Attack Chains Updated 2026-04-14

Hypervisor Compromise Attack Chain

Threat actors target VMware vSphere to operate beneath the guest OS where EDR can't see - chokepoints that hold across every ESXi encryptor.

The Chokepoint Convergence Principle

Same stages, different tools. Each stage is an unavoidable prerequisite - the underlying chokepoints don't change. Detect the prerequisite; catch any actor.

TTP Overlap Across Groups

Technique cards with actor dots. Orange border = used by all actors. Click actors to filter; a cyan glow marks techniques shared by every selected actor.

Initial Access & Recon
Valid Accounts
T1078
Local Accounts
T1078.003
External Remote Services
T1133
Exploit Public-Facing Application
T1190
Mgmt Plane Takeover
Command and Scripting Interpreter
T1059
Credential Theft
Unsecured Credentials
T1552
Persistence
Create or Modify System Process
T1543
Lateral Movement
Remote Services
T1021
Remote Desktop Protocol
T1021.001
Windows Remote Management
T1021.006
Defense Evasion
Obfuscated Files or Information
T1027
Match Legitimate Name or Location
T1036.005
Indicator Removal
T1070
Disable or Modify Tools
T1562.001
Discovery
File and Directory Discovery
T1083
C2 & Exfiltration
Exfiltration Over C2 Channel
T1041
Exfil Over Alternative Protocol
T1048
Application Layer Protocol
T1071
Web Protocols
T1071.001
Ingress Tool Transfer
T1105
Impact
Data Encrypted for Impact
T1486
Inhibit System Recovery
T1490

Chokepoint Opportunities by Stage

Invariant prerequisite per stage, top signals, and links to the full chokepoint analysis.

1 Initial Access & Recon
Chokepoint

Management interface (VAMI 5480, SSH 22, vSphere API 443) reachable from untrusted network zone

Detection Signals
  • VCSA firewall audit: SSH_BLOCKED_NEW, WEB_BLOCKED_NEW, VAMI_BLOCKED_NEW from non-PAW IP
  • Failed authentication from unauthorized internal IP in auth.log or vCenter UserLoginSessionEvent
  • Tomcat audit log showing requests to /manager/text/deploy (WAR file deployment)
2 Mgmt Plane Takeover
Chokepoint

VAMI-to-shell pivot requires BashShellAdministrators membership

Detection Signals
  • VAMI log: POST /rest/com/vmware/cis/session followed by SSH enablement via PUT on port 5480
  • SSO audit: membership change to BashShellAdministrators group (PrincipalManagement event)
  • vCenter event: HostSshEnabledEvent
  • VCSA shell command log: interactive commands like whoami, netstat
3 Credential Theft
Chokepoint

Elevated process reads credential store or Tomcat memory

Detection Signals
  • auditd key privileged: sudo usage to scrape Tomcat memory or PostgreSQL config files
  • HTTP requests to /web/saml2/sso/* from VCSA itself (BRICKSTEAL harvesting)
  • vCenter events: VmClonedEvent targeting domain controllers (offline NTDS.dit theft)
  • VmDiskHotPlugEvent (attacker mounting cloned DC disk)
4 Persistence
Chokepoint

Init script write + chmod to survive reboot

Detection Signals
  • auditd key startup_scripts: sed commands modifying /etc/sysconfig/init or /opt/vmware/etc/init.d/
  • auditd key perm_mod: chmod +x on init script directories
  • auditd key ssh_key_tamper: write to /root/.ssh/authorized_keys
  • AIDE integrity alert (AIDE_TRAP): differences found for /lib64 or /root/.ssh
  • SSO audit: transient account created and deleted within ~13 minutes
5 Lateral Movement
Chokepoint

vpxuser shell access OR Ghost NIC into management VLAN

Detection Signals
  • vCenter event: VmNetworkAdapterAddedEvent (8.0u3+), high-fidelity Ghost NIC signal
  • Legacy: VmReconfiguredEvent with NIC addition to management port group
  • ESXi hostd.log: vpxuser shell login from VCSA IP
  • Windows Event 4624 (Type 3) from appliance IP using stolen service account creds
6 Exfiltration & Impact
Chokepoint

VCSA outbound to C2 OR datastore read for VMDK theft

Detection Signals
  • VCSA firewall audit: INTERNET_BLOCKED, ZT_OUTBOUND_DENIED
  • VCSA egress to non-whitelisted destination (DoH resolvers, SOCKS proxy ports)
  • vCenter events: VmClonedEvent on Tier-0 VMs
  • Ransomware: vim-cmd vmsvc/power.off across multiple VMs followed by datastore encryption

Actor Convergence Matrix 5 actors tracked

Different tools, different operators - same chokepoints. Bottom row: the invariant your detections must cover.

