
New findings from Sygnia reveal an ongoing espionage campaign, dubbed Fire Ant, that has been active since early 2025. As part of Sygnia’s investigation into Fire Ant, the company found the tooling and techniques closely align with prior espionage campaigns conducted by a China-linked espionage group, UNC3886, currently active in Singapore. Fire Ant’s overlap with UNC3886 includes specific binaries and exploitation of VMware vCenter and ESXi vulnerabilities, as well as similar targeting of critical infrastructure across regions.
The cyber adversary is said to be actively leveraging advanced methods to gain access to virtualization and networking environments by creating multi-layer attack kill chains to infiltrate restricted and segmented network assets that were considered to be within isolated environments.
The operation targets virtualization and networking infrastructure, primarily VMware ESXi, vCenter environments, and network appliances. The threat actor employed a combination of advanced, stealthy techniques to construct multilayered attack chains, enabling access to restricted and segmented assets, including networks presumed to be isolated. Even after eradication efforts, the attacker demonstrated persistence and adaptability, adjusting in real time to containment measures to maintain access to compromised systems.
Sygnia observed tooling and techniques that closely mirror those seen in earlier campaigns linked to UNC3886, including overlaps in specific binaries, exploitation of vCenter and ESXi vulnerabilities, and a focus on similar industry sectors. The campaign highlights the critical need for visibility and detection at the hypervisor and infrastructure level, where traditional endpoint security tools offer limited protection.
After tracking and responding to multiple Fire Ant incidents, primarily targeting VMware ESXi, vCenter, and network appliances, the team observed the group’s ability to establish initial access and maintain long-term, stealthy persistence. Fire Ant shows a high degree of resilience, actively adapting to containment efforts by rotating toolsets, deploying redundant backdoors, and manipulating network configurations to regain control of compromised systems.
“Fire Ant shows incredible advanced capabilities to infiltrate and conduct espionage campaigns, avoiding detection and multi-layered traditional security measures by targeting infrastructure blind spots. This highlights the level of resilience and danger posed by nation-state threat actors to global critical infrastructure organisations,” Yoav Mazor, head of incident response for the APJ region at Sygnia, said in a Thursday media statement. “By gaining control over the virtualization management layer, the threat actor was able to extract service account credentials and deploy persistent backdoors on both ESXi hosts and the vCenter to maintain access across reboots.”
Mazor adds, “Fire Ant’s method of infiltration places heightened pressure on the cybersecurity community and underscores the importance of visibility and detection within the hypervisor and infrastructure layer, where traditional endpoint security tools often struggle to identify malicious activity. Organizations will need to adopt proactive cyber resilience with an advanced multi-layered security approach.”
Fire Ant’s activities have been characterized by infrastructure-centric tactics, techniques and procedures (TTPs) that operate beneath the detection threshold of traditional endpoint controls, exposing critical blind spots in conventional security stacks. The threat actor establishes control over a victim’s VMware ESXi hosts and vCenter servers to move laterally across an organization.
Additionally, Fire Ant consistently bypassed network segmentation by compromising network appliances and tunneling across segments, enabling the threat actor to bridge and move deeper within an organization’s infrastructure through legitimate, approved paths.
The threat actor demonstrated advanced capabilities in compromising and leveraging VMware infrastructure through a structured, multi-phase operation. They began by exploiting CVE-2023-34048 to achieve unauthenticated remote code execution on vCenter, gaining control over the virtualization management layer. From there, they extracted the ‘vpxuser’ service account credentials. They used them to access connected ESXi hosts, deploying multiple persistent backdoors on both the hosts and the vCenter to ensure continued access even after reboots.
With control of the hypervisor, the attacker then targeted guest virtual machines directly. They manipulated VMX processes and exploited CVE-2023-20867 to execute commands via PowerCLI without needing in-guest credentials. They also tampered with security tools and extracted credentials from memory snapshots, including those of domain controllers. The full-stack compromise enabled persistent, covert access from the hypervisor down to the guest operating systems, establishing a robust foothold across the virtual environment.
The team noted that the Fire Ant hacker group leveraged PowerCLI to execute commands inside guest virtual machines without the required in-guest authentication. This was achieved through the exploitation of CVE-2023-20867, a vulnerability in VMware Tools that permits unauthenticated host-to-guest operations, including command execution.
Mandiant researchers had in 2023 noted that a suspected Chinese cyber espionage actor, UNC3886, exploited an authentication bypass vulnerability CVE-2023-20867 on ESXi hosts to enable the execution of privileged commands on guest VMs with no additional logs generated on guest VMs.
Sygnia researchers added that the Fire Ant threat actor actively maneuvered through eradication efforts by leveraging pre-established redundant access paths into internal networks. As defenders cleaned systems and removed tools and persistence, the threat actor re-compromised assets.
“After re-compromising assets, the threat actor rotated the deployed toolsets, altered execution methods, and renamed binaries to avoid detection,” they said. “In addition, the threat actor investigated the response itself, reviewing logs, examining forensic tools, and in some instances renaming their payloads to impersonate the identified forensic tools. The threat actor’s actions demonstrated the need for a coordinated, system-wide eradication effort that eliminates all access vectors in a single, controlled operation, followed by thorough tailored monitoring to alert on any re-entry attempts.”
While Sygnia refrains from conclusive attribution, multiple aspects of Fire Ant’s campaign, most notably its unique tool set and its attack vector targeting VMware virtualization infrastructure, strongly align with previous research on the threat group UNC3886.
The active working hours of the threat group throughout the incidents and minor input errors observed during command execution aligned with Chinese-language keyboard layouts, consistent with prior regional activity indicators.
Researchers noted that Fire Ant consistently targeted infrastructure systems such as ESXi hosts, vCenter servers, and F5 load balancers. The targeted systems are rarely integrated into standard detection and response programs. These assets lack detection and response solutions and generate limited telemetry, making them ideal long-term footholds for stealthy operation.
Fire Ant moved laterally by compromising infrastructure components that naturally bridge network boundaries. By tunneling through trusted services and pivoting from one network to another via legitimate paths, the threat actor reached highly restricted environments while evading traditional ACLs, firewall policies, and segmentation controls. By bridging these segmented environments, the threat actor gained the ability to operate freely within networks that were otherwise considered secure and trusted, effectively collapsing internal trust boundaries.
Fire Ant treated remediation as a temporary disruption rather than an end state. The group re-entered environments via redundant access points, retooled binaries to evade detection, and actively monitored defender activity to adjust tactics. In several cases, they re-compromised assets shortly after cleanup and used renamed tools to blend into forensic workflows, highlighting the need for coordinated, simultaneous eradication and complementary monitoring.
The team highlights that the activity uncovered in Fire Ant’s campaign underscores the urgent need to both harden and monitor virtualization infrastructure. Traditional security controls often overlook ESXi, vCenter, and related components, leaving critical gaps in visibility and response. Defenders must treat these systems as part of the active threat surface and ensure they are monitored and protected.
In response to the attack techniques leveraging VMware ESXi and vCenter infrastructure for espionage operations, defenders must adopt a proactive and layered security approach.
Sygnia recommends a set of strategies to strengthen the security and operational integrity of virtualization infrastructure by minimizing attack surfaces, preventing unauthorized access, and enforcing stricter controls. Organizations should ensure ESXi and vCenter servers are consistently updated with the latest security patches and enforce the use of strong, unique passwords for all administrative and root accounts. These credentials should be rotated regularly and securely stored, preferably using a Privileged Identity Management (PIM) system or a documented manual process, with a maximum rotation interval of 180 days.
Access to ESXi hosts should be restricted and managed primarily through vCenter, with firewall rules limiting vCenter access to approved jump servers or administrative subnets. Lockdown Mode should be enabled on ESXi hosts to prevent direct access via SSH, HTTPS, or the Direct Console User Interface, with exceptions granted only to essential tools and reviewed periodically. Enabling Secure Boot is also critical to block unauthorized or unsigned software from being installed, further securing the host environment.
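As an added example, not part of the article or Sygnia’s own tooling, the PowerCLI script below turns the hardening points above into a read-only audit: it records each ESXi host’s build, Lockdown Mode state, whether the SSH and ESXi Shell services are running, and whether UEFI Secure Boot is enabled, then flags hosts that contradict the recommendations. The vCenter address and the minimum acceptable build number are operator-supplied placeholders; the script changes nothing on the hosts.

```powershell
# Added example (not from the article or Sygnia): read-only PowerCLI audit of the
# hardening recommendations - patch level, Lockdown Mode, SSH/Shell services, Secure Boot.
# Assumes VMware PowerCLI is installed; $VCenter and $MinimumBuild are placeholders
# the operator fills in. Nothing below modifies host configuration.
param(
    [Parameter(Mandatory)][string]$VCenter,   # placeholder: your vCenter FQDN
    [string]$MinimumBuild = '0'               # placeholder: lowest patched ESXi build you accept
)

Import-Module VMware.PowerCLI -ErrorAction Stop
Connect-VIServer -Server $VCenter | Out-Null  # prompts for credentials interactively

# One record per host, read from the host's config, services and capability objects
$report = foreach ($h in Get-VMHost) {
    $cfg = $h.ExtensionData.Config
    $svc = Get-VMHostService -VMHost $h
    [pscustomobject]@{
        Host         = $h.Name
        Build        = $h.Build
        LockdownMode = $cfg.LockdownMode      # lockdownDisabled / lockdownNormal / lockdownStrict
        SshRunning   = ($svc | Where-Object Key -eq 'TSM-SSH').Running
        ShellRunning = ($svc | Where-Object Key -eq 'TSM').Running
        SecureBoot   = $h.ExtensionData.Capability.UefiSecureBoot
        BuildOk      = [int64]$h.Build -ge [int64]$MinimumBuild
    }
}

# Findings: any host with Lockdown Mode off, direct shell access running,
# Secure Boot disabled, or a build older than the operator's threshold
$findings = $report | Where-Object {
    $_.LockdownMode -eq 'lockdownDisabled' -or $_.SshRunning -or $_.ShellRunning -or
    -not $_.SecureBoot -or -not $_.BuildOk
}

$report   | Format-Table -AutoSize
$findings | Export-Csv -Path .\esxi-hardening-findings.csv -NoTypeInformation

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run it from an approved administrative host against vCenter rather than against individual ESXi hosts, which keeps the audit itself consistent with the recommendation that ESXi access be brokered through vCenter. Hosts listed in the CSV are candidates for enabling Lockdown Mode, stopping the SSH and Shell services, or scheduling patching; the vCenter firewall scoping described above is a separate network-level check this script does not cover.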

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.