The notorious cybercriminal group known as Scattered Spider is targeting VMware ESXi hypervisors in attacks against the North American retail, airline and transportation sectors.
“The group’s core tactics are consistent and do not rely on software exploits. Instead, they use proven playbooks centered around calling the IT help desk,” Google’s Mandiant team said in an extensive analysis.
“Actors are offensive and creative, especially skilled at bypassing mature security programs using social engineering. The attacks are not opportunistic, but are precise, campaign-driven operations targeting the organization’s most important systems and data.”
Also known as 0ktapus, Muddled Libra, Octo Tempest, and UNC3944, the threat actors adopt a “living-off-the-land” (LotL) approach: they use sophisticated social engineering to gain initial access to the victim environment, operate through trusted management systems, and leverage Active Directory integration to pivot into the VMware environment.
Google said the method, which provides a pathway for data exfiltration and ransomware deployment directly from the hypervisor, is “very effective” because it bypasses security tools and leaves almost no trace of compromise.

The attack chain unfolds in five different phases –
- Initial compromise, reconnaissance, and privilege escalation, in which the threat actors gather IT documentation, support guides, organizational charts and the identities of vSphere administrators, and enumerate credentials from password managers such as HashiCorp Vault and other Privileged Access Management (PAM) solutions. The attackers have been observed making additional calls to the company’s IT help desk, impersonating a high-value administrator and requesting a password reset to take control of the account.
- Pivot into the virtual environment using Active Directory credentials mapped to vSphere roles and gain access to the VMware vCenter Server Appliance (VCSA).
- Enable SSH on the ESXi host, reset the root password, and carry out what is called a “disk swap” attack to extract the NTDS.DIT Active Directory database. This attack works by powering off a Domain Controller (DC) virtual machine (VM) and detaching its virtual disk so the NTDS.DIT file can be copied from it. Once the file is copied, the process is reversed and the DC is powered back on.
- Weaponize access to delete backup jobs, snapshots, and repositories to block recovery.
- Push custom ransomware binaries over SCP/SFTP using SSH access to an ESXi host.
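Because the phases above leave their footprints in the hypervisor's own audit trail rather than in guest EDR telemetry, a defender's practical starting point is to correlate those events per host. The following is an added example written for this article, not code from Google, Mandiant or VMware: it runs a stage-correlation rule and a dedicated "disk swap" rule over constructed event records. The action vocabulary (`ssh_enabled`, `disk_detached`, ...) and the field layout are assumptions that have to be mapped onto the real vCenter/ESXi event names in your SIEM; the example also assumes the detached DC disk is attached to a second VM before the reversal the text describes.

```python
"""Correlate vSphere audit events into the ESXi attack chain described above.

Added example (not from the article or the vendor). All event names, fields and
the sample records are constructed; adapt the matchers to your own log schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable


@dataclass
class Event:
    ts: datetime
    host: str          # ESXi host (or vCenter) that emitted the event
    action: str        # normalized action name (constructed vocabulary)
    target: str        # object acted on: VM, service, account or path
    actor: str         # account that performed the action
    detail: str = ""   # extra context, e.g. the VMDK path for disk events


# Stage indicators, in the order the article's phases describe them.
STAGES = [
    ("ssh_enabled",         "SSH service enabled on ESXi host"),
    ("root_password_reset", "root password reset on ESXi host"),
    ("vm_powered_off",      "domain controller VM powered off"),
    ("disk_detached",       "virtual disk detached from a VM"),
    ("disk_attached",       "virtual disk attached to a VM"),
    ("backup_deleted",      "backup job, snapshot or repository deleted"),
    ("file_uploaded",       "file pushed to the host over SCP/SFTP"),
]
STAGE_NAMES = {name for name, _ in STAGES}


def disk_swaps(events: Iterable[Event], window: timedelta = timedelta(hours=1)):
    """Return (disk, source_vm, dest_vm) for every disk detached from one VM and
    attached to a *different* VM within `window`. A single detach (routine
    maintenance) never matches; the swap and its later reversal both do."""
    evs = list(events)
    detaches = [e for e in evs if e.action == "disk_detached"]
    attaches = [e for e in evs if e.action == "disk_attached"]
    swaps = []
    for d in detaches:
        for a in attaches:
            same_disk = a.detail == d.detail
            other_vm = a.target != d.target
            if same_disk and other_vm and timedelta(0) <= a.ts - d.ts <= window:
                swaps.append((d.detail, d.target, a.target))
    return swaps


def stage_hits(events: Iterable[Event], window: timedelta = timedelta(hours=6),
               min_stages: int = 3):
    """Per host, report the first window in which at least `min_stages`
    distinct stages occur. Stages are reported in playbook order, together
    with every account involved, so the help-desk-reset account and the
    ESXi root account show up side by side."""
    by_host: dict[str, list[Event]] = {}
    for e in sorted(events, key=lambda e: e.ts):
        if e.action in STAGE_NAMES:
            by_host.setdefault(e.host, []).append(e)
    findings = []
    for host, evs in by_host.items():
        for i, start in enumerate(evs):
            seen: dict[str, Event] = {}
            for e in evs[i:]:
                if e.ts - start.ts > window:
                    break
                seen.setdefault(e.action, e)
            if len(seen) >= min_stages:
                findings.append({
                    "host": host,
                    "first_seen": start.ts,
                    "stages": [name for name, _ in STAGES if name in seen],
                    "actors": sorted({e.actor for e in seen.values()}),
                })
                break  # one finding per host is enough to page someone
    return findings


# Constructed sample: one host shows the full chain, another shows only
# routine maintenance (a lone disk detach) that must not alert.
T0 = datetime(2025, 7, 1, 2, 0)
DC_DISK = "[ds1] DC01/DC01.vmdk"
SAMPLE_EVENTS = [
    Event(T0, "esxi-01", "ssh_enabled", "TSM-SSH", "vsphere-admin"),
    Event(T0 + timedelta(minutes=2), "esxi-01", "root_password_reset", "root", "vsphere-admin"),
    Event(T0 + timedelta(minutes=10), "esxi-01", "vm_powered_off", "DC01", "root"),
    Event(T0 + timedelta(minutes=11), "esxi-01", "disk_detached", "DC01", "root", DC_DISK),
    Event(T0 + timedelta(minutes=12), "esxi-01", "disk_attached", "orphan-vm", "root", DC_DISK),
    Event(T0 + timedelta(minutes=40), "esxi-01", "disk_detached", "orphan-vm", "root", DC_DISK),
    Event(T0 + timedelta(minutes=41), "esxi-01", "disk_attached", "DC01", "root", DC_DISK),
    Event(T0 + timedelta(hours=1), "esxi-01", "backup_deleted", "nightly-job", "vsphere-admin"),
    Event(T0 + timedelta(hours=2), "esxi-01", "file_uploaded", "/tmp/unknown.bin", "root"),
    Event(T0 + timedelta(hours=3), "esxi-02", "disk_detached", "FILE01", "ops", "[ds2] FILE01/FILE01_1.vmdk"),
]

if __name__ == "__main__":
    for swap in disk_swaps(SAMPLE_EVENTS):
        print("disk swap:", swap)
    for f in stage_hits(SAMPLE_EVENTS):
        print("chain on", f["host"], "stages:", f["stages"], "actors:", f["actors"])
```

The two rules are deliberately independent: `disk_swaps` fires on the NTDS.DIT extraction alone, which is the highest-value single signal, while `stage_hits` needs several stages in one window and therefore tolerates a benign SSH enablement or a lone disk detach. The actor list is what ties the hypervisor activity back to the help-desk reset in the first phase.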
“The UNC3944 playbook requires a fundamental change in defensive strategies, moving from EDR-based threat hunting to a proactive, infrastructure-centric defense,” Google said. “This threat differs from traditional Windows ransomware in two ways: speed and stealth.”
The technology giant called out the threat actors’ “extreme speed,” saying that the entire infection sequence, from initial access through data exfiltration to final ransomware deployment, could occur within hours.

According to Palo Alto Networks Unit 42, the Scattered Spider actors are not only proficient in social engineering but are also partnering with the DragonForce (aka Slippery Scorpius) ransomware program, exfiltrating more than 100 GB of data over two days.
To combat such threats, organizations are advised to follow three layers of protection –
- Enable vSphere lockdown mode, enforce execInstalledOnly, use vSphere VM encryption, decommission old VMs, and harden your help desk
- Implement phishing-resistant multifactor authentication (MFA), isolate critical identity infrastructure, and avoid authentication loops
- Centralize and monitor key logs, separate backups from the production Active Directory, and ensure that compromised administrators cannot access them
Google is also urging organizations to re-architect their systems with security in mind when migrating off VMware vSphere 7, which approaches end of life (EOL) in October 2025.

“Ransomware targeting vSphere infrastructure, including both ESXi hosts and vCenter servers, poses its own serious risks due to its ability to paralyze the infrastructure instantly and broadly,” Google said.
“Failure to proactively address these interconnected risks by implementing the recommended mitigations will expose organizations to targeted attacks that could quickly cripple their entire virtualized infrastructure, leading to operational disruption and financial losses.”