Payload ransomware posted three new victims on its Tor leak site in a single batch spanning the Caribbean and Southeast Asia: Plaza Lama, a major retail chain in the Dominican Republic; Hansoll Textile, a Vietnamese knit apparel manufacturer supplying major international fashion brands; and Villea Hotels, part of the AttanaHotels group, described as a premier Malaysian hospitality company. The batch crosses three countries and two continents in a targeting pattern consistent with the group’s geography-agnostic approach to victim selection.
Payload’s Three Victims: A Retailer, a Textile Manufacturer, and a Luxury Hotel Group
Payload emerged in February 2026, launching its Tor leak site on the same day its Windows binary was compiled — and debuting with 12 initial victims across seven countries. That launch pattern established the group’s defining characteristic: volume-first, geography-diverse operations that do not concentrate on any particular sector or region. The latest batch reflects the same model, pairing a Dominican Republic retail chain with a Vietnamese manufacturing operation and a Malaysian luxury hospitality group in a combination that has no obvious thematic connection beyond Payload’s interest in maximizing the total volume of exfiltrated data across its victim portfolio.
The group operates cross-platform ransomware, targeting both Windows and ESXi (VMware) environments with custom encryption that renames affected files with a .payload extension. Payload’s deployment process kills backup and security tools, deletes shadow copies, and optionally wipes Windows event logs before completing encryption. These are the standard operational steps designed to prevent recovery and eliminate forensic artifacts. Across its full victim portfolio, Payload has claimed 2,603 GB of stolen data.
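For defenders, the Windows-side behaviours listed above (shadow copy deletion, event log clearing, and files renamed with a .payload extension) are most useful when correlated per host rather than alerted on individually. The Python below is an added example, not code from the original article or from any vendor report on Payload. The event schema, sample events, thresholds, and shadow-copy command shapes are assumptions, since the article names no specific commands.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed correlation window
RENAME_BURST = 3                # assumed threshold, kept low for the sample data
LOG_CLEARED = {("Security", 1102), ("System", 104)}  # Windows "log cleared" events

def ev(ts, host, kind, **fields):
    return {"ts": datetime.fromisoformat(ts), "host": host, "kind": kind, **fields}

# Constructed sample telemetry; the event schema is hypothetical.
EVENTS = [
    ev("2026-03-01T02:10:00", "fs01", "process", cmd="vssadmin.exe delete shadows /all /quiet"),
    ev("2026-03-01T02:11:30", "fs01", "winevent", channel="Security", event_id=1102),
    ev("2026-03-01T02:12:00", "fs01", "rename", new=r"D:\share\q1.xlsx.payload"),
    ev("2026-03-01T02:12:01", "fs01", "rename", new=r"D:\share\hr.docx.payload"),
    ev("2026-03-01T02:12:02", "fs01", "rename", new=r"D:\share\db.bak.payload"),
    ev("2026-03-01T09:00:00", "ws02", "process", cmd="vssadmin.exe list shadows"),
    ev("2026-03-01T09:05:00", "ws02", "rename", new=r"C:\dev\request.payload"),
]

def classify(e):
    """Map one event to a behaviour described in the article, or None."""
    if e["kind"] == "process":
        cmd = e["cmd"].lower()
        # Assumed command shapes (vssadmin / wmic shadowcopy); the article names none.
        if "shadow" in cmd and "delete" in cmd:
            return "shadow_copy_delete"
    elif e["kind"] == "winevent" and (e["channel"], e["event_id"]) in LOG_CLEARED:
        return "event_log_cleared"
    elif e["kind"] == "rename" and e["new"].lower().endswith(".payload"):
        return "payload_rename"
    return None

def correlate(events):
    """Alert per host when a .payload rename burst accompanies recovery inhibition."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        tag = classify(e)
        if tag:
            by_host[e["host"]].append((e["ts"], tag))
    alerts = {}
    for host, tagged in by_host.items():
        for start, _ in tagged:
            window = [t for ts, t in tagged if start <= ts <= start + WINDOW]
            renames = window.count("payload_rename")
            inhibit = sorted(set(window) - {"payload_rename"})
            if renames >= RENAME_BURST and inhibit:
                alerts[host] = {"renames": renames, "behaviours": inhibit}
                break
    return alerts
```

Requiring both a rename burst and a recovery-inhibition signal keeps a lone .payload file or a read-only vssadmin query, as on the constructed host ws02, from raising an alert.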
Plaza Lama and Villea Hotels: Payment Card and Guest Data in the Caribbean and Malaysia
Plaza Lama operates as a large Dominican Republic retail chain offering a broad product range. A compromise of a major Caribbean retail chain exposes the standard categories of high-value consumer data: customer payment card data, point-of-sale transaction records, loyalty program member personally identifiable information, and supplier contract documentation. The Dominican Republic’s breach notification regulatory environment is less developed than US or EU frameworks, creating the possibility that affected consumers receive weaker protections and more limited notification rights than they would under GDPR or US state breach notification laws.
Villea Hotels, as part of the AttanaHotels hospitality group, manages a category of data that makes hotel companies disproportionately valuable targets for ransom operations: passport and national ID copies collected at check-in, credit card data, complete guest stay histories, corporate travel account records, and VIP guest profiles. The last category — high-net-worth or executive guests whose travel patterns, payment information, and contact details are all captured in a hotel’s property management system — represents intelligence value that extends beyond the financial data alone. A hotel group’s data environment covers both the mass-market breadth of consumer payment information and the targeted value of executive-level personal information.
Hansoll Textile’s Client Secrets: Design Specs and Order Books for Major Fashion Brands
Hansoll Textile, described as a globally significant knit apparel manufacturer whose clients include major international fashion brands, holds a category of commercially sensitive data that makes it a high-value target for a ransomware group operating a double-extortion model. Client manufacturing orders, design specifications for unreleased products, pricing agreements, and supply chain documentation represent the competitive intelligence of multiple Western fashion companies condensed into a single supplier’s file systems.
The double-extortion model extends Payload’s threat beyond the straightforward ransom demand: a threat to publish or sell Hansoll’s client data to competitors constitutes a form of triple extortion directed not just at the textile manufacturer but at the international brands whose proprietary design and pricing information would be exposed. Vietnam’s growing role in global supply chains has made Vietnamese manufacturers an increasingly attractive target for ransomware operators who recognize that supply chain entry points concentrate the intellectual property of multiple downstream clients.
Payload’s Cross-Platform Attack Model: Windows, ESXi, and 2,603 GB Claimed to Date
Payload’s technical architecture targets the two environments most critical to enterprise operations: Windows workstations and servers, and VMware ESXi hypervisors hosting virtual machine infrastructure. Compromising the ESXi layer allows the ransomware to encrypt virtual machines in bulk rather than targeting individual endpoints, accelerating the operational impact of an attack. The combination of Windows and ESXi targeting, custom encryption, shadow copy deletion, and EDR-killing places Payload’s capabilities in the same operational tier as established ransomware-as-a-service groups, despite launching only months ago.
The 2,603 GB total claimed across Payload’s victim portfolio, accumulated since its February 2026 debut, positions the group among the more active new entrants in the ransomware ecosystem. Its sector-agnostic, geographically distributed targeting model — a retail chain, a textile supplier, and a luxury hotel group in a single posting — is designed to maximize the aggregate volume of extortable data rather than optimizing for any single sector’s average ransom capacity.
