Scattered Spider Hijacks VMware ESXi to Deploy Ransomware Across Critical Infrastructure
July 30th, 2025
High

Our Cyber Threat Intelligence Unit has identified a coordinated campaign by the threat actor Scattered Spider (also tracked as UNC3944, 0ktapus, Muddled Libra, and Octo Tempest) targeting VMware ESXi hypervisors and related virtualization infrastructure across North America. This group uses aggressive social engineering tactics, including impersonating IT help desks and SIM swapping, to compromise privileged accounts. Once inside, attackers move from user-level access to the virtualization layer, deploying ransomware and extracting domain controller data directly from hypervisor-managed systems.
This campaign is notable for its stealth, precision, and persistence after compromise, and has affected the retail, airline, and transportation sectors, among others. Because the attackers operate at the hypervisor layer, where host-based endpoint agents have no visibility, traditional endpoint defenses are bypassed and detection and response are difficult.
Technical Details
Scattered Spider’s campaign against VMware ESXi environments is a multi-stage intrusion chain combining credential compromise, hypervisor-level manipulation, and ransomware deployment. The threat actor demonstrates strong familiarity with enterprise infrastructure and virtualization technologies, escalating privileges and maintaining access through advanced persistence techniques.
Attack Type: Ransomware Campaign (Credential Theft, Reconnaissance, and Infrastructure Hijack)
Severity: High
Delivery Method and Attack Life-cycle:
Initial Access: Gained through social engineering, including impersonated IT help desk calls and SIM swapping, enabling takeover of identity provider and MFA accounts.
Privilege Escalation: Abuse of Active Directory to create a group named “ESX Admins” and add compromised accounts to it. Domain-joined ESXi hosts affected by CVE-2024-37085 grant that group full administrative rights by default, so the attacker obtains hypervisor admin access without any local ESXi credentials.
Post-Exploitation & Persistence: Attackers enable SSH on the hosts, reset the root password, and modify the GRUB bootloader configuration to evade detection, then use the Teleport remote-access tool to maintain encrypted remote access.
Lateral Movement: Domain controller disks are detached and mounted on attacker-controlled VMs to extract NTDS.dit and other sensitive files.
Ransomware Deployment: Ransomware is executed from the hypervisor layer, bypassing EDR. Snapshots and backups are deleted to prevent recovery.

Impact
Operational Disruption: Encryption of ESXi-hosted VMs halts critical services across sectors.
Data Breach: Theft of Active Directory databases and sensitive internal documentation.
Financial Loss: Ransom payments, system downtime, and recovery costs.
Reputational Damage: Public disclosures of breaches, extortion threats, and loss of trust.
Long-Term Persistence: Continued attacker access through modified hypervisor configuration and backdoors that survive remediation of the initial compromise.
Detection Method
Monitor for Help Desk Abuse: Track password reset requests, particularly for privileged accounts.
Audit vCenter & ESXi Logs: Check for GRUB modifications, SSH enablement, and root password resets.
Watch for Disk-Swap Behaviour: Alert on VM disk detachment and reattachment to unauthorized VMs.
Detect Teleport Usage: Teleport is a legitimate remote-access tool; alert on its installation or on outbound connections from ESXi hosts consistent with Teleport tunnels or other encrypted reverse shells, since hypervisors should not initiate such sessions.
Track Backup Deletions: Monitor for sudden removal or disabling of snapshot and backup jobs, as they could indicate ransomware staging.
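The detection items above, together with the “ESX Admins” group creation from the Technical Details, can be expressed as a small rule set and correlated per actor. The following is an added example written for this advisory, not code from the advisory's authors or from VMware. The event records are constructed and simplified; real Windows security events, vCenter events and ESXi hostd/syslog records use different field names, so the mapping onto this schema is an assumption to be done in your SIEM. The Windows event IDs (4727/4731/4754 for group creation, 4728/4732/4756 for member addition) and the ESXi SSH service name TSM-SSH are real; the vCenter event type strings used here are simplified placeholders.

```python
"""Detection rules for the ESXi intrusion chain described in this advisory.

Added example: events are constructed and simplified. Adapt the field
names to your SIEM's normalized schema before reusing the rules.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Windows security event IDs: creation of, and member addition to, a
# security-enabled group (global, local, universal respectively).
GROUP_CREATED = {4727, 4731, 4754}
MEMBER_ADDED = {4728, 4732, 4756}
ESX_ADMINS = "esx admins"  # group name honoured by hosts affected by CVE-2024-37085
# Datastore path "[ds] VMNAME/file.vmdk": the folder tells us which VM owns the disk.
VMDK_PATH = re.compile(r"^\[[^\]]+\]\s*([^/]+)/")


@dataclass(frozen=True)
class Alert:
    stage: str    # kill-chain stage named in the advisory
    actor: str
    detail: str


def vmdk_owner(path):
    """Return the VM folder name from a datastore path, or None if unparseable."""
    m = VMDK_PATH.match(path)
    return m.group(1) if m else None


def detect(events):
    """Apply each rule to normalized events; return alerts in input order."""
    alerts = []
    for e in events:
        actor, src, t = e.get("actor", "?"), e.get("source"), e.get("type")
        if src == "windows" and e.get("group", "").lower() == ESX_ADMINS:
            eid = e.get("event_id")
            if eid in GROUP_CREATED:
                alerts.append(Alert("privilege_escalation", actor, f"group '{e['group']}' created"))
            elif eid in MEMBER_ADDED:
                alerts.append(Alert("privilege_escalation", actor, f"{e.get('member')} added to '{e['group']}'"))
        elif src == "vcenter":
            if t == "ServiceStateChanged" and e.get("service") == "TSM-SSH" and e.get("state") == "running":
                alerts.append(Alert("persistence", actor, f"SSH enabled on {e.get('host')}"))
            elif t == "UserPasswordChanged" and e.get("account") == "root":
                alerts.append(Alert("persistence", actor, f"root password changed on {e.get('host')}"))
            elif t == "VmReconfigured" and e.get("disk_added"):
                # Disk-swap: a VMDK from another VM's folder attached to this VM.
                owner = vmdk_owner(e["disk_added"])
                if owner and owner != e.get("vm"):
                    alerts.append(Alert("lateral_movement", actor, f"disk of {owner} attached to {e['vm']}"))
            elif t in ("SnapshotRemoved", "BackupJobDisabled"):
                alerts.append(Alert("ransomware_staging", actor, f"{t} on {e.get('vm')}"))
    return alerts


def correlate(alerts, min_stages=3):
    """Group alerts by actor; actors touching >= min_stages distinct stages are
    returned as likely hands-on-keyboard intrusions (sorted stage names)."""
    stages = defaultdict(set)
    for a in alerts:
        stages[a.actor].add(a.stage)
    return {actor: sorted(s) for actor, s in stages.items() if len(s) >= min_stages}


# Constructed sample events (not real logs); CORP\jdoe plays the attacker.
SAMPLE_EVENTS = [
    {"source": "windows", "event_id": 4727, "group": "ESX Admins", "actor": "CORP\\jdoe"},
    {"source": "windows", "event_id": 4728, "group": "ESX Admins", "member": "CORP\\jdoe", "actor": "CORP\\jdoe"},
    {"source": "windows", "event_id": 4728, "group": "Helpdesk", "member": "CORP\\asmith", "actor": "CORP\\svc_idm"},  # benign
    {"source": "vcenter", "type": "ServiceStateChanged", "host": "esx01", "service": "TSM-SSH", "state": "running", "actor": "CORP\\jdoe"},
    {"source": "vcenter", "type": "ServiceStateChanged", "host": "esx02", "service": "ntpd", "state": "running", "actor": "CORP\\ops"},  # benign
    {"source": "vcenter", "type": "UserPasswordChanged", "host": "esx01", "account": "root", "actor": "CORP\\jdoe"},
    {"source": "vcenter", "type": "VmReconfigured", "vm": "DC01", "disk_added": "[datastore1] DC01/DC01_1.vmdk", "actor": "CORP\\ops"},  # benign: own folder
    {"source": "vcenter", "type": "VmReconfigured", "vm": "tmp-vm", "disk_added": "[datastore1] DC01/DC01.vmdk", "actor": "CORP\\jdoe"},
    {"source": "vcenter", "type": "SnapshotRemoved", "vm": "DC01", "actor": "CORP\\jdoe"},
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a.stage}] {a.actor}: {a.detail}")
    print("escalate:", correlate(found))
```

Snapshot removals and service restarts are noisy on their own; the value of the rule set is in `correlate`, which only escalates an identity that shows up across several stages of the chain. Because the actor in every stage is a directory identity, the same correlation key ties the help-desk-driven account takeover to the hypervisor activity that follows it.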
Indicators of Compromise
There are no Indicators of Compromise (IOCs) for this Advisory.

Recommendations
Disable Phone-Based Resets: Do not allow password or MFA resets for privileged accounts over the phone; require in-person or otherwise strongly verified identity checks before any reset.
Harden vCenter & ESXi Access: Disable SSH by default, enforce MFA, and restrict access to management interfaces. For CVE-2024-37085, update ESXi to a fixed release or set the host advanced option Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd to false (and optionally change Config.HostAgent.plugins.hostsvc.esxAdminsGroup to a name the attacker cannot predict) so that an AD group called “ESX Admins” no longer confers hypervisor admin rights.
Implement VM Encryption: Prevent unauthorized access to virtual disks and sensitive data.
Enable Remote Audit Logging: Forward logs from vCenter and ESXi to centralized SIEM platforms.
Conduct Red Team Exercises: Simulate social engineering and virtualization-layer attacks to evaluate defenses.
Review Documentation Exposure: Limit internal access to IT guides, organization charts, and admin credentials.
Conclusion
This campaign demonstrates a strategic evolution in ransomware operations, with Scattered Spider moving beyond endpoint compromise to directly attack virtualization infrastructure. By combining human-centered attack techniques with technical exploitation of the hypervisor layer, the group bypasses traditional defenses and leaves minimal forensic evidence. We urge organizations to prioritize identity and virtualization security, harden help desk processes, and deploy advanced detection for virtualization environments to counter this threat.