Detection and Hardening Within ESXi Hypervisors

January 16, 2023

It is important to understand what malware attacks ESXi hypervisors. In addition, you need to be aware of the various countermeasures available to you to mitigate the damage that is cause by a jackpotting attack.

Malware targeting ESXi hypervisors

The Mandiant threat intelligence division has identified a new form of malware that targets VMware ESXi hypervisors. The malware is design to evade detection and built on top of an unsigned vSphere Installation Bundle.

A state-linked threat actor created the malware. The attacker crafted a Python script that inventories the hypervisors on the system, and then uploaded the script. The script then encrypts the virtual drives on the ESXi server. The script also creates a directory map, and a bash shell called to execute the script.

The malware detected during a joint customer investigation. The attackers used a remote-access tool Bitvise to log into the compromised system. They executed commands to guest machines through a process called /bin/rdt.

The malware is like another malware that’s found in the wild. The Python-based script encrypts the files on the virtual drives hosted on the ESXi server. Then the python script calls a bash shell on the ESXi server.

Malicious vSphere Installation Bundles (VIBs)

The Mandiant research team has uncovered a new malware ecosystem on VMware ESXi hypervisors. This family of malware features an interesting and innovative dropper named VirtualGate.

The dropper is a utility program that allows for commands to be sent between hypervisor hosts. It includes a payload and requires admin level privileges to run.

The Mandiant research team was able to discover the new malware by analyzing the boot profile of the ESXi hypervisor. They identified two backdoors that installed by the attackers. The first backdoor called the “VirtualPita” and the second called the “VirtualPIE.”

The malware package contains backdoors that allow an attacker to install additional backdoors on an ESXi hypervisor. These backdoors can allow for persistent access to the hypervisor and can execute arbitrary commands on guest VMs.

The ESXi hypervisor is based on an operating system that is like Linux. However, it differs in that it has its own OS and filesystem, known as the VMkernel.

Countermeasures to mitigate the success or impact of jackpotting

ESXi hypervisors are becoming increasingly targeted by ransomware attacks. ESXi is a software platform that designed for large IT environments. It is not a traditional operating system, but instead runs on server hardware. VMware ESXi provides an in-memory filesystem for virtual machines. ESXi also has a TPM chip that protects some settings from tampering.

One of the key vulnerabilities is the Remote Code Execution (RCE) vulnerability. The RCE vulnerability allows hackers to run malicious commands on a machine that has compromised. This can then encrypt all the machines that connected to that machine. Aside from encrypting all the files on the ESXi host, the malware will encrypt all of the files on the vmdk of each of the attached datastores.

Another way for attackers to leverage the RCE vulnerability is to write a custom binary to the host. This is possible, and there are tools that allow you to upload a custom binary to an ESXi host.


The recent report from Mandiant describes new malware families targeting VMware ESXi hypervisors. The malware is design to target the vmfs/volumes datastore path, and can use by threat actors to move files between hypervisors and guest machines.

The report also warns that if the threat actors able to maintain persistent administrator access to the ESXi hypervisor, they can execute arbitrary commands on the VM guests. This could allow the attacker to do things like install custom binaries or create startup tasks on the guest VMs.

The Mandiant report notes that the attack requires full administrator access to the ESXi hypervisor. They also note that the attack is like the state-sponsored threat actors that have attacked network appliances. They use SSH to gain interactive access to the environment, and list the running processes before encrypting them.

The Mandiant researchers discovered two different malware families. One called VirtualPITA, which consists of a backdoor that provides the attacker with persistent admin access to the hypervisor. The other called VirtualGATE, which incorporates a memory-only dropper that runs commands between hypervisor hosts.

Ammar Fakhruddin


Ammar brings in 18 years of experience in strategic solutions and product development in Public Sector, Oil & Gas and Healthcare organizations. He loves solving complex real world business and data problems by bringing in leading-edge solutions that are cost effective, improve customer and employee experience. At Propelex he focuses on helping businesses achieve digital excellence using Smart Data & Cybersecurity solutions.

Data Security Through Data Literacy

Data Security Through Data Literacy

Unlocking data security through data literacy. Explore the pivotal role of understanding data in fortifying cybersecurity measures. Data is now pervasive, and it is important for people to understand how to work with this information. They need to be able to interpret...

Trojan Rigged Tor Browser Bundle Drops Malware

Trojan Rigged Tor Browser Bundle Drops Malware

Trojan Rigged Tor Browser Bundle drops malware. Stay vigilant against cybersecurity threats, and secure your online anonymity with caution. Threat actors have been using Trojanized installers for the Tor browser to distribute clipboard-injector malware that siphons...

Siri Privacy Risks: Unveiling the Dangers

Siri Privacy Risks: Unveiling the Dangers

Unveiling Siri privacy risks: Understand the potential dangers and take steps to enhance your digital assistant's security. Siri is a great piece of technology, but it can also be dangerous to users’ privacy. This is a serious issue that should be addressed....

Recent Case Studies

Press Releases

News & Events


Managed Security Services
Security & Privacy Risk Assessment
Cloud Platform Security
Incident Response & Business Continuity

Penetration Testing

Virtual CISO

Email Security & Phishing



About Us