Scattered Spider Targets VMware ESXi Hypervisors with Sophisticated Ransomware Attacks

A notorious cybercrime group known as Scattered Spider is targeting VMware ESXi hypervisors in North America’s retail, airline, and transportation sectors. The group, also called 0ktapus, Muddled Libra, Octo Tempest, and UNC3944, uses a proven playbook centered on phone calls to an IT help desk to gain initial access.

The threat actors are aggressive, creative, and skilled in social engineering, bypassing even mature security programs. They conduct advanced social engineering attacks to obtain initial access to victim environments, then adopt a “living-off-the-land” approach by manipulating trusted administrative systems.

The attack chain unfolds over five phases, among them initial compromise, reconnaissance, and privilege escalation, followed by a pivot into the virtual environment using Active Directory credentials mapped to vSphere accounts. The attackers execute a persistent, encrypted reverse shell, enable SSH on ESXi hosts, and reset root passwords.

To counter these threats, organizations are advised to implement three layers of protection: enable vSphere lockdown mode, enforce execInstalledOnly, use vSphere VM encryption, decommission old VMs, and harden the help desk. Additionally, implementing phishing-resistant multi-factor authentication, centralizing and monitoring key logs, isolating backups from production Active Directory, and re-architecting systems with security in mind are recommended.
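The "centralize and monitor key logs" advice above is only useful if something actually watches for the host-level indicators the article names: SSH being enabled on an ESXi host, root logging in over SSH, and the root password being reset. The following script is an added example, not code from the article or from Google's report. It correlates those three indicators per host over centralized syslog text. The log lines it parses are constructed: the sshd lines follow the standard OpenSSH "Accepted ... for root from ..." format, while the hostd service-state and password-change lines are simplified stand-ins, so the regexes (and the assumed admin jump-host allowlist) must be adjusted to whatever your own ESXi syslog forwarding emits.

```python
"""Correlate per-host ESXi log indicators: SSH enabled, root SSH login,
root password reset. Added example; log formats below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines, shaped like centralized syslog output:
# "<timestamp> <host> <facility> <message>". Times are UTC.
SAMPLE_LOGS = """\
2025-07-28T09:02:11Z esx01 hostd Service TSM-SSH changed state to Running
2025-07-28T09:03:40Z esx01 sshd Accepted keyboard-interactive/pam for root from 10.20.30.40 port 51122 ssh2
2025-07-28T09:05:02Z esx01 hostd Password for user root was changed
2025-07-28T11:15:00Z esx02 sshd Accepted publickey for root from 10.10.0.5 port 40012 ssh2
2025-07-29T01:00:00Z esx03 hostd Service TSM-SSH changed state to Running
"""

# One regex per indicator. The root-login pattern captures the source address.
INDICATORS = {
    "ssh_enabled": re.compile(r"Service TSM-SSH changed state to Running"),
    "root_ssh_login": re.compile(r"sshd Accepted \S+ for root from (\S+)"),
    "root_password_reset": re.compile(r"Password for user root was changed"),
}

# Assumed allowlist: the only address from which root SSH is expected
# (a dedicated admin jump host). Constructed value for this example.
ADMIN_JUMP_HOSTS = {"10.10.0.5"}

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")


def parse_events(log_text):
    """Return (timestamp, host, indicator_tag, source_ip) tuples for every
    line that matches one of the indicators; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        host, msg = m.group(2), m.group(3)
        for tag, pattern in INDICATORS.items():
            hit = pattern.search(msg)
            if hit:
                src = hit.group(1) if hit.groups() else None
                events.append((ts, host, tag, src))
                break
    return events


def correlate(events, window=timedelta(hours=1)):
    """Flag a host when two or more distinct indicators occur within
    `window` of each other, or when root logs in over SSH from an address
    outside the admin allowlist. Returns {host: [reason, ...]}."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev[1]].append(ev)

    findings = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e[0])
        reasons = set()
        clustered = set()
        for i, (ts, _, tag, src) in enumerate(evs):
            if tag == "root_ssh_login" and src not in ADMIN_JUMP_HOSTS:
                reasons.add(f"root SSH login from non-admin address {src}")
            # Collect the indicator tags seen within the window after this event.
            tags = {tag}
            for ts2, _, tag2, _ in evs[i + 1:]:
                if ts2 - ts > window:
                    break
                tags.add(tag2)
            if len(tags) >= 2:
                clustered |= tags
        if clustered:
            reasons.add(f"correlated indicators within {window}: "
                        + ", ".join(sorted(clustered)))
        if reasons:
            findings[host] = sorted(reasons)
    return findings


def main():
    for host, reasons in correlate(parse_events(SAMPLE_LOGS)).items():
        print(host)
        for r in reasons:
            print("  -", r)


if __name__ == "__main__":
    main()
```

On the constructed sample, esx01 is flagged on both rules (SSH enabled, root login from an unlisted address, and a root password reset all within three minutes), esx02 is not flagged because its root login comes from the allowlisted jump host, and esx03 is not flagged because enabling SSH on its own is a single indicator; that last case is exactly where a shorter window or a lower threshold would trade noise for earlier warning.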

Google warns that ransomware aimed at vSphere infrastructure poses a uniquely severe risk due to its capacity for immediate and widespread infrastructure paralysis. Organizations must proactively address these interconnected risks by implementing mitigations to avoid targeted attacks that can swiftly cripple their virtualized infrastructure, leading to operational disruption and financial loss.

Source: https://thehackernews.com/2025/07/scattered-spider-hijacks-vmware-esxi-to.html