A sophisticated and highly targeted cyber-attack campaign has been identified by security researchers in Google’s Threat Intelligence Group (GTIG).
A new report has revealed how the financially motivated threat group UNC3944, also known as Scattered Spider, has pivoted its operations to exploit VMware vSphere environments across the US retail, airline and insurance sectors.
Scattered Spider actors have also adopted an aggressive playbook that relies on social engineering and abuse of legitimate infrastructure rather than on software exploits.
Their strategy begins with phone-based impersonation to breach IT help desks, ultimately enabling access to Active Directory. From there, attackers methodically map administrative systems, escalate privileges and move laterally into the virtual infrastructure, without triggering traditional endpoint defenses.
Direct Hypervisor-Level Attacks
In an advisory published last week, the GTIG reported that UNC3944 has developed an attack model that bypasses conventional detection by compromising the vSphere virtualization layer. Once inside, the group hijacks vCenter administrative access and abuses legitimate tools to control hypervisors, manipulate virtual disks and install persistent backdoors.
Their technique involves taking over VMware vCenter Server, rebooting it into single-user mode and deploying Teleport, a legitimate remote access tool configured to maintain covert control. Then, they pivot into ESXi hosts to steal credential databases and launch ransomware directly from the hypervisor level, rendering in-guest security tools ineffective.
Key Targets and Methods
UNC3944’s campaign is marked by several high-impact tactics:
- Social engineering IT help desks to reset passwords of privileged accounts
- Hijacking vSphere Admin roles to access VMware vCenter
- Using "orphaned" virtual machines to mount and copy domain controller disks
- Disabling backup systems before deploying ransomware
- Executing ransomware from the ESXi shell to encrypt entire environments
These attacks are fast and stealthy. GTIG warned that from initial access to ransomware deployment, the full chain may unfold in mere hours.
Defensive Measures and Industry Outlook
The research emphasizes a shift from reactive endpoint detection to proactive infrastructure hardening.
GTIG outlined a three-pillar defense strategy: proactive configuration, architectural segregation and advanced SIEM detection. They recommended disabling direct ESXi shell access, encrypting VM data, isolating backup systems and enforcing phishing-resistant multi-factor authentication.
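The SIEM pillar is only useful if the chain above is written down as correlatable signals. The script below is an added illustration, not code from the GTIG report or from VMware: it maps the five tactics listed earlier (privileged group change, ESXi Shell/SSH enabled, a domain controller's disk attached to another VM, backups disabled, a command run against the datastore from the ESXi shell) onto event records and raises a verdict when several stages land in one time window. The event records are constructed for the example, and their field names (`type`, `host`, `disk_added`, `service`, and so on) are an assumed, simplified rendering of vCenter events and ESXi syslog lines, not a vendor format; the list of domain controller VMs is likewise an assumed inventory.

```python
"""Correlate vCenter/ESXi events into the hypervisor-level attack chain.

Added example, not code from the GTIG report. Event records below are
CONSTRUCTED; field names are an assumed, simplified rendering of vCenter
events and ESXi syslog lines, not any vendor's exact format.
"""
from datetime import datetime, timedelta

# Constructed sample: one attack sequence on esx01 plus benign noise on esx02.
SAMPLE_EVENTS = [
    {"ts": "2025-07-28T08:00:05Z", "type": "vm.reconfigured", "user": "svc-backup",
     "host": "esx02", "vm": "app01", "disk_added": "[ds1] app01/app01_1.vmdk"},
    {"ts": "2025-07-28T09:02:11Z", "type": "group.member.added", "user": "helpdesk01",
     "group": "vSphere Admins", "member": "jdoe"},
    {"ts": "2025-07-28T09:10:40Z", "type": "esxi.service.started", "user": "jdoe",
     "host": "esx01", "service": "TSM-SSH"},
    {"ts": "2025-07-28T09:12:03Z", "type": "vm.reconfigured", "user": "jdoe",
     "host": "esx01", "vm": "orphan-tmp", "disk_added": "[ds1] DC01/DC01.vmdk"},
    {"ts": "2025-07-28T09:25:55Z", "type": "backup.job.disabled", "user": "jdoe",
     "job": "nightly-full"},
    {"ts": "2025-07-28T09:40:12Z", "type": "esxi.shell.command", "user": "root",
     "host": "esx01", "cmd": "/tmp/encryptor /vmfs/volumes/ds1"},
]

PRIVILEGED_GROUPS = {"vSphere Admins", "ESX Admins", "Domain Admins"}
DOMAIN_CONTROLLERS = {"DC01", "DC02"}   # assumed inventory of DC virtual machines
SHELL_SERVICES = {"TSM", "TSM-SSH"}     # ESXi Shell and SSH service names


def _owner_vm(disk_path):
    """'[ds1] DC01/DC01.vmdk' -> 'DC01' (the VM folder the disk lives in)."""
    rel = disk_path.split("] ", 1)[-1]
    return rel.split("/", 1)[0]


def classify(ev):
    """Map one event to an attack-chain stage, or None if it is uninteresting."""
    t = ev["type"]
    if t == "group.member.added" and ev.get("group") in PRIVILEGED_GROUPS:
        return "privileged_group_change"
    if t == "esxi.service.started" and ev.get("service") in SHELL_SERVICES:
        return "esxi_shell_or_ssh_enabled"
    if t == "vm.reconfigured" and "disk_added" in ev:
        owner = _owner_vm(ev["disk_added"])
        # A domain controller's disk attached to a different VM is the
        # credential-theft step (mount, then copy the AD database offline).
        if owner in DOMAIN_CONTROLLERS and owner != ev.get("vm"):
            return "dc_disk_mounted_on_other_vm"
    if t == "backup.job.disabled":
        return "backups_disabled"
    if t == "esxi.shell.command" and "/vmfs/volumes" in ev.get("cmd", ""):
        return "shell_command_on_datastore"
    return None


def detect(events, window=timedelta(hours=24)):
    """Find the window holding the most distinct stages and grade it."""
    hits = []
    for ev in events:
        stage = classify(ev)
        if stage:
            ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            hits.append((ts, stage, ev))
    hits.sort(key=lambda h: h[0])

    best = {}
    for i, (start, _, _) in enumerate(hits):
        seen = {}
        for ts, stage, ev in hits[i:]:
            if ts - start > window:
                break
            seen.setdefault(stage, ev)          # keep first evidence per stage
        if len(seen) > len(best):
            best = seen

    n = len(best)
    if n >= 3 or "shell_command_on_datastore" in best:
        severity = "critical"
    elif n == 2 or "dc_disk_mounted_on_other_vm" in best:
        severity = "high"
    elif n == 1:
        severity = "medium"
    else:
        severity = "none"
    # dict insertion order is chronological, so 'stages' reads as a timeline.
    return {"severity": severity, "stages": list(best), "evidence": best}


if __name__ == "__main__":
    result = detect(SAMPLE_EVENTS)
    print(result["severity"], result["stages"])
```

Two design points carry over to a real SIEM rule. First, the domain controller disk check compares the disk's owning VM folder against the VM being reconfigured, so a routine disk add to the same VM does not fire while a DC VMDK attached to an "orphaned" VM does. Second, grading is by distinct stages inside a window rather than by any single event, which is what makes an hours-long chain visible even when each step, taken alone, looks like routine administration.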
“The threat is immediate, and the attack chain is proven,” the report concluded. “Successful hypervisor-level tactics leveraged by groups like UNC3944 are no longer exclusive; these same TTPs are now being actively adopted by other ransomware groups. This proliferation turns a specialized threat into a mainstream attack vector, making the time to act now.”