
Chinese-speaking attackers are suspected of using compromised SonicWall VPN appliances as an initial access vector to deploy a VMware ESXi exploit that may have been developed in February 2024.
Cybersecurity firm Huntress, which observed the activity in December 2025 and stopped it before it could reach its final stage, said the intrusion might otherwise have culminated in a ransomware attack.
Most notably, the attack exploits three VMware vulnerabilities that Broadcom disclosed as zero-days in March 2025 and that are believed to have been abused here: CVE-2025-22224 (CVSS score: 9.3), CVE-2025-22225 (CVSS score: 8.2), and CVE-2025-22226 (CVSS score: 7.1). Successful exploitation of these issues could allow a malicious attacker with administrative privileges to leak memory from a virtual machine executable (VMX) process or execute code as the VMX process.
That same month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
“The analyzed toolkit […] development path also contains a string in Simplified Chinese, including a folder whose name translates to ‘Full version escape–delivery’, suggesting it may have been constructed as a zero-day exploit more than a year before VMware’s release, indicating that the resource-rich developer is likely operating in a Chinese-speaking country,” said researchers Anna Pham and Matt Anderson.

The company added that the assessment that the toolkit weaponizes three VMware shortcomings is based on the exploit’s behavior, use of host guest file system (HGFS) for information leakage, use of virtual machine communication interface (VMCI) for memory corruption, and shellcode escaping into the kernel.
The toolkit includes multiple components, the main one being ‘exploit.exe’ (also known as MAESTRO), which acts as an orchestrator of the escape across virtual machines (VMs) by utilizing the following embedded binaries:
devcon.exe, which disables VMware’s guest-side VMCI driver so that the exploit can be loaded into kernel memory using an open-source tool called Kernel Driver Utility (KDU), then monitors the exploit status and re-enables the VMCI driver
MyDriver.sys, an unsigned kernel driver that contains the exploit
[Figure: VM escape exploit flow]
The driver’s primary role is to identify the exact ESXi version running on the host, trigger the CVE-2025-22226 and CVE-2025-22224 exploits, and ultimately allow an attacker to write three payloads directly into the VMX’s memory.
Stage 1 shellcode, which prepares the environment for the VMX sandbox escape
Stage 2 shellcode, which establishes a foothold on the ESXi host
VSOCKpuppet, a 64-bit ELF backdoor that provides persistent remote access to the ESXi host and communicates over VSOCK (Virtual Sockets) port 10000
“After writing the payload, the exploit overwrites the function pointer in VMX,” Huntress explained. “It first saves the original pointer value and overwrites it with the shellcode address. The exploit then sends a VMCI message to the host to trigger VMX.”
[Figure: VSOCK communication protocol between client.exe and VSOCKpuppet]
“When VMX processes the message, it follows the corrupted pointer and jumps to the attacker’s shellcode instead of the legitimate code. This final step corresponds to CVE-2025-22225, which VMware describes as an ‘arbitrary write vulnerability’ that allows ‘sandbox escape.’”
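As an added illustration (not code from Huntress or the original article), the following Python correlates constructed guest-side telemetry for the sequence described above: a devcon.exe disable of the VMCI device, an unsigned driver load shortly afterwards, and a later re-enable. The key=value log format, its field names and the five-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry modelled on Sysmon process-create (eid=1) and driver-load (eid=6) events.
SAMPLE_LOG = r"""
ts=2025-12-03T10:02:10Z host=WIN-VM1 eid=1 image=C:\Temp\exploit.exe cmd="exploit.exe"
ts=2025-12-03T10:02:11Z host=WIN-VM1 eid=1 image=C:\Temp\devcon.exe cmd="devcon.exe disable *VMCI*"
ts=2025-12-03T10:02:14Z host=WIN-VM1 eid=6 image=C:\Temp\MyDriver.sys signed=false
ts=2025-12-03T10:03:40Z host=WIN-VM1 eid=1 image=C:\Temp\devcon.exe cmd="devcon.exe enable *VMCI*"
ts=2025-12-03T11:00:00Z host=WIN-VM2 eid=1 image=C:\Tools\devcon.exe cmd="devcon.exe disable *VMCI*"
ts=2025-12-03T11:00:05Z host=WIN-VM3 eid=6 image=C:\Drivers\vendor.sys signed=false
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
WINDOW = timedelta(minutes=5)  # assumed correlation window between disable and driver load

def parse(line):
    """Turn one key=value record into a dict with a datetime timestamp."""
    rec = {k: (q if q else v) for k, q, v in FIELD.findall(line)}
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec

def is_vmci_toggle(rec, action):
    """True for a devcon.exe process creation that enables/disables the VMCI device."""
    cmd = rec.get("cmd", "").lower()
    return (rec.get("eid") == "1" and "devcon.exe" in rec.get("image", "").lower()
            and action in cmd and "vmci" in cmd)

def detect(log_text):
    """Return {host: stages} where an unsigned driver load follows a VMCI disable within WINDOW.
    File names like exploit.exe or MyDriver.sys are trivially renamed, so key on the behaviour."""
    by_host = {}
    for line in log_text.splitlines():
        if line.strip():
            rec = parse(line)
            by_host.setdefault(rec["host"], []).append(rec)
    findings = {}
    for host, recs in by_host.items():
        recs.sort(key=lambda r: r["ts"])
        for i, rec in enumerate(recs):
            if not is_vmci_toggle(rec, "disable"):
                continue
            later = [x for x in recs[i + 1:] if x["ts"] - rec["ts"] <= WINDOW]
            if not any(x.get("eid") == "6" and x.get("signed") == "false" for x in later):
                continue
            stages = ["vmci_disabled", "unsigned_driver_loaded"]
            if any(is_vmci_toggle(x, "enable") for x in later):
                stages.append("vmci_reenabled")
            findings[host] = stages
    return findings
```

A disable without a following unsigned load (WIN-VM2) or a load without a preceding disable (WIN-VM3) is deliberately not flagged, which keeps the rule from firing on routine driver maintenance.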
Because VSOCK provides a direct communication path between the guest VM and the hypervisor, attackers have been found to use “client.exe” (also known as the GetShell plugin) from the compromised guest Windows VM to send commands to the compromised ESXi host and interact with the backdoor. The PDB path embedded in the binary indicates that it may have been developed in November 2023.

The client supports downloading files from ESXi to a VM, uploading files from a VM to ESXi, and the ability to run shell commands on the hypervisor. Interestingly, the GetShell plugin is dropped onto the Windows VM in the form of a ZIP archive (‘Binary.zip’). It also includes a README file with usage instructions and provides insight into its file transfer and command execution capabilities.
It is currently unclear who is behind this toolkit, but the use of Simplified Chinese and the sophistication of the attack chain, as well as the exploitation of a zero-day vulnerability several months before publication, likely point, according to Huntress, to a resource-rich developer operating in the Chinese-speaking world.
“This intrusion demonstrates a sophisticated, multi-stage attack chain aimed at evading virtual machine isolation and compromising the underlying ESXi hypervisor,” the company added. “By chaining together information disclosure, memory corruption, and sandbox escape, the attackers achieved what every VM administrator fears: complete control of the hypervisor from within the guest VM.”
“The use of VSOCK in backdoor communications is particularly concerning. It completely bypasses traditional network monitoring, making detection significantly more difficult. Additionally, the toolkit prioritizes stealth over persistence.”
