Hackers Possibly From China Using New Method to Deploy Persistent ESXi Backdoors

Hackers possibly from China have been using a new technique to install persistent backdoors in VMware ESXi hypervisors, giving them significant capabilities while making detection more difficult.

The new technique, spotted by Mandiant in April, involves using malicious vSphere Installation Bundles (VIBs). A VIB is a collection of files packaged into a single archive to facilitate distribution — they are similar to a tarball or ZIP archive.

VIB packages can be used to create startup tasks, custom firewall rules, or to deploy custom binaries when an ESXi machine is rebooted. Administrators typically use these packages to maintain systems and deploy updates, but it appears that malicious actors have found a way to abuse them.

The attackers observed by Mandiant have used malicious VIBs to install two backdoors on ESXi hypervisors. These pieces of malware, named VirtualPita and VirtualPie by Mandiant, allow arbitrary command execution, file transfers, and the ability to initiate reverse shells.

According to Mandiant, this new ‘malware ecosystem’ affects VMware ESXi, Linux vCenter servers, and Windows virtual machines (VMs). The Windows malware is tracked as VirtualGate.

The attackers can maintain persistent admin access to a hypervisor even across restarts, send commands that are routed to a guest VM for execution, transfer files between the hypervisor and guest machines, and execute arbitrary commands from one guest VM to another guest VM on the same hypervisor. They can also tamper with logging services on the hypervisor.

The company pointed out that the attack does not appear to involve exploitation of a known or zero-day vulnerability in VMware products for initial access or to deploy the malicious VIBs. In addition, the attacker needs to obtain admin-level privileges to the ESXi hypervisor before they can deploy the malware.
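Since deploying a malicious VIB requires admin access to the host, one defensive check is to inventory what is actually installed. The script below is an added example (not from the article, Mandiant or VMware): it reads the output of `esxcli software vib list` (a constructed sample is embedded so it runs offline) and flags packages with a CommunitySupported acceptance level or a vendor outside an assumed allowlist; the allowlist, the sample rows and the column layout are assumptions to adjust for your environment.

```shell
# Added example, not from the article or Mandiant: triage a saved
# `esxcli software vib list` listing and flag VIBs worth a closer look.
# Assumptions: the column order Name/Version/Vendor/Acceptance Level/Install Date
# and a space-separated allowlist of vendors the organisation actually uses.

# Constructed sample listing in the layout esxcli prints on an ESXi host.
SAMPLE_VIB_LIST='Name         Version                Vendor  Acceptance Level    Install Date
-----------  ---------------------  ------  ------------------  ------------
esx-base     7.0.3-0.65.20328353    VMware  VMwareCertified     2022-09-01
lsi-mr3      7.718.02.00-1vmw.703   VMW     VMwareCertified     2022-09-01
lsu-hp-hpsa  7.0.3-1OEM.703         HPE     PartnerSupported    2022-09-01
bfs-tool     1.0-1                  XYZ     PartnerSupported    2022-04-15
tmp-agent    0.1-1                  Acme    CommunitySupported  2022-04-15'

# flag_vibs: read a listing on stdin, print "<name> <reason>" for each suspect VIB.
# $1 is the vendor allowlist (space-separated); defaults to a typical set.
flag_vibs() {
  allow="${1:-VMware VMW HPE}"
  awk -v allow="$allow" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NR <= 2 { next }                      # skip the header and separator rows
    {
      name = $1; vendor = $3; level = $4  # acceptance-level values contain no spaces
      if (level == "CommunitySupported")
        print name, "CommunitySupported acceptance level"
      else if (!(vendor in ok))
        print name, "vendor " vendor " not in allowlist"
    }'
}

# On a live host you would pipe the real listing instead:
#   esxcli software vib list | flag_vibs "VMware VMW HPE"
printf '%s\n' "$SAMPLE_VIB_LIST" | flag_vibs "VMware VMW HPE"
```

Flagged entries are a starting point for review, not a verdict: an unfamiliar vendor may be a legitimate OEM driver, so compare against change records and the install dates of the other packages.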

The cybersecurity firm is tracking this activity as UNC3886 and believes a cyber-espionage group may be behind it, considering that fewer than 10 victims have been identified so far.

“Given the highly targeted and evasive nature of this intrusion, we suspect UNC3886 motivation to be cyber espionage related. Additionally, we assess with low confidence that UNC3886 has a China-nexus,” Mandiant said.

VMware has been informed about these attacks and the company has released guidance for securing vSphere environments against such threats.

“While there is no VMware vulnerability involved, we are highlighting the need for strong Operational Security practices that include secure credential management and network security, in addition to following VMware’s hardening guidelines for virtual infrastructure,” said Manish Gaur, head of product security at VMware.

Mandiant believes other threat actors will also develop similar capabilities in the future. In addition, the company anticipates that more victims will come to light once organizations start checking their systems for the indicators of compromise (IoC) it has made available.

“As endpoint detection and response (EDR) solutions improve malware detection efficacy on Windows systems, certain advanced state-sponsored threat actors have shifted to developing and deploying malware on systems that do not generally support EDR such as network appliances, SAN arrays, and VMware ESXi servers. This increases the difficulty for organizations to detect malicious attacker activity,” said Mandiant Consulting CTO Charles Carmakal.


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
