China-linked group Fire Ant exploits VMware and F5 flaws since early 2025

Pierluigi Paganini July 28, 2025

China-linked group Fire Ant exploits VMware and F5 flaws to stealthily breach secure systems, reports cybersecurity firm Sygnia.

China-linked cyberespionage group Fire Ant is exploiting VMware and F5 vulnerabilities to stealthily access secure, segmented systems, according to Sygnia.

Since early 2025, the group has targeted virtualization and networking infrastructure, primarily VMware ESXi and vCenter environments.

The threat actor used stealthy, layered attack chains to access restricted networks thought to be isolated.

“The attacker demonstrated a high degree of persistence and operational maneuverability, operating through eradication efforts, adapting in real time to eradication and containment actions to maintain access to the compromised infrastructure.” reads the report published by Sygnia. “Sygnia identified tooling and techniques that closely align with prior campaigns attributed to UNC3886. Technical overlaps include specific binaries and exploitation of vCenter and ESXi vulnerabilities as well as targeted verticals.”

Fire Ant gained deep control over VMware ESXi and vCenter servers, using unauthenticated host-to-guest commands and credential theft to reach guest environments. The group bypassed network segmentation by compromising network appliances and tunneling through legitimate paths. As containment efforts evolved, Fire Ant adapted with toolset changes, persistent backdoors, and network manipulation. The campaign was uncovered through a vmtoolsd.exe anomaly that pointed to host-based injection and led to the discovery of a broader, stealthy cyberespionage operation.

In some cases, the attack chain started with the exploitation of the critical vCenter Server vulnerability CVE-2023-34048, which allowed the attackers to gain unauthenticated remote code execution and take over the virtualization management layer.

vCenter Server is a critical component in VMware virtualization and cloud computing software suite. It serves as a centralized and comprehensive management platform for VMware’s virtualized data centers.

The vulnerability CVE-2023-34048 (CVSS score 9.8) is an out-of-bounds write vulnerability in the implementation of the DCERPC protocol.

Once vCenter was compromised, Fire Ant moved laterally to ESXi hosts using stolen vpxuser credentials and deployed persistent backdoors. With hypervisor control, the group reached the guest VMs and exploited CVE-2023-20867, a VMware Tools authentication bypass, to run commands inside guests without guest credentials. The attackers also disabled security tools and extracted credentials from memory snapshots, including snapshots of domain controllers.

“As 'vpxuser' is used by vCenter for core management tasks, it is exempt from lockdown mode restrictions. This allowed the threat actor to retain host-level access even when direct logins were disabled, gaining control over all connected ESXi hosts.” continues the report. “The threat actor deployed a persistent backdoor binary on vCenter servers across the environment named 'ksmd', located at '/usr/libexec/setconf/ksmd'. The binary was configured to listen on TCP port 7475 and enabled remote command execution and file operations.

The backdoor was deployed immediately after a remote login event and remained active across system reboots.”
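The vpxuser abuse and the 'ksmd' listener described above lend themselves to two host-side checks. The following Python is an added example, not tooling from Sygnia's report: it parses 'ss -ltnp' output from a vCenter appliance against a known-good baseline of (port, process) pairs, and scans ESXi log lines for vpxuser logins that vCenter itself would never generate (vCenter drives hosts through the hostd API, never over SSH, and always from its own address). The 'ss' output, the baseline, the vCenter address and the log lines are all constructed, and the ESXi log formats are approximations of auth.log and hostd.log lines.

```python
"""Hunt for the vCenter/ESXi persistence pattern described above.

Added example, not Sygnia's tooling.  Two checks:
  1. unexpected TCP listeners on the vCenter appliance (Photon OS), parsed from
     `ss -ltnp` output and compared with a known-good (port, process) baseline;
  2. 'vpxuser' logins on ESXi hosts that arrive over SSH, or from an address
     that is not the vCenter server.
All sample output, log lines and the baseline are constructed; the ESXi log
formats below are approximations of auth.log / hostd.log lines.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    proc: str
    pid: int


# One `ss -ltnp` row: State Recv-Q Send-Q Local:Port Peer:Port users:(("name",pid=N,fd=M),...)
_SS_ROW = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)'
)


def parse_ss_listeners(text):
    """Parse `ss -ltnp` output into Listener records (header and blank lines skipped)."""
    out = []
    for line in text.splitlines():
        m = _SS_ROW.match(line.strip())
        if m:
            out.append(Listener(m["addr"], int(m["port"]), m["proc"], int(m["pid"])))
    return out


def unexpected_listeners(listeners, baseline, known_bad_ports=frozenset({7475})):
    """Listeners not in the (port, process) baseline, or on a known-bad port.
    Indicator from the report: a process named 'ksmd' listening on TCP 7475."""
    return [l for l in listeners
            if (l.port, l.proc) not in baseline or l.port in known_bad_ports]


_SSH_ACCEPT = re.compile(r'sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)')
_HOSTD_LOGIN = re.compile(r'User (?P<user>[^@\s]+)@(?P<src>\S+) logged in')


def vpxuser_anomalies(log_lines, vcenter_addrs):
    """Flag vpxuser authentication that vCenter itself would never produce."""
    findings = []
    for line in log_lines:
        m = _SSH_ACCEPT.search(line)
        if m and m["user"] == "vpxuser":
            findings.append(("vpxuser over SSH", m["src"], line))
            continue
        m = _HOSTD_LOGIN.search(line)
        if m and m["user"] == "vpxuser" and m["src"] not in vcenter_addrs:
            findings.append(("vpxuser API login from non-vCenter address", m["src"], line))
    return findings


# ---- constructed sample data --------------------------------------------------
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=811,fd=3))
LISTEN 0      4096   127.0.0.1:5432      0.0.0.0:*         users:(("postgres",pid=1203,fd=6))
LISTEN 0      4096   *:443               *:*               users:(("envoy",pid=1402,fd=12),("envoy",pid=1403,fd=12))
LISTEN 0      4096   *:7475              *:*               users:(("ksmd",pid=30211,fd=5))
"""
# Known-good (port, process) pairs, as captured from a clean appliance of the same build.
BASELINE = {(22, "sshd"), (5432, "postgres"), (443, "envoy")}
VCENTER_ADDRS = {"10.0.0.5"}
SAMPLE_ESXI_LOG = """\
2025-03-02T08:14:21Z In(14) sshd[2210123]: Accepted keyboard-interactive/pam for root from 10.0.0.20 port 50112 ssh2
2025-03-02T08:15:03Z In(14) sshd[2210140]: Accepted keyboard-interactive/pam for vpxuser from 10.0.0.99 port 50211 ssh2
2025-03-02T08:15:40Z In(166) Hostd: info hostd[2098912] [Originator@6876 sub=Vimsvc.ha-eventmgr] Event 310 : User vpxuser@10.0.0.5 logged in as VMware-client/8.0.3
2025-03-02T08:16:02Z In(166) Hostd: info hostd[2098912] [Originator@6876 sub=Vimsvc.ha-eventmgr] Event 311 : User vpxuser@10.0.0.99 logged in as pyvmomi Python/3.11
"""

if __name__ == "__main__":
    for l in unexpected_listeners(parse_ss_listeners(SAMPLE_SS), BASELINE):
        print(f"[listener] {l.proc} (pid {l.pid}) on {l.addr}:{l.port} is not in the baseline")
    for why, src, line in vpxuser_anomalies(SAMPLE_ESXI_LOG.splitlines(), VCENTER_ADDRS):
        print(f"[vpxuser] {why} from {src}: {line}")
```

The baseline is the important part: a listener is only suspicious relative to what a clean appliance of the same build exposes, so capture it before an incident rather than guessing at it during one. The vpxuser rule is deliberately absolute for SSH, because that account exists for vCenter's API sessions and has no legitimate interactive use.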

Fire Ant achieved full-stack compromise, maintaining covert access to guest OSes via the hypervisor and bypassing segmentation through trusted systems.

The cyberespionage group compromised F5 load balancers by exploiting CVE-2022-1388 in the iControl REST API. An unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses can exploit the flaw to execute arbitrary system commands, create or delete files, or disable services. The attackers exploited the vulnerability to deploy a staging webshell at '/usr/local/www/xui/common/css/css.php'.

The attackers then used that staging webshell to drop additional webshells in the '/xui/common/css/' directory. One of these, a tunneling webshell, bridged the networks connected to the load balancer.
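Two checks follow from the F5 compromise path described in the two paragraphs above. The Python below is an added example, not code from Sygnia or F5. The first function recognises a CVE-2022-1388 exploitation attempt in a request that reaches the management plane; the signature it uses (a Connection header that names X-F5-Auth-Token, so the front end strips the token header and the back end honours Basic credentials for 'admin') is taken from F5's advisory K23605346 and public analyses, not from this page. The second function hunts for script files dropped into the XUI stylesheet directory the report names, which should hold only static assets. The sample requests and the temporary directory tree are constructed.

```python
"""Two checks for the F5 BIG-IP compromise path described above.

Added example, not Sygnia's or F5's code.
  1. icontrol_bypass_reason(): spot a CVE-2022-1388 exploitation attempt.  The
     signature comes from F5 advisory K23605346 and public analyses: a
     Connection header listing X-F5-Auth-Token makes the front end drop that
     header, and the back end then trusts Basic credentials for 'admin'.
  2. find_webshells(): hunt for scripts under the static directory the report
     names (/usr/local/www/xui/common/css/), which should hold only assets.
Sample requests and the temporary directory tree are constructed.
"""
import base64
import os
import tempfile

MGMT_PREFIX = "/mgmt/"
RCE_ENDPOINT = "/mgmt/tm/util/bash"   # iControl REST endpoint that runs shell commands on the appliance


def icontrol_bypass_reason(method, path, headers):
    """Reason string when the request carries the CVE-2022-1388 bypass signature, else None."""
    h = {k.lower(): v for k, v in headers.items()}
    if not path.startswith(MGMT_PREFIX):
        return None
    conn_tokens = {t.strip().lower() for t in h.get("connection", "").split(",")}
    if "x-f5-auth-token" not in conn_tokens:
        return None   # token header passed through: ordinary authenticated REST traffic
    reason = "Connection header asks to drop X-F5-Auth-Token on a /mgmt/ request"
    auth = h.get("authorization", "")
    if auth[:6].lower() == "basic ":
        try:
            user = base64.b64decode(auth[6:], validate=True).split(b":", 1)[0]
        except ValueError:
            user = b""
        if user == b"admin":
            reason += "; Basic auth as admin"
    if method.upper() == "POST" and path.rstrip("/") == RCE_ENDPOINT:
        reason += "; targets util/bash (command execution)"
    return reason


# File types that belong in a stylesheet/asset directory; anything else is a finding.
STATIC_OK = {".css", ".map", ".woff", ".woff2", ".ttf", ".eot", ".svg", ".png", ".gif", ".jpg", ".ico"}
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<%")


def find_webshells(root):
    """(relative path, reason) for every file under root that does not belong in a static asset tree."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            ext = os.path.splitext(name)[1].lower()
            if ext not in STATIC_OK:
                findings.append((rel, f"unexpected file type {ext or '(none)'}"))
                continue
            with open(full, "rb") as fh:      # an allowed extension can still hide a script
                head = fh.read(8192)
            if any(m in head for m in SCRIPT_MARKERS):
                findings.append((rel, "script marker inside a static asset"))
    return sorted(findings)


def demo_webshell_scan():
    """Build a constructed copy of the css directory in a temp dir, scan it, return flagged paths."""
    files = {
        "xui.css": b"body { margin: 0 }\n",
        "css.php": b"<?php echo 'staging'; ?>\n",             # constructed stand-in for the staging webshell
        "theme.css": b"/* theme */\n<?php echo 'x'; ?>\n",    # script hidden behind a stylesheet name
        "fonts/icons.woff2": b"wOF2",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in files.items():
            p = os.path.join(tmp, rel)
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as fh:
                fh.write(data)
        return [rel for rel, _ in find_webshells(tmp)]


SAMPLE_REQUESTS = [   # constructed
    ("POST", "/mgmt/tm/util/bash", {"Host": "bigip.example.internal",
                                    "Connection": "keep-alive, X-F5-Auth-Token",
                                    "X-F5-Auth-Token": "a",
                                    "Authorization": "Basic YWRtaW46"}),   # base64("admin:")
    ("GET", "/mgmt/tm/sys/version", {"Connection": "keep-alive", "X-F5-Auth-Token": "valid-token"}),
]

if __name__ == "__main__":
    for method, path, headers in SAMPLE_REQUESTS:
        print(method, path, "->", icontrol_bypass_reason(method, path, headers))
    print("webshell candidates:", demo_webshell_scan())
```

The request check only works where the full header set is visible (a WAF, reverse proxy or packet capture in front of the management interface), because BIG-IP's own access log does not record the Connection header. The file scan is cheap enough to run from cron against the real '/usr/local/www/xui/common/css/' path; note that the second constructed sample is flagged by content, not by name, which is the case a name-only rule misses.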

“To maintain long-term access across the environment, the threat actor established stealthy persistence on key Linux pivot points by deploying a variant of the open-source Medusa rootkit. (https://github.com/ldpreload/Medusa/tree/main)” continues the report. “The Medusa rootkit enables an interactive shell and logs SSH credentials to a file named ‘remote.txt’, supporting both a backdoor to the compromised device and a credential harvesting mechanism.”
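Medusa is an LD_PRELOAD rootkit: it lives in a shared object that the dynamic loader injects into every process, and it hooks libc functions such as readdir to hide its own files. The Python below is an added example of how to hunt for that class of persistence on a Linux pivot host; it is not Sygnia's tooling and the rootkit path, environment blob and directory tree it uses are constructed placeholders. It lists the objects named in /etc/ld.so.preload or in a process's LD_PRELOAD, compares a directory listing taken with the raw getdents64 syscall against the one libc returns (a divergence means something is filtering readdir), and searches for the 'remote.txt' credential log using the raw listing so that a hooked readdir cannot hide it. The raw syscall path assumes Linux on x86_64, aarch64 or i386; elsewhere the walk falls back to os.listdir and the hidden-entry check reports that it could not run.

```python
"""Hunt for an LD_PRELOAD rootkit such as Medusa on a Linux pivot host.

Added example, not the report's tooling.
  preload_entries / env_ld_preload : objects injected via /etc/ld.so.preload or LD_PRELOAD
  hidden_entries   : names the kernel (getdents64) reports but libc's readdir omits
  find_files_named : search for the credential log ('remote.txt') via the raw listing
The raw syscall needs Linux on x86_64/aarch64/i386; elsewhere the walk falls back to
os.listdir and hidden_entries() returns None.  All samples are constructed placeholders.
"""
import ctypes
import os
import platform
import struct
import sys
import tempfile


def preload_entries(preload_text):
    """Shared objects listed in /etc/ld.so.preload; a clean host lists none."""
    lines = (ln.strip() for ln in preload_text.splitlines())
    return [ln for ln in lines if ln and not ln.startswith("#")]


def env_ld_preload(environ_blob):
    """LD_PRELOAD value in a /proc/<pid>/environ blob (NUL-separated), or None."""
    for item in environ_blob.split(b"\0"):
        if item.startswith(b"LD_PRELOAD="):
            return item.split(b"=", 1)[1].decode(errors="replace")
    return None


_GETDENTS64_NR = {"x86_64": 217, "aarch64": 61, "i386": 220, "i686": 220}
_DIRENT64_HDR = struct.Struct("<QqHB")   # d_ino, d_off, d_reclen, d_type; d_name follows


def raw_listdir(path):
    """Entry names via getdents64(2), bypassing libc's readdir.  None if unsupported here."""
    nr = _GETDENTS64_NR.get(platform.machine())
    if nr is None or not sys.platform.startswith("linux"):
        return None
    libc = ctypes.CDLL(None, use_errno=True)
    libc.syscall.restype = ctypes.c_long
    buf = ctypes.create_string_buffer(64 * 1024)
    names = set()
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY)
    try:
        while True:
            n = libc.syscall(ctypes.c_long(nr), ctypes.c_int(fd), buf, ctypes.c_size_t(len(buf)))
            if n < 0:
                raise OSError(ctypes.get_errno(), "getdents64 failed")
            if n == 0:
                break
            data, off = buf.raw[:n], 0
            while off < n:                       # walk the packed linux_dirent64 records
                _ino, _doff, reclen, _dtype = _DIRENT64_HDR.unpack_from(data, off)
                name = data[off + _DIRENT64_HDR.size:off + reclen].split(b"\0", 1)[0]
                if name not in (b".", b".."):
                    names.add(os.fsdecode(name))
                off += reclen
    finally:
        os.close(fd)
    return names


def hidden_entries(path):
    """Names in the kernel listing but missing from libc's; set() is clean, None means check unavailable."""
    raw = raw_listdir(path)
    return None if raw is None else raw - set(os.listdir(path))


def _names(path):
    raw = raw_listdir(path)
    return raw if raw is not None else set(os.listdir(path))


def find_files_named(root, target):
    """Relative paths of every regular file called `target` below root (raw listing, no symlink descent)."""
    hits, stack = [], [root]
    while stack:
        d = stack.pop()
        for name in sorted(_names(d)):
            p = os.path.join(d, name)
            if os.path.isdir(p) and not os.path.islink(p):
                stack.append(p)
            elif name == target and os.path.isfile(p):
                hits.append(os.path.relpath(p, root))
    return sorted(hits)


# ---- constructed samples -----------------------------------------------------
SAMPLE_PRELOAD = "# /etc/ld.so.preload\n/usr/local/lib/libexample_rootkit.so\n"
SAMPLE_ENVIRON = b"PATH=/usr/bin:/bin\0LD_PRELOAD=/usr/local/lib/libexample_rootkit.so\0HOME=/root\0"


def _plant_tree(tmp):
    for rel in ("var/tmp/.cache/remote.txt", "etc/hosts"):
        p = os.path.join(tmp, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w") as fh:
            fh.write("constructed\n")


def demo_credential_log_search():
    with tempfile.TemporaryDirectory() as tmp:
        _plant_tree(tmp)
        return find_files_named(tmp, "remote.txt")


def demo_hidden_entries():
    with tempfile.TemporaryDirectory() as tmp:
        _plant_tree(tmp)
        return hidden_entries(tmp)


if __name__ == "__main__":
    print("ld.so.preload:", preload_entries(SAMPLE_PRELOAD))
    print("LD_PRELOAD in environ:", env_ld_preload(SAMPLE_ENVIRON))
    print("hidden entries in temp tree:", demo_hidden_entries())
    print("credential logs:", demo_credential_log_search())
```

Run the real checks against '/etc/ld.so.preload', each '/proc/<pid>/environ', and the directories a pivot host's SSH service and the suspected operator paths live in. The comparison is meaningful only because Python's os.listdir goes through libc's readdir while raw_listdir does not; a rootkit that hooks the syscall layer itself (a kernel module) would fool both, which is why this check complements rather than replaces a boot from clean media.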

Fire Ant showed strong resistance to removal, re-entering systems via backup access paths and adapting tools to evade detection. They studied defenders’ actions, altered tactics, and even disguised malware as forensic tools.

“While Sygnia refrains from conclusive attribution, multiple aspects of Fire Ant’s campaign and most notably its unique tool set and attack vector targeting the VMware virtualization infrastructure strongly align with previous research on the threat group UNC3886.” concludes the report. “The active working hours of the threat group throughout the incidents and minor input errors observed during command execution aligned with Chinese-language keyboard layouts, consistent with prior regional activity indicators.”
