP address | hibh[.]info | Domain (RDGA) | NameCheap, Inc\r\n108[.]61[.]142[.]190 | IP address | iwqe[.]info | Domain (RDGA) | NameCheap, Inc\r\n108[.]61[.]142[.]190 | IP address | ukwc[.]info | Domain (RDGA) | NameCheap, Inc\r\n108[.]61[.]142[.]190 | IP address | apkh[.]info | Domain (RDGA) | NameCheap, Inc\r\n108[.]61[.]142[.]190 | IP address | vqbl[.]info | Domain (RDGA) | NameSilo, LLC\r\n108[.]61[.]142[.]190 | IP address | vgkb[.]info | Domain (RDGA) | NameSilo, LLC\r\n108[.]61[.]142[.]190 | IP address | znuc[.]info | Domain (RDGA) | NameSilo, LLC\r\nTable 3. The IP addresses hosting the Play ransomware resolve to different domains.\r\nFigure 13. Prolific Puma uses numerous registered domains.\r\nFigure 14. A shortened link created by Prolific Puma correlates with the observed IP address associated with Play ransomware\r\nTables 2 and 3 display the domains, particularly DGAs, that resolve to the IP address alongside the Play ransomware toolkit. These domains are registered under different registrar names. Our research indicates that Prolific Puma typically uses three to four random characters on their registered domain. The sample registered domains by Prolific Puma in the tables match the domains that resolve to the IP address associated with Play ransomware.\r\nAdditionally, the message shown when accessing one of the domains matches the one mentioned by other security researchers.\r\nFigure 15. Accessing different domains shows the same message about link-shortening services.\r\nTo further verify the connection between the two groups, the team also tested the Coroxy backdoor hosted in the same IP address. Black-box analysis shows that the Coroxy backdoor was observed connecting to 45[.]76[.]165[.]129. This IP address also resolves to various domains associated with Prolific Puma.\r\nFigure 16. The Coroxy backdoor used by Play ransomware has been detected establishing a connection to the specified IP address.\r\nSUBJECT | SUBJECT-TYPE | INDICATOR | INDICATOR-TYPE | REGISTRAR\r\n45[.]76[.]165[.]129 | IP address | jhrd[.]me | Domain (RDGA) | NameSilo, LLC\r\n45[.]76[.]165[.]129 | IP address | pkil[.]me | Domain (RDGA) | NameSilo, LLC\r\n45[.]76[.]165[.]129 | IP address | kwfw[.]me | Domain (RDGA) | NameSilo, LLC\r\n45[.]76[.]165[.]129 | IP address | whry[.]me | Domain (RDGA) | NameSilo, LLC\r\n45[.]76[.]165[.]129 | IP address | pxkt[.]me | Domain (RDGA) | NameSilo, LLC\r\n45[.]76[.]165[.]129 | IP address | ylvq[.]me | Domain (RDGA) | NameSilo, LLC\r\n45[.]76[.]165[.]129 | IP address | flbe[.]link | Domain (RDGA) | NameSilo, LLC\r\n45[.]76[.]165[.]129 | IP address | mmhp[.]link | Domain (RDGA) | NameSilo, LLC\r\n45[.]76[.]165[.]129 | IP address | gunq[.]link | Domain (RDGA) | NameSilo, LLC\r\n45[.]76[.]165[.]129 | IP address | ojry[.]link | Domain (RDGA) | NameSilo, LLC\r\n45[.]76[.]165[.]129 | IP address | bltr[.]me | Domain (RDGA) | NameSilo, LLC\r\nTable 4. Different domains resolve to the IP address of the Coroxy backdoor connection.\r\nThe IP address that the Coroxy backdoor connects to also resolves to different domains that match the registered domains of Prolific Puma. By further examining the IP address, “vultrusercontent.com” is appended and matches the original IP, as shown in Figure 17.\r\nFigure 17. A Shodan query of the IP address hosting Play ransomware reveals some details on its associated infrastructure.\r\nComparison of the IP address that hosted Play ransomware and its tools with another IP address related to Prolific Puma shows that both IP addresses have the same autonomous system number (ASN). This means that they belong to the same network and are being managed by the same network provider.\r\nFigure 18. The IP address hosting the ransomware (left) and the IP address related to Prolific Puma (right) have similarities.\r\nProlific Puma is discerning in its client selection process, preferring to engage with individuals or groups deemed deserving of its services. Given the established reputation of the threat actors behind Play ransomware, they might be considered a suitable candidate to access Prolific Puma’s offerings. These findings suggest a potential collaboration between these cybercriminal entities. The Play ransomware group, too, might be seeking to enhance its capabilities in circumventing defensive security protocols through Prolific Puma’s services.