Hypervisor Compromise Attack Chain
How threat actors target VMware vSphere to operate beneath the guest OS, where EDR cannot see them, achieving persistence, credential theft, and total infrastructure control.
Every actor in the matrix below follows the same sequence of stages. They must, because each stage reflects an unavoidable prerequisite condition. Their tools, loaders, and C2 infrastructure change constantly. The underlying chokepoints do not. Detect the prerequisite; catch any actor.
TTP Overlap Across Groups
Each card represents a MITRE ATT&CK technique; dots indicate which groups or families use it, and cards with an orange border are universal chokepoints used by every tracked actor.
Chokepoint Opportunities by Stage
Each card shows the invariant prerequisite an attacker must satisfy at that stage, the top detection signals, and links to the full chokepoint analysis.
Initial Access & Recon
Chokepoint: Management interface (VAMI 5480, SSH 22, vSphere API 443) reachable from untrusted network zone
Detection signals:
- VCSA firewall audit: SSH_BLOCKED_NEW, WEB_BLOCKED_NEW, VAMI_BLOCKED_NEW from non-PAW IP
- Failed authentication from unauthorized internal IP in auth.log or vCenter UserLoginSessionEvent
- Tomcat audit log showing requests to /manager/text/deploy (WAR file deployment)
Mgmt Plane Takeover
Chokepoint: VAMI-to-shell pivot requires BashShellAdministrators membership
Detection signals:
- VAMI log: POST /rest/com/vmware/cis/session followed by SSH enablement via PUT on port 5480
- SSO audit: membership change to BashShellAdministrators group (PrincipalManagement event)
- vCenter event: HostSshEnabledEvent
- VCSA shell command log: interactive commands like whoami, netstat
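The two signals that open this chain, blocked management-port connections from outside the PAW ranges and a VAMI session creation followed shortly by an SSH-enable PUT from the same source, are both easy to evaluate over raw log lines. The example below is added here and is not part of the page or of any VMware tooling; the log lines are constructed, the PAW subnet is assumed, and the path of the SSH-enable endpoint (`/rest/appliance/access/ssh`) is an assumption that should be checked against your appliance's access log.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed VCSA firewall audit lines in iptables LOG style. The rule prefixes
# (SSH_BLOCKED_NEW, WEB_BLOCKED_NEW, VAMI_BLOCKED_NEW) are the names cited above.
FIREWALL_LOG = [
    "May 20 15:58:01 vcsa kernel: SSH_BLOCKED_NEW: IN=eth0 SRC=10.10.5.23 DST=10.10.1.10 PROTO=TCP DPT=22",
    "May 20 15:58:07 vcsa kernel: VAMI_BLOCKED_NEW: IN=eth0 SRC=10.10.5.23 DST=10.10.1.10 PROTO=TCP DPT=5480",
    "May 20 15:59:00 vcsa kernel: WEB_BLOCKED_NEW: IN=eth0 SRC=192.0.2.77 DST=10.10.1.10 PROTO=TCP DPT=443",
    "May 20 16:02:30 vcsa kernel: SSH_BLOCKED_NEW: IN=eth0 SRC=10.10.9.5 DST=10.10.1.10 PROTO=TCP DPT=22",
    "May 20 16:02:31 vcsa kernel: ACCEPT: IN=eth0 SRC=10.10.9.5 DST=10.10.1.10 PROTO=TCP DPT=443",
]
PAW_NETS = [ipaddress.ip_network("10.10.9.0/24")]   # assumed privileged-access workstation subnet
FW_RE = re.compile(r"(SSH|WEB|VAMI)_BLOCKED_NEW: .*?SRC=(\S+) .*?DPT=(\d+)")


def blocked_from_non_paw(lines, paw_nets=PAW_NETS):
    """Blocked management-plane connection attempts whose source is outside every PAW range.

    Returns (source_ip, rule_family, destination_port) tuples in log order.
    """
    hits = []
    for line in lines:
        m = FW_RE.search(line)
        if not m:
            continue
        src = ipaddress.ip_address(m.group(2))
        if not any(src in net for net in paw_nets):
            hits.append((str(src), m.group(1), int(m.group(3))))
    return hits


# Constructed VAMI access records: (timestamp, source IP, method, path, HTTP status).
SESSION_PATH = "/rest/com/vmware/cis/session"
SSH_ENABLE_PATH = "/rest/appliance/access/ssh"   # assumed path of the SSH-enable PUT
VAMI_LOG = [
    ("2024-05-20T16:10:00Z", "10.10.5.23", "POST", SESSION_PATH, 200),
    ("2024-05-20T16:10:45Z", "10.10.5.23", "PUT", SSH_ENABLE_PATH, 200),
    ("2024-05-20T16:30:00Z", "10.10.9.5", "POST", SESSION_PATH, 200),
    ("2024-05-20T17:45:00Z", "10.10.9.5", "PUT", SSH_ENABLE_PATH, 200),
]


def _ts(s):
    """Parse the constructed ISO-8601 timestamps used in this example."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def session_then_ssh_enable(entries, window=timedelta(minutes=15)):
    """Session creation followed by a successful SSH-enable PUT from the same source
    inside the window. The window length is a tuning choice, not a page value."""
    sessions, hits = {}, []
    for ts, src, method, path, status in sorted(entries):
        if status != 200:
            continue
        t = _ts(ts)
        if method == "POST" and path == SESSION_PATH:
            sessions[src] = t
        elif method == "PUT" and path == SSH_ENABLE_PATH:
            started = sessions.get(src)
            if started is not None and t - started <= window:
                hits.append((src, ts))
    return hits


if __name__ == "__main__":
    print(blocked_from_non_paw(FIREWALL_LOG))
    print(session_then_ssh_enable(VAMI_LOG))
```

The firewall check deliberately reports only the non-PAW sources: a PAW hitting a blocked rule is a misconfiguration to follow up on, while a non-PAW source probing 22, 443 and 5480 in sequence is the reconnaissance the chokepoint describes. The session-to-SSH correlation is keyed on source IP, so an operator who logs in and enables SSH hours later (the second PAW sequence above) does not fire it.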
Credential Theft
Chokepoint: Elevated process reads credential store or Tomcat memory
Detection signals:
- auditd key privileged: sudo usage to scrape Tomcat memory or PostgreSQL config files
- HTTP requests to /web/saml2/sso/* from VCSA itself (BRICKSTEAL harvesting)
- vCenter events: VmClonedEvent targeting domain controllers (offline NTDS.dit theft)
- VmDiskHotPlugEvent (attacker mounting cloned DC disk)
Persistence
Chokepoint: Init script write + chmod to survive reboot
Detection signals:
- auditd key startup_scripts: sed commands modifying /etc/sysconfig/init or /opt/vmware/etc/init.d/
- auditd key perm_mod: chmod +x on init script directories
- auditd key ssh_key_tamper: write to /root/.ssh/authorized_keys
- AIDE integrity alert (AIDE_TRAP): differences found for /lib64 or /root/.ssh
- SSO audit: transient account created and deleted within ~13 minutes
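The persistence signals above are all host-side records: auditd events tagged with the rule keys startup_scripts, perm_mod and ssh_key_tamper, plus an SSO create/delete pair with a short lifetime. The following example is added here and is not the page's or VMware's code; the auditd records and SSO events are constructed (simplified to one SYSCALL and one PATH line per event), and the init-script file name and account names are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

PERSISTENCE_KEYS = {"startup_scripts", "perm_mod", "ssh_key_tamper"}  # rule keys named in the card
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r"audit\(([\d.]+):(\d+)\)")

# Constructed auditd records. A real event has more fields and often several PATH lines;
# the file /opt/vmware/etc/init.d/vmware-update is a hypothetical name.
AUDIT_LINES = [
    'type=SYSCALL msg=audit(1716220800.101:2001): syscall=257 success=yes auid=0 comm="sed" exe="/usr/bin/sed" key="startup_scripts"',
    'type=PATH msg=audit(1716220800.101:2001): item=1 name="/etc/sysconfig/init"',
    'type=SYSCALL msg=audit(1716220801.220:2002): syscall=268 success=yes auid=0 comm="chmod" exe="/usr/bin/chmod" key="perm_mod"',
    'type=PATH msg=audit(1716220801.220:2002): item=0 name="/opt/vmware/etc/init.d/vmware-update"',
    'type=SYSCALL msg=audit(1716220900.005:2003): syscall=257 success=yes auid=0 comm="bash" exe="/usr/bin/bash" key="ssh_key_tamper"',
    'type=PATH msg=audit(1716220900.005:2003): item=1 name="/root/.ssh/authorized_keys"',
    'type=SYSCALL msg=audit(1716221000.000:2004): syscall=257 success=yes auid=1000 comm="vi" exe="/usr/bin/vi" key="privileged"',
    'type=PATH msg=audit(1716221000.000:2004): item=1 name="/home/ops/notes.txt"',
]


def parse_audit(lines):
    """Group auditd lines by event serial, merging SYSCALL fields with the PATH names."""
    events = {}
    for line in lines:
        m = SERIAL_RE.search(line)
        if not m:
            continue
        serial = m.group(2)
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        ev = events.setdefault(serial, {"time": float(m.group(1)), "paths": []})
        if fields.get("type") == "PATH":
            ev["paths"].append(fields.get("name", ""))
        else:
            ev.update({k: v for k, v in fields.items() if k not in ("type", "msg")})
    return events


def persistence_alerts(lines):
    """Successful syscalls tagged with one of the persistence rule keys, with the files touched."""
    alerts = []
    for serial, ev in sorted(parse_audit(lines).items()):
        if ev.get("key") in PERSISTENCE_KEYS and ev.get("success") == "yes":
            alerts.append({"serial": serial, "key": ev["key"], "comm": ev.get("comm"), "paths": ev["paths"]})
    return alerts


# Constructed SSO PrincipalManagement-style events: account lifecycle operations.
SSO_AUDIT = [
    {"time": "2024-05-20T16:00:00Z", "op": "create", "principal": "svc-vdi-tmp"},
    {"time": "2024-05-20T16:05:00Z", "op": "create", "principal": "backup-admin"},
    {"time": "2024-05-20T16:13:00Z", "op": "delete", "principal": "svc-vdi-tmp"},
]


def transient_accounts(events, max_lifetime=timedelta(minutes=20)):
    """Accounts created and deleted within max_lifetime; returns (principal, minutes alive).

    The page reports a ~13 minute lifecycle; the 20 minute threshold here is a tuning choice.
    """
    created, hits = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.strptime(ev["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if ev["op"] == "create":
            created[ev["principal"]] = t
        elif ev["op"] == "delete" and ev["principal"] in created:
            life = t - created.pop(ev["principal"])
            if life <= max_lifetime:
                hits.append((ev["principal"], int(life.total_seconds() // 60)))
    return hits


if __name__ == "__main__":
    for a in persistence_alerts(AUDIT_LINES):
        print(a)
    print(transient_accounts(SSO_AUDIT))
```

Grouping by audit serial matters: the key and the command live on the SYSCALL line while the file written lives on the PATH line, so a line-by-line grep on the key alone tells you that something fired but not which init script or authorized_keys file changed. Accounts that are created and never deleted (backup-admin above) are left for the normal review process rather than reported as transient.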
Lateral Movement
Chokepoint: vpxuser shell access OR Ghost NIC into management VLAN
Detection signals:
- vCenter event: VmNetworkAdapterAddedEvent (8.0u3+); high-fidelity Ghost NIC signal
- Legacy: VmReconfiguredEvent with NIC addition to management port group
- ESXi hostd.log: vpxuser shell login from VCSA IP
- Windows Event 4624 (Type 3) from appliance IP using stolen service account creds
Exfiltration & Impact
Chokepoint: VCSA outbound to C2 OR datastore read for VMDK theft
Detection signals:
- VCSA firewall audit: INTERNET_BLOCKED, ZT_OUTBOUND_DENIED
- VCSA egress to non-whitelisted destination (DoH resolvers, SOCKS proxy ports)
- vCenter events: VmClonedEvent on Tier-0 VMs
- Ransomware: vim-cmd vmsvc/power.off across multiple VMs followed by datastore encryption
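Several of the vCenter signals listed in the Credential Theft, Lateral Movement and Exfiltration cards become high-fidelity only when correlated: a VmClonedEvent on a domain controller is noisy on its own but rarely benign when the clone's disk is hot-plugged into another VM shortly afterwards, and an adapter added to a management port group is the Ghost NIC signal on 8.0u3+ with a VmReconfiguredEvent fallback on older builds. The example below is added here and is not the page's or VMware's code; the event records are constructed, the field names are illustrative rather than the vSphere event schema, and the DC and port-group names are assumed.

```python
from datetime import datetime, timedelta, timezone


def _ts(s):
    """Parse the constructed ISO-8601 timestamps used in this example."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed vCenter event records. The event type names are the ones cited in the
# stage cards; "vm", "target", "disk_source" and "portgroup" are illustrative field names.
VCENTER_EVENTS = [
    {"time": "2024-05-21T02:10:00Z", "type": "VmClonedEvent", "vm": "DC01", "target": "DC01-tmp", "user": "svc-vdi-tmp"},
    {"time": "2024-05-21T02:25:00Z", "type": "VmDiskHotPlugEvent", "vm": "jumpbox-42", "disk_source": "DC01-tmp", "user": "svc-vdi-tmp"},
    {"time": "2024-05-21T03:00:00Z", "type": "VmNetworkAdapterAddedEvent", "vm": "jumpbox-42", "portgroup": "PG-Mgmt-VLAN10", "user": "svc-vdi-tmp"},
    {"time": "2024-05-21T09:00:00Z", "type": "VmClonedEvent", "vm": "web01", "target": "web01-test", "user": "ops"},
    {"time": "2024-05-21T09:30:00Z", "type": "VmReconfiguredEvent", "vm": "web01-test", "nic_added": True, "portgroup": "PG-App-VLAN30", "user": "ops"},
]
DOMAIN_CONTROLLERS = {"DC01", "DC02"}               # assumed Tier-0 asset inventory
MGMT_PORTGROUPS = {"PG-Mgmt-VLAN10", "PG-vMotion"}  # assumed management port groups


def dc_clone_chain(events, dc_names=DOMAIN_CONTROLLERS, window=timedelta(hours=2)):
    """Flag every clone of a DC, and escalate when that clone's disk is hot-plugged into
    another VM within the window (the offline NTDS.dit access pattern)."""
    clones, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["type"] == "VmClonedEvent" and ev["vm"] in dc_names:
            clones[ev["target"]] = _ts(ev["time"])
            alerts.append(("dc_cloned", ev["vm"], ev["target"], ev["user"]))
        elif ev["type"] == "VmDiskHotPlugEvent" and ev.get("disk_source") in clones:
            if _ts(ev["time"]) - clones[ev["disk_source"]] <= window:
                alerts.append(("dc_clone_disk_mounted", ev["disk_source"], ev["vm"], ev["user"]))
    return alerts


def ghost_nic_alerts(events, mgmt_portgroups=MGMT_PORTGROUPS):
    """Adapter added to a management port group: the native event on 8.0u3+, or a
    legacy VmReconfiguredEvent carrying a NIC addition on older builds."""
    hits = []
    for ev in events:
        nic_added = ev["type"] == "VmNetworkAdapterAddedEvent" or (
            ev["type"] == "VmReconfiguredEvent" and bool(ev.get("nic_added"))
        )
        if nic_added and ev.get("portgroup") in mgmt_portgroups:
            hits.append((ev["vm"], ev["portgroup"], ev["user"]))
    return hits


if __name__ == "__main__":
    for a in dc_clone_chain(VCENTER_EVENTS):
        print(a)
    print(ghost_nic_alerts(VCENTER_EVENTS))
```

Both functions key on an asset inventory (which VMs are DCs, which port groups carry management traffic) rather than on event names alone; without that inventory VmClonedEvent and adapter additions are routine operations and the signals lose their value. The two-hour window on the hot-plug correlation is a tuning choice.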
Actor Convergence Matrix (5 actors tracked)
Different tools. Different operators. Same chokepoints. The bottom row ("The Chokepoint") shows the invariant prerequisite condition your detections must cover, regardless of which actor you're facing.
| Actor | Initial Access & Recon | Mgmt Plane Takeover | Credential Theft | Persistence | Lateral Movement | Exfiltration & Impact |
|---|---|---|---|---|---|---|
| BRICKSTORM / UNC5221 (Espionage) | Edge appliance exploit → WAR file (SLAYSTYLE) | VAMI SSH enable → BashShellAdmins pivot | BRICKSTEAL: Tomcat memory scrape + PostgreSQL creds | sed inject into init scripts + transient SSO accounts (13-min lifecycle) | vpxuser shell pivot + Ghost NIC bridging | SOCKS/DoH C2 tunneling + VM clone of DCs for NTDS.dit |
| UNC3886 (Espionage) | Zero-day exploitation of vCenter (CVE-2023-34048) | vCenter shell access + custom VIB deployment | VMCI socket credential interception | Malicious VIBs + modified /etc/rc.local.d scripts | Custom backdoor via VMCI sockets (guest-to-host) | Long-term espionage; data staging via encrypted channels |
| UNC3944 / Scattered Spider (Active) | Social engineering helpdesk → vSphere creds via Okta | vSphere web client → SSH enable on ESXi | AD credential theft via VM access + MFA bypass tokens | SSH key persistence on ESXi hosts | RDP/SSH from management network to guest VMs | Data exfiltration + ransomware deployment via ESXi |
| Play Ransomware (Active) | N-day exploits (FortiOS, ESXi OpenSLP) | ESXi shell access via stolen root creds | Credential harvest from compromised AD | rc.local.d script modification on ESXi | SSH lateral between ESXi hosts | ESXi datastore encryption (selective VM targeting) |
| Alphv/BlackCat (Legacy) | Stolen VPN/RDP creds → vCenter access | vSphere web client with admin creds | LSASS dump + AD enumeration (BloodHound) | ESXi shell persistence + custom Linux encryptor | PsExec + WMI + ESXi SSH | Cross-platform Rust encryptor targeting VMFS datastores |
| The Chokepoint | Management interface (VAMI 5480, SSH 22, vSphere API 443) reachable from untrusted network zone | VAMI-to-shell pivot requires BashShellAdministrators membership | Elevated process reads credential store or Tomcat memory | Init script write + chmod to survive reboot | vpxuser shell access OR Ghost NIC into management VLAN | VCSA outbound to C2 OR datastore read for VMDK theft |
Most enterprise EDR has zero visibility into VCSA (Photon OS) or ESXi. Attackers who compromise the hypervisor layer operate beneath every guest VM. Credential theft, lateral movement, and persistence all occur in a blind spot where traditional endpoint detection cannot reach.
Research Methodology
Procedure-level data in this attack chain was extracted and corroborated using Kitsune, an AI-driven threat intelligence pipeline. 12 vendor and government reports were analyzed across 5 actors targeting VMware vSphere and ESXi, with cross-report corroboration used to validate convergence patterns. Reports were sourced from ORKL and direct vendor publications including Mandiant / Google Threat Intelligence, CISA, Trend Micro, Varonis, and Sygnia. Only techniques observed in two or more actors appear in the TTP diagram above. Actor-specific procedures are recorded in the source data but filtered from the convergence view.
Broader ESXi Ransomware Landscape
The two ransomware actors in this chain (Play, Alphv/BlackCat) represent a pattern shared by 10+ additional groups. SentinelOne documented that leaked Babuk source code spawned ESXi encryptors for RansomHub, LockBit, Akira, Cactus, RTM Locker, Conti successors, REvil/Revix, Rorschach/BabLock, and others. All use identical tradecraft: SSH to ESXi → vim-cmd vmsvc/power.off → encrypt /vmfs/volumes. The detection chokepoints in this chain cover all of them because the underlying prerequisites are identical regardless of which encryptor binary is deployed.
Source: SentinelOne: Multiple groups build ESXi lockers from leaked Babuk code
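The shared tradecraft above, and the ransomware signal in the Exfiltration & Impact card, reduce to one observable on the host: a burst of vim-cmd vmsvc/power.off commands against many VMs in a short window, before any encryptor binary is involved. The example below is added here and is not the page's or SentinelOne's code; the ESXi shell.log-style lines are constructed and simplified, and the threshold and window are tuning choices.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed ESXi shell.log-style lines (format simplified to timestamp, source, command).
SHELL_LOG = [
    "2024-05-21T04:00:01Z shell[2201]: [root]: vim-cmd vmsvc/getallvms",
    "2024-05-21T04:00:05Z shell[2201]: [root]: vim-cmd vmsvc/power.off 12",
    "2024-05-21T04:00:06Z shell[2201]: [root]: vim-cmd vmsvc/power.off 13",
    "2024-05-21T04:00:07Z shell[2201]: [root]: vim-cmd vmsvc/power.off 14",
    "2024-05-21T04:00:09Z shell[2201]: [root]: vim-cmd vmsvc/power.off 15",
    "2024-05-21T04:00:10Z shell[2201]: [root]: vim-cmd vmsvc/power.off 16",
    "2024-05-21T04:00:12Z shell[2201]: [root]: vim-cmd vmsvc/power.off 17",
    "2024-05-21T13:00:00Z shell[2310]: [root]: vim-cmd vmsvc/power.off 3",
]
POWEROFF_RE = re.compile(r"^(\S+) .*vim-cmd vmsvc/power\.off (\d+)\s*$")


def poweroff_events(lines):
    """(timestamp, vm id) for every power.off command, sorted by time."""
    out = []
    for line in lines:
        m = POWEROFF_RE.match(line)
        if m:
            t = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            out.append((t, m.group(2)))
    return sorted(out)


def max_poweroffs_in_window(lines, window=timedelta(minutes=10)):
    """Largest number of distinct VMs powered off inside any sliding window."""
    events = poweroff_events(lines)
    best = 0
    for i, (start, _) in enumerate(events):
        ids = {vmid for t, vmid in events[i:] if t - start <= window}
        best = max(best, len(ids))
    return best


def mass_poweroff_alert(lines, threshold=5, window=timedelta(minutes=10)):
    """(alert, count): alert is True when the busiest window reaches the threshold."""
    n = max_poweroffs_in_window(lines, window)
    return n >= threshold, n


if __name__ == "__main__":
    print(mass_poweroff_alert(SHELL_LOG))
```

Counting distinct VM ids rather than raw command lines keeps a retried power-off of one VM from inflating the count, and the lone power.off at 13:00 stays below the threshold, which is the behaviour you want for routine maintenance on a single VM. Because every encryptor in the SentinelOne list has to stop the VMs before it can write to the VMFS volumes, this one rule covers the whole family without any binary-specific signature.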
Related Attack Chains
- Ransomware - ESXi-targeting ransomware reuses identical vSphere access patterns; 8 groups tracked in the ransomware chain
- Infostealers - Stolen VPN/RDP creds from infostealer logs provide initial vSphere access
- AiTM / Phishing Kits - AiTM-compromised Okta sessions enable vSphere web client access