Scattered Spider targets VMware ESXi in attacks on US critical sectors

A notorious cybercrime group known as Scattered Spider has launched a new wave of targeted attacks against VMware ESXi hypervisors, with a focus on organizations in the retail, airline, and transportation sectors across North America.

Scattered Spider relies on social engineering for initial access, according to Google's Mandiant team. The attackers impersonate employees in phone calls to IT help desks and manipulate support staff into resetting credentials or granting elevated access. Once inside, they abuse legitimate administrative tools and access paths rather than malware, which keeps their activity hard to distinguish from routine administration.

The group, also tracked as 0ktapus, Muddled Libra, and UNC3944, uses a multi-phase attack strategy that starts with reconnaissance and privilege escalation. After gathering internal documentation and administrator credentials, often pulled from secrets managers such as HashiCorp Vault or other Privileged Access Management (PAM) solutions, the attackers pivot into the victim's virtual environment, targeting VMware's vSphere platform.

“To maintain their foothold, they upload and execute teleport, a legitimate open source remote access tool, to create a persistent and encrypted reverse shell (C2 channel) that bypasses most firewall egress rules,” the researchers explained.

From vCenter, the threat actor enables SSH access on the ESXi hosts and resets their root passwords. The intruders then perform an offline attack by locating a Domain Controller (DC) virtual machine, powering it off, and detaching its virtual disk (.vmdk). The disk is mounted as a secondary drive to an orphaned or forgotten VM under the attackers’ control. From this unmonitored system, they extract the NTDS.dit Active Directory database.

Once the data is copied, the process is reversed: the disk is reattached to the DC, which is then powered back on, leaving no immediate signs of compromise.

The stolen data is exfiltrated in two stages: first, it's transferred internally from the orphaned VM to the compromised vCenter Server Appliance (VCSA) via SFTP. Then, it's sent externally through an established Teleport C2 channel to a threat actor-controlled cloud service.
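The disk-swap sequence described above (SSH enabled and root password reset on the host, the DC powered off, its .vmdk detached and attached to another VM, that VM powered on) leaves a recognizable trail in vCenter's event stream. The following script is an added illustration, not code from the article or from Mandiant's report: it correlates those events and flags any VM that attaches a virtual disk living in another VM's datastore folder. The JSON event lines are constructed for this example, and the event names (`VmReconfigured`, `VmPoweredOff`, `SshEnabled`, `RootPasswordChanged`) and field names are a simplified stand-in for real vCenter event types, so the parser has to be adapted to whatever your SIEM ingests.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events in a simplified JSON-lines format. Event and field
# names are assumptions for this example, not real vCenter/ESXi event identifiers.
SAMPLE_EVENTS = """
{"ts": "2025-07-20T01:55:10Z", "event": "SshEnabled", "host": "esx01", "user": "administrator@vsphere.local"}
{"ts": "2025-07-20T01:56:02Z", "event": "RootPasswordChanged", "host": "esx01", "user": "administrator@vsphere.local"}
{"ts": "2025-07-20T02:10:05Z", "event": "VmPoweredOff", "vm": "DC01", "host": "esx01", "user": "administrator@vsphere.local"}
{"ts": "2025-07-20T02:12:40Z", "event": "VmReconfigured", "vm": "DC01", "host": "esx01", "user": "administrator@vsphere.local", "disk_removed": "[ds01] DC01/DC01.vmdk"}
{"ts": "2025-07-20T02:13:15Z", "event": "VmReconfigured", "vm": "old-test-vm", "host": "esx01", "user": "administrator@vsphere.local", "disk_added": "[ds01] DC01/DC01.vmdk"}
{"ts": "2025-07-20T02:13:30Z", "event": "VmPoweredOn", "vm": "old-test-vm", "host": "esx01", "user": "administrator@vsphere.local"}
{"ts": "2025-07-20T03:40:00Z", "event": "VmReconfigured", "vm": "DC01", "host": "esx01", "user": "administrator@vsphere.local", "disk_added": "[ds01] DC01/DC01.vmdk"}
{"ts": "2025-07-20T03:41:00Z", "event": "VmPoweredOn", "vm": "DC01", "host": "esx01", "user": "administrator@vsphere.local"}
{"ts": "2025-07-20T09:00:00Z", "event": "VmReconfigured", "vm": "web02", "host": "esx02", "user": "ops@corp.local", "disk_added": "[ds02] web02/web02_1.vmdk"}
"""

HOST_PREP_EVENTS = ("SshEnabled", "RootPasswordChanged")


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def vmdk_owner(path):
    """Return the datastore folder a vmdk lives in, e.g. '[ds01] DC01/DC01.vmdk' -> 'DC01'.

    By vSphere convention a VM's files live in a folder named after the VM, so the
    folder is a cheap proxy for which VM the disk belongs to. None if unparsable.
    """
    try:
        _, rel = path.split("] ", 1)
    except ValueError:
        return None
    parts = rel.split("/")
    return parts[0] if len(parts) > 1 else None


def detect_disk_swaps(events, window=timedelta(hours=1)):
    """Flag VMs that attach a disk from another VM's folder, and enrich the finding
    with what else happened on that host in the preceding window."""
    findings = []
    for ev in events:
        if ev.get("event") != "VmReconfigured" or "disk_added" not in ev:
            continue
        owner = vmdk_owner(ev["disk_added"])
        if owner is None or owner == ev["vm"]:
            continue  # disk is in the attaching VM's own folder: ordinary reconfigure
        indicators = ["disk from folder %s attached to %s" % (owner, ev["vm"])]
        start = ev["ts"] - window
        for prior in events:
            if prior["ts"] < start or prior["ts"] > ev["ts"]:
                continue
            if prior["event"] == "VmPoweredOff" and prior.get("vm") == owner:
                indicators.append("source VM %s powered off %s before attach" % (owner, ev["ts"] - prior["ts"]))
            elif prior["event"] == "VmReconfigured" and prior.get("disk_removed") == ev["disk_added"]:
                indicators.append("same disk detached from %s" % prior["vm"])
            elif prior["event"] in HOST_PREP_EVENTS and prior.get("host") == ev.get("host"):
                indicators.append("%s on host %s" % (prior["event"], prior["host"]))
        findings.append({
            "ts": ev["ts"],
            "vm": ev["vm"],
            "source_vm": owner,
            "disk": ev["disk_added"],
            "user": ev.get("user"),
            # A lone cross-folder attach is worth a look; with the source VM powered
            # off and host prep in the same window it matches the offline NTDS.dit theft.
            "severity": "high" if len(indicators) > 1 else "medium",
            "indicators": indicators,
        })
    return findings


if __name__ == "__main__":
    for f in detect_disk_swaps(parse_events(SAMPLE_EVENTS)):
        print(f["ts"], f["severity"], f["vm"], "<-", f["disk"])
        for i in f["indicators"]:
            print("   ", i)
```

Two caveats when turning this into a real detection. First, the folder heuristic also fires on legitimate hot-add operations such as backup proxies mounting other VMs' disks, so allow-list those proxy VMs rather than the event. Second, in this intrusion vCenter itself is attacker-controlled, so the events must already be forwarded to a log system outside vSphere before the attack; querying vCenter after the fact trusts a source the attacker could have cleaned.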

Recent analysis from Palo Alto Networks’ Unit 42 revealed that Scattered Spider has teamed up with DragonForce, a ransomware-as-a-service (RaaS) operation run by the Slippery Scorpius group, since at least April 2025. In one instance, over 100 gigabytes of data were exfiltrated within two days before systems were encrypted using DragonForce ransomware.

Separately, cybersecurity firm Sygnia recently reported that a China-linked cyber-espionage group it tracks as "Fire Ant" is targeting virtualization infrastructure globally, compromising VMware ESXi hypervisors in enterprise networks. The campaign uses custom tools to maintain long-term access while evading standard security controls, and its tradecraft resembles that of the known China-linked group UNC3886.
