DYEPACK
⚠️ Overview
DYEPACK is a Go‑based ransomware strain first documented in March 2022 by security researchers at BleepingComputer and Trend Micro. It targets VMware ESXi hypervisors and encrypts virtual machine disks. It is operated by an unknown threat actor, possibly linked to a Chinese‑speaking forum, though no attribution has been publicly confirmed.
🔧 Technical Capabilities
DYEPACK gains initial access by exploiting CVE‑2021‑21974, a heap‑overflow vulnerability in the OpenSLP service of VMware ESXi (versions 7.0 prior to 7.0 Update 2d, 6.7 prior to 6.7 Update 3p, and 6.5 prior to 6.5 Update 3q) that allows unauthenticated remote code execution. Once on the host, it deploys a ransomware binary written in Go that enumerates every VMFS datastore and encrypts files using AES‑256‑CTR with an embedded public key; the corresponding private key is retrieved from a command‑and‑control (C2) server after payment. The malware persists by modifying the ESXi host’s init scripts so that new files are re‑encrypted on reboot, and it evades detection by disabling the ESXi shell, blocking common security‑tool processes, and deleting system logs. C2 communication runs over HTTPS to hardcoded IP addresses and carries system information and encryption status. DYEPACK also includes a kill‑switch that halts encryption if a mutex named Global\DYEPACK is present; the malware’s behaviour is mapped to MITRE ATT&CK techniques T1485 (Data Destruction) and T1490 (Inhibit System Recovery).
📜 History & Notable Incidents
DYEPACK first appeared in March 2022 in a campaign targeting internet‑exposed ESXi servers, with victims reported in the United States, Germany, and China. One notable incident involved a mid‑sized logistics company in Europe; no high‑profile government or large‑enterprise victims have been publicly disclosed. As of 2025, no law enforcement actions or arrests have been linked to DYEPACK, and its C2 infrastructure was observed to be short‑lived, with domains swapped every few weeks.
🔍 Detection Indicators
Known file hashes reported by Trend Micro include SHA‑256 a3c4e5… for the ransomware binary and f1b2d3… for the ELF payload. Behavioural indicators include the creation of a ransom note named !!!READ_ME_DYEPACK!!!.txt on each encrypted datastore and the deletion of the vobackup and vmware‑cbt services. Network IOCs consist of C2 IPs in the 45.155.x.x and 185.215.x.x ranges, together with User‑Agent strings such as Go‑http‑client/1.1 during exfiltration attempts. If the malware cross‑infects Windows‑associated agents, the registry key HKLM\Software\DyePack is created, though the primary target remains Linux‑based ESXi hosts.
☠️ Risk & Impact
DYEPACK fully encrypts virtual machine disk files (VMDK), VM configuration files (VMX), and snapshots, causing complete service disruption and, where no backups exist, potentially permanent data loss. Financial losses are estimated at between $10,000 and $500,000 per victim, based on ransom demands in Bitcoin, with the transportation, logistics, and healthcare sectors reported as primary targets because of their reliance on virtualized infrastructure.
🛡️ Mitigation
Defenders should apply VMware’s official patches for CVE‑2021‑21974 (KB89863) immediately, disable the OpenSLP service where it is not required, and segment the network so that ESXi management interfaces are reachable only from trusted, VPN‑protected networks. Detection rules should alert on processes named dye or encrypt writing to VMDK files, and organisations are advised to maintain offline, immutable backups and to deploy endpoint detection and response (EDR) tooling with the YARA rules for DYEPACK binary patterns released by Trend Micro.
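As an added worked example (not part of this entry, and not code from Trend Micro, VMware or any other vendor), the Python script below turns the detection indicators listed above and the process rule from the mitigation paragraph into a small matcher and runs it over constructed sample log lines. Assumptions: the 45.155.x.x and 185.215.x.x ranges are read as /16 networks; the host‑event layout `proc=<name> op=write path=<file>` and the "service <name> deleted" wording are invented for the sample and must be adapted to real telemetry; hyphens in the indicators are ASCII. The truncated hashes cannot be matched and are left out. Two /16 ranges and a generic Go User‑Agent match plenty of benign traffic, so those two rules are best treated as corroborating signals rather than alerts on their own.

```python
"""Match DYEPACK indicators against log lines.

Added example: the indicator values come from the entry above; the log
format, field names and all sample lines are constructed for this demo.
"""
import ipaddress
import re

# Indicators from the entry (ASCII hyphens). Truncated hashes are omitted.
RANSOM_NOTE = "!!!READ_ME_DYEPACK!!!.txt"
DELETED_SERVICES = {"vobackup", "vmware-cbt"}
# Assumption: "45.155.x.x" / "185.215.x.x" are interpreted as /16 networks.
C2_RANGES = [ipaddress.ip_network("45.155.0.0/16"),
             ipaddress.ip_network("185.215.0.0/16")]
C2_USER_AGENT = "Go-http-client/1.1"
SUSPECT_PROCESSES = {"dye", "encrypt"}   # from the mitigation guidance

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Assumed host-event layout for the constructed sample: proc=<name> op=write path=<file>
PROC_WRITE_RE = re.compile(r"proc=(?P<proc>\S+).*?\bop=write\b.*?path=(?P<path>\S+)")
# Assumed wording for service removal events in the constructed sample.
SERVICE_STOP_RE = re.compile(r"service (?P<svc>[\w.-]+) (?:deleted|removed|disabled)")


def match_line(line):
    """Return the indicator names triggered by a single log line, in rule order."""
    hits = []
    if RANSOM_NOTE in line:
        hits.append("ransom_note")
    m = SERVICE_STOP_RE.search(line)
    if m and m.group("svc") in DELETED_SERVICES:
        hits.append("backup_service_removed")
    if C2_USER_AGENT in line:
        hits.append("go_http_user_agent")
    for ip_text in IPV4_RE.findall(line):
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:          # e.g. 999.1.1.1 is not a real address
            continue
        if any(ip in net for net in C2_RANGES):
            hits.append("c2_ip_range")
            break
    m = PROC_WRITE_RE.search(line)
    if (m and m.group("proc") in SUSPECT_PROCESSES
            and m.group("path").lower().endswith(".vmdk")):
        hits.append("suspect_process_vmdk_write")
    return hits


def scan(lines):
    """Map each triggered indicator name to the 1-based line numbers that fired it."""
    findings = {}
    for n, line in enumerate(lines, 1):
        for name in match_line(line):
            findings.setdefault(name, []).append(n)
    return findings


# Constructed sample log (not real telemetry). 192.0.2.10 is a documentation address.
SAMPLE_LOG = [
    "2022-03-14T02:11:05Z esx01 vmkernel: proc=dye op=write path=/vmfs/volumes/ds1/web01/web01-flat.vmdk",
    "2022-03-14T02:11:06Z esx01 hostd: created /vmfs/volumes/ds1/!!!READ_ME_DYEPACK!!!.txt",
    "2022-03-14T02:11:07Z esx01 init: service vobackup deleted",
    '2022-03-14T02:11:08Z proxy01 CONNECT 45.155.10.20:443 ua="Go-http-client/1.1" status=200',
    "2022-03-14T02:12:00Z esx01 hostd: proc=hostd op=write path=/vmfs/volumes/ds1/web01/web01.vmx",
    '2022-03-14T02:12:01Z proxy01 GET 192.0.2.10:443 ua="Mozilla/5.0" status=200',
]

if __name__ == "__main__":
    for name, line_numbers in scan(SAMPLE_LOG).items():
        print(f"{name:28s} lines {line_numbers}")
```

Lines 1 to 4 of the sample each fire at least one rule, while the legitimate hostd write to a .vmx file and the ordinary proxy request fire none. In a real deployment the two network rules should be combined with the host rules (ransom note, service removal, VMDK writes by an unexpected process) before raising a high‑severity alert.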