CyberMaterial

APT INC (SEXi) – Threat Actor

January 30, 2025
Categories: Ransomware Group, Threat Actors

APT INC

Date of initial activity: 2024
Other names: SEXi
Location: Unknown
Suspected attribution: Ransomware group
Motivation: Financial gain
Software: Servers (VMware ESXi)

Overview

APT Inc, formerly known as SEXi, is a ransomware group that targets VMware ESXi hypervisors. Its operations are built around virtualized environments: compromising the hypervisor rather than individual guests lets a single encryption run take down every virtual machine on the host. Victims span cloud and hosting providers, healthcare, finance, and education, sectors where ESXi is commonly used for server consolidation. Reported initial access relies on known vulnerabilities in unpatched ESXi hosts, weak passwords, or compromised credentials rather than on novel exploits. Once on the host, the operators escalate to full administrative control of the hypervisor and disable the security controls they can reach, then encrypt the files that make up each VM (virtual disks, storage volumes, and backup images). The workloads are rendered unusable and the attackers demand payment in Bitcoin for a decryptor.

Common targets: Information sector; Chile

Attack vectors: Phishing

How they work

Initial Access and Exploitation
APT Inc typically gains access to VMware ESXi hosts through known vulnerabilities in unpatched software, weak credentials, or misconfiguration; the group relies on poor security hygiene rather than on novel exploits. Phishing campaigns and brute-force attacks against exposed login portals are the commonly reported entry points. Once on the host, the attackers escalate to full administrative control of the hypervisor and, with it, every virtual machine it runs. To secure that foothold they disable the protective controls they can reach, such as host firewalls, intrusion detection, and endpoint security, which both eases lateral movement and delays detection. By the time the ransomware is deployed the group has surveyed the environment, identified the critical assets, and compromised any backup systems it could find.
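The brute-force path described above is visible in the host's own SSH authentication log if someone is watching it. The following is an added example, not code from the profile or from the group: it parses constructed log lines in the OpenSSH format ESXi writes to /var/log/auth.log (the timestamp and hostname prefix, and the ten-minute, five-failure thresholds, are assumptions to tune for your collector), counts failures per source inside a sliding window, and raises a separate, higher-priority alert when a login from that source succeeds after the burst, which is the moment credential guessing becomes the access the profile describes.

```python
"""Flag credential guessing against an ESXi host's SSH service, and the
higher-signal case of a login that succeeds right after a burst of
failures from the same source.

Added example, not code from the CyberMaterial profile or from the group.
Assumption: lines have the OpenSSH shape ESXi writes to /var/log/auth.log
("Accepted|Failed <method> for [invalid user] <user> from <ip> port <n> ssh2")
with an ISO-8601 timestamp and hostname prepended by the log collector.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not real telemetry: one legitimate admin login,
# a guessing burst from 203.0.113.77 that ends in a successful root login,
# and two stray failures from 198.51.100.9 that stay under the threshold.
SAMPLE_LOG = """\
2024-04-02T03:14:01Z esx01 sshd[2001]: Accepted keyboard-interactive/pam for admin from 10.10.5.20 port 50111 ssh2
2024-04-02T03:20:02Z esx01 sshd[2002]: Failed keyboard-interactive/pam for root from 203.0.113.77 port 40001 ssh2
2024-04-02T03:20:09Z esx01 sshd[2003]: Failed keyboard-interactive/pam for administrator from 203.0.113.77 port 40002 ssh2
2024-04-02T03:20:15Z esx01 sshd[2004]: Failed keyboard-interactive/pam for invalid user esxadmin from 203.0.113.77 port 40003 ssh2
2024-04-02T03:20:31Z esx01 sshd[2005]: Failed keyboard-interactive/pam for root from 203.0.113.77 port 40004 ssh2
2024-04-02T03:21:02Z esx01 sshd[2006]: Failed keyboard-interactive/pam for root from 203.0.113.77 port 40005 ssh2
2024-04-02T03:21:40Z esx01 sshd[2007]: Failed keyboard-interactive/pam for backup from 203.0.113.77 port 40006 ssh2
2024-04-02T03:22:55Z esx01 sshd[2008]: Accepted keyboard-interactive/pam for root from 203.0.113.77 port 40007 ssh2
2024-04-02T03:40:00Z esx01 sshd[2009]: Failed keyboard-interactive/pam for root from 198.51.100.9 port 51000 ssh2
2024-04-02T03:41:00Z esx01 sshd[2010]: Failed keyboard-interactive/pam for root from 198.51.100.9 port 51001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse(lines):
    """Yield auth events as dicts; lines that do not match the format are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield {
                "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                "host": m["host"],
                "user": m["user"],
                "ip": m["ip"],
                "ok": m["outcome"] == "Accepted",
            }


def detect(lines, threshold=5, window=timedelta(minutes=10)):
    """Return alerts in time order.

    'bruteforce': a source reaches `threshold` failures inside `window`
    (emitted once per source so a long burst does not flood the queue).
    'success_after_failures': a source with >= threshold recent failures
    then logs in. This is the one to page on: it is what credential
    guessing looks like when it works.
    """
    events = sorted(parse(lines), key=lambda e: e["ts"])
    recent_failures = defaultdict(list)  # ip -> [(ts, user), ...] inside the window
    already_flagged = set()
    alerts = []
    for e in events:
        # Slide the window: keep only failures close enough to this event.
        failures = [f for f in recent_failures[e["ip"]] if e["ts"] - f[0] <= window]
        recent_failures[e["ip"]] = failures
        if e["ok"]:
            if len(failures) >= threshold:
                alerts.append({
                    "type": "success_after_failures",
                    "host": e["host"], "ip": e["ip"], "user": e["user"],
                    "failures": len(failures),
                    "users_tried": sorted({u for _, u in failures}),
                    "ts": e["ts"].isoformat(),
                })
            continue
        failures.append((e["ts"], e["user"]))
        if len(failures) >= threshold and e["ip"] not in already_flagged:
            already_flagged.add(e["ip"])
            alerts.append({
                "type": "bruteforce",
                "host": e["host"], "ip": e["ip"],
                "failures": len(failures),
                "users_tried": sorted({u for _, u in failures}),
                "ts": e["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run as a script it prints two alerts for the sample: the burst from 203.0.113.77 and the root login that follows it. In production, feed it the forwarded auth.log stream rather than reading the host's copy, because the profile notes the group disables host-side controls once inside; a log that only exists on the compromised hypervisor is a log the attacker can remove.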
Targeting Virtual Machines and Data Encryption
APT Inc's primary goal is to encrypt the virtual machines hosted on the compromised ESXi servers. It targets the files that make up each VM, such as virtual disks, storage volumes, and backup images, which together hold an organization's most valuable data. Encrypted files are renamed with an appended extension, ".SEXi" under the old name and ".APT" after the rebrand, and a ransom note is left instructing victims to negotiate over the encrypted messaging app Session. The most damaging aspect of these attacks is that live data and backups are hit together: by encrypting the backup systems alongside the primary data, the group removes the victim's ability to recover without paying. Ransom demands have reportedly reached millions of dollars, payable in Bitcoin.
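When backups sit on the same datastore as the VMs, they are encrypted in the same pass, so post-incident triage has to establish, per VM, what was encrypted, whether the run completed, and whether any intact copy survives. The following is an added example, not code from the profile or from the group: it walks a constructed datastore tree laid out like /vmfs/volumes/<datastore>/<vm>/ (placeholder bytes, not real VM data), recognises the ".SEXi" and ".APT" extensions named above, treats a file named <marker>.txt as the ransom note (an assumed file name; adjust it to the case at hand), and reports which encrypted VMs still have an unencrypted backup in an assumed `backups` folder.

```python
"""Triage a VMFS datastore after a SEXi / APT Inc style encryption run:
which VM folders were hit, how completely, whether a ransom note is
present, and whether any backup on the same datastore survived.

Added example, not from the CyberMaterial profile or from the group.
Assumptions: VM folders sit directly under the datastore root (the usual
/vmfs/volumes/<datastore>/<vm>/ layout), backups live in a `backups`
folder whose file names start with the VM name, and the ransom note is a
file named <marker>.txt. The ".SEXi"/".APT" markers come from the
profile; the note file name is an assumption.
"""
import shutil
import tempfile
from pathlib import Path

ENCRYPTED_MARKERS = ("SEXi", "APT")   # extensions the group appends (from the profile)


def is_encrypted(name, markers=ENCRYPTED_MARKERS):
    """True when the file's last extension is one of the ransomware markers."""
    return Path(name).suffix.lstrip(".") in markers


def triage(datastore, markers=ENCRYPTED_MARKERS, backup_dir="backups"):
    root = Path(datastore)
    notes = {f"{m}.txt" for m in markers}        # assumed ransom-note file names
    vms = {}
    backups = {"encrypted": [], "intact": []}

    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        if len(rel.parts) < 2:
            continue                              # loose file at the root: not a VM
        folder, name = rel.parts[0], path.name
        if folder == backup_dir:
            backups["encrypted" if is_encrypted(name, markers) else "intact"].append(name)
            continue
        vm = vms.setdefault(folder, {"files": 0, "encrypted": 0, "markers": set(), "ransom_note": False})
        if name in notes:
            vm["ransom_note"] = True
            continue
        vm["files"] += 1
        if is_encrypted(name, markers):
            vm["encrypted"] += 1
            vm["markers"].add(Path(name).suffix.lstrip("."))

    def backup_owner(backup_name):
        # Strip the marker if the backup itself was encrypted, then match the VM-name prefix.
        base = Path(backup_name).stem if is_encrypted(backup_name, markers) else backup_name
        return next((v for v in vms if base.startswith(v + "-") or base.startswith(v + ".")), None)

    intact_backup_vms = {backup_owner(b) for b in backups["intact"]} - {None}
    encrypted_vms = sorted(v for v, d in vms.items() if d["encrypted"])
    return {
        "vms": {
            v: {**d, "markers": sorted(d["markers"]),
                # An interrupted run leaves some files untouched; that changes the recovery plan.
                "partial": 0 < d["encrypted"] < d["files"]}
            for v, d in vms.items()
        },
        "encrypted_vms": encrypted_vms,
        "intact_vms": sorted(v for v, d in vms.items() if not d["encrypted"]),
        "backups": backups,
        "recoverable_from_backup": sorted(v for v in encrypted_vms if v in intact_backup_vms),
        "unrecoverable": sorted(v for v in encrypted_vms if v not in intact_backup_vms),
    }


def build_sample_datastore():
    """Constructed datastore layout (placeholder bytes, not real VM data)."""
    root = Path(tempfile.mkdtemp(prefix="ds-"))
    layout = {
        "web01": ["web01.vmx.SEXi", "web01.vmdk.SEXi", "web01-flat.vmdk.SEXi", "web01.nvram.SEXi", "SEXi.txt"],
        "db01": ["db01.vmx.APT", "db01.vmdk.APT", "db01-flat.vmdk.APT", "db01.nvram", "APT.txt"],
        "app01": ["app01.vmx", "app01.vmdk", "app01-flat.vmdk"],
        "backups": ["web01-2024-03-30.ova", "db01-2024-03-30.ova.APT", "app01-2024-03-30.ova"],
    }
    for folder, names in layout.items():
        (root / folder).mkdir()
        for n in names:
            (root / folder / n).write_bytes(b"placeholder")
    return root


if __name__ == "__main__":
    ds = build_sample_datastore()
    try:
        report = triage(ds)
        print("encrypted VMs:", report["encrypted_vms"],
              "partial:", [v for v, d in report["vms"].items() if d["partial"]])
        print("recoverable from on-datastore backup:", report["recoverable_from_backup"])
        print("need offline copies:", report["unrecoverable"])
    finally:
        shutil.rmtree(ds)
```

In the constructed sample, db01 lost both its VM files and its on-datastore backup and is only recoverable from a copy stored elsewhere, which is the situation the paragraph describes; its untouched .nvram also marks the run as partial, worth recording before anyone restarts the host. The lesson for the "unrecoverable" list is that a backup reachable from the hypervisor's own storage path is not a backup against this group.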
Persistence and Defense Evasion
APT Inc works to keep its access once it has it. The operators modify system configuration to stay hidden, create new accounts with administrator privileges, and install backdoors so they can return if the initial compromise is discovered and only partially remediated. Encrypted communications and obfuscation also hinder forensic reconstruction of their actions. For defense evasion they disable security software, encrypt their traffic, and work through legitimate administrative tooling so that their activity blends into normal operations; avoiding noisy malware lowers the chance of tripping conventional controls. The attacks are deliberate, aimed at high-value targets, and paced so that detection comes too late to matter.
Rebranding and Ongoing Operations
Since rebranding from SEXi to APT Inc in mid-2024, the group has continued operating with little change to its core tactics. The new name appears intended to shed the sensationalism of the old moniker rather than to mark a shift in technique: the focus remains VMware ESXi servers in organizations with large virtualized estates. What sets APT Inc apart from less capable ransomware operators is its familiarity with virtualization environments and its practice of encrypting backups together with production data. The resulting outages are severe, and organizations without tested, isolated recovery options are left choosing between paying and losing the data.
Mitigation Strategies and Future Threats
Defending against APT Inc requires layered controls around the ESXi estate. Organizations should patch hypervisors promptly, enforce strong password policies and account lockout, remove unnecessary administrative accounts, and keep management interfaces off the open internet. Backups must be kept offline or otherwise isolated so they cannot be encrypted alongside the primary data, and restores should be tested rather than assumed. Network monitoring and anomaly detection on the management plane can surface brute-force attempts, new accounts, and disabled controls early enough to interrupt the attack before encryption begins. The group's capabilities suggest it will adapt to new defenses, so hardening, monitoring, and regularly exercised incident response plans are essential for any organization that runs virtualized infrastructure. Among current ransomware threats, APT Inc stands out for how effectively it turns a single hypervisor compromise into the loss of an entire environment.
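The persistence section above describes unapproved administrator accounts, and the mitigation section lists patching, strong passwords and lockout, and removing unnecessary accounts; both reduce to a configuration review of each ESXi host. The following is an added example, not code from the profile, the group, or VMware: it evaluates a constructed host snapshot (assumed to be normalised from `esxcli system settings advanced list`, `esxcli system account list` and `vim-cmd hostsvc/` output) against a short baseline, shows the weak configuration next to its corrected form, and flags any local account outside an approved set. The advanced-setting names and the esxcli/vim-cmd commands in the fix strings are real ESXi ones; the thresholds (lock after five failures, 900-second unlock and shell timeout) are baseline choices made for this example.

```python
"""Posture check of one ESXi host against the conditions an APT Inc / SEXi
intrusion relies on: no account lockout, SSH and ESXi Shell left running,
lockdown mode off, unsigned binaries allowed, and local accounts nobody
approved (the persistence mechanism the profile describes).

Added example, not from the CyberMaterial profile, the group, or VMware.
Snapshots are constructed; the assumed source is `esxcli system settings
advanced list`, `esxcli system account list` and `vim-cmd hostsvc/`
output normalised into the dict shape below.
"""

DEFAULT_LOCAL_ACCOUNTS = frozenset({"root", "dcui", "vpxuser"})  # stock ESXi accounts
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed "before": the kind of host password guessing succeeds against.
WEAK_HOST = {
    "host": "esx01", "lockdown_mode": "disabled",
    "services": {"TSM-SSH": True, "TSM": True},
    "advanced": {"Security.AccountLockFailures": 0,         # 0 = never lock
                 "Security.AccountUnlockTime": 120,
                 "VMkernel.Boot.execInstalledOnly": False,
                 "UserVars.ESXiShellTimeOut": 0},           # 0 = sessions never expire
    "accounts": [{"name": "root", "role": "Admin"}, {"name": "vpxuser", "role": "Admin"},
                 {"name": "svc-upd", "role": "Admin"}],     # not in the approved set
}

# Constructed "after": the same host with each gap corrected.
HARDENED_HOST = {
    "host": "esx01", "lockdown_mode": "normal",
    "services": {"TSM-SSH": False, "TSM": False},
    "advanced": {"Security.AccountLockFailures": 5, "Security.AccountUnlockTime": 900,
                 "VMkernel.Boot.execInstalledOnly": True, "UserVars.ESXiShellTimeOut": 900},
    "accounts": [{"name": n, "role": "Admin"} for n in ("root", "dcui", "vpxuser")],
}


def assess(snapshot, approved_accounts=DEFAULT_LOCAL_ACCOUNTS):
    """Return findings, most severe first; an empty list means no gaps found."""
    findings = []

    def add(severity, check, detail, fix):
        findings.append({"severity": severity, "check": check, "detail": detail, "fix": fix})

    adv, svc = snapshot.get("advanced", {}), snapshot.get("services", {})
    if snapshot.get("lockdown_mode", "disabled") == "disabled":
        add("high", "lockdown_mode", "Lockdown mode off: direct host logins bypass vCenter RBAC and audit",
            "Enable normal or strict lockdown mode and administer the host through vCenter")
    if svc.get("TSM-SSH"):
        add("medium", "ssh_enabled", "SSH service left running",
            "vim-cmd hostsvc/disable_ssh; vim-cmd hostsvc/stop_ssh (enable only for a change window)")
    if svc.get("TSM"):
        add("medium", "esxi_shell_enabled", "ESXi Shell left running",
            "vim-cmd hostsvc/disable_esx_shell; vim-cmd hostsvc/stop_esx_shell")
    lock = adv.get("Security.AccountLockFailures", 0)
    if lock == 0 or lock > 5:                       # baseline choice: lock at 5 failures
        add("high", "account_lockout", f"Lockout after {lock} failures (0 = never): guessing is unbounded",
            "esxcli system settings advanced set -o /Security/AccountLockFailures -i 5")
    if adv.get("Security.AccountUnlockTime", 0) < 900:
        add("medium", "account_unlock_time",
            f"Locked accounts unlock after {adv.get('Security.AccountUnlockTime', 0)}s",
            "esxcli system settings advanced set -o /Security/AccountUnlockTime -i 900")
    if not adv.get("VMkernel.Boot.execInstalledOnly", False):
        add("high", "exec_installed_only", "Unsigned binaries may run: a dropped encryptor executes unhindered",
            "esxcli system settings kernel set -s execInstalledOnly -v TRUE (applies after reboot)")
    if adv.get("UserVars.ESXiShellTimeOut", 0) == 0:
        add("low", "shell_timeout", "Shell and SSH sessions never time out",
            "esxcli system settings advanced set -o /UserVars/ESXiShellTimeOut -i 900")
    for acct in snapshot.get("accounts", []):
        if acct["name"] not in approved_accounts:
            add("critical" if acct.get("role") == "Admin" else "high", "unexpected_local_account",
                f"Local account '{acct['name']}' ({acct.get('role')}) is not in the approved set",
                f"Confirm with the owner, then: esxcli system account remove -i {acct['name']}")
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["check"]))
    return findings


if __name__ == "__main__":
    for host in (WEAK_HOST, HARDENED_HOST):
        result = assess(host)
        print(f"{host['host']} (lockdown {host['lockdown_mode']}): {len(result)} finding(s)")
        for f in result:
            print(f"  [{f['severity']}] {f['check']}: {f['detail']}\n      fix: {f['fix']}")
```

The weak snapshot produces eight findings, led by the unapproved `svc-upd` administrator account; the hardened snapshot produces none. Run it against every host after patching as well: patch level closes the vulnerability path, but the credential and account checks are what close the path the profile says the group actually uses. Treat a new finding on a host that previously passed, especially an unexpected local account, as a potential sign of the persistence described above rather than as drift.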
References:
  • SEXi / APT Inc Ransomware – What You Need To Know
Tags: APT INC, Chile, Phishing, Ransomware, SEXi, Threat Actors, VMware, Vulnerabilities
    © 2025 | CyberMaterial | All rights reserved
