Chinese-speaking threat actors likely leveraged a compromised SonicWall VPN appliance as an initial access vector and then deployed a VMware ESXi exploit that developers may have created as early as February 2024.
In December 2025, cybersecurity firm Huntress observed the malicious activity and intervened before the operation reached its final stage. The firm said the intrusion could have escalated into a ransomware attack had it not been interrupted.
Exploitation of VMware ESXi Zero-Day Vulnerabilities
Most notably, the attackers exploited three VMware vulnerabilities that Broadcom disclosed as zero-days in March 2025: CVE-2025-22224 (CVSS score: 9.3), a time-of-check time-of-use (TOCTOU) flaw in VMCI leading to an out-of-bounds write; CVE-2025-22225 (CVSS score: 8.2), an arbitrary write in ESXi; and CVE-2025-22226 (CVSS score: 7.1), an information disclosure in HGFS. A malicious actor with administrative privileges inside a guest could chain them to leak memory from the Virtual Machine Executable (VMX) process, execute arbitrary code as the VMX process on the host, and then escape the VMX sandbox to the hypervisor.
That same month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog after identifying evidence of active exploitation.
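Before triaging for this toolkit, the first question for a defender is whether a given host even carries the fix. The following is an added example (not code from the article, Huntress, or Broadcom) that parses the first line of `vmware -vl` output from an ESXi host and compares it against the minimum fixed build for its release line. The fixed build numbers are as recalled from VMSA-2025-0004 and are an assumption to confirm against the advisory before relying on them; the sample banners are constructed. It also handles the subtlety that a raw build-number comparison across release lines gives wrong answers.

```python
"""Check an ESXi version banner against the builds that fix
CVE-2025-22224 / CVE-2025-22225 / CVE-2025-22226 (VMSA-2025-0004).

Added example, not from the article or the vendor. FIXED_BUILDS values are
recalled from the Broadcom advisory and are an ASSUMPTION to verify before use.
Input is the first line printed by `vmware -vl` on an ESXi host, e.g.
"VMware ESXi 8.0.3 build-24022510".
"""
import re
from typing import Optional, Tuple

# Minimum build per release line that carries the fix (ASSUMED; verify against VMSA-2025-0004).
FIXED_BUILDS = {
    "7.0.3": 24585291,   # ESXi70U3s
    "8.0.2": 24585300,   # ESXi80U2d
    "8.0.3": 24585383,   # ESXi80U3d
}

VERSION_RE = re.compile(r"VMware ESXi (\d+\.\d+\.\d+) build-(\d+)")


def parse_esxi_version(banner: str) -> Optional[Tuple[str, int]]:
    """Return (release_line, build) from a `vmware -vl` banner, or None if unparseable."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return m.group(1), int(m.group(2))


def assess(banner: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for one host banner.

    Comparing builds across release lines is wrong: an 8.0.2 host at build
    24585300 is patched even though 24585300 < 24585383 (the 8.0.3 fix),
    so the threshold is looked up per release line.
    """
    parsed = parse_esxi_version(banner)
    if parsed is None:
        return "unknown"
    line, build = parsed
    fixed = FIXED_BUILDS.get(line)
    if fixed is None:
        # Release lines with no listed fix (e.g. 8.0.0, 8.0.1, 6.x) must be upgraded.
        return "vulnerable"
    return "patched" if build >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample banners, not real hosts.
    for b in ["VMware ESXi 8.0.3 build-24022510",
              "VMware ESXi 8.0.3 build-24585383",
              "VMware ESXi 8.0.2 build-24585300",
              "VMware ESXi 8.0.1 build-20000000",
              "garbage"]:
        print(b, "->", assess(b))
```

Run it against `vmware -vl` output collected from each host (for example over SSH), and treat anything other than "patched" as a host that needs the update before any of the hunting below is meaningful.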
“The toolkit analyzed […] also includes simplified Chinese strings in its development paths, including a folder named ‘全版本逃逸–交付’ (translated: ‘All version escape – delivery’), and evidence suggesting it was potentially built as a zero-day exploit over a year before VMware’s public disclosure, pointing to a well-resourced developer likely operating in a Chinese-speaking region,” researchers Anna Pham and Matt Anderson said.
Huntress said it based its assessment that the toolkit weaponizes the three VMware vulnerabilities on the exploit’s behavior: its use of the Host-Guest File System (HGFS) for the information leak, the Virtual Machine Communication Interface (VMCI) for memory corruption, and shellcode that escapes from the VMX sandbox to the kernel.
The toolkit includes multiple components, with “exploit.exe” (also known as MAESTRO) serving as the primary orchestrator of the virtual machine (VM) escape. Specifically, MAESTRO relies on the following embedded binaries:
- devcon.exe, which disables VMware’s guest-side VMCI drivers
- MyDriver.sys, an unsigned kernel driver that contains the exploit; MAESTRO loads it into kernel memory using the open-source Kernel Driver Utility (KDU), then monitors the exploit’s status and re-enables the VMCI drivers once it completes
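The guest-side sequence above (devcon.exe disables the VMCI device, an unsigned driver is loaded, devcon.exe re-enables the device) is observable from ordinary Windows endpoint telemetry. The following is an added detection example, not Huntress’s code, that correlates that sequence over Sysmon-style records. The record shape (EventID 1 = ProcessCreate with Image/CommandLine, EventID 6 = DriverLoad with ImageLoaded/Signed) follows Sysmon; the VMCI selectors it matches on are assumptions (the string “vmci” and the PCI ID 15AD:0740 as listed for the VMCI device in pci.ids) and should be confirmed against Device Manager in your environment. All records are constructed.

```python
"""Correlate guest telemetry for the loader sequence: devcon.exe disables the
VMCI device, an unsigned kernel driver loads, devcon.exe re-enables the device.

Added detection example; not Huntress's code. Records are a simplified
Sysmon-like shape (EventID 1 = ProcessCreate, 6 = DriverLoad) and are
constructed. VMCI_SELECTORS are assumptions about how the device appears on a
devcon command line; confirm against Device Manager in your environment.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed ways the VMCI device may be named on a devcon command line.
VMCI_SELECTORS = ("vmci", "ven_15ad&dev_0740")


@dataclass
class Event:
    ts: datetime
    event_id: int                      # 1 = ProcessCreate, 6 = DriverLoad
    host: str
    fields: Dict[str, str] = field(default_factory=dict)


def is_devcon_vmci(ev: Event, verb: str) -> bool:
    """True if `ev` is devcon.exe running `verb` (disable/enable) on a VMCI device."""
    if ev.event_id != 1:
        return False
    image = ev.fields.get("Image", "").lower()
    cmd = ev.fields.get("CommandLine", "").lower()
    return (image.endswith("devcon.exe")
            and verb in cmd.split()
            and any(sel in cmd for sel in VMCI_SELECTORS))


def is_unsigned_driver_load(ev: Event) -> bool:
    """Sysmon DriverLoad with Signed=false (the report says MyDriver.sys is unsigned)."""
    return ev.event_id == 6 and ev.fields.get("Signed", "").lower() == "false"


def detect_vmci_toggle_with_unsigned_driver(events: List[Event],
                                            window: timedelta = timedelta(minutes=10)
                                            ) -> List[Dict[str, str]]:
    """One alert per host where a VMCI disable is followed, within `window`, by an
    unsigned driver load and then a VMCI enable. A disable/enable pair with no
    unsigned driver in between (ordinary maintenance) does not alert."""
    by_host: Dict[str, List[Event]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)

    alerts: List[Dict[str, str]] = []
    for host, evs in by_host.items():
        for i, ev in enumerate(evs):
            if not is_devcon_vmci(ev, "disable"):
                continue
            driver: Optional[Event] = None
            for later in evs[i + 1:]:
                if later.ts - ev.ts > window:
                    break
                if driver is None and is_unsigned_driver_load(later):
                    driver = later
                elif driver is not None and is_devcon_vmci(later, "enable"):
                    alerts.append({"host": host,
                                   "disable_at": ev.ts.isoformat(),
                                   "driver": driver.fields.get("ImageLoaded", "?"),
                                   "enable_at": later.ts.isoformat()})
                    break
    return alerts


def sample_events() -> List[Event]:
    """Constructed telemetry from three hypothetical guests; not from a real incident."""
    t0 = datetime(2025, 12, 1, 3, 0, 0)
    hwid = r'"PCI\VEN_15AD&DEV_0740"'
    return [
        # guest-win-01: the full disable -> unsigned load -> enable sequence
        Event(t0, 1, "guest-win-01", {"Image": r"C:\Temp\devcon.exe",
                                      "CommandLine": f"devcon.exe disable {hwid}"}),
        Event(t0 + timedelta(seconds=5), 6, "guest-win-01",
              {"ImageLoaded": r"C:\Temp\MyDriver.sys", "Signed": "false"}),
        Event(t0 + timedelta(seconds=45), 1, "guest-win-01",
              {"Image": r"C:\Temp\devcon.exe", "CommandLine": f"devcon.exe enable {hwid}"}),
        Event(t0 + timedelta(seconds=46), 6, "guest-win-01",
              {"ImageLoaded": r"C:\Windows\System32\drivers\vmci.sys", "Signed": "true"}),
        # guest-win-02: an admin toggles VMCI with no unsigned driver; must not alert
        Event(t0, 1, "guest-win-02", {"Image": r"C:\Tools\devcon.exe",
                                      "CommandLine": f"devcon.exe disable {hwid}"}),
        Event(t0 + timedelta(seconds=10), 1, "guest-win-02",
              {"Image": r"C:\Tools\devcon.exe", "CommandLine": f"devcon.exe enable {hwid}"}),
        # guest-win-03: unsigned driver load with no VMCI toggle; out of scope for this rule
        Event(t0, 6, "guest-win-03", {"ImageLoaded": r"C:\Dev\test.sys", "Signed": "false"}),
    ]


if __name__ == "__main__":
    for alert in detect_vmci_toggle_with_unsigned_driver(sample_events()):
        print(alert)
```

The rule deliberately requires all three steps so that routine VMCI device maintenance does not fire; an unsigned driver load on its own is worth a separate, lower-severity rule, since KDU-style loaders are also used by commodity malware.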
[Figure: VM escape exploitation flow]
Multi-Stage Payload Deployment
The driver’s core function involves identifying the exact ESXi version running on the host and triggering exploits for CVE-2025-22226 and CVE-2025-22224. Ultimately, this process allows the attacker to write three payloads directly into VMX memory:
- Stage 1 shellcode, which prepares the environment for the VMX sandbox escape
- Stage 2 shellcode, which establishes a foothold on the ESXi host
- VSOCKpuppet, a 64-bit ELF backdoor that provides persistent remote access to the ESXi host and communicates over VSOCK (Virtual Sockets) port 10000
“After writing the payloads, the exploit overwrites a function pointer inside VMX,” Huntress explained. “It first saves the original pointer value, then overwrites it with the address of the shellcode. The exploit then sends a VMCI message to the host to trigger VMX.”
“When VMX handles the message, it follows the corrupted pointer and jumps to the attacker’s shellcode instead of legitimate code. This final stage corresponds to CVE-2025-22225, which VMware describes as an ‘arbitrary write vulnerability’ that allows ‘escaping the sandbox.’”
[Figure: VSOCK communication protocol between client.exe and VSOCKpuppet]
VSOCK-Based Backdoor and Lateral Control
Because VSOCK provides a direct communication channel between guest virtual machines and the hypervisor, the threat actors deployed a “client.exe” (also known as the GetShell Plugin). Attackers can run this tool from any Windows guest VM on the compromised host to send commands to the infected ESXi system and interact with the backdoor. Notably, the PDB path embedded in the binary suggests developers created it as early as November 2023.
The client enables operators to download files from ESXi to the VM, upload files from the VM to ESXi, and execute shell commands directly on the hypervisor. Interestingly, the attackers drop the GetShell Plugin onto the Windows VM as a ZIP archive (“Binary.zip”), which also contains a README file with detailed usage instructions. This artifact offers insight into the toolkit’s file transfer and command execution capabilities.
Attribution and Targeted Distribution
Although investigators have not identified the individuals or group behind the toolkit, Huntress theorized that the use of Simplified Chinese, combined with the sophistication of the attack chain and the exploitation of zero-day vulnerabilities months before public disclosure, strongly suggests a well-resourced developer operating in a Chinese-speaking region.
“This intrusion demonstrates a sophisticated, multi-stage attack chain designed to escape virtual machine isolation and compromise the underlying ESXi hypervisor,” the company added. “By chaining an information leak, memory corruption, and sandbox escape, the threat actor achieved what every VM administrator fears: full control of the hypervisor from within a guest VM.”
“The use of VSOCK for backdoor communication is particularly concerning, as it bypasses traditional network monitoring entirely, making detection significantly harder. The toolkit also prioritizes stealth over persistence.”
Pham, a senior tactical response analyst at Huntress, told The Hacker News that investigators found no evidence that the toolkit had been advertised or sold on dark web forums, and that the attackers instead deployed it in a highly targeted manner.
“However, given the presence of a README file with operational instructions, the toolkit was clearly designed for distribution beyond the original developer,” Pham said. “We assess with high confidence that the toolkit is being sold privately by a Chinese-speaking developer, likely through private channels or closed groups rather than public underground markets.”
“The targeted nature of observed deployments suggests the toolkit may be distributed selectively to vetted buyers rather than broadly commercialized, consistent with higher-end offensive tooling that operators prefer to keep out of widespread propagation to avoid detection signature development.”
Source: TheHackerNews