

Ethical Hacking News

A Year Before Disclosure: Elusive VMware ESXi Zero-Days Exposed by Huntress



Chinese-speaking threat actors likely exploited three VMware ESXi vulnerabilities, which Broadcom disclosed as zero-days in March 2025, in attacks from December 2025. According to Huntress, the attackers used a virtual machine (VM) escape that appears to chain these three flaws. The initial entry vector was reportedly a compromised SonicWall VPN appliance, and the researchers found evidence that the exploit toolkit was developed more than a year before the targeted vulnerabilities became publicly known.

The attackers' use of the exploit toolkit seemed to be part of a modular approach, where they separated the post-exploitation tools from the exploits. This allowed them to reuse the same infrastructure and switch to new vulnerabilities as needed. The researchers at Huntress believe that this approach is likely used by threat actors to avoid detection and stay one step ahead of security measures.

The case underlines the value of timely patching and of host-level monitoring on the guests that sit on ESXi: Huntress advises organizations to apply the latest ESXi security updates and to deploy its published YARA and Sigma rules to catch this tooling early.

  • Chinese-speaking threat actors likely exploited VMware ESXi zero-days since February 2024.
  • The attacks used a sophisticated virtual machine escape exploiting three VMware vulnerabilities, two with critical severity scores.
  • The initial entry vector was a compromised SonicWall VPN appliance, which gave the attackers a path to domain controllers; data was staged for exfiltration over RDP.
  • An exploit toolkit was used, which included tools like MAESTRO, MyDriver.sys, VSOCKpuppet, and GetShell Plugin.
  • The toolkit allowed attackers to disable VMware VMCI devices, load an unsigned driver via KDU, monitor exploit success, and restore the original drivers afterward.
  • Organizations should apply the latest ESXi security updates and use YARA and Sigma rules for early detection.



VMware ESXi zero-days that only became publicly known in 2025 have likely been exploited by Chinese-speaking threat actors since at least February 2024. According to the latest analysis from managed security company Huntress, the attackers used a sophisticated virtual machine (VM) escape that seemed to exploit three VMware vulnerabilities, two of which received critical severity scores, in their attacks.

The initial entry vector for the attacks was reportedly a compromised SonicWall VPN appliance. From there the attackers reached domain controllers and staged data for exfiltration over RDP. The researchers at Huntress found that the attackers used an exploit toolkit that appears to have been developed more than a year before the targeted vulnerabilities became publicly known.

The exploit toolkit involved several components, including MAESTRO (exploit.exe), MyDriver.sys, VSOCKpuppet, and GetShell Plugin. Together these tools let the attackers disable VMware VMCI devices in the guest, load an unsigned exploit driver via KDU (Kernel Driver Utility), monitor whether the exploit succeeded, and restore the original drivers afterward. The researchers also found a component named "client.exe," which used Windows VSOCK to connect from a guest VM to the compromised ESXi host and interact with the VSOCKpuppet backdoor running there.


Despite their confidence in identifying the exploit toolkit, the researchers could not confirm with certainty that it targets exactly the three vulnerabilities Broadcom described in its original bulletin (CVE-2025-22224 in VMCI, CVE-2025-22225 in ESXi, and CVE-2025-22226 in HGFS). They are, however, moderately confident, based on the behavior of the exploit's components: an HGFS information leak, VMCI memory corruption, and shellcode that escapes from the VMX process into the ESXi kernel, which lines up with the three disclosed flaws.

    The researchers at Huntress recommend that organizations apply the latest ESXi security updates and use the provided YARA and Sigma rules for early detection. They also note that SonicWall has warned of a new SMA1000 zero-day exploited in attacks, further emphasizing the need for timely patching and monitoring.
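The guest-side sequence described above (disable the VMCI device, load an unsigned driver via KDU, run the exploit, restore the driver) is the kind of pattern a Sigma-style rule can key on, and it is what the detection advice here is aiming at. The Python below is an added example written for this page; it is not Huntress's published YARA or Sigma rules and not code from the toolkit. It correlates constructed Sysmon-like events per host: any unsigned driver load is flagged, and the finding is raised to high severity when a VMCI device disable precedes it within a time window and a re-enable follows. The event shape, the hostnames, the use of pnputil as the disable mechanism, and the PCI identifier 15AD:0740 for the VMCI device are assumptions; the page does not say how the toolkit disabled the device.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not Huntress data). Shape loosely follows Sysmon:
# EID 1 = process creation, EID 6 = driver load. Timestamps are ISO-8601.
SAMPLE_EVENTS = [
    {"ts": "2025-12-03T10:01:05", "host": "VM-FIN01", "eid": 1,
     "image": r"C:\Windows\System32\pnputil.exe",
     "cmdline": r'pnputil /disable-device "PCI\VEN_15AD&DEV_0740"'},
    {"ts": "2025-12-03T10:01:40", "host": "VM-FIN01", "eid": 6,
     "image": r"C:\Users\Public\MyDriver.sys", "signed": False},
    {"ts": "2025-12-03T10:07:10", "host": "VM-FIN01", "eid": 1,
     "image": r"C:\Windows\System32\pnputil.exe",
     "cmdline": r'pnputil /enable-device "PCI\VEN_15AD&DEV_0740"'},
    # Benign: VMware's own signed VMCI driver loading on another guest.
    {"ts": "2025-12-03T10:02:00", "host": "VM-HR02", "eid": 6,
     "image": r"C:\Windows\System32\drivers\vmci.sys", "signed": True},
    # Unsigned driver load with no VMCI tampering around it: still worth a look, lower confidence.
    {"ts": "2025-12-03T11:30:00", "host": "VM-DEV03", "eid": 6,
     "image": r"C:\Temp\test.sys", "signed": False},
]

# Assumption: PCI 15AD:0740 is VMware's VMCI device; also match on the plain word "vmci".
VMCI_MARKERS = ("VEN_15AD&DEV_0740", "vmci")
WINDOW = timedelta(minutes=15)   # how far apart the disable / load / restore steps may be


def _ts(ev):
    return datetime.fromisoformat(ev["ts"])


def _mentions_vmci(cmd):
    cmd = cmd.lower()
    return any(m.lower() in cmd for m in VMCI_MARKERS)


def is_vmci_disable(ev):
    cmd = ev.get("cmdline", "")
    return ev["eid"] == 1 and "disable-device" in cmd.lower() and _mentions_vmci(cmd)


def is_vmci_enable(ev):
    cmd = ev.get("cmdline", "")
    return ev["eid"] == 1 and "enable-device" in cmd.lower() and _mentions_vmci(cmd)


def is_unsigned_driver_load(ev):
    # Sysmon EID 6 carries the signature status; treat a missing field as signed to avoid noise.
    return ev["eid"] == 6 and not ev.get("signed", True)


def correlate(events, window=WINDOW):
    """Return one finding per unsigned driver load, enriched with the VMCI disable/restore context."""
    by_host = {}
    for ev in events:
        by_host.setdefault(ev["host"], []).append(ev)

    findings = []
    for host, evs in by_host.items():
        evs.sort(key=_ts)
        for load in filter(is_unsigned_driver_load, evs):
            t = _ts(load)
            disabled = any(is_vmci_disable(e) and t - window <= _ts(e) <= t for e in evs)
            restored = any(is_vmci_enable(e) and t <= _ts(e) <= t + window for e in evs)
            findings.append({
                "host": host,
                "driver": load["image"],
                "vmci_disabled_before": disabled,
                "vmci_restored_after": restored,
                # The disable-then-load pairing is the strong signal; restore is corroboration.
                "severity": "high" if disabled else "medium",
            })
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

Run stand-alone it prints two findings: a high-severity one for VM-FIN01, where the VMCI disable and the later re-enable bracket the unsigned MyDriver.sys load, and a medium one for VM-DEV03, where only the unsigned load is seen. The signed vmci.sys load on VM-HR02 is not reported. In production the same logic maps onto a Sigma correlation rule keyed on the host, with the window tuned to how long the exploit takes on the targeted hardware.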

In conclusion, exploitation of these ESXi vulnerabilities appears to be more extensive than first thought: the toolkit's build history points to use since at least February 2024, more than a year before disclosure, and its modular design let the operators swap in new exploits while keeping their post-exploitation tooling and infrastructure unchanged.



Related Information:
  • https://www.ethicalhackingnews.com/articles/A-Year-Before-Disclosure-Elusive-VMware-ESXi-Zero-Days-Exposed-by-Huntress-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/vmware-esxi-zero-days-likely-exploited-a-year-before-disclosure/



  • Published: Thu Jan 8 15:36:23 2026 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.