
A group of attackers is using a zero-day exploit toolkit in the wild to compromise VMware ESXi instances, chaining multiple vulnerabilities to escape virtual machine isolation.
The current incident highlights the ongoing threats to the hypervisor, as attackers prioritize stealth by rolling back drivers and removing configurations following the attack. With the rise of ransomware targeting ESXi, it’s crucial for organizations to aggressively strengthen virtualization security.
VM isolation fails when the hypervisor itself is vulnerable; apply ESXi patches urgently, since end-of-life versions receive no fixes. Monitor ESXi hosts with “lsof -a” for processes using VSOCK, be wary of BYOVD loaders like KDU, and secure VPNs. Firewall modifications and unsigned drivers indicate compromise; VSOCK backdoors evade network IDS.
The threat actors gained a foothold via a SonicWall VPN, then used a compromised domain administrator account for lateral movement to the primary and backup domain controllers.
Huntress security experts managed to stop one of these attacks and found that the initial access had been gained through a compromised SonicWall VPN.
About 20 minutes after deploying the toolkit, they executed the ESXi exploit, which Huntress blocked before ransomware could be deployed.
The toolkit, named MAESTRO by Huntress, orchestrates disabling the VMware VMCI driver with devcon.exe, loading an unsigned driver via KDU to bypass Driver Signature Enforcement, and performing the VM escape.
On the primary DC, they ran reconnaissance tools like Advanced Port Scanner and ShareFinder, staged data with WinRAR, and modified Windows firewall rules to block outgoing external traffic while allowing internal lateral movement.
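The pre-exploitation steps described in the two paragraphs above (devcon.exe disabling VMCI, KDU loading an unsigned driver, outbound firewall blocking) are distinctive enough to hunt for in process-creation telemetry. The following detection logic is an added example, not code from Huntress or the report; the event format, the command-line patterns and the sample events are constructed assumptions based on the reported behaviour, not signatures from the incident.

```python
"""Flag hosts showing MAESTRO-like staging: VMCI driver disabled, KDU loading
a driver, outbound firewall block. Event lines use a CONSTRUCTED, simplified
process-creation format:  <timestamp>|<host>|<user>|<image>|<command line>"""
import re
from collections import defaultdict

# (stage name, image-name regex, command-line regex). Patterns are assumptions
# derived from the described behaviour; 15AD:0740 is the VMware VMCI PCI id.
STAGES = [
    ("vmci_driver_disabled", r"devcon(64)?\.exe$",
     r"\bdisable\b.*(vmci|ven_15ad&dev_0740)"),
    ("unsigned_driver_loaded", r"kdu\.exe$", r"-map\b|-dse\b|\.sys\b"),
    ("outbound_firewall_block", r"netsh\.exe$",
     r"advfirewall\s+firewall\s+add\s+rule.*dir=out.*action=block"),
]

def parse(line):
    ts, host, user, image, cmd = line.rstrip("\n").split("|", 4)
    return {"ts": ts, "host": host, "user": user,
            "image": image.lower(), "cmd": cmd.lower()}

def classify(event):
    """Return the stage name an event matches, or None."""
    for name, image_re, cmd_re in STAGES:
        if re.search(image_re, event["image"]) and re.search(cmd_re, event["cmd"]):
            return name
    return None

def detect(lines, min_stages=2):
    """Group stage matches per host; a host is flagged when it shows at least
    min_stages distinct stages, in any order. Returns {host: {stage: ts}}."""
    hits = defaultdict(dict)
    for line in lines:
        if not line.strip():
            continue
        ev = parse(line)
        stage = classify(ev)
        if stage and stage not in hits[ev["host"]]:
            hits[ev["host"]][stage] = ev["ts"]
    return {h: s for h, s in hits.items() if len(s) >= min_stages}

# Constructed sample events (not telemetry from the incident).
SAMPLE = """\
2025-03-01T10:00:01Z|guest-vm7|CORP\\svc_backup|C:\\Windows\\System32\\devcon.exe|devcon.exe disable "*VMCI*"
2025-03-01T10:00:40Z|guest-vm7|CORP\\svc_backup|C:\\Temp\\kdu.exe|kdu.exe -map C:\\Temp\\MyDriver.sys
2025-03-01T10:02:15Z|guest-vm7|CORP\\svc_backup|C:\\Windows\\System32\\netsh.exe|netsh advfirewall firewall add rule name="upd" dir=out action=block remoteip=0.0.0.0-9.255.255.255
2025-03-01T11:00:00Z|ws-admin1|CORP\\alice|C:\\Windows\\System32\\netsh.exe|netsh advfirewall firewall add rule name="app" dir=in action=allow program="c:\\app\\app.exe"
"""

if __name__ == "__main__":
    for host, stages in detect(SAMPLE.splitlines()).items():
        print(host, sorted(stages))
```

A single stage on its own (an administrator legitimately using devcon or netsh) is noise, which is why the host is only flagged once two or more stages co-occur.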
MyDriver.sys queries the ESXi version via the VMware Guest SDK, selects offsets from a table covering 155 builds from ESXi 5.1 through 8.0, leaks the VMX base via HGFS (CVE-2025-22226), corrupts memory via VMCI (CVE-2025-22224), and delivers sandbox escape shellcode (CVE-2025-22225).
The shellcode stages deploy VSOCKpuppet, a backdoor that hijacks ESXi’s inetd on port 21 for root execution, using VSOCK for stealthy guest-host communication invisible to networking tools.
PDB paths reveal development in Simplified Chinese environments, such as “全版本逃逸-交付” (All versions escape-delivery), dated February 2024, over a year before Broadcom’s VMSA-2025-0004 disclosure of March 4, 2025.
A client.exe PDB file from November 2023 suggests modular tooling, with compromised VMware drivers referencing “XLab.” Huntress assesses with high confidence that the actor is of Chinese origin, given its resources and zero-day access.
