TTPwire Vol. 1 · MITRE ATT&CK Tagged


Huntress

ESXi Exploitation in the Wild

2026-01-07

ATT&CK techniques detected

26 predictions
T1068 Exploitation for Privilege Escalation
98%
"…VMware VMCI PCI device to gain direct hardware access - devcon.exe disable “ROOT\VMWVMCIHOSTDEV” - disables VMware VMCI host driver - kdu.exe -prv 1 -map mydriver.sys - leverages Kernel Driver Utility (KDU) to bypass driver signature enforcement and load the unsigned …"
T1068 Exploitation for Privilege Escalation
97%
"exploit - kdu.exe - Kernel Driver Utility (BYOD loader tool) - devcon.exe - Microsoft Device Console, a device management utility - drv64.dll - KDU support library. Figure 2: Maestro's main function showing the full attack sequence. Phase 1: Disabling VMware VMCI drivers. T…"
T1068 Exploitation for Privilege Escalation
97%
"Despite the sophistication of the VM escape, the attackers got in through a compromised SonicWall VPN. The basics still matter. - VM isolation is not absolute. Hypervisor vulnerabilities can allow attackers to break out of guest VMs and compromise all workloads on a host. - Patch…"
T1068 Exploitation for Privilege Escalation
97%
"…mydriver.sys” is unsigned, it cannot be loaded through normal means on systems with Driver Signature Enforcement (DSE) enabled. The exploit uses KDU (Kernel Driver Utility), an open-source tool for loading unsigned drivers into kernel memory. - kdu.exe -prv 1 -map mydr…"
T1068 Exploitation for Privilege Escalation
94%
"revealing PDB path that offers a glimpse into the threat actor's development environment: - C:\Users\test\Desktop\2023_11_02\vmci_vm_escape\getshell\source\client\x64\Release\client.pdb The path tells us this was built on November 2, 2023, as pa…"
T1068 Exploitation for Privilege Escalation
92%
"After successful exploitation (status == 2), the orchestrator re-enables the VMware VMCI drivers. This restoration likely serves as operational security: the VM continues functioning normally with VMware Tools operational, reducing suspicion that anything malicious occur…"
T1055.001 Dynamic-link Library Injection
88%
"…24, which VMware describes as a vulnerability that “leads to an out-of-bounds write”. Figure 7: Writing data to VMX memory via backdoor channels. So, the exploit writes three payloads into VMX memory: - Stage 1 shellcode - Stage 2 shellcode - ELF backdoor. The ELF backdoo…"
T1068 Exploitation for Privilege Escalation
83%
"the same host. Why disable the VMCI driver? The exploit driver needs to communicate directly with the VMCI hardware using low-level I/O port instructions. If we look at “mydriver.sys” (the malicious driver), after locating the VMCI device on the PCI bus, it reads the dev…"
T1486 Data Encrypted for Impact
81%
"ESXi Exploitation in the Wild. Background. In December 2025, Huntress observed an intrusion leading to the deployment of VMware ESXi exploits. Based on indicators we observed, including the workstation name the threat actor was operating from and other TTPs, the Huntress Tactical R…"
T1059.004 Unix Shell
81%
"from the VM to ESXi, and anything else is passed through as a shell command for execution on the hypervisor. Interestingly enough, the binary folder includes a README with usage instructions, giving us a direct look at the intended workflow. Figure 15: Content of README. Who did …"
T1559 Inter-Process Communication
80%
"context ID -1 (VMADDR_CID_ANY), allowing any virtual machine on the host to communicate with it. The backdoor waits for a two-byte trigger “ok”, then forks a child process to handle commands. It supports three operations: get reads a file from the ESXi host and sends …"
T1068 Exploitation for Privilege Escalation
80%
"VM has its own VMX process. From an attacker's perspective, VMX is the first target for a VM escape because it processes untrusted input from the guest. However, VMX runs inside a sandbox on ESXi, so compromising it requires an additional step to gain full host access. VMware E…"
T1059.012 Hypervisor CLI
80%
"ESXi Exploitation in the Wild. Background. In December 2025, Huntress observed an intrusion leading to the deployment of VMware ESXi exploits. Based on indicators we observed, including the workstation name the threat actor was operating from and other TTPs, the Huntress Tactical R…"
