A stealthy and highly sophisticated cyber-espionage campaign known as Fire Ant has been uncovered by Sygnia’s Incident Response and Threat Intelligence teams. Operating beneath the radar since early 2025, this operation has specifically targeted VMware ESXi, vCenter, and network appliances, showcasing a new level of precision in attacking virtualization environments and network segmentation controls.
“The threat actor leveraged combinations of sophisticated and stealthy techniques creating multilayered attack kill chains… within presumed to be isolated environments,” Sygnia reports.
Fire Ant’s operations consistently focused on the core of modern IT infrastructure—hypervisors and virtualization management planes. By compromising vCenter via CVE-2023-34048—an unauthenticated RCE vulnerability—the actor established initial access and then moved laterally from there.
“The attacker demonstrated a high degree of persistence and operational maneuverability… adapting in real time to eradication and containment actions,” the report states.
Once inside, Fire Ant:
- Harvested ‘vpxuser’ service account credentials to gain administrative control of ESXi hosts.
- Installed persistent backdoors on both vCenter and ESXi using unsigned VIBs and custom Python daemons.
- Deployed rogue VMs invisible to vCenter, hiding them from inventory tools and administrators.
- Disabled logging daemons (vmsyslogd) to suppress evidence.
“They manipulated VMX processes and used CVE-2023-20867 to execute commands via PowerCLI without in-guest credentials,” the report explains.
Fire Ant didn’t stop at the hypervisor layer. Leveraging vulnerabilities like CVE-2023-20867 and their access to virtual machines, the threat actor:
- Extracted credentials from suspended VM snapshots using a customized version of Volatility.
- Deployed custom binaries like updatelog.exe to tamper with EDR visibility, specifically targeting tools like SentinelOne.
- Used V2Ray tunnels and Neo-reGeorg webshells to maintain encrypted and persistent access into segmented networks.
To ensure long-term presence, Fire Ant:
- Modified /etc/rc.local.d/local.sh and autobackup.bin for boot persistence.
- Bypassed ACLs using netsh portproxy commands on admin workstations.
- Exposed internal VMs to public networks via dual NIC configurations.
- Exploited IPv6 tunnel routes to bypass IPv4-based firewall rules.
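The hypervisor-level persistence and anti-forensics described above (unsigned VIBs, a stopped vmsyslogd, and commands added to /etc/rc.local.d/local.sh) can be baselined with simple host checks. The script below is an added example, not Sygnia's tooling; it runs over constructed sample data standing in for `esxcli software vib list` output, the local.sh file and a process list, and the paths and names in the samples are invented.

```python
# Constructed sample of `esxcli software vib list` output (not real data).
VIB_LIST = """\
Name       Version          Vendor  Acceptance Level    Install Date
---------  ---------------  ------  ------------------  ------------
esx-base   7.0.3-0.0.12345  VMware  VMwareCertified     2024-01-10
net-tools  1.0-1            ACME    CommunitySupported  2025-03-02
"""

# Constructed sample of a tampered /etc/rc.local.d/local.sh (not real data);
# a stock file holds only the shebang, comments and 'exit 0'.
LOCAL_SH = """\
#!/bin/sh
# local configuration options
/bin/python /scratch/.svc/daemon.py &
exit 0
"""

# Constructed process names; vmsyslogd is absent on purpose.
PROCESSES = ["hostd", "vpxa", "rhttpproxy", "python"]


def suspicious_vibs(listing: str) -> list[str]:
    """Return names of VIBs at the CommunitySupported acceptance level.
    Such VIBs carry no VMware or partner signature and can only be installed
    after the host acceptance level is lowered, so each one needs review."""
    names = []
    for line in listing.splitlines()[2:]:  # skip header and separator rows
        cols = line.split()  # data rows contain no spaces inside a column
        if len(cols) >= 4 and cols[3] == "CommunitySupported":
            names.append(cols[0])
    return names


def local_sh_commands(script: str) -> list[str]:
    """Return executable lines in local.sh beyond the stock 'exit 0'."""
    cmds = []
    for line in script.splitlines():
        s = line.strip()
        if s and not s.startswith("#") and s != "exit 0":
            cmds.append(s)
    return cmds


def syslog_daemon_missing(processes: list[str]) -> bool:
    """True when vmsyslogd is not running, i.e. host logging was stopped."""
    return "vmsyslogd" not in processes


if __name__ == "__main__":
    print("VIBs to review:", suspicious_vibs(VIB_LIST))
    print("local.sh commands:", local_sh_commands(LOCAL_SH))
    print("vmsyslogd missing:", syslog_daemon_missing(PROCESSES))
```

Any hit from these checks is a lead for review rather than proof of compromise; compare against a known-good host build before acting.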
“By embedding tunnels within critical infrastructure… Fire Ant created multiple redundant bridges between isolated networks,” the report notes.
What makes Fire Ant particularly formidable is its adaptive counter-response strategy. When defenders acted:
- The attacker rotated toolsets, renamed payloads, and even impersonated forensic tools to remain stealthy.
- They analyzed defender logs, altered execution chains, and rapidly re-infected cleaned systems.
“The threat actor investigated the response itself, reviewing logs, examining forensic tools… impersonating the identified forensic tools,” the report warns.
While Sygnia stops short of definitive attribution, the tactics, techniques, and tooling observed bear resemblance to those used by UNC3886, a China-linked APT group previously reported by Google Cloud Threat Intelligence.
Notably, active hours, command syntax, and keyboard input patterns suggest Chinese-language locales, adding weight to attribution hypotheses.