Fire Ant Hacking Group Exploits VMware Environments Through vCenter and ESXi Vulnerabilities

25.07.2025 2 minutes Author: Newsman

Fire Ant, a hacking group affiliated with Chinese cyber intelligence group UNC3886, is conducting a large-scale cyber espionage campaign, having already compromised hundreds of VMware ESXi hypervisors and vCenter servers. The attacks are based on known vulnerabilities, including CVE-2023-34048 and CVE-2023-20867, and the goal is to gain long-term covert access to critical infrastructure of organizations.

According to a report by Sygnia, Fire Ant attacks demonstrate exceptional technical complexity and resistance to detection. After the initial breach, the attackers obtained the credentials of the system account vpxuser, which allowed them to move between ESXi hosts and virtual machines, bypassing network segmentation.

To maintain access, backdoors from the VIRTUALPITA family were installed, as well as a Python implant autobackup.bin, capable of executing commands in the background. In addition, the V2Ray framework was used to tunnel traffic from guest OSes, unregistered virtual machines were created, network configuration was changed, and logs on ESXi were deleted by terminating the vmsyslogd process, which almost completely destroyed traces of the hack.

In some cases, the attackers renamed their malicious files after legitimate analysis tools, so that they passed for system or forensic programs.

Fire Ant is an advanced persistent threat (APT) unit closely related to UNC3886, which has previously carried out attacks on edge devices and virtualization systems. The CVE-2023-34048 vulnerability was first used by them as a zero-day long before its public patch by Broadcom in October 2023. In July 2025, the Singapore government officially accused UNC3886 of cyberattacks on critical infrastructure. In response, the Chinese embassy called the claims baseless, but technical evidence points to deep penetration of internal networks using sophisticated multi-layered attack chains.

The Fire Ant attack is a striking example of a new wave of malicious campaigns that target not ordinary workstations, but the core of the virtualization infrastructure. Traditional EDR and SIEM solutions often do not cover ESXi and vCenter, making them ideal targets for long-term persistence with minimal risk of detection. The incident highlights the need for deep visibility at the hypervisor level, regular auditing of infrastructure components, and timely patching of known vulnerabilities.
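As an added illustration of the hypervisor-level auditing recommended above (example code written for this article, not taken from Sygnia's report or from VMware tooling), the script below checks two of the indicators described in the campaign: virtual machines present on a datastore but absent from the host inventory, and a missing vmsyslogd process. It works on text an administrator would collect from an ESXi host with `vim-cmd vmsvc/getallvms`, `find /vmfs/volumes -name '*.vmx'` and a process listing; the sample outputs embedded in the script are constructed and only approximate the real layout, and the path normalisation assumes VM directory names are unique on the host.

```python
"""Offline audit of ESXi indicators described in the article (added example).

Flags:
  * .vmx files on datastores that are not in the registered inventory
    (the "unregistered virtual machines" the report mentions)
  * absence of the vmsyslogd process (the report describes log destruction
    by terminating it)
Command names are real ESXi commands; the sample outputs are constructed.
"""
import re
from dataclasses import dataclass, field

# Constructed sample of `vim-cmd vmsvc/getallvms` output (layout approximated).
SAMPLE_GETALLVMS = """\
Vmid   Name    File                          Guest OS                Version
1      web01   [datastore1] web01/web01.vmx  centos7_64Guest         vmx-19
2      db01    [datastore1] db01/db01.vmx    windows9Server64Guest   vmx-19
"""

# Constructed sample of `find /vmfs/volumes -name '*.vmx'` output.
SAMPLE_FIND = """\
/vmfs/volumes/datastore1/web01/web01.vmx
/vmfs/volumes/datastore1/db01/db01.vmx
/vmfs/volumes/datastore1/.backup/srv-mgmt.vmx
"""

# Constructed process listings: one healthy, one where vmsyslogd was killed.
SAMPLE_PS_HEALTHY = "2097 hostd\n2102 /usr/lib/vmware/vmsyslog/bin/vmsyslogd\n2110 vpxa\n"
SAMPLE_PS_TAMPERED = "2097 hostd\n2110 vpxa\n"


@dataclass
class AuditResult:
    unregistered_vmx: list = field(default_factory=list)
    syslog_running: bool = False

    def findings(self):
        """Human-readable list of what the audit flagged."""
        out = [f"unregistered VM config: {p}" for p in self.unregistered_vmx]
        if not self.syslog_running:
            out.append("vmsyslogd not running: host logs are not being written")
        return out


def vmx_key(path):
    """Reduce a .vmx path to '<dir>/<file>.vmx' so the inventory form
    '[ds] dir/file.vmx' and the find form '/vmfs/volumes/ds/dir/file.vmx'
    compare equal. Assumption: VM directory names are unique on the host."""
    parts = path.strip().split("/")
    return "/".join(parts[-2:])


def parse_getallvms(text):
    """Set of normalised .vmx keys for every VM registered on the host."""
    keys = set()
    for line in text.splitlines():
        # Data rows start with a numeric Vmid; the header row does not.
        m = re.match(r"\s*\d+\s+\S+\s+\[[^\]]+\]\s+(\S+\.vmx)", line)
        if m:
            keys.add(vmx_key(m.group(1)))
    return keys


def parse_find(text):
    """Set of normalised .vmx keys for every VM config file found on disk."""
    return {vmx_key(l) for l in text.splitlines() if l.strip().endswith(".vmx")}


def syslog_running(ps_text):
    """True if any process in the listing is vmsyslogd (by name or full path)."""
    return any(
        tok.endswith("vmsyslogd") for line in ps_text.splitlines() for tok in line.split()
    )


def audit(getallvms_text, find_text, ps_text):
    """Compare on-disk VM configs with the inventory and check the syslog daemon."""
    registered = parse_getallvms(getallvms_text)
    on_disk = parse_find(find_text)
    return AuditResult(
        unregistered_vmx=sorted(on_disk - registered),
        syslog_running=syslog_running(ps_text),
    )


if __name__ == "__main__":
    for label, ps in (("healthy", SAMPLE_PS_HEALTHY), ("tampered", SAMPLE_PS_TAMPERED)):
        print(f"--- {label} host ---")
        for finding in audit(SAMPLE_GETALLVMS, SAMPLE_FIND, ps).findings():
            print("  ", finding)
```

An unregistered .vmx in a hidden directory or a host whose syslog daemon has silently stopped are both conditions an EDR agent on the guests would never see, which is why the check has to run against the hypervisor itself; in practice the same comparison can be driven from collected host output on a schedule and fed into the SIEM as an alert.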
