China-Linked Hackers Exploit VMware ESXi Zero-Day Flaws to Escape Virtual Machines

Chinese-speaking threat actors are believed to have abused a compromised SonicWall VPN appliance to gain initial access and deploy a sophisticated VMware ESXi virtual machine escape exploit. According to cybersecurity firm Huntress, the exploit may have been under development as early as February 2024.

Huntress detected the malicious activity in December 2025 and successfully disrupted the attack before it reached its final phase. Researchers noted that if the intrusion had continued, it could have resulted in a ransomware incident targeting the ESXi hypervisor.

Figure: VM Escape exploitation flow

Abuse of VMware Zero-Day Vulnerabilities

The attack chain is believed to have leveraged three VMware ESXi vulnerabilities that Broadcom publicly disclosed as zero-days in March 2025:

  • CVE-2025-22224, a heap overflow in the Virtual Machine Communication Interface (VMCI)
  • CVE-2025-22225, an arbitrary write in the VMX process
  • CVE-2025-22226, an information disclosure in the Host-Guest File System (HGFS)

Successful exploitation allows an attacker with administrative privileges inside a guest VM to leak memory from the Virtual Machine Executable (VMX) process or to execute arbitrary code in the VMX context on the host.

In the same month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added these flaws to its Known Exploited Vulnerabilities catalog, confirming active exploitation in real-world attacks.

Indicators of Chinese-Origin Development

Huntress researchers Anna Pham and Matt Anderson identified simplified Chinese strings within the exploit toolkit’s development paths. One folder was labeled “全版本逃逸–交付”, translated as “All version escape delivery”. Evidence suggests the toolkit may have been weaponized more than a year before VMware publicly disclosed the vulnerabilities, indicating access to significant technical resources.

Analysis shows the exploit abuses Host-Guest File System (HGFS) mechanisms for information disclosure, Virtual Machine Communication Interface (VMCI) for memory corruption, and kernel-level shellcode to escape the VM sandbox.

Multi-Stage VM Escape Toolkit

At the core of the toolkit is a component named exploit.exe, also referred to as MAESTRO, which coordinates the virtual machine escape process. It relies on several embedded binaries:

  • devcon.exe, used to disable VMware guest-side VMCI drivers
  • MyDriver.sys, an unsigned kernel driver containing the exploit logic
  • Kernel Driver Utility (KDU), an open-source loader used to inject the driver into kernel memory

After loading, the driver determines the exact ESXi version running on the host and triggers exploits for CVE-2025-22224 and CVE-2025-22226. This enables the attacker to write three payloads directly into VMX memory:

  • Stage 1 shellcode to prepare the VMX sandbox escape
  • Stage 2 shellcode to establish control over the ESXi host
  • VSOCKpuppet, a 64-bit ELF backdoor providing persistent remote access via VSOCK port 10000

Figure: VSOCK communication protocol between client.exe and VSOCKpuppet

Once the payloads are written, the exploit overwrites a function pointer within VMX, preserving the original value before redirecting execution to attacker-controlled shellcode. A crafted VMCI message then triggers execution, exploiting CVE-2025-22225, which VMware categorizes as an arbitrary write vulnerability enabling sandbox escape.

Stealthy Backdoor Communication via VSOCK

To interact with the compromised hypervisor, threat actors deploy a client tool named client.exe, also known as the GetShell Plugin. This tool can be executed from any guest Windows VM on the infected host and communicates with the ESXi backdoor using VSOCK.

The plugin supports file uploads, file downloads, and command execution on the hypervisor. It is delivered as a ZIP archive named Binary.zip, which also contains a README file explaining its usage. Metadata embedded in the binary indicates development activity as early as November 2023.
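The guest-side components listed under the toolkit description (devcon.exe disabling the VMCI driver, the unsigned MyDriver.sys loaded through KDU) and the client.exe and Binary.zip tooling described here all leave traces in Windows guest telemetry that a defender can hunt for. The following is an added example, not Huntress code or anything taken from the toolkit: a small Python hunt over constructed Sysmon-style event records. The file name kdu.exe, the PCI hardware ID in the sample devcon command line, and the event field layout are assumptions made for this example.

```python
"""Hunt Windows guest telemetry for the toolkit indicators described above.

Added example, not Huntress code or anything from the toolkit. The records
below are CONSTRUCTED and only shaped like Sysmon events (EventID 1 process
create, 6 driver load, 11 file create); field names follow Sysmon's schema,
the values are invented.
"""
import ntpath
import re
from dataclasses import dataclass, field


@dataclass
class Event:
    event_id: int                               # Sysmon event ID
    fields: dict = field(default_factory=dict)  # event data, name -> value


# File names the report attributes to the toolkit, matched on basename.
# devcon.exe is deliberately absent: it is a legitimate Microsoft tool and is
# only interesting when used to disable the VMCI driver (separate rule).
# kdu.exe is the ASSUMED file name of the Kernel Driver Utility loader.
TOOLKIT_NAMES = {"exploit.exe", "mydriver.sys", "client.exe", "binary.zip", "kdu.exe"}

# How a devcon command line might refer to the VMCI device: by name, or by the
# PCI vendor/device ID. The ID string is an assumption for this example.
VMCI_DEVICE_RE = re.compile(r"vmci|ven_15ad&dev_0740", re.I)

# Constructed sample telemetry in the order it would arrive from a guest.
SAMPLE_EVENTS = [
    Event(1, {"Image": r"C:\Windows\System32\cmd.exe",
              "CommandLine": "cmd.exe /c whoami"}),
    Event(1, {"Image": r"C:\Users\Public\devcon.exe",
              "CommandLine": r'devcon.exe disable "PCI\VEN_15AD&DEV_0740"'}),
    Event(6, {"ImageLoaded": r"C:\Users\Public\MyDriver.sys",
              "Signed": "false", "SignatureStatus": "Unavailable"}),
    Event(6, {"ImageLoaded": r"C:\Windows\System32\drivers\vmci.sys",
              "Signed": "true", "Signature": "VMware, Inc."}),
    Event(11, {"Image": r"C:\Windows\explorer.exe",
               "TargetFilename": r"C:\Users\Public\Binary.zip"}),
    Event(1, {"Image": r"C:\Users\Public\client.exe",
              "CommandLine": "client.exe"}),
]


def _basename(path: str) -> str:
    """Lower-cased Windows basename, so the rules work on any analysis host."""
    return ntpath.basename(path).lower()


def hunt(events):
    """Return one hit dict per matching event: {"rule", "detail"}.

    Rules, each tied to a behaviour the report describes:
      vmci_driver_disabled : devcon.exe disabling the guest VMCI device
      unsigned_driver_load : any kernel driver loaded without a valid signature
      toolkit_artifact     : a toolkit file name executed or written to disk
    """
    hits = []
    for ev in events:
        f = ev.fields
        if ev.event_id == 1:                                   # process create
            image = _basename(f.get("Image", ""))
            cmd = f.get("CommandLine", "")
            if (image == "devcon.exe" and re.search(r"\bdisable\b", cmd, re.I)
                    and VMCI_DEVICE_RE.search(cmd)):
                hits.append({"rule": "vmci_driver_disabled", "detail": cmd})
            elif image in TOOLKIT_NAMES:
                hits.append({"rule": "toolkit_artifact", "detail": f.get("Image")})
        elif ev.event_id == 6:                                 # driver load
            if f.get("Signed", "").lower() != "true":
                hits.append({"rule": "unsigned_driver_load",
                             "detail": f.get("ImageLoaded")})
        elif ev.event_id == 11:                                # file create
            if _basename(f.get("TargetFilename", "")) in TOOLKIT_NAMES:
                hits.append({"rule": "toolkit_artifact",
                             "detail": f.get("TargetFilename")})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"{hit['rule']:22s} {hit['detail']}")
```

The unsigned-driver rule is the most durable of the three: file names are trivial for an attacker to change, but loading exploit logic into the guest kernel without a valid signature is the step the report's chain depends on, and on a host where code-signing enforcement is in place it should not happen at all.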

Attribution and Security Implications

While attribution remains unconfirmed, the use of simplified Chinese language artifacts, combined with the early abuse of zero-day vulnerabilities and the complexity of the exploit chain, strongly suggests a well-funded developer operating in a Chinese-speaking region.

Huntress described the intrusion as a highly advanced, multi-stage attack designed to defeat virtual machine isolation. By chaining information leakage, memory corruption, and sandbox escape techniques, the attackers achieved full control of the ESXi hypervisor from within a guest VM.

The use of VSOCK for command and control is especially concerning: the channel never touches the network stack, so traditional network monitoring does not see it at all, which makes detection significantly more difficult. The design prioritizes stealth over long-term persistence.