Actor Initial Access & Recon Mgmt Plane Takeover Credential Theft Persistence Lateral Movement Exfiltration & Impact
BRICKSTORM / UNC5221
Espionage
Edge appliance exploit → WAR file (SLAYSTYLE) VAMI SSH enable → BashShellAdmins pivot BRICKSTEAL: Tomcat memory scrape + PostgreSQL creds sed inject into init scripts + transient SSO accounts (13-min lifecycle) vpxuser shell pivot + Ghost NIC bridging SOCKS/DoH C2 tunneling + VM clone of DCs for NTDS.dit
UNC3886
Espionage
Zero-day exploitation of vCenter (CVE-2023-34048) vCenter shell access + custom VIB deployment VMCI socket credential interception Malicious VIBs + modified /etc/rc.local.d scripts Custom backdoor via VMCI sockets (guest-to-host) Long-term espionage; data staging via encrypted channels
UNC3944 / Scattered Spider
Active
Social engineering helpdesk → vSphere creds via Okta vSphere web client → SSH enable on ESXi AD credential theft via VM access + MFA bypass tokens SSH key persistence on ESXi hosts RDP/SSH from management network to guest VMs Data exfiltration + ransomware deployment via ESXi
Play Ransomware
Active
N-day exploits (FortiOS, ESXi OpenSLP) ESXi shell access via stolen root creds Credential harvest from compromised AD rc.local.d script modification on ESXi SSH lateral between ESXi hosts ESXi datastore encryption (selective VM targeting)
Alphv/BlackCat
Legacy
Stolen VPN/RDP creds → vCenter access vSphere web client with admin creds LSASS dump + AD enumeration (BloodHound) ESXi shell persistence + custom Linux encryptor PsExec + WMI + ESXi SSH Cross-platform Rust encryptor targeting VMFS datastores
The Chokepoint Management interface (VAMI 5480, SSH 22, vSphere API 443) reachable from untrusted network zone VAMI-to-shell pivot requires BashShellAdministrators membership Elevated process reads credential store or Tomcat memory Init script write + chmod to survive reboot vpxuser shell access OR Ghost NIC into management VLAN VCSA outbound to C2 OR datastore read for VMDK theft

Analysis & References

393 days average dwell time

Most enterprise EDR has zero visibility into VCSA (Photon OS) or ESXi. Attackers who compromise the hypervisor layer operate beneath every guest VM. Credential theft, lateral movement, and persistence all occur in a blind spot where traditional endpoint detection cannot reach.

Research Methodology

Source: Kitsune pipeline over ORKL + vendor reports - 12 reports / 5 actors targeting vSphere/ESXi. Convergent techniques only.

Broader ESXi Ransomware Landscape

The two ransomware actors in this chain (Play, Alphv/BlackCat) represent a pattern shared by 10+ additional groups. SentinelOne documented that leaked Babuk source code spawned ESXi encryptors for RansomHub, LockBit, Akira, Cactus, RTM Locker, Conti successors, REvil/Revix, Rorschach/BabLock, and others. All use identical tradecraft: SSH to ESXi → vim-cmd vmsvc/power.off → encrypt /vmfs/volumes. The detection chokepoints in this chain cover all of them because the underlying prerequisites are identical regardless of which encryptor binary is deployed.

Source: SentinelOne: Multiple groups build ESXi lockers from leaked Babuk code

  • Ransomware - ESXi-targeting ransomware reuses identical vSphere access patterns; 8 groups tracked in the ransomware chain
  • Infostealers - Stolen VPN/RDP creds from infostealer logs provide initial vSphere access
  • AiTM / Phishing Kits - AiTM-compromised Okta sessions enable vSphere web client access