China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Digital Machines

Jan 09, 2026 | Ravie Lakshmanan | Virtualization / Vulnerability

Chinese-speaking threat actors are suspected to have leveraged a compromised SonicWall VPN appliance as an initial access vector to deploy a VMware ESXi exploit that may have been developed as far back as February 2024.

Cybersecurity company Huntress, which observed the activity in December 2025 and stopped it before it could progress to the final stage, said it could have resulted in a ransomware attack.

Most notably, the attack is believed to have exploited three VMware vulnerabilities that were disclosed as zero-days by Broadcom in March 2025: CVE-2025-22224 (CVSS score: 9.3), CVE-2025-22225 (CVSS score: 8.2), and CVE-2025-22226 (CVSS score: 7.1). Successful exploitation of the issues could allow a malicious actor with admin privileges to leak memory from the Virtual Machine Executable (VMX) process or execute code as the VMX process.

That same month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaws to the Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

“The toolkit analyzed […] also contains simplified Chinese strings in its development paths, including a folder named ‘全版本逃逸–交付’ (translated: ‘All version escape – delivery’), and evidence suggesting it was potentially built as a zero-day exploit over a year before VMware’s public disclosure, pointing to a well-resourced developer likely operating in a Chinese-speaking region,” researchers Anna Pham and Matt Anderson said.

The assessment that the toolkit weaponizes the three VMware shortcomings is based on the exploit’s behavior: its use of the Host-Guest File System (HGFS) for information leaking, the Virtual Machine Communication Interface (VMCI) for memory corruption, and shellcode that escapes to the kernel, the company added.

The toolkit comprises several components, chief among them “exploit.exe” (aka MAESTRO), which acts as the orchestrator for the entire virtual machine (VM) escape by making use of the following embedded binaries –

  • devcon.exe, to disable VMware’s guest-side VMCI drivers
  • MyDriver.sys, an unsigned kernel driver containing the exploit, which is loaded into kernel memory using an open-source tool called Kernel Driver Utility (KDU); the exploit status is then monitored and the VMCI drivers are re-enabled

Figure: VM escape exploitation flow

The driver’s main responsibility is to identify the exact ESXi version running on the host and trigger an exploit for CVE-2025-22226 and CVE-2025-22224, ultimately allowing the attacker to write three payloads directly into VMX’s memory –

  • Stage 1 shellcode, to set up the environment for the VMX sandbox escape
  • Stage 2 shellcode, to establish a foothold on the ESXi host
  • VSOCKpuppet, a 64-bit ELF backdoor that provides persistent remote access to the ESXi host and communicates over VSOCK (Virtual Sockets) port 10000

“After writing the payloads, the exploit overwrites a function pointer inside VMX,” Huntress explained. “It first saves the original pointer value, then overwrites it with the address of the shellcode. The exploit then sends a VMCI message to the host to trigger VMX.”

Figure: VSOCK communication protocol between client.exe and VSOCKpuppet

“When VMX handles the message, it follows the corrupted pointer and jumps to the attacker’s shellcode instead of legitimate code. This final stage corresponds to CVE-2025-22225, which VMware describes as an ‘arbitrary write vulnerability’ that allows ‘escaping the sandbox.’”

Because VSOCK offers a direct communication pathway between guest VMs and the hypervisor, the threat actors were found to use a “client.exe” (aka GetShell Plugin) that can be run from any guest Windows VM on the compromised host to send commands back up to the compromised ESXi and interact with the backdoor. The PDB path embedded in the binary reveals it may have been developed in November 2023.

The client supports downloading files from ESXi to the VM, uploading files from the VM to ESXi, and executing shell commands on the hypervisor. Interestingly, the GetShell Plugin is dropped to the Windows VM in the form of a ZIP archive (“Binary.zip”), which also includes a README file with usage instructions, giving an insight into its file transfer and command execution features.
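Because the backdoor’s VSOCK channel never touches the network, the guest VM’s own endpoint telemetry is the place where this chain is most visible. As an added example (not Huntress’s code and not part of the original report), the following Python script shows how a defender might hunt for the guest-side staging sequence described above: devcon.exe disabling the VMCI drivers, followed within a short window by an unsigned kernel driver load on the same guest. The record layout, host names, the exact devcon command line, timestamps and every driver name other than MyDriver.sys are constructed for the example and are not a vendor schema or indicators from the report.

```python
"""Hunt for the guest-side VM-escape staging sequence in process telemetry.

Detection logic: a devcon.exe invocation that disables the VMCI driver, followed
within `window` on the same host by a kernel driver load that is NOT signed.
All events below are constructed sample data, not real telemetry.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class ProcEvent:
    """One endpoint record (constructed shape, not a real EDR/Sysmon schema)."""
    ts: datetime
    host: str
    kind: str            # "process" = process creation, "driver" = kernel driver load
    image: str           # executable or driver file name
    cmdline: str = ""    # only meaningful for kind == "process"
    signed: bool = True  # only meaningful for kind == "driver"


def _is_vmci_disable(ev: ProcEvent) -> bool:
    """devcon.exe used to disable VMware's VMCI driver inside the guest."""
    cmd = ev.cmdline.lower()
    return (ev.kind == "process"
            and ev.image.lower().endswith("devcon.exe")
            and "disable" in cmd
            and "vmci" in cmd)


def _is_unsigned_driver_load(ev: ProcEvent) -> bool:
    return ev.kind == "driver" and not ev.signed


def detect_vm_escape_staging(events, window=timedelta(minutes=10)):
    """Pair each VMCI-disable with a later unsigned driver load on the same host.

    Returns a list of findings, each a dict with the host, the devcon command
    line, the driver image and the seconds between the two events.
    """
    findings = []
    ordered = sorted(events, key=lambda e: e.ts)
    for i, ev in enumerate(ordered):
        if not _is_vmci_disable(ev):
            continue
        for later in ordered[i + 1:]:
            if later.ts - ev.ts > window:
                break                      # events are time-ordered; stop once outside the window
            if later.host != ev.host:
                continue
            if _is_unsigned_driver_load(later):
                findings.append({
                    "host": ev.host,
                    "devcon_cmd": ev.cmdline,
                    "driver": later.image,
                    "delta_s": (later.ts - ev.ts).total_seconds(),
                })
                break                      # one finding per disable event is enough
    return findings


# Constructed sample telemetry (hosts, times and command lines are invented).
T0 = datetime(2025, 12, 1, 10, 0, 0)
SAMPLE_EVENTS = [
    # vm-guest-01: the staging sequence from the write-up, two minutes apart
    ProcEvent(T0, "vm-guest-01", "process", "devcon.exe",
              cmdline='devcon.exe disable "vmci"'),
    ProcEvent(T0 + timedelta(minutes=2), "vm-guest-01", "driver", "MyDriver.sys", signed=False),
    ProcEvent(T0 + timedelta(minutes=3), "vm-guest-01", "process", "devcon.exe",
              cmdline='devcon.exe enable "vmci"'),
    # vm-guest-02: an admin disables VMCI and a properly signed driver loads afterwards
    ProcEvent(T0 + timedelta(hours=1), "vm-guest-02", "process", "devcon.exe",
              cmdline='devcon.exe disable "vmci"'),
    ProcEvent(T0 + timedelta(hours=1, minutes=1), "vm-guest-02", "driver", "vendor_signed.sys", signed=True),
    # vm-guest-03: unsigned driver load with no preceding VMCI disable (not this chain)
    ProcEvent(T0 + timedelta(hours=2), "vm-guest-03", "driver", "test.sys", signed=False),
    # vm-guest-04: both pieces present, but an hour apart (outside the default window)
    ProcEvent(T0 + timedelta(hours=3), "vm-guest-04", "process", "devcon.exe",
              cmdline='devcon.exe disable "vmci"'),
    ProcEvent(T0 + timedelta(hours=4), "vm-guest-04", "driver", "late.sys", signed=False),
]

if __name__ == "__main__":
    for finding in detect_vm_escape_staging(SAMPLE_EVENTS):
        print(f"[!] {finding['host']}: VMCI disabled, then unsigned driver "
              f"{finding['driver']} loaded {finding['delta_s']:.0f}s later")
```

The detector keys on behaviour (a VMCI disable followed by an unsigned driver load) rather than on the file names MyDriver.sys or exploit.exe, since names are trivially renamed while the need to unload the VMCI driver and bring an unsigned driver into the kernel is intrinsic to the technique the report describes. Run against real telemetry, the `ProcEvent` shape would be mapped from whatever process-creation and driver-load events the endpoint agent emits.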

It’s currently not clear who is behind the toolkit, but the use of simplified Chinese, coupled with the sophistication of the attack chain and the abuse of zero-day vulnerabilities months before public disclosure, likely points to a well-resourced developer operating in a Chinese-speaking region, Huntress theorized.

“This intrusion demonstrates a sophisticated, multi-stage attack chain designed to escape virtual machine isolation and compromise the underlying ESXi hypervisor,” the company added. “By chaining an information leak, memory corruption, and sandbox escape, the threat actor achieved what every VM administrator fears: full control of the hypervisor from inside a guest VM.”

“The use of VSOCK for backdoor communication is particularly concerning, as it bypasses traditional network monitoring entirely, making detection significantly harder. The toolkit also prioritizes stealth over persistence.”

© 2025 https://techtrendfeed.com/ - All Rights Reserved