A prolonged Chinese cyber espionage campaign is targeting VMware appliances to gain access to target networks, according to Sygnia researchers.
The campaign has been tracked since early 2025. The attackers, dubbed Fire Ant, have been observed using combinations of sophisticated and stealthy techniques to create multilayered attack kill chains, which facilitate access to restricted and segmented network assets.
The threat actor has demonstrated consistent targeting of virtualization and network infrastructure, particularly VMware infrastructure.
These systems are used as footholds for initial access, lateral movement and long-term persistence in victim networks.
“Fire Ant’s operations are characterized by infrastructure-centric TTPs, enabling activity beneath the detection threshold of traditional endpoint controls, highlighting critical blind spots of conventional security stacks,” the Sygnia researchers wrote in a blog dated July 24.
Multiple aspects of the Fire Ant campaign, including its unique tool set and its focus on VMware virtualization infrastructure, strongly align with techniques used by a Chinese nation-state espionage group tracked by Mandiant as UNC3886.
“The active working hours of the threat group throughout the incidents and minor input errors observed during command execution aligned with Chinese-language keyboard layouts, consistent with prior regional activity indicators,” Sygnia added.
Gaining Access to Virtualization Infrastructure
As part of the campaign, Fire Ant exploited CVE-2023-34048, an out-of-bounds write vulnerability in VMware vCenter Server, to achieve unauthenticated remote code execution and gain control over the virtualization layer.
From this base, the attackers conducted a range of techniques to achieve persistence and lateral movement across target environments.
The actor deployed multiple backdoors on VMware ESXi hosts and the vCenter to maintain access across reboots.
With control over the hypervisor, the attacker interacted directly with guest virtual machines. This included executing commands inside guests via PowerCLI without holding any in-guest credentials, tampering with security tools and extracting credentials from memory snapshots. Because such commands are brokered by VMware Tools, they appear inside the guest as child processes of vmtoolsd.exe rather than of an interactive logon, which is why that parent-child relationship is a useful detection signal.
“This approach enabled full-stack compromise, providing persistent, covert access from the hypervisor to guest operating systems,” the researchers said.
Compromising Network Infrastructure
The attackers then set about discovering internal, isolated assets in target networks. This involved the use of sophisticated techniques to bypass segmentation boundaries and establish cross-segment persistence.
This included compromising F5 load balancers by exploiting CVE-2022-1388, a critical authentication bypass in the iControl REST API that allows unauthenticated command execution.
This allowed the attackers to deploy webshells, including a tunneling webshell that enabled bridging between networks connected to the load balancer.
They also issued routing commands on already-compromised, trusted endpoints so that traffic to network-restricted assets flowed through those hosts, reaching the targets without triggering firewall rules or segmentation controls.
Fire Ant was also observed maneuvering around eradication efforts by network defenders.
“As defenders cleaned systems and removed tools and persistence, the threat actor re-compromised assets. After re-compromising assets, the threat actor rotated the deployed toolsets, altered execution methods, and renamed binaries to avoid detection,” the researchers noted.
Indicators of Fire Ant Activity
The Sygnia report set out key indicators of Fire Ant activity that network defenders should monitor for. These include:
- Unexpected termination of ‘vmsyslogd’ process within ESXi
- Unauthorized execution of ‘vim-cmd’ or ‘esxcli’ commands
- Unusual or previously unseen processes executing on ESXi hosts
- Rogue virtual machine execution via the ‘vmx -x’ binary
- Guest command execution with ‘vmtoolsd.exe’ as parent process
- Stale EDR agents on active virtual machines
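The following script is an added example, not code from Sygnia or from the report, showing how the indicators above can be turned into simple detection logic. It runs three checks over constructed sample data: ESXi log lines (in a simplified "<timestamp> <source>: <message>" form, not real ESXi telemetry; the regexes are assumptions that must be tuned to your own shell.log and hostd.log wording), Windows process-creation events in a Sysmon-like dict shape, and a VM inventory joined with EDR check-in times. The allowlist of VMware Tools' own install directory for vmtoolsd.exe children, and the seven-day staleness threshold, are design choices assumed here, not values from the report.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


# Constructed sample ESXi log lines (not real ESXi output). Lines 1-3 and 5
# exercise the indicators: esxcli/vim-cmd use, 'vmx -x' launching an
# unregistered VM, and the syslog daemon being terminated.
ESXI_LOG = """\
2025-03-01T10:00:01Z shell[1001]: [root]: esxcli system syslog config get
2025-03-01T10:00:05Z shell[1001]: [root]: vim-cmd vmsvc/getallvms
2025-03-01T10:00:09Z shell[1001]: [root]: /bin/vmx -x /vmfs/volumes/ds1/.tmp/tmp.vmx
2025-03-01T10:00:12Z shell[1001]: [root]: ls /vmfs/volumes
2025-03-01T10:00:13Z hostd[1002]: watchdog: vmsyslogd exited unexpectedly, not restarting
"""

# Assumed patterns; adapt to the exact message text your hosts emit.
ESXI_RULES = (
    ("esxi_admin_cli", re.compile(r"(^|\s)(vim-cmd|esxcli)\s")),
    ("rogue_vmx_exec", re.compile(r"(^|[\s/])vmx\s+-x\b")),
    ("vmsyslogd_terminated",
     re.compile(r"vmsyslogd\b.*\b(exit|exited|terminated|killed)", re.I)),
)


def scan_esxi_log(text: str) -> list[Finding]:
    """Return one Finding per (line, rule) match in ESXi log text."""
    findings = []
    for line in text.splitlines():
        for name, rx in ESXI_RULES:
            if rx.search(line):
                findings.append(Finding(name, line.strip()))
    return findings


# Constructed Windows process-creation events in a Sysmon-like shape.
GUEST_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    # Legitimate helper that VMware Tools itself spawns; should not alert.
    {"Image": r"C:\Program Files\VMware\VMware Tools\VMwareResolutionSet.exe",
     "ParentImage": r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe",
     "CommandLine": "VMwareResolutionSet.exe 0 1 , 0 0 1920 1080"},
]

# Assumption: children living inside the Tools install directory are expected.
VMTOOLS_DIR = "c:\\program files\\vmware\\vmware tools\\"


def scan_guest_events(events: list[dict]) -> list[Finding]:
    """Flag processes spawned by vmtoolsd.exe from outside the Tools directory."""
    findings = []
    for ev in events:
        parent = ev.get("ParentImage", "").lower()
        image = ev.get("Image", "").lower()
        if parent.endswith("\\vmtoolsd.exe") and not image.startswith(VMTOOLS_DIR):
            findings.append(Finding("guest_exec_via_vmtoolsd", ev.get("CommandLine", "")))
    return findings


# Constructed inventory: vCenter power state joined with EDR last check-in.
NOW = datetime(2025, 3, 2, 0, 0, 0)
INVENTORY = [
    {"name": "dc01", "power_state": "poweredOn", "edr_last_seen": NOW - timedelta(hours=2)},
    {"name": "file01", "power_state": "poweredOn", "edr_last_seen": NOW - timedelta(days=20)},
    {"name": "web02", "power_state": "poweredOn", "edr_last_seen": None},
    {"name": "old-tmpl", "power_state": "poweredOff", "edr_last_seen": NOW - timedelta(days=90)},
]


def stale_edr_agents(inventory: list[dict], now: datetime, max_age_days: int = 7) -> list[str]:
    """Names of powered-on VMs whose EDR agent is missing or has not checked in recently."""
    stale = []
    for vm in inventory:
        if vm["power_state"] != "poweredOn":
            continue
        last = vm.get("edr_last_seen")
        if last is None or (now - last) > timedelta(days=max_age_days):
            stale.append(vm["name"])
    return stale


if __name__ == "__main__":
    for f in scan_esxi_log(ESXI_LOG) + scan_guest_events(GUEST_EVENTS):
        print(f"[{f.rule}] {f.detail}")
    print("stale EDR agents:", stale_edr_agents(INVENTORY, NOW))
```

The ESXi rules deliberately fire on every esxcli and vim-cmd invocation; in production you would baseline those against change records or known automation accounts rather than alerting on each one, but the point of the report's indicator is that any such execution outside an approved window deserves a look. The guest-side rule is the counterpart to the hypervisor-to-guest execution described earlier: the only legitimate children of vmtoolsd.exe are its own helpers, so anything else spawned under it is worth triage.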