
New ESXi persistence technique

Updated on 2022-09-30

Mandiant discovered new espionage-related malware families, VIRTUALPITA and VIRTUALPIE, targeting VMware ESXi, Windows virtual machines, and Linux vCenter servers to gain persistent administrative access. Read more: Bad VIB(E)s Part One: Investigating Novel Malware Persistence Within ESXi Hypervisors

Overview

Mandiant discovered a new persistence technique used against VMware ESXi systems: threat actors gained access to the servers and then installed malicious vSphere Installation Bundles (VIBs). These VIBs deployed the VIRTUALPITA and VIRTUALPIE backdoors at the hypervisor level, allowing the threat actor to run commands on all hosted guest operating systems.

Mandiant has begun tracking this activity as UNC3886. Given the highly targeted and evasive nature of this intrusion, we suspect UNC3886's motivation to be cyber espionage. Additionally, we assess with low confidence that UNC3886 has a China nexus. Read more: Bad VIB(E)s Part One: Investigating Novel Malware Persistence Within ESXi Hypervisors
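A defender-side check that follows from the technique above, added here as an example and not part of the original post or Mandiant's tooling: it parses the table printed by `esxcli software vib list` (the sample output below is constructed) and reports bundles whose acceptance level is below the host's configured level, whose vendor is not one of the strings assumed here for VMware's own bundles, or whose install date differs from the base image's.

```python
from collections import Counter

# Constructed sample of `esxcli software vib list` output (not a real capture).
SAMPLE_VIB_LIST = """\
Name        Version                            Vendor   Acceptance Level    Install Date
----------  ---------------------------------  -------  ------------------  ------------
esx-base    7.0.3-0.35.19482537                VMware   VMwareCertified     2022-03-01
lpfc        12.8.298.3-2vmw.703.0.20.19193900  VMW      VMwareCertified     2022-03-01
esx-ui      1.34.8-18567587                    VMware   VMwareCertified     2022-03-01
acme-agent  1.0.0-1                            Acme     PartnerSupported    2022-03-01
sys-helper  1.0-1                              unknown  CommunitySupported  2022-09-14
"""

# Acceptance levels from most to least trusted. A VIB below the host's
# configured level can only be installed by lowering that level or forcing.
ACCEPTANCE_RANK = {"VMwareCertified": 0, "VMwareAccepted": 1,
                   "PartnerSupported": 2, "CommunitySupported": 3}
# Assumption: the vendor strings VMware uses for its own bundles.
TRUSTED_VENDORS = {"VMware", "VMW"}
FIELDS = ("name", "version", "vendor", "acceptance", "install_date")


def parse_vib_list(text: str) -> list[dict]:
    """Parse the whitespace-separated table, skipping the two header rows."""
    rows = (line.split() for line in text.splitlines()[2:])
    return [dict(zip(FIELDS, r)) for r in rows if len(r) == len(FIELDS)]


def review_vibs(vibs: list[dict], host_level: str = "PartnerSupported") -> dict:
    """Return {vib name: reasons} for bundles that deserve a closer look."""
    host_rank = ACCEPTANCE_RANK[host_level]
    # Baseline date is the one most VIBs share (the base image install).
    baseline = Counter(v["install_date"] for v in vibs).most_common(1)[0][0]
    findings = {}
    for v in vibs:
        reasons = []
        rank = ACCEPTANCE_RANK.get(v["acceptance"])
        if rank is None:
            reasons.append(f"unknown acceptance level {v['acceptance']}")
        elif rank > host_rank:
            reasons.append(f"{v['acceptance']} is below host level {host_level}")
        if v["vendor"] not in TRUSTED_VENDORS:
            reasons.append(f"third-party vendor {v['vendor']}")
        if v["install_date"] != baseline:
            reasons.append(f"installed {v['install_date']}, baseline is {baseline}")
        if reasons:
            findings[v["name"]] = reasons
    return findings
```

Legitimate third-party drivers will also be reported, so treat the output as a review list to compare against the host's expected image rather than as a verdict.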
