VirtualPita, VirtualPie – new malware backdoors VMware ESXi servers to hijack virtual machines

UNC3886 attack on ESXi machines
source: Mandiant

The malicious actors found the new method of taking over the control of VMware ESXi hypervisors to control vCenter servers and virtual machines for Windows and Linux while avoiding detection. Attackers are using malicious vSphere Installation Bundles (“VIBs”) to install multiple backdoors across ESXi hypervisors. The malware is hidden in VIB payloads.

Researchers from Mandiant (acquired by Google) which is a cyber threat intelligence company in an incident response engagement earlier this year discovered that threat actor used malicious vSphere Installation Bundles (VIBs) to deliver the VirtualPita and VirtualPie malware. Hacker was able to take the following actions:

  • Maintain persistent administrative access to the hypervisor
  • Send commands to the hypervisor that will be routed to the guest VM for execution
  • Transfer files between the ESXi hypervisor and guest machines running beneath it
  • Tamper with logging services on the hypervisor
  • Execute arbitrary commands from one guest VM to another guest VM running on the same hypervisor

VMware VIBs are packages of files for creating or maintaining an ESXi image. Since ESXi utilizes an in-memory filesystem, file edits are not saved across reboots. VIBs are generally used by administrators to create creating startup tasks, firewall rules, or running binaries when the machine restarts, however, this attacker was seen leveraging the packages as a persistence mechanism to maintain access across ESXi hypervisors.

VMware creates four acceptance levels for VIBs:

  • VMWareCertified (certified)
  • VMwareAccepted (accepted)
  • PartnerSupported (partner)
  • CommunitySupported (community)

Vmware set the rule that the minimum acceptable level for a VIB to be installed on the ESXi host is PartnerSupported. Researchers observed that the threat actor, tracked as UNC3886, modified the acceptance level in the XML descriptor for the VBI from community to partner. As CommunitySupported level indicates that VIB was created by a third party and did not pass review or acceptance by VMware or its trusted partners.

UNC3886 – modified XML descriptor in malicious VIB file
source: Mandiant

Although the ESXi system did not allow to install of VIB with a falsified acceptance level, the hacker used --force flag to install the malicious VIB.

This type of attack requires administrative privileges to the hypervisor. Please make sure you will follow the VMware hargerind guide and common sense.


VIRTUALPITA is a 64-bit passive backdoor that creates a listener on a hardcoded port number on a VMware ESXi server. The researchers pointed out that the backdoor often impersonates a legitimate service by using VMware service names and ports. It allows the execution of arbitrary commands, uploads, and downloads files, as well as starting and stopping the logging mechanism (‘vmsyslogd ‘).


VirtualPie is lightweight backdoor malware written in Python. It spawns a daemonized IPv6 listener on a hardcoded port on a VMware ESXi server.

More in-depth details are accessible on the Mandiant blog.

🔥Subscribe to the channel:🔥

🚨Read my blog:

➡️ ENTER TO WIN Exam Vouchers:

👊My Podcast:

🔥vExpert info:

🛒 VMware EMEA store:

🛒 VMware US store:

🛒 VMware APAC store:

Please leave the comment