A threat actor known as Fire Ant is conducting a sophisticated cyber espionage campaign targeting virtualization and networking infrastructure, including VMware ESXi and vCenter. The attack demonstrates advanced persistence, stealth, and flexibility, exploiting known vulnerabilities and bypassing segmentation controls. #FireAnt #UNC3886 #VMwareVCenter #VIRTUALPITA #CyberEspionage
Key points
- Fire Ant has targeted VMware ESXi, vCenter, and network appliances in ongoing cyber espionage campaigns.
- The threat actor exploited the known vulnerabilities CVE-2023-34048 (an out-of-bounds write in the vCenter Server DCERPC implementation) and CVE-2023-20867 (an authentication bypass in VMware Tools usable from an already-compromised ESXi host) to gain and maintain access.
- Fire Ant deploys persistent backdoors, Python implants, and tunneling frameworks such as V2Ray for command and control.
- The attackers break network segmentation and re-establish access by deploying unregistered virtual machines on compromised hosts and modifying network configurations.
- The campaign highlights the need for visibility and detection at the hypervisor and infrastructure layers, because these systems expose little native telemetry and typically cannot run endpoint agents.
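One concrete hypervisor-level check for the unregistered-VM technique listed above is to compare the VMs that actually have running processes on an ESXi host (`esxcli vm process list`) against the VMs the host has registered in its inventory (`vim-cmd vmsvc/getallvms`). The script below is an added example, not code from the article or from VMware; the two command outputs it parses are constructed samples, and it assumes both commands report the datastore by its friendly name rather than its UUID symlink under `/vmfs/volumes/`.

```python
"""Flag VMs running on an ESXi host that are absent from its registered inventory.

Added example of one hypervisor-layer detection; not from the article or any
vendor tool. The command outputs below are constructed samples.
"""
import re

# Constructed sample of `esxcli vm process list` (VMs with live VMX processes).
ESXCLI_OUTPUT = """\
web01
   World ID: 2100567
   Process ID: 0
   VMX Cartel ID: 2100566
   UUID: 56 4d 2a 11 00 00 00 00 00 00 00 00 00 00 00 01
   Display Name: web01
   Config File: /vmfs/volumes/datastore1/web01/web01.vmx

jump-box
   World ID: 2101112
   Process ID: 0
   VMX Cartel ID: 2101111
   UUID: 56 4d 7c 02 00 00 00 00 00 00 00 00 00 00 00 02
   Display Name: jump-box
   Config File: /vmfs/volumes/datastore1/.hidden/jump-box.vmx
"""

# Constructed sample of `vim-cmd vmsvc/getallvms` (VMs registered in inventory).
GETALLVMS_OUTPUT = """\
Vmid   Name     File                            Guest OS        Version   Annotation
1      web01    [datastore1] web01/web01.vmx    ubuntu64Guest   vmx-19
2      db01     [datastore1] db01/db01.vmx      rhel8_64Guest   vmx-19
"""


def normalize_vmx_path(path):
    """Map both path styles to 'datastore/relative/path.vmx' so they can be compared.

    Assumption: the datastore appears by friendly name in both outputs. If esxcli
    reports a UUID under /vmfs/volumes/, resolve it first via
    `esxcli storage filesystem list` before comparing.
    """
    m = re.match(r"\[(?P<ds>[^\]]+)\]\s*(?P<rest>.+)", path)
    if m:
        return f"{m.group('ds')}/{m.group('rest')}"
    m = re.match(r"/vmfs/volumes/(?P<ds>[^/]+)/(?P<rest>.+)", path)
    if m:
        return f"{m.group('ds')}/{m.group('rest')}"
    return path


def running_vmx_paths(esxcli_text):
    """Return {normalized vmx path: display name} for every VM with a live process."""
    result = {}
    name = None
    for line in esxcli_text.splitlines():
        m = re.match(r"\s+Display Name:\s*(.*)", line)
        if m:
            name = m.group(1).strip()
            continue
        m = re.match(r"\s+Config File:\s*(.*)", line)
        if m:
            result[normalize_vmx_path(m.group(1).strip())] = name
    return result


def registered_vmx_paths(getallvms_text):
    """Return {normalized vmx path: inventory name} from the getallvms table."""
    result = {}
    for line in getallvms_text.splitlines():
        # Vmid, Name, then the '[datastore] path.vmx' column; header and
        # wrapped annotation lines do not match and are skipped.
        m = re.match(r"\s*(\d+)\s+(\S+)\s+(\[[^\]]+\]\s*\S+)", line)
        if m:
            result[normalize_vmx_path(m.group(3))] = m.group(2)
    return result


def find_unregistered(esxcli_text, getallvms_text):
    """Running VMs whose config file is not in the registered inventory.

    A VM that is executing but not registered is exactly what a hidden,
    attacker-deployed guest looks like from the host's own tooling.
    """
    running = running_vmx_paths(esxcli_text)
    registered = registered_vmx_paths(getallvms_text)
    return sorted((path, name) for path, name in running.items() if path not in registered)


if __name__ == "__main__":
    hits = find_unregistered(ESXCLI_OUTPUT, GETALLVMS_OUTPUT)
    for path, name in hits:
        print(f"UNREGISTERED running VM: {name} ({path})")
    if not hits:
        print("All running VMs are registered in inventory.")
```

In the constructed sample `jump-box` is reported as running but has no inventory entry, and its config file sits in a dot-prefixed directory, so the script reports it. On a real host, run both commands over SSH or from the ESXi shell and feed their output to `find_unregistered`; VMs that vCenter knows about but the host does not will also show up here and are worth reconciling.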
Read More: https://thehackernews.com/2025/07/fire-ant-exploits-vmware-flaw-to.html