Detection and Hardening Within ESXi Hypervisors

January 16, 2023

It is important to understand what malware attacks ESXi hypervisors. In addition, you need to be aware of the various countermeasures available to you to mitigate the damage that is cause by a jackpotting attack.

Malware targeting ESXi hypervisors

The Mandiant threat intelligence division has identified a new form of malware that targets VMware ESXi hypervisors. The malware is design to evade detection and built on top of an unsigned vSphere Installation Bundle.

A state-linked threat actor created the malware. The attacker crafted a Python script that inventories the hypervisors on the system, and then uploaded the script. The script then encrypts the virtual drives on the ESXi server. The script also creates a directory map, and a bash shell called to execute the script.

The malware detected during a joint customer investigation. The attackers used a remote-access tool Bitvise to log into the compromised system. They executed commands to guest machines through a process called /bin/rdt.

The malware is like another malware that’s found in the wild. The Python-based script encrypts the files on the virtual drives hosted on the ESXi server. Then the python script calls a bash shell on the ESXi server.

Malicious vSphere Installation Bundles (VIBs)

The Mandiant research team has uncovered a new malware ecosystem on VMware ESXi hypervisors. This family of malware features an interesting and innovative dropper named VirtualGate.

The dropper is a utility program that allows for commands to be sent between hypervisor hosts. It includes a payload and requires admin level privileges to run.

The Mandiant research team was able to discover the new malware by analyzing the boot profile of the ESXi hypervisor. They identified two backdoors that installed by the attackers. The first backdoor called the “VirtualPita” and the second called the “VirtualPIE.”

The malware package contains backdoors that allow an attacker to install additional backdoors on an ESXi hypervisor. These backdoors can allow for persistent access to the hypervisor and can execute arbitrary commands on guest VMs.

The ESXi hypervisor is based on an operating system that is like Linux. However, it differs in that it has its own OS and filesystem, known as the VMkernel.

Countermeasures to mitigate the success or impact of jackpotting

ESXi hypervisors are becoming increasingly targeted by ransomware attacks. ESXi is a software platform that designed for large IT environments. It is not a traditional operating system, but instead runs on server hardware. VMware ESXi provides an in-memory filesystem for virtual machines. ESXi also has a TPM chip that protects some settings from tampering.

One of the key vulnerabilities is the Remote Code Execution (RCE) vulnerability. The RCE vulnerability allows hackers to run malicious commands on a machine that has compromised. This can then encrypt all the machines that connected to that machine. Aside from encrypting all the files on the ESXi host, the malware will encrypt all of the files on the vmdk of each of the attached datastores.

Another way for attackers to leverage the RCE vulnerability is to write a custom binary to the host. This is possible, and there are tools that allow you to upload a custom binary to an ESXi host.


The recent report from Mandiant describes new malware families targeting VMware ESXi hypervisors. The malware is design to target the vmfs/volumes datastore path, and can use by threat actors to move files between hypervisors and guest machines.

The report also warns that if the threat actors able to maintain persistent administrator access to the ESXi hypervisor, they can execute arbitrary commands on the VM guests. This could allow the attacker to do things like install custom binaries or create startup tasks on the guest VMs.

The Mandiant report notes that the attack requires full administrator access to the ESXi hypervisor. They also note that the attack is like the state-sponsored threat actors that have attacked network appliances. They use SSH to gain interactive access to the environment, and list the running processes before encrypting them.

The Mandiant researchers discovered two different malware families. One called VirtualPITA, which consists of a backdoor that provides the attacker with persistent admin access to the hypervisor. The other called VirtualGATE, which incorporates a memory-only dropper that runs commands between hypervisor hosts.

Ammar Fakhruddin


Ammar brings in 18 years of experience in strategic solutions and product development in Public Sector, Oil & Gas and Healthcare organizations. He loves solving complex real world business and data problems by bringing in leading-edge solutions that are cost effective, improve customer and employee experience. At Propelex he focuses on helping businesses achieve digital excellence using Smart Data & Cybersecurity solutions.

Preparing Businesses for AI-Powered Security Threats

Preparing Businesses for AI-Powered Security Threats

Preparing businesses for AI-powered security threats. Stay ahead of evolving cybersecurity challenges with proactive strategies and advanced technologies. When AI goes wrong, the repercussions can be devastating. They range from the loss of life if an AI medical...

Reducing CISOs’ Risk with Data Broker Management

Reducing CISOs’ Risk with Data Broker Management

Reducing CISOs' risk with data broker management. Explore strategies to enhance cybersecurity and safeguard sensitive information in the digital landscape. Every time you use a search engine, social media app or website, buy something online or even fill out a survey...

Vulnerability Prediction with Machine Learning

Vulnerability Prediction with Machine Learning

Advance vulnerability prediction with machine learning. Explore how AI can enhance proactive cybersecurity measures to mitigate potential risks. Machine learning is a field devoted to understanding and building methods that let machines “learn” – that is, methods that...

Recent Case Studies

Mid-size US based firm working on hardware development and provisioning, used DevOps-as-a-...
One of the fastest growing providers of wealth management solutions partnered to build a m...
A US based software startup working on the advancements in genomics diagnostics and therap...

Press Releases

News & Events


Managed Security Services
Security & Privacy Risk Assessment
Cloud Platform Security
Incident Response & Business Continuity

Penetration Testing

Virtual CISO

Email Security & Phishing



About Us