Suspected China-aligned actors are running a new “Fire Ant” espionage campaign, active since early 2025, that targets VMware ESXi, vCenter servers, and F5 appliances to achieve stealthy hypervisor-level control.
According to a Sygnia discovery, the campaign has been exploiting critical flaws in VMware environments to gain unauthenticated access to virtualization infrastructure and deploy persistent malware like VirtualPita and autobackup.bin.
According to Ev Kontsevoy, CEO of Teleport, it is a classic nation-state attack vector. “Fire Ant has been exploiting infrastructure vulnerabilities and using stolen credentials to infiltrate systems,” he said. “This is not an isolated tactic. Many nation-state groups are now adopting the same approach due to its effectiveness and difficulty of detection.”
While Sygnia refrained from attributing Fire Ant to a specific actor, it noted that the campaign’s tools, VMware-focused attack vectors, working hours, and keyboard patterns closely matched previous findings on the China-nexus group UNC3886.
Initial access through VMware flaws
The attackers exploited CVE-2023-34048 in VMware vCenter to achieve unauthenticated remote code execution (RCE), then retrieved credentials for the “vpxuser” service accounts, which vCenter automatically creates to manage ESXi hosts with full administrative privileges. Because vpxuser is exempt from lockdown mode restrictions, the attackers could retain host-level control over all connected ESXi servers, the physical machines running the ESXi hypervisor, even if direct logins were disabled.
Now holding full administrative privileges, the attackers planted persistent backdoors such as VirtualPita and autobackup.bin, and disabled the system logging daemon (vmsyslogd) to cover their tracks across reboots.
Kontsevoy calls this an identity management failure. “The attackers used stolen credentials to create backdoors and mimic legitimate employee actions through common, trusted tools,” he said. “This is because once an identity crosses a technology boundary, its trail is lost. No one can see where it goes next. This visibility gap allows backdoors to go unnoticed and enables attackers to re-enter the infrastructure undetected.”
Attackers further exploited CVE-2023-20867 to run unauthenticated host-to-guest commands via VMware Tools/PowerCLI, accessing guest VMs and extracting in-memory domain credentials.
Tunnelling allowed lateral movement
Once inside, Fire Ant bypassed network segmentation by exploiting CVE-2022-1388 in F5 BIG-IP devices. This allowed them to deploy encrypted tunnels such as Neo-reGeorg web shells to reach isolated environments, even leveraging IPv6 to evade IPv4 filters.
“The threat actor demonstrated a deep understanding of the target environment’s network architecture and policies, effectively navigating segmentation controls to reach internal, presumably isolated assets,” Sygnia said in a blog post. “By compromising network infrastructure and tunneling through trusted systems, the threat actor systematically bypassed segmentation boundaries, reached isolated networks, and established cross-segment persistence.”
The attackers constantly adapted their techniques, such as altering tools, disguising files, and deploying redundant persistence backdoors, to evade detection and regain access after cleanup.
Sygnia has advised organizations to patch vulnerable VMware components, rotate and secure service account credentials, and enforce ESXi lockdown mode to restrict host access. It also recommends using dedicated admin jump hosts, segmenting management networks, and expanding monitoring to include vCenter, ESXi, and appliances that often lack traditional endpoint visibility.
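One way to act on that monitoring advice against the logging-daemon tampering described above is to watch for ESXi hosts that go quiet on a central syslog collector and for shell activity that touches vmsyslogd. The script below is an added example, not Sygnia's or the article's tooling; it assumes ESXi hosts forward logs to a collector, and the line format, host names and timestamps are constructed.

```python
"""Flag ESXi hosts that stop forwarding logs, and shell commands that touch
the syslog daemon. Constructed sample data; not real telemetry."""
from datetime import datetime, timedelta

# Constructed collector lines (assumed format): "<ISO timestamp> <host> <process>: <msg>".
# Hosts esxi-01 and esxi-02 are hypothetical.
SAMPLE_LOG = """\
2025-03-01T10:00:00Z esxi-01 Hostd: [info] task completed
2025-03-01T10:00:05Z esxi-02 Hostd: [info] task completed
2025-03-01T10:01:00Z esxi-01 vpxa: heartbeat
2025-03-01T10:02:10Z esxi-02 shell: [root]: /etc/init.d/vmsyslogd stop
2025-03-01T10:30:00Z esxi-01 vpxa: heartbeat
2025-03-01T11:00:00Z esxi-01 Hostd: [info] task completed
"""


def parse_line(line):
    """Split one collector line into (timestamp, host, remainder)."""
    ts_s, host, rest = line.split(" ", 2)
    return datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ"), host, rest


def silent_hosts(log_text, now, max_gap=timedelta(minutes=15)):
    """Hosts whose newest message is older than max_gap at time `now`.

    A host that was chatty and then falls silent is a signal on its own,
    because a disabled vmsyslogd produces no 'I stopped' message downstream."""
    last_seen = {}
    for line in filter(str.strip, log_text.splitlines()):
        ts, host, _ = parse_line(line)
        last_seen[host] = max(last_seen.get(host, ts), ts)
    return sorted(h for h, t in last_seen.items() if now - t > max_gap)


def syslog_tamper_events(log_text):
    """(host, timestamp, command) for ESXi shell entries mentioning vmsyslogd."""
    hits = []
    for line in filter(str.strip, log_text.splitlines()):
        ts, host, rest = parse_line(line)
        if rest.startswith("shell:") and "vmsyslogd" in rest:
            hits.append((host, ts, rest.split(": ", 1)[1]))
    return hits


if __name__ == "__main__":
    now = datetime(2025, 3, 1, 11, 5, 0)  # constructed evaluation time
    print("silent hosts:", silent_hosts(SAMPLE_LOG, now))
    print("syslog tampering:", syslog_tamper_events(SAMPLE_LOG))
```

In production the silence check runs periodically against each host's last-seen time, with the gap tuned to the host's normal log rate.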
“The only way to prevent nation-state hackers and other criminals from accessing infrastructure easily is by unifying identity,” Kontsevoy added. “By unifying all identities — whether human, software, hardware, or AI — companies can gain a single source of truth and complete visibility into how identities enter and move through their systems.”