Investigating Novel Malware Persistence Within ESXi Hypervisors

February 10, 2023

Researchers recently identified a new form of novel malware that has designed specifically to target ESXi hypervisors. In addition to providing persistent access to a host, the malware has features built in to facilitate additional activity. The Mandiant researchers suggest that VMware customers should investigate their environments and apply defensive security techniques to keep their hypervisors secure.

Researchers identify new novel malware that targets ESXi

Researchers have discovered a new malware ecosystem that targets ESXi hypervisors. This ecosystem includes two backdoors and a memory-only dropper that target Windows and Linux virtual machines.

The attackers used a ‘–force’ flag to install the malicious VIBs. These packages allow administrators to maintain access to ESXi hypervisors, execute custom binaries, and create startup tasks.

The ecosystem also allows the threat actor to transfer files and modify logging services. While the malware may not have developed by a recognized hacking group, the techniques used by the attackers are likely to picked up by other hackers.

The malicious vSphere Installation Bundles have installed on ESXi hypervisors by a China-based threat actor. These bundles include two new backdoors that allow the attacker to maintain administrative access to the ESXi hypervisor.

ESXi hosts allow attackers to maintain persistent access to the hypervisor

Mandiant cybersecurity researchers recently identified a new malware ecosystem targeting VMware ESXi hypervisors. According to the report, this new family of specialized malware uses specialized techniques to infiltrate virtualization solutions.

The malware family, which has not assigned a CVE number, targets Linux and Windows guest machines. It is also capable of arbitrary command execution and file download and upload.

The malware written in Python and disguises itself as a legitimate service. It consists of a 64-bit passive backdoor with a reverse shell capability. It supports file download and transfer and designed to evade vSphere EDR detection.

The malware’s obfuscation methods rarely seen, and its anti-analysis capabilities are rare, according to the report. It used in conjunction with a sophisticated campaign, allowing the threat actor to survive under the hypervisor.

ESXi system does not allow for falsified VIB file to installed below the minimum set acceptance level

When using ESXi to manage VMware virtual systems, users may want to take a close look at the system’s acceptance level. Generally, an ESXi system will not allow for the installation of a falsified VIB file below the minimum set acceptance level. This is because an ESXi system designed to enforce a security policy that prohibits running code that not signed by VMware.

One way to determine the acceptance level is to run a mandiant test. This test will show you the highest level of acceptance for a given ESXi host.

While the mandiant test will show you the best level for a given ESXi host, it will not tell you whether it’s the right level for you. To determine your acceptance level, you can run several ESXCLI commands.

ESXi backdoors have features built in to them to conduct additional activity

Earlier this year, Mandiant researchers uncovered two new malware families targeting VMware ESXi hypervisors. These malicious vSphere Installation Bundles (VIBs) install backdoors on ESXi hypervisors, and facilitate the installation of custom binaries, startup tasks, and firewall rules. These specialized malware packages allow attackers to maintain persistent access to VMware ESXi hosts.

These backdoors allow for file transfer, file upload, and arbitrary command execution. Some variants also listen for commands on the Virtual Machine Communication Interface or on a hardcoded port number.

The Mandiant report also mentions the presence of a never-before-seen technique that used to avoid detection by EDR. By editing a signature file, the attacker made the VBI appear to created by a trusted entity. Then, the bash shell triggered. The resulting python script called to target a particular guest machine.

VMware advises customers to audit their environments and apply defensive security techniques

There are two new malware families that are targeting VMware ESXi hypervisors. One family called VIRTUALPIE and the other called VIRTUALGATE. They allow attackers to perform arbitrary commands on guest machines.

Both novel malware families require that an attacker have full administrative privileges on the ESXi hypervisor. This can do through any number of ways. These attacks likely caused by operational security weaknesses on the victim organizations.

The first malware family, dubbed VIRTUALPIE, allows threat actors to execute arbitrary commands on the target guest machine. This accomplished through a python script that runs a bash shell. The script then specifies a specific target VM.

The second malware family, dubbed VIRTUALGATE, used for transferring files between ESXi hypervisors and guest machines. It is also possible for the attacker to tamper with the logging services.

Ammar Fakhruddin


Ammar brings in 18 years of experience in strategic solutions and product development in Public Sector, Oil & Gas and Healthcare organizations. He loves solving complex real world business and data problems by bringing in leading-edge solutions that are cost effective, improve customer and employee experience. At Propelex he focuses on helping businesses achieve digital excellence using Smart Data & Cybersecurity solutions.

Preparing Businesses for AI-Powered Security Threats

Preparing Businesses for AI-Powered Security Threats

Preparing businesses for AI-powered security threats. Stay ahead of evolving cybersecurity challenges with proactive strategies and advanced technologies. When AI goes wrong, the repercussions can be devastating. They range from the loss of life if an AI medical...

Reducing CISOs’ Risk with Data Broker Management

Reducing CISOs’ Risk with Data Broker Management

Reducing CISOs' risk with data broker management. Explore strategies to enhance cybersecurity and safeguard sensitive information in the digital landscape. Every time you use a search engine, social media app or website, buy something online or even fill out a survey...

Vulnerability Prediction with Machine Learning

Vulnerability Prediction with Machine Learning

Advance vulnerability prediction with machine learning. Explore how AI can enhance proactive cybersecurity measures to mitigate potential risks. Machine learning is a field devoted to understanding and building methods that let machines “learn” – that is, methods that...

Recent Case Studies

Mid-size US based firm working on hardware development and provisioning, used DevOps-as-a-...
One of the fastest growing providers of wealth management solutions partnered to build a m...
A US based software startup working on the advancements in genomics diagnostics and therap...

Press Releases

News & Events


Managed Security Services
Security & Privacy Risk Assessment
Cloud Platform Security
Incident Response & Business Continuity

Penetration Testing

Virtual CISO

Email Security & Phishing



About Us