Scattered Spider Targets VMware ESXi in Advanced Ransomware Attacks on U.S. Critical Infrastructure

The threat group known as Scattered Spider has launched a new wave of cyberattacks focusing on VMware ESXi hypervisors, hitting critical infrastructure sectors such as retail, airlines, and transportation across North America.

According to Google’s Mandiant, the group’s approach has remained consistent and doesn’t rely on software vulnerabilities. Instead, they utilize highly effective social engineering tactics, often calling IT help desks to manipulate personnel and gain initial access.

“These actors are aggressive and resourceful. Their attacks are not opportunistic but calculated, targeting the most vital systems and data within an organization,” Mandiant noted.

Also known by aliases such as 0ktapus, Muddled Libra, Octo Tempest, and UNC3944, the group is well-known for sophisticated impersonation attacks. Once inside, they use “living-off-the-land” (LotL) techniques to operate covertly, often abusing Active Directory to move laterally into VMware vSphere environments.

Bypassing Security with Hypervisor-Level Attacks

This group has developed an efficient method of deploying ransomware directly from the hypervisor, which allows them to bypass endpoint detection tools and leaves minimal forensic evidence.

Their multi-phase attack chain includes:

  1. Initial Access and Reconnaissance
    Attackers collect IT documentation, support materials, org charts, and admin details. They also extract credentials from tools like HashiCorp Vault and PAM systems. Additional calls to help desks may be made, impersonating high-level admins to reset passwords.
  2. Pivoting to VMware vCenter
    Using mapped AD credentials, the attackers infiltrate vCenter Server Appliance (vCSA). They deploy Teleport to establish a persistent, encrypted reverse shell, evading firewall restrictions.
  3. Disk-Swap and Data Theft
    They enable SSH access, reset root passwords, and use a “disk-swap” technique—disconnecting a Domain Controller VM’s disk, attaching it to an attacker-controlled VM, extracting the NTDS.dit Active Directory database, and then restoring the original setup.
  4. Disabling Recovery
    Backups, snapshots, and repositories are deliberately deleted to prevent recovery.
  5. Ransomware Deployment
    Custom ransomware payloads are delivered via SCP/SFTP through the previously opened SSH access.

Speed and Stealth: Hallmarks of Scattered Spider

Google warns that this campaign operates with exceptional speed and stealth. The full chain—from initial access to ransomware deployment—can unfold in just a few hours.

Unlike typical Windows-based ransomware, this threat requires new defense models, focusing on infrastructure-level protection over traditional EDR tools.

According to Palo Alto Networks’ Unit 42, Scattered Spider has teamed up with the DragonForce ransomware group (aka Slippery Scorpius), and has successfully stolen over 100 GB of data in as little as 48 hours during one of their campaigns.

Defensive Recommendations: How to Stay Protected

Google and Palo Alto Networks advise organizations to proactively harden their infrastructure through a three-layered defense strategy:

1. Hardening Virtual Infrastructure

  • Enable vSphere lockdown mode
  • Enable the execInstalledOnly setting
  • Encrypt VMs
  • Decommission outdated virtual machines
  • Strengthen help desk identity verification

2. Identity and Authentication Security

  • Enforce phishing-resistant MFA
  • Segregate identity infrastructure
  • Eliminate authentication loops

3. Log and Backup Management

  • Centralize log monitoring
  • Keep backups isolated from Active Directory
  • Ensure compromised admin accounts cannot access them
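The following PowerCLI audit script is an added example, not code from the article, Google, or Palo Alto Networks. It assumes VMware PowerCLI is installed and that the vCenter name in the `$VCenter` parameter is a placeholder you replace with your own; it reports every ESXi host where lockdown mode is off, execInstalledOnly is not enforced, the SSH service (which the chain above enables for SCP/SFTP staging) is running, or no remote syslog target is set.

```powershell
# Added example (not from the article or the vendors' guidance): audit ESXi hosts
# managed by a vCenter against the hardening points listed above.
# Assumes VMware PowerCLI is installed; $VCenter is a placeholder, not a real host.
param(
    [string]$VCenter = 'vcenter.example.internal'   # placeholder value
)

Import-Module VMware.PowerCLI -ErrorAction Stop
Connect-VIServer -Server $VCenter | Out-Null

$findings = foreach ($esx in Get-VMHost) {
    # Lockdown mode values: lockdownDisabled, lockdownNormal, lockdownStrict
    $lockdown = $esx.ExtensionData.Config.LockdownMode

    # execInstalledOnly: only binaries installed via VIBs may execute on the host
    $execOnly = (Get-AdvancedSetting -Entity $esx -Name 'VMkernel.Boot.execInstalledOnly').Value

    # TSM-SSH is the ESXi SSH service; the attack chain relies on it being enabled
    $ssh = Get-VMHostService -VMHost $esx | Where-Object { $_.Key -eq 'TSM-SSH' }

    # Remote syslog target; empty means host logs stay on a host the attacker controls
    $logHost = (Get-AdvancedSetting -Entity $esx -Name 'Syslog.global.logHost').Value

    [pscustomobject]@{
        Host              = $esx.Name
        LockdownMode      = $lockdown
        ExecInstalledOnly = $execOnly
        SshRunning        = $ssh.Running
        SshStartPolicy    = $ssh.Policy          # on / off / automatic
        RemoteSyslog      = $logHost
        Gaps              = @(
            if ($lockdown -eq 'lockdownDisabled')         { 'lockdown-off' }
            if ("$execOnly" -ne 'True')                   { 'execInstalledOnly-off' }
            if ($ssh.Running)                             { 'ssh-running' }
            if ([string]::IsNullOrWhiteSpace($logHost))   { 'no-remote-syslog' }
        ) -join ','
    }
}

# Hosts with a non-empty Gaps column do not meet the guidance above
$findings | Format-Table -AutoSize

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run it on a schedule and alert on any host whose Gaps column changes, since SSH being switched on or lockdown being turned off outside a change window is itself a detection signal for the chain described above.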

Prepare for vSphere 7 End-of-Life

As VMware vSphere 7 approaches its end-of-life in October 2025, Google strongly recommends re-architecting infrastructure with security in mind. Attacks that target vSphere and ESXi can cause widespread paralysis, disabling virtual environments and causing major financial and operational losses.

“Organizations that ignore these interconnected risks are leaving themselves vulnerable to rapid, devastating ransomware attacks,” Google stated.

Source: https://thehackernews.com/2025/07/scattered-spider-hijacks-vmware-esxi-to.html