A newly uncovered cyber espionage campaign, tracked since early 2025 by Sygnia’s incident response teams and dubbed “Fire Ant,” is targeting enterprise virtualization and networking infrastructure, with attackers breaching organizations via VMware ESXi, vCenter servers, and network appliances.
This ongoing operation features a level of stealth, persistence, and adaptability rarely seen in the wild, with technical fingerprints and toolsets aligning closely to advanced persistent threat group UNC3886.
Investigators attribute Fire Ant’s initial breach vector to the exploitation of critical vulnerabilities, most notably CVE-2023-34048, an out-of-bounds write vulnerability in vCenter’s DCERPC implementation that enables unauthenticated remote code execution.

Once vCenter servers were compromised, attackers quickly pivoted to ESXi hosts using harvested “vpxuser” credentials, deploying a suite of persistent backdoors and rewriting startup scripts to ensure access across reboots.
Malicious vSphere Installation Bundles (VIBs) were installed with forced, unsigned acceptance, and direct modifications of files such as “/etc/rc.local.d/local.sh” allowed Python-based backdoors to run undetected.
Notably, ESXi logging was systematically suppressed via termination of the native syslog daemon, crippling forensic visibility.
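The three host-level traces described above (a modified /etc/rc.local.d/local.sh, VIBs installed below the host's normal acceptance level, and a stopped syslog daemon) can be checked offline from files and command output pulled off a host. The script below is an added illustration, not code from Sygnia's report; it assumes the inputs are the text of local.sh, the output of `esxcli software vib list`, and a process listing, and every sample string in it is constructed.

```python
"""Added example (not from Sygnia's report): offline checks for the three ESXi
persistence traces described in the article, run over constructed samples.

Assumed inputs (not stated on the page): the text of /etc/rc.local.d/local.sh,
the output of `esxcli software vib list`, and a process listing from the host."""

import re

# Constructed sample: a local.sh with an appended loader line. The stock file
# on ESXi contains only comments followed by a final `exit 0`.
SAMPLE_LOCAL_SH = """#!/bin/sh

# local configuration options

# Note: modify at your own risk!  If you do/use this, we may not be able
# to support you.
/bin/python /scratch/.hidden/agent.py &
exit 0
"""

# Constructed sample in the column layout of `esxcli software vib list`.
SAMPLE_VIB_LIST = """Name            Version                              Vendor  Acceptance Level    Install Date
--------------  -----------------------------------  ------  ------------------  ------------
esx-base        8.0.2-0.0.22380479                   VMW     VMwareCertified     2024-01-10
net-tools       1.0-1                                ACME    CommunitySupported  2025-02-03
"""

# Constructed process listing in which the native syslog daemon is absent.
SAMPLE_PS = """  PID  USER     COMMAND
    1  root     init
 2047  root     hostd
 2210  root     vpxa
"""

# Acceptance levels VMware treats as signed/vetted; anything else is a finding.
TRUSTED_LEVELS = {"VMwareCertified", "VMwareAccepted", "PartnerSupported"}


def local_sh_extra_commands(content: str) -> list[str]:
    """Return every executable line other than the trailing `exit 0`.
    The stock local.sh has none, so any hit is a modification to review."""
    hits = []
    for line in content.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):  # blank, comment, shebang
            continue
        if stripped in ("exit 0", "exit"):
            continue
        hits.append(stripped)
    return hits


def low_trust_vibs(vib_list: str) -> list[tuple[str, str]]:
    """Parse `esxcli software vib list` output and return (name, level) for
    each VIB whose acceptance level is outside the trusted set."""
    findings = []
    for line in vib_list.splitlines()[2:]:  # skip header and dashed separator
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) < 4:
            continue
        name, level = cols[0], cols[3]
        if level not in TRUSTED_LEVELS:
            findings.append((name, level))
    return findings


def syslog_daemon_running(ps_output: str) -> bool:
    """True if vmsyslogd, the native ESXi syslog daemon, appears in the listing."""
    return any("vmsyslogd" in line for line in ps_output.splitlines())


def audit(local_sh: str, vib_list: str, ps_output: str) -> dict:
    """Bundle the three checks into one report for a single host."""
    return {
        "local_sh_extra_commands": local_sh_extra_commands(local_sh),
        "low_trust_vibs": low_trust_vibs(vib_list),
        "syslog_running": syslog_daemon_running(ps_output),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOCAL_SH, SAMPLE_VIB_LIST, SAMPLE_PS).items():
        print(f"{key}: {value}")
```

Run against real hosts, the interesting output is any non-empty command list from local.sh, any VIB below PartnerSupported that nobody can account for, and `syslog_running: False` on a host that should be forwarding logs.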
Host-to-Guest Control
With hypervisor control in hand, Fire Ant exploited another flaw, CVE-2023-20867 in VMware Tools, to inject commands from ESXi hosts directly into guest VMs without in-guest credentials or user authentication.

Leveraging PowerCLI and custom-developed ELF binaries to tamper with VMX process memory, the attackers hid their actions behind system binaries like vmtoolsd.exe.
This allowed for credential dumping from snapshot memory files, disabling of endpoint detection and response (EDR) agents, and covert network tunneling using open-source tools such as V2Ray and Neo-reGeorg.
Rogue virtual machines with spoofed MAC addresses were even spun up outside vCenter awareness for ongoing command-and-control operations.
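A VM created directly on a host and hidden from vCenter shows up when the host's own inventory is compared with vCenter's, and a hand-set MAC outside VMware's OUIs stands out in the VM's .vmx file. The script below is an added illustration, not code from Sygnia's report; it assumes the host inventory comes from `vim-cmd vmsvc/getallvms`, the vCenter name list from any inventory export, and MACs from each .vmx, and all sample data in it is constructed.

```python
"""Added example (not from Sygnia's report): find VMs present on an ESXi host
but absent from vCenter's inventory, and vNICs whose MAC is outside VMware's
OUIs. Assumed inputs (not on the page): `vim-cmd vmsvc/getallvms` output, a
set of VM names exported from vCenter, and .vmx text per VM. All constructed."""

import re

# OUIs VMware assigns: 00:50:56 (vCenter), 00:0c:29 (standalone ESXi),
# plus the older 00:05:69 and 00:1c:14 ranges.
VMWARE_OUIS = {"00:50:56", "00:0c:29", "00:05:69", "00:1c:14"}

# Constructed sample of `vim-cmd vmsvc/getallvms` on one host.
SAMPLE_GETALLVMS = """Vmid   Name      File                              Guest OS              Version   Annotation
1      web01     [datastore1] web01/web01.vmx         ubuntu64Guest         vmx-19
2      db01      [datastore1] db01/db01.vmx           rhel8_64Guest         vmx-19
7      svchost   [datastore1] .svchost/x.vmx          other4xLinux64Guest   vmx-19
"""

# Constructed: the VM names vCenter reports for the same host.
SAMPLE_VCENTER_NAMES = {"web01", "db01"}

# Constructed .vmx fragments keyed by VM name; svchost carries a locally
# administered, hand-set address rather than a VMware-generated one.
SAMPLE_VMX = {
    "web01": 'ethernet0.addressType = "generated"\n'
             'ethernet0.generatedAddress = "00:50:56:9a:12:34"\n',
    "db01": 'ethernet0.addressType = "generated"\n'
            'ethernet0.generatedAddress = "00:0c:29:aa:bb:cc"\n',
    "svchost": 'ethernet0.addressType = "static"\n'
               'ethernet0.address = "02:00:00:aa:bb:cc"\n',
}

MAC_RE = re.compile(r'ethernet\d+\.(?:address|generatedAddress)\s*=\s*"([^"]+)"')


def parse_getallvms(output: str) -> dict[str, str]:
    """Map VM name -> vmid from the host listing; the header line is skipped."""
    vms = {}
    for line in output.splitlines()[1:]:
        m = re.match(r"^(\d+)\s+(\S+)", line)
        if m:
            vms[m.group(2)] = m.group(1)
    return vms


def vms_unknown_to_vcenter(host_output: str, vcenter_names: set[str]) -> list[str]:
    """VMs the host runs that vCenter does not list: rogue-VM candidates."""
    return sorted(n for n in parse_getallvms(host_output) if n not in vcenter_names)


def vmx_macs(vmx_text: str) -> list[str]:
    """All vNIC MACs declared in a .vmx, normalised to lowercase."""
    return [m.group(1).lower() for m in MAC_RE.finditer(vmx_text)]


def non_vmware_macs(vmx_text: str) -> list[str]:
    """MACs whose OUI is not one VMware assigns; review as possible spoofing."""
    return [mac for mac in vmx_macs(vmx_text) if mac[:8] not in VMWARE_OUIS]


def audit_host(host_output: str, vcenter_names: set[str],
               vmx_by_name: dict[str, str]) -> dict[str, list[str]]:
    """Combine both checks into one finding list per host."""
    findings = {
        "unknown_to_vcenter": vms_unknown_to_vcenter(host_output, vcenter_names),
        "non_vmware_mac": sorted(n for n, t in vmx_by_name.items() if non_vmware_macs(t)),
    }
    return findings


if __name__ == "__main__":
    print(audit_host(SAMPLE_GETALLVMS, SAMPLE_VCENTER_NAMES, SAMPLE_VMX))
```

A static MAC is legitimate in some environments (licensing, DHCP reservations), so the MAC check is a prompt for review rather than a verdict; a VM that is both unknown to vCenter and carries a non-VMware MAC, as in the constructed sample, deserves immediate attention.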
Network appliances and infrastructure components proved similarly vulnerable. Fire Ant exploited the widely known CVE-2022-1388 in F5 load balancers to plant webshells and establish application-layer tunnels, systematically bridging segmented network zones thought to be isolated.
On key Linux jump hosts, the Medusa rootkit was installed for covert access and credential harvesting, while trusted admin workstations and servers were configured as port forwarders to undermine existing firewall and access control policies.
In several environments, attackers also exposed assets to public networks and leveraged IPv6 traffic to sidestep IPv4-centric security controls.
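IPv4-centric controls fail quietly: a host whose iptables policy is DROP but whose ip6tables policy was never set still answers on every IPv6 address it holds. The parity check below is an added illustration, not code from Sygnia's report; it assumes rulesets in the `iptables -S` / `ip6tables -S` format, and the two sample rulesets are constructed.

```python
"""Added example (not from Sygnia's report): compare an iptables ruleset with
its ip6tables counterpart and report controls that exist only for IPv4.
Sample rulesets are constructed in `iptables -S` / `ip6tables -S` format."""

import re

# Constructed IPv4 ruleset: default-deny on INPUT/FORWARD, explicit RDP block.
SAMPLE_V4 = """-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.20.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 3389 -j DROP
"""

# Constructed IPv6 ruleset on the same host: policies left at ACCEPT and the
# RDP block never mirrored.
SAMPLE_V6 = """-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
"""

DENY_TARGETS = {"DROP", "REJECT"}


def parse_rules(dump: str) -> tuple[dict[str, str], list[str]]:
    """Split an `-S` dump into chain policies and a list of `-A` rules."""
    policies, rules = {}, []
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("-P "):
            _, chain, policy = line.split()
            policies[chain] = policy
        elif line.startswith("-A "):
            rules.append(line)
    return policies, rules


def strip_addresses(rule: str) -> str:
    """Drop -s/-d arguments so an IPv4 rule can be matched to its IPv6 twin."""
    return re.sub(r"\s-[sd]\s+\S+", "", rule)


def jump_target(rule: str) -> str:
    m = re.search(r"-j\s+(\S+)$", rule)
    return m.group(1) if m else ""


def ipv6_gaps(v4_dump: str, v6_dump: str) -> dict[str, list[str]]:
    """Chains whose IPv6 policy is weaker than IPv4, and IPv4 deny rules that
    have no IPv6 counterpart (address arguments ignored when matching)."""
    v4_pol, v4_rules = parse_rules(v4_dump)
    v6_pol, v6_rules = parse_rules(v6_dump)
    weaker = [c for c, p in v4_pol.items()
              if p == "DROP" and v6_pol.get(c, "ACCEPT") != "DROP"]
    v6_norm = {strip_addresses(r) for r in v6_rules}
    missing = [r for r in v4_rules
               if jump_target(r) in DENY_TARGETS and strip_addresses(r) not in v6_norm]
    return {"weaker_policies": weaker, "missing_deny_rules": missing}


if __name__ == "__main__":
    print(ipv6_gaps(SAMPLE_V4, SAMPLE_V6))
```

On a real host the two dumps come from `iptables -S` and `ip6tables -S`; the same comparison applies to nftables output once the `ip` and `ip6` families are listed separately. The address stripping is deliberate: a source-scoped IPv4 rule cannot have a byte-identical IPv6 twin, so only protocol, port and target are compared.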
Defensive Blind Spots
The operational sophistication of the Fire Ant actor was further highlighted by their resilience against cleanup and eradication attempts.
Upon detection, the group rapidly reinstalled backdoors, retooled binaries to blend in with forensic activity, and monitored blue team responses to adjust tactics and maintain access.
This operational agility underscored familiar patterns seen in prior UNC3886-linked campaigns, further cemented by technical and behavioral overlaps, including working-hour patterns pointing to Chinese-speaking operators.
The campaign exposes significant strategic risks for organizations relying on VMware and network infrastructure, as these components frequently lack continuous monitoring or effective endpoint security coverage.
Sygnia’s report calls for urgent hardening of virtualization layers: immediate patching, rigorous credential hygiene with regular rotation, and proactive deployment of logging, monitoring, and segmentation controls are paramount.
The evidence is clear: modern threat actors are exploiting blind spots at the virtualization and infrastructure layer, collapsing network segmentation, and rendering conventional defenses insufficient for today’s sophisticated attacks.