\r\nMitigating ransomware attacks on ESXi environments\r\nESXi environments are high-value targets for ransomware attacks due to their critical role in business operations. The efficiency of encrypting numerous VMs simultaneously and the valuable data they hold further elevate their lucrativeness for cybercriminals. To mitigate risks and exposure to these attacks, organizations should implement several best practices:\r\n- Regular patching and updates: Keep the ESXi environment and associated management software up to date to protect against known vulnerabilities.\r\n- Virtual patching: Many organizations may not patch or update their ESXi environments as frequently as they should due to complexity, downtime concerns, resource constraints, operational priorities, or compatibility issues. Virtual patching helps by applying security measures at the network level to protect vulnerable systems, mitigating risks without needing to alter the underlying software immediately.\r\n- Addressing inherent misconfigurations: Regularly audit and correct misconfigurations within ESXi environments, as these can create vulnerabilities that ransomware can exploit. Implementing strong configuration management practices can help ensure that settings adhere to security best practices and reduce the risk of exploitation.\r\n- Strong access controls: Implement robust authentication and authorization mechanisms, such as multifactor authentication (MFA), and restrict administrative access.\r\n- Network segmentation: Segregate critical systems and networks to limit the spread of ransomware.\r\n- Minimized attack surface: Disable unnecessary and unused services and protocols, restrict access to critical management interfaces, and implement strict firewall rules to limit network exposure. VMWare provides various guidelines and best practices on how to secure ESXi environments.\r\n- Regular offline backups: Maintain frequent and secure backups of all critical data. Ensure that backups are stored offline and tested regularly to verify their integrity.\r\n- Security monitoring and incident response: Deploy solutions and develop an incident response plan to promptly and proactively address suspicious activities.\r\nTrend Micro Vision One Hunting Query\r\nThe following text lists potentially useful queries for threat hunting within Vision One:\r\nmalName:*Linux.PLAYDE* AND eventName:MALWARE_DETECTION\r\nIndicators of Compromise (IoC)\r\nIOC | Detection | Description\r\n2a5e003764180eb3531443946d2f3c80ffcb2c30 | Ransom.Linux.PLAYDE.YXEE3T | ELF Binary\r\nhxxp://108.61.142[.]190/FX300.rar | 95 - Ransomware | Hosting URL for Play Ransomware Binary\r\n108.61.142[.]190 | Untested | Observed IP address\r\nhxxp://108.61.142[.]190/1.dll.sa | 79 - Disease Vector | Hosting URL for Coroxy Backdoor\r\nhxxp://108.61.142[.]190/64.zip | 79 - Disease Vector | Hosting URL for NetScan\r\nhxxp://108.61.142[.]190/winrar-x64-611.exe | Untested | Hosting URL for WinRAR\r\nhxxp://108.61.142[.]190/PsExec.exe | Untested | Hosting URL for PsExec\r\nhxxp://108.61.142[.]190/host1.sa | 78 - Malware Accomplice | Hosting URL for Coroxy Backdoor\r\nMITRE ATT\u0026CK Tactics and Techniques:\r\nTactic | Technique | ID\r\nDefense Evasion | File Deletion | T1070.004\r\nDiscovery | Network Service Discovery | T1046\r\nDiscovery | File and Directory Discovery | T1083\r\nExecution | Command and Scripting Interpreter: Unix Shell | T1059.004\r\nLateral Movement | Lateral Tool Transfer | T1570\r\nCommand and Control | Dynamic Resolution: Domain Generation Algorithms | T1568.002\r\nCommand and Control | Ingress Tool Transfer | T1105\r\nExfiltration | Exfiltration over C\u0026C Channel | T1041\r\nImpact | Data Encrypted for Impact | T1486\r\nImpact | Defacement: Internal Defacement | T1491.001\r\nImpact | Service Stop | T1489\r\nSource: https://www.trendmicro.com/en_us/research/24/g/new-play-ransomware-linux-variant-targets-esxi-shows-ties-with-p.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/24/g/new-play-ransomware-linux-variant-targets-esxi-shows-ties-with-p.html"
	],
	"report_names": [
		"new-play-ransomware-linux-variant-targets-esxi-shows-ties-with-p.html"
	],
	"threat_actors": [
		{
			"id": "81e941dc-9efc-44a5-b408-a570dd39d4e2",
			"created_at": "2023-11-14T02:00:07.098028Z",
			"updated_at": "2026-04-10T02:00:03.451316Z",
			"deleted_at": null,
			"main_name": "Prolific Puma",
			"aliases": [],
			"source_name": "MISPGALAXY:Prolific Puma",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775441585,
	"ts_updated_at": 1775826756,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1748b3d293ed433ec2b5c7e0bab99c1a313cb0ba.pdf",
		"text": "https://archive.orkl.eu/1748b3d293ed433ec2b5c7e0bab99c1a313cb0ba.txt",
		"img": "https://archive.orkl.eu/1748b3d293ed433ec2b5c7e0bab99c1a313cb0ba.jpg"
	}
}