Investigating Novel Malware Persistence Within ESXi Hypervisors

February 10, 2023

Mandiant researchers recently identified novel malware designed specifically to target VMware ESXi hypervisors. Beyond giving the attacker persistent access to a host, the malware includes features that support follow-on activity against the guest virtual machines running on it. Mandiant recommends that VMware customers investigate their environments and apply defensive measures to keep their hypervisors secure.

Researchers identify novel malware that targets ESXi

Researchers have discovered a new malware ecosystem that targets ESXi hypervisors. The ecosystem consists of two backdoors that run on the hypervisor itself and a memory-only dropper that runs inside guest virtual machines, together giving the attacker a foothold on the host and on the Windows and Linux machines it hosts.

The attackers installed the malicious vSphere Installation Bundles (VIBs) with the '--force' flag, which bypasses the signature and acceptance-level checks that would otherwise reject them. Once installed, the packages let the attacker maintain access to the ESXi hypervisor, execute custom binaries, and create startup tasks that survive reboots.

The ecosystem also lets the threat actor transfer files and tamper with the hypervisor's logging services. Although the malware has not been attributed to a previously recognized group, the techniques it uses are likely to be picked up by other attackers.

The malicious VIBs were installed on ESXi hypervisors by a suspected China-nexus threat actor. The bundles deliver two new backdoors that let the attacker retain administrative access to the hypervisor.

Malicious VIBs let attackers maintain persistent access to the hypervisor

Mandiant researchers recently identified a new malware ecosystem targeting VMware ESXi hypervisors. According to the report, this specialized malware uses techniques built for the virtualization layer itself rather than for the guest operating systems running on top of it.

No CVE is associated with the malware, because it does not exploit a vulnerability: the attacker must already hold administrative access to the hypervisor before it can be installed. From the hypervisor it targets Linux and Windows guest machines and supports arbitrary command execution as well as file download and upload.

One component is written in Python and provides a reverse shell; the other is a 64-bit passive backdoor that disguises itself as a legitimate VMware service. Both support file download and upload, and because ESXi does not support EDR agents, they operate outside the reach of endpoint detection.

According to the report, the malware's obfuscation and anti-analysis techniques are rarely seen. It was used as part of a sophisticated campaign that let the threat actor persist at the hypervisor layer, beneath the guest operating systems and the security tooling installed in them.

ESXi refuses to install a VIB below the host's minimum acceptance level

Administrators running ESXi should take a close look at each host's acceptance level. By default an ESXi host will not install a VIB whose acceptance level is below the host's minimum, and it verifies the bundle's signature according to that level: VMwareCertified and VMwareAccepted VIBs carry a VMware signature, PartnerSupported VIBs carry a partner signature, and CommunitySupported VIBs are unsigned. This is why the attackers forged the acceptance level in their VIB descriptors and still needed the '--force' flag to get the packages installed.

The quickest way to determine a host's acceptance level is the ESXCLI command 'esxcli software acceptance get', which prints the level the host currently enforces.

That command tells you what the host enforces, not whether the setting is right for your environment. To go further, 'esxcli software vib list' shows the acceptance level and vendor recorded for every installed VIB, and 'esxcli software acceptance set --level=<level>' restores a stricter minimum if it has been lowered. Any VIB whose level sits below the host minimum could only have arrived through '--force' or a temporarily lowered level, and warrants investigation.
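As an added example (not code from the page or from Mandiant's report), the following POSIX shell script applies the acceptance-level check described above to the output of 'esxcli software vib list'. The listing embedded in the script is constructed for illustration: the three 'example-*' VIB names and the vendor 'ExampleCo' are placeholders, not indicators from the report, and the assumption that only the vendor strings 'VMW' and 'VMware' ship first-party VIBs is a heuristic you should confirm against your own build.

```shell
# Added example: triage `esxcli software vib list` output against the host's
# acceptance level. The listing below is CONSTRUCTED for illustration; on a real
# host capture it with:
#   esxcli software acceptance get        # host minimum level
#   esxcli software vib list              # installed VIBs and their levels
#   esxcli software vib signature verify  # re-checks signatures (recent ESXi releases)

# Numeric rank of each acceptance level; higher means more trusted.
level_rank() {
  case "$1" in
    VMwareCertified)    echo 4 ;;
    VMwareAccepted)     echo 3 ;;
    PartnerSupported)   echo 2 ;;
    CommunitySupported) echo 1 ;;
    *)                  echo 0 ;;   # unknown string: treat as untrusted
  esac
}

# flag_suspicious_vibs <vib-list-text> <host-acceptance-level>
# Prints "<name> <reason>" for every VIB that deserves a closer look:
#  - its level is below the host minimum (only possible via --force or a
#    lowered host level),
#  - its vendor is not VMware (assumption: only VMW/VMware ship first-party VIBs),
#  - it claims a VMware vendor but is not VMware-signed (VMware's own VIBs are
#    VMwareCertified or VMwareAccepted).
flag_suspicious_vibs() {
  host_rank=$(level_rank "$2")
  printf '%s\n' "$1" | awk 'NR > 2' | while read -r name version vendor level date; do
    [ -z "$name" ] && continue
    rank=$(level_rank "$level")
    if [ "$rank" -lt "$host_rank" ]; then
      echo "$name below-host-acceptance-level($level)"
    elif [ "$vendor" != "VMW" ] && [ "$vendor" != "VMware" ]; then
      echo "$name non-vmware-vendor($vendor)"
    elif [ "$rank" -lt 3 ]; then
      echo "$name vmware-vendor-but-not-vmware-signed($level)"
    fi
  done
}

# Constructed sample in the shape of `esxcli software vib list`; the last three
# entries are fictional placeholders, not indicators from the Mandiant report.
SAMPLE_VIB_LIST='Name                    Version                         Vendor     Acceptance Level    Install Date
----------------------  ------------------------------  ---------  ------------------  ------------
ata-libata-92           3.00.9.2-16vmw.650.0.0.4564106  VMW        VMwareCertified     2022-01-15
vmware-esx-esxcli-nvme  1.2.0.36-2vmw.650.0.0.4564106   VMware     VMwareCertified     2022-01-15
example-partner-driver  1.0.0-1                         ExampleCo  PartnerSupported    2022-03-02
example-spoofed-vib     0.9-1                           VMware     PartnerSupported    2022-09-12
example-dropped-vib     1.0-1                           VMware     CommunitySupported  2022-09-12'

# Usage: pass the level reported by `esxcli software acceptance get` as the
# second argument (PartnerSupported is the ESXi default).
flag_suspicious_vibs "$SAMPLE_VIB_LIST" PartnerSupported
```

Two caveats. A VIB whose descriptor was forged to claim PartnerSupported passes the acceptance-level comparison, so this triage is a first pass; the signature check ('esxcli software vib signature verify' on releases that offer it) is what exposes a bundle whose contents do not match its claimed level. And the 'vendor says VMware but not VMware-signed' rule is a heuristic that can produce false positives on unusual builds, so treat its hits as leads rather than verdicts.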

The ESXi backdoors have features built into them for follow-on activity

In September 2022, Mandiant researchers disclosed two new malware families targeting VMware ESXi hypervisors. Delivered as malicious vSphere Installation Bundles (VIBs), they install backdoors on the hypervisor and let the attacker add custom binaries, startup tasks, and firewall rules. These specialized packages give attackers persistent access to ESXi hosts.

The backdoors support file upload and download and arbitrary command execution. Some variants listen for commands on a hardcoded TCP port; others listen on the Virtual Machine Communication Interface (VMCI), a channel between the hypervisor and its guests that never touches the network and is therefore invisible to network monitoring.
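A practical check for the first kind of listener is to compare the LISTEN sockets on the host against the ports a stock ESXi build is expected to own. The POSIX shell script below is an added example (not from the page or from Mandiant's report) that does this over the output of 'esxcli network ip connection list'. The connection table embedded in the script is constructed: port 61337 and the world name 'python' are placeholders rather than indicators from the report, and the allowlist of expected ports is an assumption you should trim to match your own build and enabled services.

```shell
# Added example: flag LISTEN sockets on an ESXi host that are bound to a port no
# stock ESXi service is expected to own. The table below is CONSTRUCTED in the
# shape of `esxcli network ip connection list`; on a live host run:
#   esxcli network ip connection list | grep LISTEN

# Ports stock ESXi services normally listen on (assumption: adjust per build;
# 22 ssh, 80/443 management, 427 CIM SLP, 902 host agent, 5988/5989 CIM,
# 8000 vMotion, 8300 Fault Tolerance, 9080 I/O filter service).
EXPECTED_LISTEN_PORTS="22 80 427 443 902 5988 5989 8000 8300 9080"

# port_expected <port>: success when the port is in the allowlist.
port_expected() {
  for p in $EXPECTED_LISTEN_PORTS; do
    [ "$p" = "$1" ] && return 0
  done
  return 1
}

# unexpected_listeners <connection-list-text>
# Prints "<local-address> <world-name>" for each LISTEN socket whose port is
# not in the allowlist. Field positions follow the esxcli table layout:
# $4 local address, $6 state, $9 owning world name.
unexpected_listeners() {
  printf '%s\n' "$1" | awk '$6 == "LISTEN" { print $4, $9 }' | while read -r local world; do
    port=${local##*:}          # strips "0.0.0.0:" as well as "[::]:"
    if ! port_expected "$port"; then
      echo "$local $world"
    fi
  done
}

# Constructed sample; the IPv6 listener on 61337 owned by a python world is the
# fictional planted backdoor.
SAMPLE_CONNECTIONS='Proto  Recv Q  Send Q  Local Address  Foreign Address  State   World ID  CC Algo  World Name
-----  ------  ------  -------------  ---------------  ------  --------  -------  ----------
tcp    0       0       0.0.0.0:443    0.0.0.0:0        LISTEN  2098817   newreno  rhttpproxy
tcp    0       0       0.0.0.0:22     0.0.0.0:0        LISTEN  2098900   newreno  busybox
tcp    0       0       [::]:61337     [::]:0           LISTEN  2101234   newreno  python
tcp    0       0       10.0.0.5:443   10.0.0.9:51322   ESTABLISHED 2098817 newreno rhttpproxy'

unexpected_listeners "$SAMPLE_CONNECTIONS"
```

A hit is a lead, not a verdict: the owning world name tells you which process to inspect next, and a Python interpreter or an unfamiliar binary holding a listener on a host that should only run VMware services is exactly the pattern described above. VMCI-bound variants do not appear in this table at all, so for those you have to fall back to reviewing the installed VIBs and the startup tasks the attacker planted.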

The Mandiant report also describes a technique not previously seen in the wild, which sidesteps EDR simply because ESXi hosts do not run EDR agents. By editing the VIB's descriptor file, the attacker made the package appear to come from a trusted party (a PartnerSupported acceptance level) even though its signature would not verify, which is why the '--force' flag was needed to install it. Once the bundle was in place, a bash shell was triggered that in turn ran a Python script against a particular guest machine.

VMware advises customers to audit their environments and apply defensive security techniques

Mandiant named the components VIRTUALPITA and VIRTUALPIE, the two backdoors that run on the ESXi hypervisor, and VIRTUALGATE, a memory-only dropper that runs inside Windows guest machines. Together they let an attacker execute arbitrary commands both on the hypervisor and on the guests it hosts.

All of these components require the attacker to already hold full administrative privileges on the ESXi hypervisor, which can be obtained in any number of ways. The attacks were most likely enabled by operational security weaknesses at the victim organizations rather than by a vulnerability in ESXi itself.

VIRTUALPIE, the Python backdoor, lets the threat actor execute arbitrary commands, transfer files, and open a reverse shell. In the observed activity, a Python script on the hypervisor launched a bash shell and specified a particular target VM, giving the attacker a way to act on a chosen guest from below its operating system.

VIRTUALGATE, the memory-only dropper, runs inside a Windows guest and uses VMCI sockets to execute commands sent from the hypervisor, bridging the two so that files and commands can move between them. The hypervisor-side backdoor can also stop and start the ESXi logging service (vmsyslogd), which lets the attacker tamper with what the host records.

Ammar Fakhruddin

ABOUT AUTHOR

Ammar brings 18 years of experience in strategic solutions and product development in Public Sector, Oil & Gas and Healthcare organizations. He loves solving complex real-world business and data problems by bringing in leading-edge solutions that are cost effective and improve customer and employee experience. At Propelex he focuses on helping businesses achieve digital excellence using Smart Data & Cybersecurity solutions.

