Chinese Hackers Exploit VMware ESXi Zero-Day to Backdoor Virtual Machines


Recently, a Chinese-sponsored hacking group, tracked as UNC3886 by cybersecurity firm Mandiant, has made headlines for exploiting a zero-day vulnerability in VMware ESXi to infiltrate Windows and Linux virtual machines (VMs) and steal sensitive data. In this blog post, we will delve into the details of the attack, the techniques employed by the hackers, and the implications for organizations in the targeted sectors.

The ESXi Zero-Day Exploitation

The cyber espionage group, UNC3886, leveraged the CVE-2023-20867 VMware Tools authentication bypass flaw to deploy VirtualPita and VirtualPie backdoors on guest VMs from compromised ESXi hosts. By escalating privileges to root on the compromised hosts, the attackers achieved full control over the virtual machines.

The Consequences of a Compromised ESXi Host

Once an ESXi host was fully compromised, the attackers could force VMware Tools to fail authentication, compromising the confidentiality and integrity of the guest VMs. This allowed the hackers to install backdoor malware using maliciously crafted vSphere Installation Bundles (VIBs), packages intended to assist administrators in creating and maintaining ESXi images.
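A defender-side check for the malicious-VIB technique described above, as an added example that is not from the original post or from Mandiant: it parses `esxcli software vib list` output and flags packages that are missing from a known-good baseline or installed at the `CommunitySupported` acceptance level. The sample output, the baseline and the `example-*` package names are constructed for illustration.

```python
import re

# Constructed sample of `esxcli software vib list` output (not from a real host).
SAMPLE = """\
Name             Version                      Vendor  Acceptance Level    Install Date
---------------  ---------------------------  ------  ------------------  ------------
esx-base         7.0.3-0.50.20036589          VMware  VMwareCertified     2022-09-01
vmware-fdm       7.0.3-20395099               VMware  VMwareCertified     2022-09-01
tools-light      12.0.0.19345655-20036586     VMware  VMwareCertified     2022-09-01
example-helper   1.0-1                        VMware  PartnerSupported    2023-01-14
example-agent    6.7.0-0.0.1                  ACME    CommunitySupported  2023-01-14
"""

# Hypothetical baseline: (name, version) pairs recorded from a known-good image.
BASELINE = {
    ("esx-base", "7.0.3-0.50.20036589"),
    ("vmware-fdm", "7.0.3-20395099"),
    ("tools-light", "12.0.0.19345655-20036586"),
}

def parse_vib_list(text):
    """Parse the table into dicts; columns are separated by two or more spaces."""
    rows = []
    for line in text.splitlines():
        fields = re.split(r"\s{2,}", line.strip())
        # Skip the header, the dashed separator row and anything malformed.
        if len(fields) != 5 or fields[0] == "Name" or set(line.strip()) <= {"-", " "}:
            continue
        rows.append(dict(zip(("name", "version", "vendor", "level", "installed"), fields)))
    return rows

def audit(rows, baseline):
    """Return (name, reasons) for every VIB that needs review."""
    findings = []
    for r in rows:
        reasons = []
        # Baseline comparison does not depend on the vendor or level a package declares.
        if (r["name"], r["version"]) not in baseline:
            reasons.append("not in baseline")
        if r["level"] == "CommunitySupported":
            reasons.append("unsigned acceptance level")
        if reasons:
            findings.append((r["name"], reasons))
    return findings

if __name__ == "__main__":
    for name, reasons in audit(parse_vib_list(SAMPLE), BASELINE):
        print(f"REVIEW {name}: {', '.join(reasons)}")
```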

The Role of VirtualGate Malware

During the investigation, Mandiant discovered a third malware strain called VirtualGate. This memory-only dropper was responsible for deobfuscating second-stage DLL payloads on the hijacked VMs. The open communication channel between the guest and host provided an avenue for persistence, allowing the attackers to regain access to a backdoored ESXi host as long as a backdoor was deployed and initial access to any guest machine was obtained.

UNC3886’s Sophisticated Techniques

UNC3886’s ability to exploit zero-day vulnerabilities in firewall and virtualization platforms that lack Endpoint Detection and Response (EDR) capabilities demonstrates their deep technical knowledge of ESXi, vCenter, and VMware’s virtualization platform. The group has been observed targeting organizations in the defense, government, telecom, and technology sectors in the United States and the Asia-Pacific and Japan (APJ) region.

The Chinese hackers’ utilization of new malware families and tailored malicious tools specific to the targeted platforms highlights their research capabilities and expertise in understanding complex technologies used by their victims. This sophistication makes it challenging to detect their activities, and it is likely that there are more victims who remain unaware of the ongoing breaches.

The Significance of UNC3886’s Espionage

UNC3886’s persistent and highly targeted cyber-espionage campaigns reveal their primary focus on governmental and government-related entities. The group’s successful compromises of organizations in the defense, technology, and telecommunications sectors, even those with mature security programs, underscore the severity of the threat they pose.


The recent exploitation of a VMware ESXi zero-day vulnerability by Chinese hackers has shed light on the sophisticated cyber-espionage capabilities possessed by UNC3886. Their utilization of advanced malware strains, deep understanding of targeted platforms, and ability to leverage zero-day vulnerabilities highlight the need for organizations to remain vigilant and adopt comprehensive security measures. With the ever-evolving landscape of cyber threats, it is crucial for both private and public entities to enhance their cybersecurity strategies to detect and mitigate such attacks effectively.
