UNC3944 Attacking VMware vSphere and Enabling SSH on ESXi Hosts to Reset ‘root’ Passwords
UNC3944, a financially driven threat organization associated with “0ktapus,” “Octo Tempest,” and “Scattered Spider,” launched a sophisticated cyber campaign that used social engineering and hypervisor-level attacks to target VMware vSphere environments in the retail, airline, and insurance industries.
Google Threat Intelligence Group (GTIG) identified the campaign in mid-2025, following FBI alerts about the group's escalating activity against U.S. retail organizations.
The threat actors employ a proven “living-off-the-land” (LoTL) methodology that bypasses traditional endpoint detection and response (EDR) solutions by operating directly at the hypervisor level, where security tools have limited visibility.
In Short
1. Phone impersonation to reset AD passwords and escalate to vSphere admin groups via net.exe commands.
2. Exploit vCenter to modify GRUB bootloaders for root access and install "teleport" reverse shells.
3. Power down VMs, detach .vmdk files, and extract NTDS.dit offline before ransomware deployment.
UNC3944’s Social Engineering Attack Chain
UNC3944’s attack chain begins with sophisticated phone-based social engineering targeting IT help desks.
Mandiant reports that threat actors impersonate employees using publicly available personal information from previous data breaches to convince help desk agents to reset Active Directory passwords.
Once inside, they conduct reconnaissance through SharePoint sites and network drives, specifically hunting for IT documentation revealing privileged accounts like “vSphere Admins” or “ESX Admins” groups.
The attackers then escalate privileges by adding compromised accounts to critical security groups using commands such as net.exe group "ESX Admins" ACME-CORP\temp-adm-bkdr /add, executed through Windows Remote Management (WinRM).
Security teams can detect this activity by monitoring for AD Event ID 4728 (member added to security-enabled global group) and correlating wsmprovhost.exe (the WinRM host process) execution with suspicious group modifications.
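The correlation described above, as an added example that is not part of the original article: it scans constructed Windows Security events for Event ID 4728 additions to the "ESX Admins" and "vSphere Admins" groups and flags those where the same account spawned wsmprovhost.exe (Event ID 4688) inside an assumed five-minute window. The account names, domain and timestamps are illustrative only.

```python
# Added example (not from the original article): correlate AD Event ID 4728 group
# additions to vSphere admin groups with wsmprovhost.exe (WinRM host) process
# creation (Event ID 4688) by the same subject account inside a short window.
from datetime import datetime, timedelta

SENSITIVE_GROUPS = {"esx admins", "vsphere admins"}  # groups named in the article
WINDOW = timedelta(minutes=5)                        # assumed correlation window

# Constructed sample events; the account, domain and group names are illustrative.
SAMPLE_EVENTS = [
    {"time": "2025-06-10T09:14:02", "id": 4688, "subject": "ACME-CORP\\temp-adm-bkdr",
     "detail": "New Process Name: C:\\Windows\\System32\\wsmprovhost.exe"},
    {"time": "2025-06-10T09:14:05", "id": 4728, "subject": "ACME-CORP\\temp-adm-bkdr",
     "detail": "Group Name: ESX Admins; Member Name: CN=temp-adm-bkdr,OU=Users,DC=acme,DC=local"},
    {"time": "2025-06-10T11:30:00", "id": 4728, "subject": "ACME-CORP\\svc-hr",
     "detail": "Group Name: HR Staff; Member Name: CN=jdoe,OU=Users,DC=acme,DC=local"},
    {"time": "2025-06-10T12:00:00", "id": 4728, "subject": "ACME-CORP\\admin-jsmith",
     "detail": "Group Name: vSphere Admins; Member Name: CN=admin-jsmith,OU=Users,DC=acme,DC=local"},
]

def _fields(detail):
    """Split 'Key: value; Key: value' detail text into a dict."""
    out = {}
    for part in detail.split(";"):
        key, _, value = part.partition(":")
        out[key.strip()] = value.strip()
    return out

def _ts(event):
    return datetime.fromisoformat(event["time"])

def suspicious_group_additions(events, window=WINDOW):
    """Return one alert per 4728 that adds a member to a sensitive group, noting
    whether the same subject account spawned wsmprovhost.exe within `window`."""
    winrm_times = [(e["subject"], _ts(e)) for e in events
                   if e["id"] == 4688 and "wsmprovhost.exe" in e["detail"].lower()]
    alerts = []
    for e in events:
        if e["id"] != 4728:
            continue
        f = _fields(e["detail"])
        if f.get("Group Name", "").lower() not in SENSITIVE_GROUPS:
            continue
        when = _ts(e)
        via_winrm = any(subj == e["subject"] and abs(when - t) <= window
                        for subj, t in winrm_times)
        alerts.append({"time": e["time"], "subject": e["subject"], "group": f["Group Name"],
                       "member": f["Member Name"], "via_winrm": via_winrm})
    return alerts

if __name__ == "__main__":
    for a in suspicious_group_additions(SAMPLE_EVENTS):
        print(("HIGH " if a["via_winrm"] else "MED  ") + str(a))
```

In production the 4688 events come from the host where net.exe ran and the 4728 events from the domain controller, so the join key is the subject account rather than the logging host.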
After gaining vCenter access, UNC3944 executes a sophisticated takeover of the vCenter Server Appliance (VCSA). They leverage console access to reboot the appliance and modify the GRUB bootloader with init=/bin/bash, achieving passwordless root access.
The group then installs “teleport,” a legitimate open-source remote access tool, creating encrypted reverse shells that bypass firewall egress rules.
Key detection signals include vCenter events such as vim.event.VmReconfiguredEvent and UserLoginSessionEvent; forwarding VCSA logs to a remote syslog server also captures unauthorized enablement of the SSH service.
Organizations should monitor for anomalous DNS requests from vCenter servers and unusual outbound connections that could indicate C2 communication.
Data Exfiltration via Virtual Disk Manipulation
The most devastating phase involves offline credential theft through virtual disk manipulation.
UNC3944 identifies Domain Controller VMs, powers them off, and detaches their virtual disks (.vmdk files) before attaching them to compromised “orphaned” VMs.
This technique enables extraction of the NTDS.dit Active Directory database while completely bypassing in-guest security solutions.
Organizations can defend against this attack vector by implementing vSphere VM encryption for Tier 0 assets, enabling ESXi lockdown mode, and enforcing the execInstalledOnly kernel setting to prevent unsigned binary execution.
The group’s final ransomware deployment uses the native vim-cmd tool to power off VMs before encrypting datastore files, making hypervisor-level hardening essential for prevention.
Security teams must implement comprehensive logging from vCenter events, ESXi audit logs, and Active Directory to detect UNC3944’s methodical progression through virtualized environments before ransomware deployment occurs.