Pierluigi Paganini
July 28, 2025
China-linked cyberespionage group Fire Ant is exploiting VMware and F5 vulnerabilities to stealthily access secure, segmented systems, according to Sygnia.
Since early 2025, the group has targeted virtualization and networking infrastructure, primarily VMware ESXi and vCenter environments.
The threat actor used stealthy, layered attack chains to access restricted networks thought to be isolated.
“The attacker demonstrated a high degree of persistence and operational maneuverability, operating through eradication efforts, adapting in real time to eradication and containment actions to maintain access to the compromise infrastructure.” reads the report published by Sygnia. “Sygnia identified tooling and techniques that closely align with prior campaigns attributed to UNC3886. Technical overlap including specific binaries and exploitation of vCenter and ESXi vulnerabilities as well as targeted verticals.”
Fire Ant gained deep control over VMware ESXi and vCenter servers, using unauthenticated host-to-guest commands and credential theft to access guest environments. The group was able to bypass network segmentation by compromising appliances and tunneling through legitimate paths. Fire Ant adapts its strategy to the evolution of containment efforts via toolset changes, persistent backdoors, and network manipulation. The campaign was uncovered through a vmtoolsd.exe anomaly, pointing to host-based injection and leading to the discovery of a broader, stealthy cyberespionage operation.
In some cases, the attack chain started with the exploitation of the critical vCenter Server vulnerability CVE-2023-34048, which allowed the attackers to gain unauthenticated remote code execution and take over the virtualization management layer.
vCenter Server is a critical component in VMware virtualization and cloud computing software suite. It serves as a centralized and comprehensive management platform for VMware’s virtualized data centers.
The vulnerability CVE-2023-34048 (CVSS score 9.8) is an out-of-bounds write vulnerability in the implementation of the DCERPC protocol.
Once compromised the vCenter, Fire Ant moved laterallyto ESXi hosts using stolen vpxuser credentials, deploying persistent backdoors. With hypervisor control, they accessed guest VMs, exploited CVE-2023-20867 to run commands without credentials. The attackers also disabled security tools, and extracted credentials from memory snapshots, including domain controllers.
“As ‘vpxuser’ is used by vCenter for core management tasks, it is exempt from lockdown mode restrictions. This allowed the threat actor to retain host-level access even when direct logins were disabled, gaining control over all connected ESXi hosts.” continues the report. “The threat actor deployed a persistent backdoor binary on vCenter servers across the environment named ‘ksmd‘, located at ‘/usr/libexec/setconf/ksmd’. The binary was configured to listen on TCP port 7475 and enabled remote command execution and file operations.
The backdoor was deployed immediately after a remote login event and remained active across system reboots.”
Fire Ant achieved full-stack compromise, maintaining covert access to guest OSes via the hypervisor and bypassing segmentation through trusted systems.
The cyberespionage group compromised F5 load balancers by exploiting the flaw CVE-2022-1388 in the iControlREST API. An unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses can exploit the CVE-2022-1388 flaw to execute arbitrary system commands, create or delete files, or disable services. Attackers exploited the vulnerability to deploy a staging webshell to ‘usr/local/www/xui/common/css/css.php‘
Then attackers used the deployed webshell to deploy additional webshells in the ‘/xui/common/css/’ directory. One of these webshells, a tunneling webshell, enabled bridging between networks connected to the load balancer.
“To maintain long-term access across the environment, the threat actor established stealthy persistence on key Linux pivot points by deploying a variant of the open-source Medusa rootkit. (https://github.com/ldpreload/Medusa/tree/main)” continues the report. “The Medusa rootkit enables an interactive shell and logs SSH credentials to a file named ‘remote.txt’, supporting both a backdoor to the compromised device and a credential harvesting mechanism.”
Fire Ant showed strong resistance to removal, re-entering systems via backup access paths and adapting tools to evade detection. They studied defenders’ actions, altered tactics, and even disguised malware as forensic tools.
“While Sygnia refrains from conclusive attribution, multiple aspects of Fire Ant’s campaign and most notably its unique tool set and attack vector targeting the VMware virtualization infrastructure strongly align with previous research on the threat group UNC3886.” concludes the report. “The active working hours of the threat group throughout the incidents and minor input errors observed during command execution aligned with Chinese-language keyboard layouts, consistent with prior regional activity indicators.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, VMware)
Pierluigi Paganini
September 24, 2025
