Ethical Hacking News
Chinese-speaking hackers exploited VMware ESXi zero-days more than a year before public disclosure, using a hacked SonicWall VPN to deploy an exploit toolkit targeting ESXi. The attack demonstrates sophisticated VM escape techniques and highlights the ongoing threat posed by nation-state actors with access to unpatched vulnerabilities.
Cybersecurity researchers at Huntress uncovered evidence of sophisticated hacking techniques used by Chinese-speaking attackers. The attackers exploited VMware ESXi zero-days more than a year before public disclosure, using a hacked SonicWall VPN to deploy an exploit toolkit. The attack demonstrated a sophisticated VM escape mechanism, allowing the attackers to gain full control of the hypervisor from within a guest VM. The development timeline suggests that this exploit potentially existed as a zero-day for over a year before VMware's public disclosure. The attack highlights the persistent threat posed by well-resourced actors with access to unpatched vulnerabilities. The discovery underscores the need for timely patching and vulnerability management, as well as monitoring and detecting advanced threats.
In a recent discovery, cybersecurity researchers at Huntress uncovered evidence of sophisticated hacking techniques employed by Chinese-speaking attackers, who exploited VMware ESXi zero-days more than a year before public disclosure. The attack involved the use of a hacked SonicWall VPN to deploy an exploit toolkit targeting ESXi, which was likely developed with early access to unpatched vulnerabilities.
The exploit chain included a complex multi-stage attack that demonstrated a sophisticated VM escape mechanism, allowing the attackers to gain full control of the hypervisor from within a guest VM. The use of this exploit toolkit suggests that the attackers had a well-resourced and organized operation, with evidence pointing to a well-funded developer likely operating in a Chinese-speaking region.
The development timeline revealed in the PDB paths indicates that this exploit potentially existed as a zero-day for over a year before VMware's public disclosure, which highlights the persistent threat posed by well-resourced actors with access to unpatched vulnerabilities. The attackers' ability to develop and deploy the exploit toolkit suggests a high level of technical sophistication, while the simplified Chinese strings and build paths in the binaries point to the developer's likely language region.
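The article refers to PDB (debug symbol) paths and simplified Chinese strings as the evidence behind the timeline and attribution. The following is an added example of how an analyst extracts exactly that kind of evidence from a suspect binary; it is not Huntress's tooling or code from the report. It scans a byte buffer for the CodeView "RSDS" debug record that Windows-built binaries carry (signature, 16-byte GUID, 4-byte age, NUL-terminated PDB path), pulls date-like tokens out of the path as a build-timeline hint, and looks for runs of CJK ideographs in UTF-8 and UTF-16LE. The sample buffer, its GUID, PDB path and strings are constructed placeholders, not values from the report.

```python
import re
import struct
from typing import Dict, List, Tuple

# CodeView "RSDS" (PDB 7.0) debug record as embedded in PE files:
#   "RSDS" | GUID (16 bytes, mixed-endian) | age (uint32 LE) | NUL-terminated PDB path
RSDS_RE = re.compile(rb"RSDS(.{16})(.{4})([\x20-\x7e]{1,260})\x00", re.DOTALL)

# CJK Unified Ideographs. This block covers both simplified and traditional
# characters; telling them apart needs a character table that this heuristic omits.
# A minimum run of 3 keeps random byte pairs decoded as UTF-16 from matching.
CJK_RE = re.compile(r"[\u4e00-\u9fff]{3,}")

# Date-like tokens (YYYY-MM or YYYY-MM-DD with -, _, . or no separator) that
# developers often leave in build directory names. Heuristic only.
DATE_RE = re.compile(
    r"(?<!\d)20\d{2}[-_.]?(?:0[1-9]|1[0-2])(?:[-_.]?(?:0[1-9]|[12]\d|3[01]))?(?!\d)"
)


def find_pdb_paths(data: bytes) -> List[Dict[str, object]]:
    """Return every RSDS record in the buffer with its GUID, age, path and date hints."""
    records = []
    for m in RSDS_RE.finditer(data):
        guid_raw, age_raw, path_raw = m.groups()
        # First three GUID fields are little-endian, the last eight bytes are not.
        d1, d2, d3 = struct.unpack("<IHH", guid_raw[:8])
        guid = f"{d1:08x}-{d2:04x}-{d3:04x}-{guid_raw[8:10].hex()}-{guid_raw[10:16].hex()}"
        path = path_raw.decode("ascii")
        records.append({
            "offset": m.start(),
            "guid": guid,
            "age": struct.unpack("<I", age_raw)[0],
            "path": path,
            "date_hints": [d.group(0) for d in DATE_RE.finditer(path)],
        })
    return records


def find_cjk_strings(data: bytes) -> List[Tuple[str, str]]:
    """Find runs of CJK ideographs encoded as UTF-8 or UTF-16LE.

    UTF-16 strings are not guaranteed to start on an even offset, so both byte
    alignments are decoded.
    """
    views = [
        ("utf-8", data.decode("utf-8", errors="ignore")),
        ("utf-16-le", data.decode("utf-16-le", errors="ignore")),
        ("utf-16-le", data[1:].decode("utf-16-le", errors="ignore")),
    ]
    hits: List[Tuple[str, str]] = []
    for enc, text in views:
        for m in CJK_RE.finditer(text):
            if (enc, m.group()) not in hits:
                hits.append((enc, m.group()))
    return hits


def triage(data: bytes) -> Dict[str, object]:
    """Collect the build-path and language indicators from one binary image."""
    return {"pdb": find_pdb_paths(data), "cjk_strings": find_cjk_strings(data)}


# Constructed sample mimicking a fragment of a driver's debug directory followed by
# resource strings. Every value here is a placeholder, not an indicator from the report.
SAMPLE = (
    b"\x00" * 8
    + b"RSDS"
    + bytes(range(16))                                  # placeholder GUID bytes
    + struct.pack("<I", 7)                              # age
    + b"D:\\work\\2023-11\\loader\\build\\driver.pdb\x00"  # placeholder PDB path
    + b"\x00" * 5                                       # forces an odd UTF-16 offset
    + "加载驱动失败".encode("utf-16-le")                  # placeholder UTF-16LE message
    + b"\x00\x00"
    + "测试字符串".encode("utf-8")                        # placeholder UTF-8 string
)


if __name__ == "__main__":
    # On a real sample: triage(open(path, "rb").read())
    for key, value in triage(SAMPLE).items():
        print(key, value)
```

The date hint only reflects what the developer left in the directory name; corroborate it with the PE timestamp and the age/GUID pair, which change with every build and let you order samples from the same project. A CJK run by itself says something about the build environment, not about who operated the tool.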
The attack was ultimately stopped before impact, but the discovery serves as a reminder of the ongoing threat posed by sophisticated nation-state actors and the importance of timely patching and vulnerability management. The fact that the attackers had early knowledge of three ESXi zero-day vulnerabilities later revealed in March 2025 indicates long-term, covert exploitation of unknown flaws.
The use of an orchestrator called MAESTRO to manage a full VMware ESXi VM escape is particularly noteworthy, as it demonstrates a high level of sophistication and control over the attack. The driver used in the exploit chain abuses HGFS and VMCI flaws, writes shellcode into the VMX process, and escapes to the ESXi kernel. It then deploys a stealthy VSOCK-based backdoor (VSOCKpuppet), enabling persistent remote control of the hypervisor from guest VMs while evading traditional network monitoring and restoring drivers to reduce detection.
The Huntress researchers found evidence that the exploit chain may have been used since at least February 2024, suggesting that the attackers had a long-term operation with access to unpatched vulnerabilities. The discovery highlights the need for timely patching and vulnerability management, as well as the importance of monitoring and detecting advanced threats.
In conclusion, the Huntress discovery highlights the ongoing threat posed by sophisticated nation-state actors and the importance of timely patching and vulnerability management. Deploying an ESXi exploit toolkit through a hacked SonicWall VPN shows a high level of technical sophistication and control over the intrusion, and the long-running operation built on unpatched vulnerabilities underscores the need for vigilance against emerging threats.
Related Information:
https://www.ethicalhackingnews.com/articles/Chinese-speaking-Hackers-Exploited-ESXi-Zero-Days-Long-Before-Disclosure-ehn.shtml
https://securityaffairs.com/186709/hacking/chinese-speaking-hackers-exploited-esxi-zero-days-long-before-disclosure.html
Published: Thu Jan 8 19:04:25 2026 by llama3.2 3B Q4_K_M