A sophisticated cyber-espionage campaign, identified as Fire Ant, has been actively targeting VMware virtualization infrastructures since early 2025. This threat actor employs advanced techniques to compromise VMware ESXi hosts, vCenter servers, and network appliances, effectively evading traditional endpoint security measures. The campaign exhibits significant technical similarities to the previously documented UNC3886 threat group, utilizing critical vulnerabilities and custom malware to establish persistent, stealthy access within organizational networks.
Exploitation of VMware Infrastructure
Fire Ant’s initial attack vector leverages CVE-2023-34048, an out-of-bounds write vulnerability in vCenter Server’s DCERPC protocol implementation, enabling unauthenticated remote code execution. Security researchers have observed suspicious crashes of the ‘vmdird’ process on vCenter servers, indicating exploitation of this critical flaw. Upon successful compromise, the attackers deploy sophisticated tools, including the open-source script vCenter_GenerateLoginCookie.py, to forge authentication cookies and bypass login mechanisms.
The attackers systematically harvest vpxuser credentials—system accounts automatically created by vCenter with full administrative privileges over ESXi hosts. This credential theft facilitates lateral movement across the entire virtualization infrastructure, as vpxuser accounts are exempt from lockdown mode restrictions. Additionally, the threat actors exploit CVE-2023-20867, a VMware Tools vulnerability that permits unauthenticated host-to-guest command execution through PowerCLI’s Invoke-VMScript cmdlet.
Persistence Mechanisms and Evasion Tactics
Fire Ant demonstrates remarkable persistence capabilities through multiple backdoor deployment techniques. The group installs malicious vSphere Installation Bundles (VIBs) with the acceptance level set to ‘partner’, deploying them with the --force flag to bypass signature validation. These unauthorized VIBs contain configuration files referencing binaries in the ‘/bin’ folder and custom scripts embedded in ‘/etc/rc.local.d/’ for startup execution.
Additionally, the attackers deploy a Python-based HTTP backdoor named autobackup.bin that binds to port 8888, providing remote command execution capabilities. This malware modifies ‘/etc/rc.local.d/local.sh’ on ESXi hosts for persistent execution. To further evade detection, Fire Ant terminates the vmsyslogd process, VMware’s native syslog daemon, effectively disabling both local log writing and remote log forwarding.
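As an added illustration (not code from the report or from any vendor tooling), the following Python triage helper checks text already collected from an ESXi host for the persistence indicators just described: VIBs installed at the ‘partner’ or community acceptance level from vendors outside an assumed allow-list, non-default lines in /etc/rc.local.d/local.sh, and a listener on port 8888. The column layouts of the inputs and the vendor allow-list are assumptions, and all sample data is constructed rather than captured from a real host.

```python
"""Added triage helper (not from the report): parses text already collected from an
ESXi host and flags the Fire Ant persistence indicators described above.
All sample inputs are constructed; the column layouts are approximations."""
import re

# Vendors whose PartnerSupported VIBs are expected in this estate (assumed; tune per site).
KNOWN_PARTNER_VENDORS = {"VMW", "DEL", "HPE"}


def suspicious_vibs(vib_list_text):
    """Return (name, vendor, level) for VIBs installed below VMwareAccepted
    from a vendor not on the allow-list (the --force / 'partner' pattern)."""
    hits = []
    for line in vib_list_text.splitlines()[2:]:  # skip header and separator rows
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) < 4:
            continue
        name, _version, vendor, level = cols[:4]
        if level in ("PartnerSupported", "CommunitySupported") and vendor not in KNOWN_PARTNER_VENDORS:
            hits.append((name, vendor, level))
    return hits


def local_sh_additions(local_sh_text):
    """Return every non-comment, non-blank line other than the stock `exit 0`.
    A clean /etc/rc.local.d/local.sh holds only comments and `exit 0`."""
    return [s for s in (ln.strip() for ln in local_sh_text.splitlines())
            if s and not s.startswith("#") and s != "exit 0"]


def listener_on_port(connections_text, port=8888):
    """True if any LISTEN entry in the connection listing is bound to `port`."""
    pat = re.compile(r":%d\b.*\bLISTEN\b" % port)
    return any(pat.search(line) for line in connections_text.splitlines())


# --- constructed sample inputs (not captured from a real host) ---
SAMPLE_VIBS = """\
Name       Version      Vendor  Acceptance Level    Install Date
---------  -----------  ------  ------------------  ------------
esx-base   8.0.2-0.0.1  VMW     VMwareCertified     2025-01-10
net-tool   1.0-1        acme    PartnerSupported    2025-03-02
"""
SAMPLE_LOCAL_SH = "#!/bin/sh\n# local configuration options\n/bin/autobackup.bin &\nexit 0\n"
SAMPLE_CONNS = ("tcp  0  0  0.0.0.0:22    0.0.0.0:0  LISTEN  sshd\n"
                "tcp  0  0  0.0.0.0:8888  0.0.0.0:0  LISTEN  python\n")

if __name__ == "__main__":
    print("VIBs:", suspicious_vibs(SAMPLE_VIBS))
    print("local.sh:", local_sh_additions(SAMPLE_LOCAL_SH))
    print("8888 listener:", listener_on_port(SAMPLE_CONNS))
```

Any hit from these three checks is a reason to pull the host's VIB inventory, local.sh and process list into the investigation, not a conviction on its own.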
Network Manipulation and Lateral Movement
The threat actors exhibit sophisticated network manipulation capabilities by compromising F5 load balancers through CVE-2022-1388 exploitation, deploying webshells to ‘/usr/local/www/xui/common/css/css.php’ for network bridging. They utilize Neo-reGeorg tunneling webshells on internal Java-based web servers and deploy the Medusa rootkit on Linux pivot points for credential harvesting and persistent access.
Fire Ant employs netsh portproxy commands for port forwarding through trusted endpoints, effectively bypassing access control lists and firewall restrictions. The group also exploits IPv6 traffic to circumvent IPv4-focused filtering rules, demonstrating a comprehensive understanding of network protocols and security mechanisms.
Recommendations for Mitigation
Organizations utilizing VMware virtualization products should take immediate action to mitigate the risks associated with the Fire Ant campaign:
1. Apply Security Patches: Ensure all VMware products are updated to the latest versions, addressing vulnerabilities such as CVE-2023-34048 and CVE-2023-20867.
2. Monitor System Logs: Regularly review logs for signs of unauthorized access or unusual activity, paying close attention to crashes of ‘vmdird’ and unexpected termination of ‘vmsyslogd’.
3. Restrict Administrative Access: Limit administrative privileges to essential personnel and implement multi-factor authentication to enhance security.
4. Network Segmentation: Implement strict network segmentation to prevent lateral movement by attackers within the infrastructure.
5. Regular Security Audits: Conduct periodic security assessments to identify and remediate potential vulnerabilities within the virtualization environment.
By proactively addressing these vulnerabilities and implementing robust security measures, organizations can significantly reduce the risk of compromise by sophisticated threat actors like Fire Ant.