Ethical Hacking News

A Stealthy Cyberespionage Operation: The China-linked Group Fire Ant's Exploitation of VMware and F5 Flaws



According to a new report from cybersecurity firm Sygnia, a China-linked cyberespionage group tracked as Fire Ant has been exploiting vulnerabilities in VMware and F5 products since early 2025. The attackers chained several flaws into layered attack chains to reach restricted network segments that were believed to be isolated, showing a high degree of persistence and operational flexibility. The report details how Fire Ant's stealthy attack chains and purpose-built tooling let the group reach systems that were assumed to be well protected.

  • Fire Ant has exploited vulnerabilities in VMware and F5 products since early 2025.
  • The attackers gained deep control over VMware ESXi and vCenter servers, using unauthenticated host-to-guest command execution and credential theft.
  • Fire Ant adapted to containment efforts by switching toolsets, deploying persistent backdoors, and manipulating network configuration.
  • The group exploited the critical vCenter Server vulnerability CVE-2023-34048 and then moved onto the ESXi hosts to deploy persistent backdoors and control the virtualization management layer.
  • The attackers disabled security tools and extracted credentials from memory snapshots of virtual machines, including domain controllers.
  • Fire Ant achieved full-stack compromise by maintaining covert access to guest operating systems through the hypervisor and bypassing segmentation through trusted systems.



    A new report by cybersecurity firm Sygnia attributes the activity to Fire Ant, a China-linked cyberespionage group, and finds that it has been exploiting vulnerabilities in VMware and F5 software since early 2025 to quietly breach systems that were considered secure. The attackers used layered attack chains to reach restricted networks thought to be isolated, demonstrating a high degree of persistence and operational maneuverability.

    Fire Ant gained deep control over VMware ESXi and vCenter servers, using unauthenticated host-to-guest commands and credential theft to reach guest environments. The group bypassed network segmentation by compromising network appliances and tunneling through legitimate paths. As containment efforts evolved, Fire Ant adapted by changing its toolset, deploying persistent backdoors, and manipulating network configuration.

    In some cases, the attack chain started with exploitation of the critical vCenter Server vulnerability CVE-2023-34048, an out-of-bounds write in vCenter's implementation of the DCERPC protocol that gives an attacker with network access unauthenticated remote code execution and control over the virtualization management layer. After compromising vCenter, Fire Ant moved laterally to the ESXi hosts using stolen vpxuser credentials and deployed persistent backdoors there. With control of the hypervisor, the group reached into guest VMs by exploiting CVE-2023-20867, an authentication bypass in VMware Tools that lets a compromised ESXi host run commands inside a guest without guest credentials.

    The attackers also disabled security tools and extracted credentials from memory snapshots, including those of domain controllers. “As ‘vpxuser’ is used by vCenter for core management tasks, it is exempt from lockdown mode restrictions. This allowed the threat actor to retain host-level access even when direct logins were disabled, gaining control over all connected ESXi hosts,” the report continues.
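
    The lockdown-mode point above suggests a concrete hunt: lockdown mode blocks direct logins to an ESXi host but not vpxuser, so a vpxuser session whose source address is not the vCenter Server is a strong sign that the account has been reused from somewhere else. The script below is an added example, not code from the Sygnia report or from VMware. It parses constructed hostd.log and auth.log lines (the line shapes are assumed from ESXi 7/8 and should be checked against your build; the addresses and event numbers are made up), flags vpxuser logins from non-vCenter sources, and flags SSH logins from sources outside an allow-list, since SSH is often re-enabled by an intruder who already holds host credentials.

```python
import re
from dataclasses import dataclass

# Regex for hostd login events, e.g. "... User vpxuser@10.20.0.5 logged in as ...".
# The line shape is assumed from ESXi hostd.log; verify it against your build.
HOSTD_LOGIN = re.compile(
    r"^(?P<ts>\S+).*?User (?P<user>[^@\s]+)@(?P<src>[0-9A-Fa-f:.]+) logged in"
)
# Regex for accepted SSH sessions in ESXi /var/log/auth.log (assumed format).
SSH_LOGIN = re.compile(
    r"^(?P<ts>\S+).*?sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>[0-9A-Fa-f:.]+)"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    src: str
    reason: str


def hunt_esxi_logins(lines, vcenter_ips, allowed_ssh_sources=()):
    """Flag vpxuser sessions that did not originate from vCenter, and SSH
    logins from sources not on the allow-list. Both get around what lockdown
    mode is meant to prevent: vpxuser is exempt from it, and SSH only works
    when someone with host access has turned it on."""
    findings = []
    for line in lines:
        m = HOSTD_LOGIN.search(line)
        if m:
            if m["user"] == "vpxuser" and m["src"] not in vcenter_ips:
                findings.append(Finding(m["ts"], m["user"], m["src"],
                                        "vpxuser session not from vCenter"))
            continue
        m = SSH_LOGIN.search(line)
        if m and m["src"] not in allowed_ssh_sources:
            findings.append(Finding(m["ts"], m["user"], m["src"],
                                    "SSH login from unapproved source"))
    return findings


# Constructed sample lines (not from any real incident). 10.20.0.5 plays vCenter;
# 10.50.7.33 plays a workstation the intruder controls.
SAMPLE_LOG = [
    "2025-03-04T08:12:01.511Z info hostd[2098765] [Originator@6876 sub=Vimsvc.ha-eventmgr] "
    "Event 4410 : User vpxuser@10.20.0.5 logged in as VMware-client/8.0.2",
    "2025-03-04T08:14:37.102Z info hostd[2098765] [Originator@6876 sub=Vimsvc.ha-eventmgr] "
    "Event 4411 : User vpxuser@10.50.7.33 logged in as pyvmomi Python/3.11",
    "2025-03-04T08:15:02Z sshd[2101200]: Accepted keyboard-interactive/pam for root "
    "from 10.50.7.33 port 50212 ssh2",
    "2025-03-04T08:16:40.000Z info hostd[2098765] [Originator@6876 sub=Vimsvc.ha-eventmgr] "
    "Event 4412 : User root@10.20.0.90 logged in as VMware Host Client",
]

VCENTER_IPS = {"10.20.0.5"}

if __name__ == "__main__":
    for f in hunt_esxi_logins(SAMPLE_LOG, VCENTER_IPS):
        print(f"{f.ts} {f.user}@{f.src}: {f.reason}")
```

    Run against real hosts, feed it the vCenter's actual addresses (including any IPv6 address it uses to manage hosts) and the jump hosts that are allowed to open SSH sessions; anything else that authenticates as vpxuser is worth pulling the vCenter's own logs for, because the legitimate vpxuser password never leaves the vCenter appliance.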

    The backdoor was deployed immediately after a remote login event and remained active across system reboots. Fire Ant achieved full-stack compromise, maintaining covert access to guest operating systems via the hypervisor and bypassing segmentation through trusted systems. The group also compromised F5 load balancers by exploiting CVE-2022-1388, an authentication bypass in the iControl REST API.

    An unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses can exploit CVE-2022-1388 to execute arbitrary system commands, create or delete files, or disable services. Fire Ant used the flaw to deploy a staging webshell at /usr/local/www/xui/common/css/css.php.
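
    One check a responder can run on a BIG-IP right away follows from that path: the static-asset directories under the GUI document root should contain no server-side scripts at all, so a .php file under css/ is a finding whatever it is called. The script below is an added example, not code from the report or from F5. It builds a constructed stand-in for /usr/local/www/xui in a temporary directory, plants a placeholder css.php, and runs the scan, which also flags any asset newer than a baseline timestamp such as the last sanctioned upgrade. Treating those directories as script-free, and the list of directories and suffixes, are this example's assumptions.

```python
import os
import tempfile
import time
from pathlib import Path

# Subdirectories of the BIG-IP GUI document root (/usr/local/www/xui) that should
# only hold static assets. common/css is where the report places the staging
# webshell; the "no scripts here" rule and the suffix list are our assumptions.
STATIC_DIRS = ("common/css", "common/js", "common/images")
SCRIPT_SUFFIXES = {".php", ".phtml", ".sh", ".py", ".pl"}


def scan_webroot(webroot, baseline_mtime=None):
    """Return paths (relative to webroot) that look out of place: script files
    inside static-asset directories, plus any file there that is newer than
    baseline_mtime (for example the epoch time of the last sanctioned upgrade)."""
    webroot = Path(webroot)
    hits = set()
    for rel in STATIC_DIRS:
        d = webroot / rel
        if not d.is_dir():
            continue
        for p in d.rglob("*"):
            if not p.is_file():
                continue
            if p.suffix.lower() in SCRIPT_SUFFIXES:
                hits.add(str(p.relative_to(webroot)))
            elif baseline_mtime is not None and p.stat().st_mtime > baseline_mtime:
                hits.add(str(p.relative_to(webroot)))
    return sorted(hits)


def build_demo_tree(base):
    """Constructed stand-in for /usr/local/www/xui: two legitimate assets dated
    90 days back and a planted css.php (placeholder content, not a real shell)."""
    base = Path(base)
    (base / "common/css").mkdir(parents=True)
    (base / "common/js").mkdir(parents=True)
    old = time.time() - 90 * 86400
    for rel, body in (("common/css/style.css", "body{}"), ("common/js/app.js", "//")):
        f = base / rel
        f.write_text(body)
        os.utime(f, (old, old))
    (base / "common/css/css.php").write_text("<?php /* placeholder */ ?>")
    return base


def demo(extra_recent_file=None):
    """Build the demo tree, optionally drop in one more freshly written file,
    and scan it with a baseline of 30 days ago."""
    with tempfile.TemporaryDirectory() as tmp:
        base = build_demo_tree(tmp)
        if extra_recent_file:
            (base / extra_recent_file).write_text("x")
        upgrade_time = time.time() - 30 * 86400
        return scan_webroot(base, baseline_mtime=upgrade_time)


if __name__ == "__main__":
    print(demo())
    # On a real appliance: scan_webroot("/usr/local/www/xui", <epoch of last upgrade>)
```

    A hit on the mtime rule without a script suffix still deserves a look: a modified .js or .css file in the management GUI is one way to keep a foothold after the obvious shell has been removed, and a clean result only says the document root is clean, not that the box is.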

    The report shows how far groups like Fire Ant will go to reach systems that are supposed to be hard to access: rather than attacking guest operating systems head-on, the group worked from the layers underneath and beside them, the hypervisor, the management plane, and the network appliances, where endpoint security agents do not run and where a foothold gives access to everything above it.

    Stealthy attack chains and purpose-built tooling of this kind make two things essential. The first is patching: all of the flaws named here (CVE-2022-1388, CVE-2023-20867, and CVE-2023-34048) had fixes available well before the 2025 activity began. The second is incident response that reaches those layers: vCenter, ESXi, and appliance logs need to be collected and reviewed centrally, because an intruder who holds the hypervisor can act on guests without leaving traces inside them.

    Organizations should treat the virtualization management plane and network appliances as high-value targets in their own right, restrict which networks and accounts can reach their management interfaces, and monitor them with the same priority given to the workloads they host.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/A-Stealthy-Cyberespionage-Operation-The-China-linked-Group-Fire-Ants-Exploitation-of-VMware-and-F5-Flaws-ehn.shtml

  • Published: Mon Jul 28 05:20:43 2025 by llama3.2 3B Q4_K_M












