China-Linked Group Fire Ant Exploits VMware and F5 Flaws in 2025 Cyberattacks
TL;DR
The China-linked cyberespionage group Fire Ant has been exploiting VMware and F5 vulnerabilities since early 2025 to infiltrate secure systems. This group targets virtualization and networking infrastructure, employing sophisticated tactics to bypass security measures and maintain persistent access. Their operations align with previous campaigns attributed to UNC3886, highlighting a significant threat to cybersecurity.
Main Content
China-Linked Group Fire Ant Exploits VMware and F5 Flaws
The China-linked cyberespionage group, Fire Ant, has been exploiting VMware and F5 vulnerabilities to stealthily breach secure systems, according to a report by cybersecurity firm Sygnia.
Targeted Infrastructure
Since early 2025, Fire Ant has targeted virtualization and networking infrastructure, primarily focusing on VMware ESXi and vCenter environments. The group employs sophisticated, layered attack chains to access restricted networks that are believed to be isolated.
Persistent and Adaptive Attacks
Sygnia’s report highlights the group’s high degree of persistence and operational maneuverability:
“The attacker demonstrated a high degree of persistence and operational maneuverability, operating through eradication efforts, adapting in real time to eradication and containment actions to maintain access to the compromised infrastructure.”
The report also notes that the tooling and techniques used by Fire Ant closely align with prior campaigns attributed to UNC3886. Technical overlaps include specific binaries and the exploitation of vCenter and ESXi vulnerabilities, as well as targeted verticals.
Deep Control Over VMware Environments
Fire Ant gained deep control over VMware ESXi and vCenter servers using unauthenticated host-to-guest commands and credential theft to access guest environments. The group bypassed network segmentation by compromising appliances and tunneling through legitimate paths. Their strategy adapted to containment efforts via toolset changes, persistent backdoors, and network manipulation. The campaign was uncovered through a vmtoolsd.exe anomaly, pointing to host-based injection and revealing a broader, stealthy cyberespionage operation.
Exploiting Critical Vulnerabilities
In some cases, the attack chain began with the exploitation of the critical vCenter Server vulnerability CVE-2023-34048, which allowed attackers to gain unauthenticated remote code execution and take over the virtualization management layer.
vCenter Server: A Critical Component
vCenter Server is a crucial component in VMware’s virtualization and cloud computing software suite. It serves as a centralized and comprehensive management platform for VMware’s virtualized data centers. The vulnerability CVE-2023-34048, with a CVSS score of 9.8, is an out-of-bounds write vulnerability in the implementation of the DCERPC protocol.
Lateral Movement and Persistent Backdoors
Once the vCenter was compromised, Fire Ant moved laterally to ESXi hosts using stolen vpxuser credentials, deploying persistent backdoors. With hypervisor control, they accessed guest VMs and exploited CVE-2023-20867 to run commands without credentials. The attackers also disabled security tools and extracted credentials from memory snapshots, including domain controllers.
“As ‘vpxuser’ is used by vCenter for core management tasks, it is exempt from lockdown mode restrictions. This allowed the threat actor to retain host-level access even when direct logins were disabled, gaining control over all connected ESXi hosts.”
The threat actor deployed a persistent backdoor binary on vCenter servers named ksmd, located at /usr/libexec/setconf/ksmd. The binary was configured to listen on TCP port 7475, enabling remote command execution and file operations.
Full-Stack Compromise
Fire Ant achieved full-stack compromise, maintaining covert access to guest OSes via the hypervisor and bypassing segmentation through trusted systems.
Compromising F5 Load Balancers
The cyberespionage group also compromised F5 load balancers by exploiting the flaw CVE-2022-1388 in the iControl REST API. This vulnerability allows an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. Attackers exploited this vulnerability to deploy a staging webshell to usr/local/www/xui/common/css/css.php.
Webshell Deployment and Tunneling
The deployed webshell was then used to deploy additional webshells in the /xui/common/css/ directory. One of these webshells, a tunneling webshell, enabled bridging between networks connected to the load balancer.
Medusa Rootkit for Persistence
To maintain long-term access, the threat actor established stealthy persistence on key Linux pivot points by deploying a variant of the open-source Medusa rootkit. The Medusa rootkit enables an interactive shell and logs SSH credentials to a file named remote.txt, serving both as a backdoor and a credential harvesting mechanism.
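As an added defender-side example (not code from Sygnia's report or this article), the following Python triage check looks for the host-level artifacts named in the preceding sections: the ksmd listener on TCP 7475 and its /usr/libexec/setconf/ksmd path on vCenter, PHP files dropped into the BIG-IP /xui/common/css/ directory, and the remote.txt credential log left by the Medusa rootkit variant. The `ss -ltnp` output, file inventory and host names are constructed samples.

```python
import re

# Indicators quoted above: ksmd backdoor, PHP webshells in the xui css dir, Medusa credential log.
KSMD_PATH = "/usr/libexec/setconf/ksmd"
KSMD_PORT = 7475
WEBSHELL_DIR = "/xui/common/css/"
MEDUSA_LOG = "remote.txt"

def check_listeners(host, ss_output):
    """Flag `ss -ltnp` lines showing a listener on the ksmd port or a process named ksmd."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if not cols or cols[0] != "LISTEN":
            continue  # skip the header row
        port = int(cols[3].rsplit(":", 1)[1])       # "0.0.0.0:7475" -> 7475
        procs = re.findall(r'\(\("([^"]+)"', line)  # users:(("ksmd",pid=..)) -> ksmd
        if port == KSMD_PORT or "ksmd" in procs:
            findings.append((host, "ksmd-listener", line.strip()))
    return findings

def check_paths(host, paths):
    """Flag paths matching the backdoor, webshell and credential-log locations."""
    findings = []
    for p in paths:
        name = p.rsplit("/", 1)[-1]
        if p == KSMD_PATH:
            findings.append((host, "ksmd-binary", p))
        elif WEBSHELL_DIR in p and name.endswith(".php"):
            findings.append((host, "xui-css-webshell", p))  # only .css belongs here
        elif name == MEDUSA_LOG:
            findings.append((host, "medusa-credential-log", p))
    return findings

# Constructed sample inventory: one vCenter, one BIG-IP and one Linux pivot host.
SAMPLE_SS = """State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 0.0.0.0:7475 0.0.0.0:* users:(("ksmd",pid=4410,fd=5))"""
SAMPLE_PATHS = {
    "vcenter01": ["/usr/libexec/setconf/ksmd", "/usr/lib/vmware-vpx/vpxd"],
    "bigip01": ["/usr/local/www/xui/common/css/main.css", "/usr/local/www/xui/common/css/css.php"],
    "pivot01": ["/root/remote.txt", "/var/log/auth.log"],
}

def triage():
    # Run both checks over the sample inventory; returns (host, indicator, evidence) tuples.
    findings = check_listeners("vcenter01", SAMPLE_SS)
    for host, paths in SAMPLE_PATHS.items():
        findings += check_paths(host, paths)
    return findings
```

Feed real `ss -ltnp` output and a recursive file listing from each appliance into the two check functions; an empty result means none of these specific artifacts were found, not that the host is clean.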
Resistance to Removal
Fire Ant showed strong resistance to removal efforts, re-entering systems via backup access paths and adapting tools to evade detection. They studied defenders’ actions, altered tactics, and even disguised malware as forensic tools.
“While Sygnia refrains from conclusive attribution, multiple aspects of Fire Ant’s campaign and most notably its unique tool set and attack vector targeting the VMware virtualization infrastructure strongly align with previous research on the threat group UNC3886.”
The active working hours of the threat group and minor input errors observed during command execution aligned with Chinese-language keyboard layouts, consistent with prior regional activity indicators.
Conclusion
The activities of the Fire Ant group highlight the ongoing threat posed by sophisticated cyberespionage operations. Their ability to adapt and persist despite containment efforts underscores the need for robust cybersecurity measures and continuous vigilance.
(SecurityAffairs – hacking, VMware)