Payload — Technical Analysis (ESXi)
ID: ad867881-f0c3-439a-a760-dd3033217361
STIX ID: report--ad867881-f0c3-439a-a760-dd3033217361
Threat Score: 80/100
This reverse-engineering report analyzes an ESXi-targeting ransomware binary (“Payload”) that parses /etc/vmware/hostd/vmInventory.xml to locate VM datastores, selectively encrypts files larger than 5 GB using per-file X25519-derived stream keys (Salsa20/ChaCha20), appends RC4-protected metadata and a ".xx0001" extension, deploys a ransom note to the ESXi web UI, and includes IOCs (SHA-256/MD5 hashes, Onion sites, file paths) and MITRE ATT&CK mappings.
