A never-before-seen attack method allows cybercriminals to infiltrate VMware ESXi hypervisors. A report from security firm Mandiant reveals that the technique was used by an unknown threat actor to attack organizations in the wild.

VMware ESXi is one of the world’s most widely used hypervisors. In April 2022, security firm Mandiant discovered a never-before-seen technique used by unknown cybercriminals to infiltrate VMware ESXi hypervisors. The report was recently published.

vSphere Installation Bundles

Mandiant found traces of the method in attacks on “less than 10 organizations”. The scale of the problem seems limited, but appearances can be deceiving. VMware ESXi is hugely popular, and the method allows attackers to hijack entire hypervisors. The potential damage is enormous.

An attacker needs administrator access to abuse the technique. Administrator access allows an attacker to deploy malicious vSphere Installation Bundles (VIBs). The malicious VIBs ensure the attacker retains administrator access, even after a reboot. Ultimately, attackers can send commands to hypervisors, execute commands on virtual machines (VMs), manipulate hypervisor logs and exchange files between VMs.

VMware is not the cause

Mandiant has no evidence that the perpetrator(s) of the discovered incident exploited a vulnerability in VMware ESXi to gain administrator access. VMware is not the cause of the problem. VIBs are an important and legitimate part of ESXi. “The packages are generally utilized by administrators to deploy updates and maintain systems”, Mandiant explained. “However, this attacker was seen leveraging the packages as a persistence mechanism to maintain access across ESXi hypervisors.”

The identity of the cybercriminals is unknown. Although the report suggests the technique has been used for multiple attacks in the past, Mandiant can’t confirm whether the perpetrator(s) belong to the same group or coalition. The organization named the threat UNC3886. “Given the highly targeted and evasive nature of this intrusion, we suspect UNC3886’s motivation to be cyber espionage-related”, it said.


Mandiant’s report reveals the technical details of the attack method. Although the organization said that an attacker needs a high level of expertise in ESXi and VMware’s platforms to use the technique, a wave of similar attacks is expected in the short term. The report is public, allowing cybercriminals to mimic the method. Hence, Mandiant wrote a comprehensive blog on securing ESXi environments.

Tip: ‘Security industry is good at making money, not at securing customers’