Play
Play has been active since June 2022 and was among the top ransomware groups globally throughout 2024. As of May 2025, the FBI had confirmed approximately 900 compromised organizations across North America, South America, and Europe — tripling the 300 reported in October 2023. The group distinguishes itself through custom tooling (the Grixba information stealer and a proprietary VSS Copying Tool), per-attack binary recompilation that defeats signature detection, and a documented collaboration with North Korean APT group Jumpy Pisces — the first confirmed case of North Korea using third-party ransomware infrastructure to monetize espionage access.
Overview
Play emerged in June 2022 and has operated consistently at or near the top of global ransomware activity rankings since 2023. Unlike many groups that emerged to fill gaps left by LockBit and ALPHV disruptions, Play predates those disruptions and has maintained independent operational momentum throughout. The group tripled its confirmed victim count between October 2023 and May 2025 — from 300 to 900 FBI-confirmed compromises — making it one of the most consistently active and technically sophisticated ransomware operations currently documented.
Play's operational structure is deliberately ambiguous. The group claims on its own leak site to operate as a closed entity that ensures confidentiality of transactions. The Canadian Centre for Cyber Security formally documented a shift to a RaaS model in November 2023, when industry researchers noted Play was being sold as a service — though Play's own data leak site (DLS) statement continued to deny affiliate operations. Play's operators vet partners rather than running open affiliate recruitment, creating a selective model that limits infiltration risk while still extending operational reach. Technical analysis shows TTP overlaps with Hive and Nokoyawa ransomware, and shared Cobalt Strike beacon watermark IDs with Quantum ransomware operations (themselves linked to the Conti ransomware ecosystem) — suggesting a shared operator cluster rather than independent parallel development.
The technical signature that defines Play operationally is per-attack binary recompilation: the ransomware payload is rebuilt for each individual attack, resulting in a unique hash every deployment. This directly defeats signature-based and hash-based detection, forcing defenders to rely on behavioral detection rather than static file analysis. Combined with the group's consistent use of custom tools — Grixba (an information stealer and network scanner built by Play operators) and a proprietary VSS Copying Tool — Play demonstrates sustained in-house development capability that sets it apart from groups relying primarily on publicly available or leaked tooling.
The North Korean connection is the most structurally significant development in Play's operational history. In late 2024, Palo Alto Unit 42 disclosed that Jumpy Pisces (also tracked as Andariel, part of North Korea's Reconnaissance General Bureau) had gained initial access to a target in May 2024 using a compromised account. Jumpy Pisces spent months conducting espionage — deploying DTrack infostealer, Sliver C2 framework, and a custom Mimikatz variant — before handing off access to Play operators, who then delivered ransomware. This was the first confirmed case of a North Korean APT group using third-party ransomware infrastructure, suggesting Jumpy Pisces operated as an initial access broker. Microsoft and Recorded Future warned that this nation-state/criminal nexus may become a broader pattern.
The documented collaboration between North Korea's Jumpy Pisces (Andariel, RGB) and Play operators means that organizations targeted by North Korean espionage APTs may subsequently face Play ransomware deployment. If your organization is in a sector of North Korean intelligence interest — defense, aerospace, semiconductor manufacturing, financial services, research institutions — the presence of Jumpy Pisces TTPs (DTrack, Sliver, unusual Mimikatz variants) should be treated as a potential precursor to ransomware delivery, not just espionage. This is the first documented case of DPRK acting as an IAB for criminal ransomware operators.
Target Profile
Play targets a broad cross-section of critical infrastructure and private sector organizations across North America, South America, and Europe, with no narrow sector mandate. High-value data footprints and critical operational dependencies drive target selection.
- Healthcare: Hospitals and healthcare networks appear throughout Play's victim history. The CISA/FBI advisory flags healthcare as a primary concern sector. Operational disruption in healthcare — forcing ambulance diversions or reverting to paper systems — creates acute payment pressure. The FBI notes only nine Play attacks through mid-2025 were primarily healthcare-focused, but the group's willingness to attack healthcare remains documented.
- Manufacturing and Semiconductors: Microchip Technology (a major US semiconductor supplier) was compromised in 2024. Manufacturing organizations face production downtime that translates directly to revenue loss, creating payment urgency. IP theft from manufacturing targets — proprietary designs, production processes — carries additional dark web value.
- Government and Municipal: The City of Oakland (California), City of Lowell (Massachusetts), Dallas County (Texas), the Belgian city of Antwerp, Argentina's judiciary, and Swiss federal government entities were all confirmed as Play victims. Municipal governments hold extensive citizen PII and face public accountability pressure. Switzerland's government breach exposed approximately 1.3 million records.
- IT Services and Cloud Infrastructure: Rackspace — a major managed cloud hosting provider — was one of Play's highest-profile early victims, with remediation costs exceeding $10 million. IT service providers carry access to downstream client environments, making them high-leverage targets similar to MSPs.
- Logistics and Transportation: Dutch port and shipping operator Royal Dirkzwager was compromised, with data on ship movements and contracts stolen. Logistics disruption has supply chain cascades beyond the direct victim, amplifying pressure to pay and restore operations.
- Retail and Food Service: Krispy Kreme (doughnut chain) and Arnold Clark (UK car retailer) demonstrate Play's reach across commercial retail sectors — reflecting opportunistic targeting wherever access is available rather than limiting operations to critical infrastructure.
Tactics, Techniques & Procedures
TTPs are sourced from the CISA/FBI/ASD's ACSC joint advisory AA23-352A (updated June 4, 2025), Halcyon incident response reporting (September 2025), Palo Alto Unit 42's Jumpy Pisces collaboration analysis, and the AttackIQ emulation framework. The June 2025 update to the advisory added new IOCs, removed outdated ones, added Yara rules, and documented the SimpleHelp CVE exploitation chain first observed in January 2025.
| MITRE ID | Technique | Description |
|---|---|---|
| T1190 | Exploit Public-Facing Application | Play exploits known CVEs in internet-facing appliances for initial access. Documented CVEs include FortiOS SSL VPN (CVE-2018-13379, CVE-2020-12812), Microsoft Exchange ProxyNotShell (CVE-2022-41040, CVE-2022-41082), and SimpleHelp RMM (CVE-2024-57726, CVE-2024-57727, CVE-2024-57728 — exploited from January 2025 onward, with CVE-2024-57727 added to CISA's KEV catalog in February 2025). OWASSRF (an alternative Exchange exploitation path) has also been documented in Play operations. |
| T1078 | Valid Accounts | Compromised credentials obtained from dark web markets used for VPN and RDP access. In the Jumpy Pisces collaboration incident, the North Korean APT provided Play with a compromised account that had been used for months of prior espionage activity — demonstrating that Play's initial access sometimes originates from nation-state partners rather than direct exploitation. |
| T1059.001 | PowerShell | PowerShell scripts used to disable Windows Defender and other security tools. Play has been observed deploying scheduled tasks to execute PowerShell across domain-joined systems, enabling mass defense evasion before encryption. |
| T1087 | Account Discovery | AdFind and BloodHound used for Active Directory reconnaissance — mapping domain structure, user accounts, group memberships, and trust relationships. Grixba, Play's custom information stealer, enumerates network information and scans for antivirus software presence, feeding intelligence into the attack planning phase before lateral movement begins. |
| T1562.001 | Impair Defenses: Disable Tools | GMER, IOBit, PowerTool, and Process Hacker used to disable and remove antivirus and security monitoring solutions. PowerShell scripts target Windows Defender specifically. From late 2024 / early 2025, Halcyon documented a novel and highly specific technique: Play operators download Acronis Disk Director 12 (from Acronis's own trial distribution URL — dl.acronis.com), execute the installer, then use Acronis's disk management scheduler to split a partition, move EDR and EPP software from ProgramData and ProgramFiles folders to the newly created partition, then delete that partition on reboot. After reboot, the security software appears still present in Windows but is fully non-functional — it is physically absent from its expected directory paths. This automated and hidden technique removes EDR/EPP without directly disabling or terminating any security process, bypassing tamper protection mechanisms entirely. Task files are generated by Acronis and stored in C:\ProgramData\Acronis\DiskDirector. Play's implementation is fully automated. Halcyon notes that other partition management utilities with similar split/delete functionality could be substituted for Acronis Disk Director. |
| T1021.001 | Remote Services: RDP / Lateral Movement | PsExec and WMI used for lateral movement and remote execution across domain systems. Cobalt Strike beacons — marked with watermark ID 206546002, shared with Emotet and SVCReady botnet operations used in prior Quantum ransomware campaigns — deployed for C2 and lateral movement staging. SystemBC RAT used for persistence and encrypted C2 communication. Sliver C2 documented in the Jumpy Pisces collaboration incident. Plink and AnyDesk used for remote access maintenance. |
| T1003 | OS Credential Dumping | Mimikatz used for LSASS credential extraction and domain administrator credential harvesting. PlusBrute — a custom Play credential brute-forcing tool — documented alongside Mimikatz for scenarios where credential dumping requires additional support. In the Jumpy Pisces collaboration, North Korean operators used a custom Mimikatz variant during the espionage phase before handing off to Play. |
| T1041 | Exfiltration Over C2 | Grixba (custom Play information stealer) and the proprietary VSS Copying Tool used for data collection and exfiltration. The VSS Copying Tool extracts files directly from Volume Shadow Copies used by other applications — enabling data collection from VSS-protected content even before shadow copies are deleted. Data staged for exfiltration before encryption, consistent with double extortion model. |
| T1486 | Data Encrypted for Impact | AES-256 file encryption with RSA-4096 key protection. Intermittent encryption — encrypting only portions of files rather than the full content — improves encryption speed and evades some file-content-based detection methods. Per-attack binary recompilation: the ransomware binary is rebuilt for every individual attack, producing a unique hash each deployment for both Windows and ESXi variants. This directly defeats signature and hash-based detection. Encrypted files are appended with the .play extension. The ransom note instructs victims to contact Play via a unique email address (at a @gmx.de or @web.de domain) rather than through a Tor portal — an unusual choice that simplifies victim communication but reduces anonymization compared to Tor-based negotiation. |
| T1490 | Inhibit System Recovery | AlphaVSS (open-source VSS management utility) deployed to manipulate and delete shadow copies. NAS devices subjected to factory resets after full data exfiltration — making recovery from NAS-hosted backups impossible without cloud backup copies. Local backup software explicitly encrypted. SonicWall firewall takeover (documented from September 2025 by Halcyon): Play operators gain full administrative control of SonicWall firewalls and reset credentials, making the devices unrecoverable without restoring from a configuration backup. Critically, Play then coordinates cutting internet access through the victim's ISP, routing only malicious traffic through the compromised firewall — isolating the victim environment so that remote security teams, incident responders, and cloud service vendors cannot intervene or provide assistance during the attack. This internet-isolation technique is an escalation beyond simple firewall credential reset and represents a deliberate attempt to strand the victim organization without outside help during the encryption phase. |
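The T1087 and T1562.001 rows above describe an ordered chain on a single host: Active Directory reconnaissance (AdFind, BloodHound) and then defense impairment (GMER, IOBit, PowerTool, Process Hacker, or a Defender-disabling PowerShell command) before encryption. The following Python is an added example of correlation logic for that chain, written for this page and not taken from the advisory or any vendor; it runs over constructed Sysmon-style process-creation records, and the 24-hour correlation window, hostnames and user names are assumptions.

```python
"""
Correlation logic for the pre-encryption indicator chain: AD reconnaissance
with AdFind/BloodHound followed on the same host by defense-impairment
tooling or a Defender-disabling PowerShell command. Added example over
constructed Sysmon-style process-creation records.
"""
from datetime import datetime, timedelta

# Image names the page associates with each phase (lower-case, no path).
RECON_IMAGES = {"adfind.exe", "bloodhound.exe", "sharphound.exe"}
IMPAIR_IMAGES = {"gmer.exe", "gmer64.exe", "powertool.exe", "powertool64.exe",
                 "processhacker.exe", "iobitunlocker.exe"}
# Set-MpPreference switches that turn off Defender protection features.
DEFENDER_DISABLE_MARKERS = ("-disablerealtimemonitoring", "-disableioavprotection")
# Assumed correlation window: recon and impairment within one day.
WINDOW = timedelta(hours=24)


def classify(event):
    """Label a process event as 'recon', 'impair' or None."""
    image = event["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    cmdline = event.get("cmdline", "").lower()
    if image in RECON_IMAGES:
        return "recon"
    if image in IMPAIR_IMAGES:
        return "impair"
    if image == "powershell.exe" and any(m in cmdline for m in DEFENDER_DISABLE_MARKERS):
        return "impair"
    return None


def find_chains(events, window=WINDOW):
    """Return one alert per impairment event that follows recon on the same host
    within `window`. Events are dicts: ts (datetime), host, user, image, cmdline."""
    alerts = []
    recon_by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind = classify(ev)
        if kind == "recon":
            recon_by_host.setdefault(ev["host"], []).append(ev)
        elif kind == "impair":
            for prior in recon_by_host.get(ev["host"], []):
                if ev["ts"] - prior["ts"] <= window:
                    alerts.append({"host": ev["host"], "user": ev["user"],
                                   "recon": prior["image"], "impair": ev["image"],
                                   "gap": ev["ts"] - prior["ts"]})
                    break
    return alerts


def sample_events():
    """Constructed telemetry: one true chain (WS01), one impairment with no prior
    recon (SRV02), and one recon whose follow-up falls outside the window (WS03)."""
    t0 = datetime(2025, 3, 10, 9, 0)
    return [
        {"ts": t0, "host": "WS01", "user": "CORP\\jdoe",
         "image": r"C:\Temp\adfind.exe", "cmdline": "adfind.exe -f objectcategory=computer"},
        {"ts": t0 + timedelta(hours=2), "host": "WS01", "user": "CORP\\jdoe",
         "image": r"C:\Temp\gmer.exe", "cmdline": "gmer.exe"},
        {"ts": t0 + timedelta(hours=1), "host": "SRV02", "user": "CORP\\svc_backup",
         "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "cmdline": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
        {"ts": t0, "host": "WS03", "user": "CORP\\asmith",
         "image": r"C:\Users\asmith\bloodhound.exe", "cmdline": "bloodhound.exe"},
        {"ts": t0 + timedelta(days=2), "host": "WS03", "user": "CORP\\asmith",
         "image": r"C:\Users\asmith\powertool.exe", "cmdline": "powertool.exe"},
    ]


if __name__ == "__main__":
    for a in find_chains(sample_events()):
        print(f"{a['host']}: {a['recon']} -> {a['impair']} ({a['user']}, {a['gap']} apart)")
```

Only WS01 produces an alert: SRV02 shows impairment with no reconnaissance before it (worth a lower-severity rule of its own), and WS03's follow-up lands outside the assumed window. In production the events would come from Sysmon Event ID 1 or an EDR process feed, and the image sets should be extended with renamed copies of the same tools via hash or PE metadata rather than file name alone.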
Known Campaigns
Play attacked Rackspace's Hosted Exchange environment — exploiting the OWASSRF Exchange vulnerability — forcing the company to take its hosted Microsoft Exchange service offline. The outage affected thousands of Rackspace customers who relied on the hosted Exchange service for business email. Rackspace ultimately migrated affected customers to Microsoft 365 rather than restoring the compromised environment. Remediation costs exceeded $10 million eight months after the attack, making it one of the most financially damaging Play incidents by disclosed recovery cost. The incident established Play's willingness and capability to take down major cloud service providers.
Play attacked the City of Oakland, disrupting city services and forcing the municipal government to declare a local state of emergency — one of the few ransomware attacks to trigger a formal emergency declaration in the United States. Sensitive city employee records, financial data, and resident information were exfiltrated and subsequently published when the city declined to pay the ransom. The attack affected police records, court systems, and city administrative functions. Oakland's declaration of emergency highlighted how ransomware attacks on municipal governments can constitute genuine public safety crises beyond IT disruption.
Play attacked Dallas County, exposing records affecting hundreds of thousands of county residents. The breach included court records, property records, and county employee data. Dallas County is one of the largest counties in the United States by population, making the breach scope significant. Play published exfiltrated Dallas County data on its dark web site after the county declined engagement with the group's demands.
Play compromised IT service providers supplying the Swiss federal government, resulting in approximately 1.3 million records being exfiltrated and ultimately published. The breach demonstrated Play's reach into European government supply chains and its willingness to target government entities through upstream IT vendors — a supply chain approach that bypasses direct government network defenses.
Disclosed by Palo Alto Unit 42 in late 2024: North Korea's Jumpy Pisces (Andariel, RGB) gained initial access to an unidentified organization in May 2024 via a compromised account. Over the following months, Jumpy Pisces conducted espionage operations using DTrack infostealer, Sliver C2 framework, and a custom Mimikatz variant. In September 2024, Jumpy Pisces activity ceased and Play ransomware was deployed using the same compromised access — with both groups sharing credentials and network access during a brief overlap period. This is the first documented instance of a North Korean APT group serving as an initial access broker for criminal ransomware operators and using third-party ransomware infrastructure for financial operations. Microsoft and Recorded Future assessed this collaboration model may expand.
Halcyon documented Play operations using three novel recovery-destruction techniques across engagements from April 2025 onward. First: complete SonicWall firewall takeover — Play resets all credentials, making firewalls unrecoverable without configuration backup restoration. Second: factory resets of network-attached storage devices after full data exfiltration, destroying local backup copies. Third — and most operationally significant: Play coordinates with the victim's ISP to cut internet access entirely, routing only malicious traffic through the compromised firewall infrastructure. This internet-isolation technique strands the victim organization without access to remote incident response teams, cloud vendors, or external help during the encryption phase. Combined with the EDR/EPP removal via Acronis Disk Director partition splitting (documented separately), these techniques represent Play's most aggressive capability expansion since its 2022 founding — designed to maximize dwell time, maximize encryption scope, and eliminate any real-time defensive intervention.
Play posted Garner Foods — the North Carolina manufacturer behind the Texas Pete hot sauce brand — to its dark web leak site in early January 2026, warning of data publication unless demands were met. The incident confirms Play's continued activity into 2026 at an undiminished operational tempo, and its reach into mid-market food and consumer goods manufacturing — sectors that are typically underinvested in cybersecurity relative to the value of their operational and commercial data.
Tools & Malware
- Play encryptor (Windows and ESXi/Linux variants): AES-256 file encryption with RSA-4096 key protection. Per-attack binary recompilation produces a unique hash per deployment — defeating signature and hash-based detection. Intermittent encryption (partial file encryption) improves speed and evades content-scanning detection. Encrypted files are appended with the .play extension. Ransom notes direct victims to contact the group via unique email addresses (@gmx.de or @web.de domains) rather than Tor. The ESXi Linux variant was introduced in July 2024 (documented by Trend Micro). It verifies that it is running in a VMware ESXi environment before executing — if not in an ESXi environment, it does not run. Once confirmed, it powers off all running virtual machines, then encrypts VM disk, configuration, and metadata files. Trend Micro also found that the ESXi variant's hosting infrastructure overlaps with Prolific Puma, a threat actor group that operates an illicit URL-shortening and domain generation service for cybercriminals — suggesting Play uses Prolific Puma's infrastructure to host and distribute payloads. AlphaVSS is deployed for VSS shadow copy manipulation and deletion on Windows systems.
- Grixba (custom information stealer): A Play-developed custom tool combining information stealing and network scanning capabilities. Enumerates network information, scans for antivirus software presence, collects system information (machine GUID, Windows properties, current username, running processes, active services), and identifies high-value targets for exfiltration focus. Not publicly available — developed exclusively for Play operations.
- VSS Copying Tool (custom): A Play-developed proprietary tool for extracting files from Volume Shadow Copies used by other applications — enabling collection from VSS-protected data before shadow copies are deleted. This custom capability is particularly effective against environments where critical data resides in VSS-protected states.
- PlusBrute (custom): A Play-developed credential brute-forcing tool used alongside Mimikatz for credential access in environments where standard dumping techniques face additional controls.
- Cobalt Strike: Post-compromise C2 and lateral movement staging. Play beacons carry watermark ID 206546002 — the same ID previously observed in Emotet and SVCReady botnet operations used in Quantum ransomware campaigns, providing a technical link to the Conti ransomware ecosystem's operator cluster.
- SystemBC RAT: Used for persistence and encrypted C2 communication, consistent with patterns documented in other Eastern European ransomware operations.
- AdFind / BloodHound: Active Directory reconnaissance tools for mapping domain structure, user accounts, group memberships, and trust relationships.
- Coroxy backdoor: A backdoor documented in Play's ESXi variant attack chain by Trend Micro (July 2024). The IP address hosting the Play ESXi payload also contained Coroxy alongside PsExec, NetScan, WinSCP, and WinRAR — indicating Coroxy is part of Play's standard post-access toolkit in ESXi environments.
- NetScan / WinSCP / WinRAR: Network scanning, file transfer, and archive utilities documented by Trend Micro as part of Play's ESXi attack chain. NetScan used for internal network enumeration; WinSCP for data transfer; WinRAR for archiving exfiltrated data before transfer.
- Acronis Disk Director 12 (abused for EDR removal): A legitimate partition management tool downloaded directly from Acronis's own trial distribution URL and weaponized by Play to remove EDR and EPP software from disk without triggering tamper protection. Play schedules an Acronis disk task to split the volume, moves security software directories to the new partition, then deletes the partition on reboot — leaving the EDR/EPP non-functional but apparently still present to casual inspection. Task artifacts stored at C:\ProgramData\Acronis\DiskDirector. Play's implementation is fully automated and hidden from standard process monitoring.
- GMER / IOBit / PowerTool / Process Hacker: Legitimate security and system administration tools repurposed for disabling and removing antivirus and EDR solutions — used alongside the Acronis Disk Director technique rather than as a replacement for it.
- Mimikatz / PsExec / WMI: Standard credential dumping and remote execution tools used throughout the post-access phases. Sliver C2 documented in the Jumpy Pisces collaboration incident.
- Plink / AnyDesk: Legitimate remote access utilities used for persistent operator access throughout dwell periods.
Indicators of Compromise
IOCs from CISA advisory AA23-352A (updated June 4, 2025), which includes updated hash tables, updated network indicators, removed outdated IOCs, and Yara rules for Play detection. The June 2025 update represents the current operative IOC set — use only this version, not the original December 2023 advisory.
Play recompiles its ransomware binary for every individual attack, producing a unique file hash each deployment. File hashes in the CISA advisory are therefore of limited value for prospective detection — they document past samples rather than identify future ones. Behavioral IOCs and Yara rules targeting code patterns rather than specific hashes are significantly more durable detection mechanisms against Play. The CISA advisory includes Yara rules specifically for this reason.
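Because the hash changes every deployment, the durable file-level indicators are the encryptor's effects rather than its binary: the T1486 row and the tool list both name the .play extension and the @gmx.de / @web.de contact mailboxes in the ransom note. The Python below is an added example of behavioral detection on those two effects, written for this page and not part of the advisory; it runs over constructed file-event records, and the burst threshold, window, share paths and placeholder mailbox are assumptions.

```python
"""
Behavioral detection for the Play encryptor's on-disk effects: a burst of
renames to the .play extension on one host, and a dropped note whose contact
address sits in a @gmx.de or @web.de mailbox. Added example over constructed
file-event records; threshold, window and note text are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

PLAY_EXTENSION = ".play"
# Matches any mailbox at the two provider domains named on the page.
NOTE_CONTACT_RE = re.compile(r"[A-Za-z0-9._%+-]+@(?:gmx\.de|web\.de)\b", re.IGNORECASE)


def rename_bursts(events, threshold=50, window=timedelta(seconds=60)):
    """Sliding-window count of renames to .play per host.
    Returns {host: peak_count} for hosts reaching `threshold` within `window`.
    events: dicts with ts (datetime), host, event ('rename'/'create'/...), path."""
    times_by_host = defaultdict(list)
    for ev in events:
        if ev["event"] == "rename" and ev["path"].lower().endswith(PLAY_EXTENSION):
            times_by_host[ev["host"]].append(ev["ts"])
    hits = {}
    for host, times in times_by_host.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[host] = max(hits.get(host, 0), count)
    return hits


def ransom_note_contacts(note_text):
    """Return the contact addresses in a note that use Play's documented domains."""
    return sorted({m.group(0).lower() for m in NOTE_CONTACT_RE.finditer(note_text)})


def sample_events():
    """Constructed telemetry: FS01 sees 80 renames in 40 seconds (an encryption
    run); WS07 sees 5 renames spread over eight minutes (not a burst)."""
    t0 = datetime(2025, 3, 10, 2, 15)
    events = [{"ts": t0 + timedelta(milliseconds=500 * i), "host": "FS01",
               "event": "rename", "path": rf"D:\Shares\finance\report_{i}.xlsx.play"}
              for i in range(80)]
    events += [{"ts": t0 + timedelta(minutes=2 * i), "host": "WS07",
                "event": "rename", "path": rf"C:\Users\u\doc_{i}.docx.play"}
               for i in range(5)]
    events.append({"ts": t0 + timedelta(seconds=41), "host": "FS01",
                   "event": "create", "path": r"D:\Shares\finance\ReadMe.txt"})
    return events


# Constructed note text with a placeholder mailbox; real notes carry a per-victim address.
SAMPLE_NOTE = "Your files are encrypted.\nContact: recovery-placeholder@gmx.de\n"


if __name__ == "__main__":
    print(rename_bursts(sample_events()))       # {'FS01': 80}
    print(ransom_note_contacts(SAMPLE_NOTE))    # ['recovery-placeholder@gmx.de']
```

The rename-burst rule is what catches an active encryption run early enough to isolate the host; the mailbox regex is a weaker, post-hoc attribution aid, since a note is only dropped once encryption is under way. Feed real data from Sysmon Event ID 11 or file-server audit logs, and tune the threshold per host class so that backup jobs and bulk migrations do not trip it.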
Mitigation & Defense
- Patch SimpleHelp immediately: CVE-2024-57727 (SimpleHelp path traversal, enables RCE) was added to CISA's Known Exploited Vulnerabilities catalog in February 2025 and is being actively exploited by Play-linked actors as of early 2025. Any organization running unpatched SimpleHelp in an internet-accessible configuration should treat remediation as a P0 action. SimpleHelp is widely used by MSPs and IT departments — the attack surface is broad.
- Enforce phishing-resistant MFA on all VPN and Exchange access: Play has consistently exploited FortiOS and Exchange CVEs for initial access alongside purchased credentials. MFA on VPN portals and on Exchange/OWA (Outlook Web Access) prevents credential-based access even when credentials are compromised. FIDO2/passkeys are preferred; TOTP provides partial protection. Any VPN or webmail portal without MFA is a direct Play entry point.
- Implement behavioral detection for Grixba: Grixba is a Play-exclusive tool — its presence is a near-certain Play attribution indicator. EDR behavioral rules detecting Grixba's network enumeration and AV scanning behavior provide high-confidence early detection during the pre-encryption reconnaissance phase, before Play operators have disabled security tooling.
- Alert on AdFind and BloodHound execution: Both tools are used by Play (and many other ransomware groups) for Active Directory reconnaissance. AdFind and BloodHound execution on systems where they are not authorized software — particularly when combined with subsequent GMER or PowerTool execution — is a reliable pre-encryption indicator chain. Implement allowlisting for AD administration tools.
- Deploy Yara rules from the CISA advisory: Because Play recompiles its binary per attack, file hash detection fails against Play. The June 2025 CISA advisory specifically includes Yara rules targeting code patterns that persist across recompilations. Deploy these rules in your SIEM and EDR as the primary file-level detection mechanism rather than relying on hash-based signatures.
- Protect recovery infrastructure explicitly — and harden against internet isolation: Play's documented techniques include SonicWall firewall credential resets, NAS factory resets, and ISP-coordinated internet access cutoff — not just VSS deletion. Firewall management credentials must use MFA and be stored in PAM solutions inaccessible from production network credentials. NAS administrative access should require separate credentials unreachable from domain accounts. Cloud backup copies must be maintained on infrastructure not accessible from the production domain. Critically: establish an out-of-band communication path (separate cellular connectivity, secondary internet provider, or pre-arranged contact with your ISP security team) so that internet isolation during an incident does not also isolate your incident response capability. Organizations that rely solely on their primary internet connection for incident response communication are vulnerable to complete operational blindness if Play executes its ISP-coordination technique.
- Monitor for Acronis Disk Director installation on endpoints: Play's documented EDR/EPP removal technique uses Acronis Disk Director 12 (a legitimate partition management tool) to split a disk volume, move security software directories to the new partition, and then delete the partition on reboot — physically removing EDR and EPP from their expected paths without triggering tamper protection. Alert on any installation of Acronis Disk Director — or any disk partition manager — on production servers and endpoints where it is not explicitly authorized software. Flag the artifact path C:\ProgramData\Acronis\DiskDirector appearing on systems that do not run approved Acronis products. The technique is fully automated and hidden during normal process monitoring, making installation detection the primary defensive opportunity.
- Monitor for nation-state APT precursors: The Jumpy Pisces collaboration demonstrates that Play access may be delivered by a North Korean APT following a period of espionage activity. If your organization is in a sector of North Korean collection interest (defense, semiconductors, aerospace, financial services), treat the presence of DTrack, Sliver C2, or unusual Mimikatz variants as potential precursors to ransomware delivery — not just espionage events to be contained and remediated. Notify law enforcement and engage incident response when nation-state APT activity is detected; the handoff to ransomware operators may follow.
- Segment ESXi from production domain credentials: Play's Linux ESXi variant targets VMware environments. ESXi management credentials must not be reachable from standard Windows domain accounts. ESXi hosts should require separate administrative credentials stored in isolated PAM, with MFA for console access.
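The Acronis Disk Director technique appears three times on this page (the T1562.001 row, the tool list entry and the monitoring bullet above), and each time the defensive opportunity is the same: spot the download, the installer and the task files on hosts that should never run Acronis, and verify after any reboot that the EDR/EPP directories are physically present. The Python below is an added example implementing both checks, written for this page and not drawn from Halcyon's reporting or the advisory; it runs over constructed endpoint telemetry, and the hostnames, approved-host list, installer file name and security product paths are assumptions.

```python
r"""
Two checks for the Acronis Disk Director EDR/EPP-removal technique.
(1) Correlate endpoint telemetry on unapproved hosts: a download from
dl.acronis.com, execution of a Disk Director installer, and task files
written under C:\ProgramData\Acronis\DiskDirector.
(2) A post-boot integrity check that confirms the security software's
install directories are actually present, since after the partition is
deleted the agent still appears installed while its files are gone.
Added example; hostnames, approved hosts, installer name and EDR paths
are constructed assumptions, not advisory indicators.
"""
import os
from pathlib import PureWindowsPath

ACRONIS_DOWNLOAD_HOST = "dl.acronis.com"
TASK_DIR = PureWindowsPath(r"C:\ProgramData\Acronis\DiskDirector")


def acronis_indicators(events, approved_hosts=frozenset()):
    """Map host -> list of indicator strings for hosts not approved to run Acronis.
    events: dicts with host, type ('network'/'process'/'file') and type-specific keys."""
    findings = {}
    for ev in events:
        host = ev["host"]
        if host in approved_hosts:
            continue
        indicator = None
        if ev["type"] == "network" and ev.get("dest_host", "").lower() == ACRONIS_DOWNLOAD_HOST:
            indicator = f"download from {ACRONIS_DOWNLOAD_HOST}"
        elif ev["type"] == "process":
            name = PureWindowsPath(ev["image"]).name
            if "diskdirector" in name.lower():
                indicator = f"process started: {name}"
        elif ev["type"] == "file":
            path = PureWindowsPath(ev["path"])
            if TASK_DIR in path.parents:  # PureWindowsPath compares case-insensitively
                indicator = f"task file written: {path.name}"
        if indicator:
            findings.setdefault(host, []).append(indicator)
    return findings


def severity(indicators):
    """Two or more independent indicators on one host is treated as high."""
    return "high" if len(indicators) >= 2 else "medium"


def missing_security_dirs(expected_dirs, exists=os.path.isdir):
    """Return expected EDR/EPP directories that are absent. `exists` is injectable
    so the check runs against a snapshot in tests and os.path.isdir in production."""
    return [d for d in expected_dirs if not exists(d)]


def sample_events():
    """Constructed telemetry: WS11 shows the full chain; ADMIN-JUMP is approved."""
    return [
        {"host": "WS11", "type": "network", "dest_host": "dl.acronis.com"},
        {"host": "WS11", "type": "process",
         "image": r"C:\Users\admin\Downloads\DiskDirector12_trial_placeholder.exe"},
        {"host": "WS11", "type": "file",
         "path": r"C:\ProgramData\Acronis\DiskDirector\task_placeholder.xml"},
        {"host": "ADMIN-JUMP", "type": "file",
         "path": r"C:\ProgramData\Acronis\DiskDirector\task_placeholder.xml"},
        {"host": "WS12", "type": "process", "image": r"C:\Windows\explorer.exe"},
    ]


# Constructed post-reboot directory snapshot: the EDR folder has vanished.
EXPECTED_SECURITY_DIRS = [r"C:\Program Files\ExampleEDR", r"C:\ProgramData\ExampleEPP"]
SNAPSHOT_AFTER_REBOOT = {r"C:\ProgramData\ExampleEPP"}


if __name__ == "__main__":
    for host, inds in acronis_indicators(sample_events(), {"ADMIN-JUMP"}).items():
        print(host, severity(inds), inds)
    print("missing:", missing_security_dirs(EXPECTED_SECURITY_DIRS,
                                            SNAPSHOT_AFTER_REBOOT.__contains__))
```

The second check is the one that matters once the installer has already run: because no process is killed and no service is unregistered, the agent's own health reporting may keep showing green. Running `missing_security_dirs` from a startup task or a configuration-management agent on every boot, against the real install paths of your EDR and EPP products, turns the reboot the attacker relies on into a detection point. Halcyon notes that other partition managers could substitute for Acronis, so the process and task-file checks should be treated as one instance of a broader "unauthorized partition manager on an endpoint" rule.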
Sources & Further Reading
- CISA / FBI / ASD's ACSC — #StopRansomware: Play Ransomware, Advisory AA23-352A (December 2023; updated June 4, 2025)
- BleepingComputer — FBI: Play Ransomware Breached 900 Victims Including Critical Orgs (June 2025)
- Halcyon — FBI: Over 900 Organizations Disrupted by Play Ransomware Attacks (June 2025)
- Halcyon — Play Ransomware Destroys EDR/EPP via Disk Manager, Seizes Network Firewalls (March 2026)
- HIPAA Journal — Updated Play Ransomware Cybersecurity Advisory: Victim Count Reaches 900 (June 2025)
- Cybersecurity Dive — FBI, CISA Warn Play Ransomware Targeting Critical Infrastructure with Evolving Techniques (June 2025)
- COE Security — Play Ransomware: 2025 Alert (includes Jumpy Pisces collaboration analysis) (June 2025)
- AttackIQ — Updated Response to CISA Advisory AA23-352A: Play Ransomware Emulation (June 2025)
- Dark Reading — Rackspace Faces Massive Cleanup Costs After Ransomware Attack (December 2023)