ESXi ransomware attacks use SSH tunnels to avoid detection

Pierluigi Paganini January 27, 2025

Threat actors behind ESXi ransomware attacks target virtualized environments using SSH tunneling to avoid detection.

Researchers at cybersecurity firm Sygnia warn that threat actors behind ESXi ransomware attacks target virtualized environments using SSH tunneling to avoid detection.

Ransomware groups are exploiting unmonitored ESXi appliances to persist and access corporate networks. They use “living-off-the-land” techniques, leveraging native tools like SSH to create undetected SOCKS tunnels for communication with C2 servers.

The researcher reported that in many cases, attackers compromised the ESXi appliances either by using administrative credentials or by exploiting a known vulnerability to bypass the authentication.

Once gained access to the device, attackers set up the tunneling using the native SSH functionality or by deploying other common tools with similar capabilities.

ESXi appliances’ resilience makes them ideal for tunneling, providing a semi-persistent backdoor within the network.

ESXi appliances splits logs into multiple files by activity, complicating forensic investigations and monitoring activities. Configuring log forwarding is essential to streamline monitoring and centralize event capture.

“While ESXi does support a few third-party monitoring or telemetry agents, such tools are limited in availability. As a more comprehensive and cost-effective solution, configuring syslog forwarding from the ESXi server to an external syslog server can solve the issue. This setup enables centralized monitoring of all activities within the ESXi server and serves as a means of log retention.” reads the Sygnia report.

“The following key log files are the most important ESXi telemetry files that will often assist with detecting and investigating an attack using SSH tunneling techniques on the appliance:

/var/log/vobd.log (VMware observer daemon log) “
/var/log/shell.log (ESXi shell activity log)
/var/log/hostd.log (Host agent log)
/var/log/auth.log (authentication log) “

The report provided multiple examples of common activities and messages found in ESXi syslog files that might be associated to malicious activity.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, ESXi ransomware attacks)

Pierluigi Paganini September 17, 2025

Microsoft and Cloudflare teamed up to dismantle the RaccoonO365 phishing service

Pierluigi Paganini September 17, 2025