Fire Ant Hackers Exploiting Vulnerabilities in VMware ESXi and vCenter
A sophisticated espionage campaign dubbed “Fire Ant” demonstrates previously unknown capabilities in compromising VMware virtualization infrastructure.
Since early 2025, this threat actor has systematically targeted VMware ESXi hosts, vCenter servers, and network appliances using hypervisor-level techniques that evade traditional endpoint security solutions.
The campaign exhibits strong technical overlap with the previously identified UNC3886 threat group, employing critical vulnerabilities and custom malware to maintain persistent, stealthy access to organizational networks.
Key Takeaways
1. Fire Ant exploits critical VMware ESXi and vCenter flaws for undetected hypervisor-level access.
2. Deploys stealth backdoors and disables logging to maintain persistent control.
3. Tunnels via compromised infrastructure to bypass network segmentation and reach isolated assets.
Advanced VMware Infrastructure Exploitation Techniques
Sygnia reports that Fire Ant’s initial attack vector leverages CVE-2023-34048, an out-of-bounds write vulnerability in vCenter Server’s DCERPC protocol implementation that enables unauthenticated remote code execution.
Security researchers identified suspicious crashes of the ‘vmdird’ process on vCenter servers, indicating exploitation of this critical vulnerability.
Following successful compromise, the threat actors deploy sophisticated tools, including the open-source script vCenter_GenerateLoginCookie.py, to forge authentication cookies and bypass login mechanisms.
The attackers systematically harvest vpxuser credentials – system accounts automatically created by vCenter with full administrative privileges over ESXi hosts.
This credential theft enables lateral movement across the entire virtualization infrastructure, as vpxuser accounts remain exempt from lockdown mode restrictions.
The threat actors also exploit CVE-2023-20867, a VMware Tools vulnerability that permits unauthenticated host-to-guest command execution through PowerCLI’s Invoke-VMScript cmdlet.
Persistence Capabilities and Evasion Methods
Fire Ant demonstrates remarkable persistence capabilities through multiple backdoor deployment techniques.
The group installs malicious vSphere Installation Bundles (VIBs) with acceptance levels set to ‘partner’ and deployed using the --force flag to bypass signature validation.
These unauthorized VIBs contain configuration files referencing binaries in the ‘/bin’ folder and custom scripts embedded in ‘/etc/rc.local.d/’ for startup execution.
Additionally, the attackers deploy a Python-based HTTP backdoor named autobackup.bin that binds to port 8888 and provides remote command execution capabilities.
This malware modifies ‘/etc/rc.local.d/local.sh’ on ESXi hosts for persistent execution. To further evade detection, Fire Ant terminates the vmsyslogd process, VMware’s native syslog daemon, effectively disabling both local log writing and remote log forwarding.
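The ESXi-side indicators described above (partner-level VIBs from unexpected vendors, extra startup scripts under /etc/rc.local.d/, a listener on TCP 8888, and a stopped vmsyslogd) can be checked offline from artefacts an administrator exports from a host. The following audit routine is an added example, not code from the article or from Sygnia's report; the function names, the trusted-vendor and /etc/rc.local.d/ baselines, and all sample host output are assumptions constructed for illustration.

```python
# Added example (not from the article or Sygnia): offline audit of ESXi host
# artefacts for the persistence and log-evasion indicators discussed above.
# Function names, allowlists and sample data are assumptions/constructed.
import re
from dataclasses import dataclass


@dataclass
class Finding:
    indicator: str   # which technique from the article the artefact matches
    detail: str      # the line or value that triggered the finding


# Acceptance levels below VMwareAccepted; a VIB here from an unknown vendor
# deserves review, especially if the install log shows --force.
SUSPICIOUS_LEVELS = {"PartnerSupported", "CommunitySupported"}


def _parse_table(text):
    """Parse esxcli-style output: header row, dashed separator, data rows;
    columns are separated by two or more spaces."""
    lines = [l for l in text.strip().splitlines()
             if l.strip() and not set(l.strip()) <= set("- ")]
    header = re.split(r"\s{2,}", lines[0].strip())
    return [dict(zip(header, re.split(r"\s{2,}", l.strip()))) for l in lines[1:]]


def check_vibs(vib_list_output, trusted_vendors=frozenset({"VMW", "VMware"})):
    """Flag VIBs at partner/community level whose vendor is not on the site
    allowlist (the allowlist here is an assumption; use your own inventory)."""
    out = []
    for row in _parse_table(vib_list_output):
        if row["Acceptance Level"] in SUSPICIOUS_LEVELS and row["Vendor"] not in trusted_vendors:
            out.append(Finding("unexpected partner/community VIB",
                               f"{row['Name']} {row['Version']} vendor={row['Vendor']}"))
    return out


def check_rc_local_dir(listing, baseline=frozenset({"local.sh"})):
    """Anything in /etc/rc.local.d/ beyond the stock local.sh runs at boot."""
    return [Finding("extra startup script in /etc/rc.local.d/", name)
            for name in listing if name not in baseline]


def check_local_sh(content):
    """The stock local.sh is comments plus `exit 0`; anything else is an
    added boot-time command."""
    out = []
    for line in content.splitlines():
        s = line.strip()
        if s and not s.startswith("#") and s != "exit 0":
            out.append(Finding("command added to /etc/rc.local.d/local.sh", s))
    return out


def check_listeners(conn_list_output, ports=frozenset({8888})):
    """Flag LISTEN sockets on watched ports in `esxcli network ip connection list`."""
    out = []
    for row in _parse_table(conn_list_output):
        if row.get("State") != "LISTEN":
            continue
        port = int(row["Local Address"].rsplit(":", 1)[1])
        if port in ports:
            out.append(Finding("listener on backdoor port",
                               f"{row['Local Address']} world={row.get('World Name', '?')}"))
    return out


def check_syslog(process_names):
    """No vmsyslogd means nothing is written locally or forwarded."""
    if "vmsyslogd" not in process_names:
        return [Finding("syslog daemon not running", "vmsyslogd absent from process list")]
    return []


def audit_host(artifacts):
    """artifacts: dict with keys vib_list, rc_local_dir, local_sh, connections, processes."""
    return (check_vibs(artifacts["vib_list"])
            + check_rc_local_dir(artifacts["rc_local_dir"])
            + check_local_sh(artifacts["local_sh"])
            + check_listeners(artifacts["connections"])
            + check_syslog(artifacts["processes"]))


# Constructed sample artefacts: vendor, versions, script name, path and world IDs are made up.
SAMPLE = {
    "vib_list": """\
Name         Version    Vendor     Acceptance Level  Install Date
-----------  ---------  ---------  ----------------  ------------
esx-base     1.0.0-0    VMware     VMwareCertified   2024-01-20
host-helper  1.0-1      ExampleCo  PartnerSupported  2025-03-02
""",
    "rc_local_dir": ["local.sh", "099.example-persist.sh"],
    "local_sh": "#!/bin/sh\n# local configuration options\n/bin/python /scratch/example/autobackup.bin &\nexit 0\n",
    "connections": """\
Proto  Recv Q  Send Q  Local Address  Foreign Address  State   World ID  CC Algo  World Name
-----  ------  ------  -------------  ---------------  ------  --------  -------  ----------
tcp    0       0       127.0.0.1:80   0.0.0.0:0        LISTEN  2098563   newreno  rhttpproxy
tcp    0       0       0.0.0.0:8888   0.0.0.0:0        LISTEN  2101444   newreno  python
""",
    "processes": ["hostd", "vpxa", "rhttpproxy", "python"],
}

if __name__ == "__main__":
    for f in audit_host(SAMPLE):
        print(f"[{f.indicator}] {f.detail}")
```

Run against the constructed sample it reports five findings, one per indicator. The checks are deliberately baseline-driven: a site that legitimately ships partner VIBs or uses local.sh should feed its own inventory into the allowlists rather than loosen the checks, and the absence of vmsyslogd should be correlated with a gap in the central syslog collector, since a killed daemon leaves no local trace of its own death.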
The threat actors demonstrate sophisticated network manipulation capabilities by compromising F5 load balancers through CVE-2022-1388 exploitation, deploying webshells to ‘/usr/local/www/xui/common/css/css.php’ for network bridging.
They utilize Neo-reGeorg tunneling webshells on internal Java-based web servers and deploy the Medusa rootkit on Linux pivot points for credential harvesting and persistent access.
Fire Ant employs netsh portproxy commands for port forwarding through trusted endpoints, effectively bypassing access control lists and firewall restrictions.
The group also exploits IPv6 traffic to circumvent IPv4-focused filtering rules, demonstrating a comprehensive understanding of dual-stack network environments and common security gaps in organizational infrastructure.
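The netsh portproxy and IPv6 techniques above leave a configuration footprint that is easy to audit: `netsh interface portproxy show all` lists every forwarding rule together with the address family it listens on and the one it connects to. The parser and triage heuristics below are an added example, not code from the article; the sample netsh output is constructed, and the flagging rules (wildcard listeners, cross-family mappings, forwarding to another host) are assumptions, not a vendor-documented check.

```python
# Added example (not from the article): parse `netsh interface portproxy show all`
# output collected from a Windows endpoint and annotate each rule with the
# patterns described in the campaign. Sample output is constructed.
import re
from dataclasses import dataclass, field

SECTION = re.compile(r"Listen on (ipv[46]):\s+Connect to (ipv[46]):")
WILDCARDS = {"0.0.0.0", "*", "::"}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


@dataclass
class PortProxyRule:
    listen_family: str
    listen_addr: str
    listen_port: int
    connect_family: str
    connect_addr: str
    connect_port: int
    reasons: list = field(default_factory=list)


def parse_portproxy(text):
    """Each section header names the listen/connect address families; data
    rows under it are `addr port addr port`. Header and dashed lines are
    skipped because their port columns are not numeric."""
    rules, families = [], None
    for line in text.splitlines():
        m = SECTION.search(line)
        if m:
            families = (m.group(1), m.group(2))
            continue
        parts = line.split()
        if families and len(parts) == 4 and parts[1].isdigit() and parts[3].isdigit():
            rules.append(PortProxyRule(families[0], parts[0], int(parts[1]),
                                       families[1], parts[2], int(parts[3])))
    return rules


def assess(rules):
    """portproxy is rarely used legitimately on endpoints, so every rule is
    returned; reasons mark the patterns worth escalating first."""
    for r in rules:
        if r.listen_addr in WILDCARDS:
            r.reasons.append("listens on all interfaces")
        if r.listen_family != r.connect_family:
            r.reasons.append(f"{r.listen_family} -> {r.connect_family} mapping crosses address families")
        if r.connect_addr not in LOOPBACK:
            r.reasons.append("forwards to another host")
    return rules


def audit_portproxy(text):
    return assess(parse_portproxy(text))


# Constructed sample in the layout netsh prints; addresses are made up.
SAMPLE_NETSH = """\
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
0.0.0.0         3389        10.0.0.5        3389

Listen on ipv6:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
*               8080        10.0.0.6        80
"""

if __name__ == "__main__":
    for r in audit_portproxy(SAMPLE_NETSH):
        print(f"{r.listen_family} {r.listen_addr}:{r.listen_port} -> "
              f"{r.connect_family} {r.connect_addr}:{r.connect_port}  {r.reasons}")
```

The second sample rule is the dual-stack case the article describes: it accepts connections on IPv6 and hands them to an IPv4 host, so a firewall policy that only inspects IPv4 rules never sees the listener. The same rules persist in the registry under HKLM\SYSTEM\CurrentControlSet\Services\PortProxy and are serviced by the IP Helper service (iphlpsvc), so a baseline of that key and of netsh.exe executions gives a second detection point when the live command output is not available.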
Organizations must urgently prioritize securing their VMware environments through comprehensive patching, enhanced monitoring of hypervisor activities, and implementation of advanced detection capabilities that extend beyond traditional endpoint security solutions.