APT / Threat Group · 💰 Financial · High

Payload

2 aliases
Last seen: May 23, 2026

Intelligence Profile

According to EG-FinCIRT, Payload is a cross-platform ransomware family with native compiled binaries for Windows and Linux/ESXi, exposing rich command-line options that let operators tune targeting, performance, and anti-forensic behavior. The Windows variant aggressively prepares the system by deleting recovery points, stopping key services and processes, wiping or bypassing logging mechanisms, and optionally hiding and self-deleting its executable while running encryption in the background. Its core uses an offline hybrid cryptosystem combining Curve25519 key exchange with optimized ChaCha20 (using CPU feature detection and multithreading, plus partial encryption for large files) and appends an obfuscated metadata footer needed for decryption. The Linux/ESXi variant is a small stripped ELF binary that parses virtual machine inventory data to locate and encrypt VM disk files, focusing on efficient disruption of virtualized workloads with fewer ancillary features than the Windows version.

Threat Analysis

Payload is a high-sophistication threat actor of undetermined national origin, engaged in cyber operations whose primary motivation is financial.

Financially motivated threat actors like Payload prioritize monetary gain through methods such as ransomware deployment, banking trojans, cryptocurrency theft, BEC scams, or credential harvesting for resale on underground markets.

With high sophistication, Payload is capable of targeted intrusions using adapted commodity tools alongside custom implants, maintaining operational security and evading standard detection mechanisms.

Quick Facts

Type: APT / Threat Group
Motivation: 💰 financial
Sophistication: high
Aliases: 2

Also Known As

win.payload, Payload

External Intelligence

Malpedia: win.payload

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.
Payload — APT / Threat Group | Threat Intelligence | CTIWATCH.COM