Detection and Hardening Within ESXi Hypervisors

January 16, 2023

It is important to understand what malware attacks ESXi hypervisors. In addition, you need to be aware of the various countermeasures available to you to mitigate the damage that is cause by a jackpotting attack.

Malware targeting ESXi hypervisors

The Mandiant threat intelligence division has identified a new form of malware that targets VMware ESXi hypervisors. The malware is design to evade detection and built on top of an unsigned vSphere Installation Bundle.

A state-linked threat actor created the malware. The attacker crafted a Python script that inventories the hypervisors on the system, and then uploaded the script. The script then encrypts the virtual drives on the ESXi server. The script also creates a directory map, and a bash shell called to execute the script.

The malware detected during a joint customer investigation. The attackers used a remote-access tool Bitvise to log into the compromised system. They executed commands to guest machines through a process called /bin/rdt.

The malware is like another malware that’s found in the wild. The Python-based script encrypts the files on the virtual drives hosted on the ESXi server. Then the python script calls a bash shell on the ESXi server.

Malicious vSphere Installation Bundles (VIBs)

The Mandiant research team has uncovered a new malware ecosystem on VMware ESXi hypervisors. This family of malware features an interesting and innovative dropper named VirtualGate.

The dropper is a utility program that allows for commands to be sent between hypervisor hosts. It includes a payload and requires admin level privileges to run.

The Mandiant research team was able to discover the new malware by analyzing the boot profile of the ESXi hypervisor. They identified two backdoors that installed by the attackers. The first backdoor called the “VirtualPita” and the second called the “VirtualPIE.”

The malware package contains backdoors that allow an attacker to install additional backdoors on an ESXi hypervisor. These backdoors can allow for persistent access to the hypervisor and can execute arbitrary commands on guest VMs.

The ESXi hypervisor is based on an operating system that is like Linux. However, it differs in that it has its own OS and filesystem, known as the VMkernel.

Countermeasures to mitigate the success or impact of jackpotting

ESXi hypervisors are becoming increasingly targeted by ransomware attacks. ESXi is a software platform that designed for large IT environments. It is not a traditional operating system, but instead runs on server hardware. VMware ESXi provides an in-memory filesystem for virtual machines. ESXi also has a TPM chip that protects some settings from tampering.

One of the key vulnerabilities is the Remote Code Execution (RCE) vulnerability. The RCE vulnerability allows hackers to run malicious commands on a machine that has compromised. This can then encrypt all the machines that connected to that machine. Aside from encrypting all the files on the ESXi host, the malware will encrypt all of the files on the vmdk of each of the attached datastores.

Another way for attackers to leverage the RCE vulnerability is to write a custom binary to the host. This is possible, and there are tools that allow you to upload a custom binary to an ESXi host.


The recent report from Mandiant describes new malware families targeting VMware ESXi hypervisors. The malware is design to target the vmfs/volumes datastore path, and can use by threat actors to move files between hypervisors and guest machines.

The report also warns that if the threat actors able to maintain persistent administrator access to the ESXi hypervisor, they can execute arbitrary commands on the VM guests. This could allow the attacker to do things like install custom binaries or create startup tasks on the guest VMs.

The Mandiant report notes that the attack requires full administrator access to the ESXi hypervisor. They also note that the attack is like the state-sponsored threat actors that have attacked network appliances. They use SSH to gain interactive access to the environment, and list the running processes before encrypting them.

The Mandiant researchers discovered two different malware families. One called VirtualPITA, which consists of a backdoor that provides the attacker with persistent admin access to the hypervisor. The other called VirtualGATE, which incorporates a memory-only dropper that runs commands between hypervisor hosts.

Ammar Fakhruddin


Ammar brings in 18 years of experience in strategic solutions and product development in Public Sector, Oil & Gas and Healthcare organizations. He loves solving complex real world business and data problems by bringing in leading-edge solutions that are cost effective, improve customer and employee experience. At Propelex he focuses on helping businesses achieve digital excellence using Smart Data & Cybersecurity solutions.

A Guide to Cybersecurity in a Virtual Office

A Guide to Cybersecurity in a Virtual Office

Explore the comprehensive guide to cybersecurity in a virtual office, covering essential strategies, best practices, and tools to safeguard your digital assets. Learn how to protect sensitive data, mitigate risks, and ensure the utmost security in today's remote work...

GnuTLS Follows OpenSS

GnuTLS Follows OpenSS

GnuTLS library adheres to the OpenSS (Open Source Security Suite) standard, a significant departure from the former GNU policy. Emacs becomes more secure by adhering to a more robust standard for cryptographic libraries. It also helps avoid confusion when working with...

Zero-day vulnerability in Fortinet FortiOS

Zero-day vulnerability in Fortinet FortiOS

Recently, cybercriminals and nation-states have been exploiting a zero-day vulnerability in Fortinet FortiOS' operating system to launch targeted cyberattacks against government entities. The flaw, CVE-2022-40684, allows attackers to bypass authentication by sending...

Recent Case Studies

Press Releases

News & Events


Managed Security Services
Security & Privacy Risk Assessment
Cloud Platform Security
Incident Response & Business Continuity

Penetration Testing

Virtual CISO

Email Security & Phishing



About Us