Analysis of Endpoint (Midnight) Ransomware: An Encryption Guest That Arrived at Dawn

2026-06-02 Ahnlab Analysis of Endpoint (Midnight) Ransomware: An Encryption Guest That Arrived at Dawn

https://asec.ahnlab.com/ko/93931/


EndPoint, formerly known as Midnight, is assessed as a Babuk-derived ransomware variant that targets Windows as well as ESXi and NAS environments and combines file encryption with data-theft extortion. The malware supports path-scoped and network-share-scoped encryption, stops database, office, and mail processes, deletes volume shadow copies with vssadmin, and forcibly stops backup and security services including Veeam, Sophos, and Acronis. It uses ChaCha20 for file encryption, protects the session keys with custom RSA public-key operations, applies partial encryption depending on file size, appends footer metadata to each encrypted file, and uses the mutex Mutexisfunnylocal to prevent duplicate execution. AhnLab notes that a past ransom-note email address, [email protected], impersonated an East Asia Institute director and was identified as used by a North Korea-linked actor after 2024.

Indicators of Compromise

Type   Value                              First Seen   Last Seen
HASH   aa8a043fd3d64fc96864cf5361bbb82…   2026-05-20   2026-06-02
HASH   dd9de77c6e17093b0b2150b3f0c66e8…   2026-05-20   2026-06-02
HASH   1e58448808006de410ddb31a4d6ff82…   2026-05-20   2026-06-02
HASH   3d9a71cfec82fef531227465f40d910…   2026-05-20   2026-06-02
EMAIL  [email protected]                  2026-05-20   2026-06-02
