2025-07-25

Sygnia, a cybersecurity firm, reported that a threat actor known as Fire Ant is targeting virtualization and networking infrastructure, The Hacker News reports.

According to the cybersecurity firm's report, the activity observed this year is primarily intended to breach organizations' VMware ESXi and vCenter systems, along with network appliances. "The threat actor leveraged combinations of sophisticated and stealthy techniques creating multilayered attack kill chains to facilitate access to restricted and segmented network assets within presumed to be isolated environments," Sygnia said.

The threat actor appears to use similar tools and to target the same systems as UNC3886, a China-linked cyber espionage group known for attacking edge devices and virtualization technologies since at least 2022. Fire Ant gains access to the virtualization management layer by exploiting CVE-2023-34048, a known vulnerability in VMware vCenter Server that UNC3886 reportedly used as a zero-day for years before Broadcom patched it in October 2023.

"From vCenter, they extracted the 'vpxuser' service account credentials and used them to access connected ESXi hosts," Sygnia noted. "They deployed multiple persistent backdoors on both ESXi hosts and the vCenter to maintain access across reboots. The backdoor filename, hash, and deployment technique aligned with the VIRTUALPITA malware family," the cybersecurity firm added.