T1055.001 Dynamic-link Library Injection
75%
"output only displays process IDs and generic descriptions like {no file name}; to identify the actual malicious binary, defenders need to dump the process memory for further analysis. Mandiant has published detailed guidance on detecting VMCI backdoors and ESXi compromise in th…"
T1572 Protocol Tunneling
70%
"…ppet of shellcode 2. vsockpuppet: vsock-based remote access. vsockpuppet is a 64-bit ELF executable that provides persistent remote access to the ESXi host. Rather than using traditional network sockets, the backdoor communicates over vsock (virtual sockets), VMware's hi…"
T1497 Virtualization/Sandbox Evasion
60%
"known offset (0x01590300) from the leaked pointer: - vmxbase = leakedptr - 0x01590300. The offset table stores a known address within VMX for each supported build. The leaked pointer points to a predictable location inside VMX. By subtracting this known offset, the exploit dete…"
T1564.006 Run Virtual Instance
60%
"ESXi Exploitation in the Wild. Background. In December 2025, Huntress observed an intrusion leading to the deployment of VMware ESXi exploits. Based on indicators we observed, including the workstation name the threat actor was operating from and other TTPs, the Huntress Tactical R…"
T1059.012 Hypervisor CLI
50%
"VM administrator fears: full control of the hypervisor from within a guest VM. The use of vsock for backdoor communication is particularly concerning: it bypasses traditional network monitoring entirely, making detection significantly harder. The toolkit also prioritizes stealth…"
T1564.006 Run Virtual Instance
46%
"VM administrator fears: full control of the hypervisor from within a guest VM. The use of vsock for backdoor communication is particularly concerning: it bypasses traditional network monitoring entirely, making detection significantly harder. The toolkit also prioritizes stealth…"
T1055.001 Dynamic-link Library Injection
44%
"targeting ESXi. Detection. YARA: https://github.com/russianpanda95/yara-rules/blob/main/esxiexploittoolkit/win_mal_getshellplugin.yar https://github.com/russianpanda95/yara-rules/blob/main/esxiexploittoolkit/win_mal_maestro.yar https…"
T1497 Virtualization/Sandbox Evasion
40%
", but inside a VMware VM, the hypervisor intercepts access to it and uses it as a command channel. This is how VMware Tools implements features like clipboard sharing, drag-and-drop, and screen resizing. A large buffer of zeros (~50KB) is sent through the channel, followed…"
T1055.001 Dynamic-link Library Injection
39%
"ASLR. Since the offset table contains relative offsets rather than absolute addresses, the exploit must determine where VMX is loaded in memory before it can calculate the exact locations to write shellcode and corrupt structures. The function below performs a sequence of HGFS-…"
T1068 Exploitation for Privilege Escalation
37%
"from the VM to ESXi, and anything else is passed through as a shell command for execution on the hypervisor. Interestingly enough, the binary folder includes a README with usage instructions, giving us a direct look at the intended workflow. Figure 15: Content of README. Who did …"
T1068 Exploitation for Privilege Escalation
34%
"VM administrator fears: full control of the hypervisor from within a guest VM. The use of vsock for backdoor communication is particularly concerning: it bypasses traditional network monitoring entirely, making detection significantly harder. The toolkit also prioritizes stealth…"
T1055.001 Dynamic-link Library Injection
34%
"…”. Shellcode 1. Stage 1 shellcode runs inside the VMX process and uses VMkernel syscalls to query kernel internals. The shellcode loops up to 4,902 times searching for an object named “general”. Then queries information about “vmkernel” and “vmci”. When found, it extracts t…"
T1210 Exploitation of Remote Services
34%
"…advfirewall firewall add rule name="block external outbound" dir=out action=block remoteip=0.0.0.0-255.255.255.255 profile=any - netsh advfirewall firewall add rule name="allow local network-3" dir=out action=allow remoteip=172.x.x.x/12 profile…"

Summary

Huntress outlines a complex, multi-step attack designed to break out of guest VMs and target the ESXi hypervisor, using potential zero-day vulnerabilities and sneaky VSOCK communication.