The notorious cybercrime group known as Scattered Spider is targeting VMware ESXi hypervisors in attacks targeting retail, airline, and transportation sectors in North America.
“The group’s core tactics have remained consistent and do not rely on software exploits. Instead, they use a proven playbook centered on phone calls to an IT help desk,” Google’s Mandiant team said in an extensive analysis.
“The actors are aggressive, creative, and particularly skilled at using social engineering to bypass even mature security programs. Their attacks are not opportunistic but are precise, campaign-driven operations aimed at an organization’s most critical systems and data.”
Also called 0ktapus, Muddled Libra, Octo Tempest, and UNC3944, the threat actors have a history of conducting advanced social engineering attacks to obtain initial access to victim environments and then adopting a “living-off-the-land” (LotL) approach by manipulating trusted administrative systems and leveraging their control of Active Directory to pivot to the VMware vSphere environment.
Google said the method, which provides a pathway for data exfiltration and ransomware deployment directly from the hypervisor, is “highly effective,” as it bypasses security tools and leaves few traces of compromise.
The attack chain unfolds over five distinct phases –
- Initial compromise, reconnaissance, and privilege escalation, allowing the threat actors to harvest information related to IT documentation, support guides, organization charts, and vSphere administrators, as well as enumerate credentials from password managers like HashiCorp Vault or other Privileged Access Management (PAM) solutions. The attackers have been found to make additional calls to the company’s IT help desk to impersonate a high-value administrator and request a password reset to gain control of the account.
- Pivoting to the virtual environment using the mapped Active Directory to vSphere credentials and gaining access to VMware vCenter Server Appliance (vCSA), after which teleport is executed to create a persistent and encrypted reverse shell that bypasses firewall rules
- Enabling SSH connections on ESXi hosts and resetting root passwords, and executing what’s called a “disk-swap” attack to extract the NTDS.dit Active Directory database. The attack works by powering off a Domain Controller (DC) virtual machine (VM) and detaching its virtual disk, only to attach it to another, unmonitored VM under their control. After copying the NTDS.dit file, the entire process is reversed and the DC is powered on.
- Weaponizing the access to delete backup jobs, snapshots, and repositories to inhibit recovery
- Using the SSH access to the ESXi hosts to push their custom ransomware binary via SCP/SFTP
“UNC3944’s playbook requires a fundamental shift in defensive strategy, moving from EDR-based threat hunting to proactive, infrastructure-centric defense,” Google said. “This threat differs from traditional Windows ransomware in two ways: speed and stealth.”
The tech giant also called out the threat actors’ “extreme velocity,” stating the whole infection sequence from initial access to data exfiltration and final ransomware deployment can transpire within a short span of a few hours.
According to Palo Alto Networks Unit 42, Scattered Spider actors have not only become adept at social engineering, but also have partnered with the DragonForce (aka Slippery Scorpius) ransomware program, in one instance exfiltrating over 100 GB of data during a two-day period.
To counter such threats, organizations are advised to follow three layers of protections –
- Enable vSphere lockdown mode, enforce execInstalledOnly, use vSphere VM encryption, decommission old VMs, harden the help desk
- Implement phishing-resistant multi-factor authentication (MFA), isolate critical identity infrastructure, avoid authentication loops
- Centralize and monitor key logs, isolate backups from production Active Directory, and make sure they are inaccessible to a compromised administrator
Google is also urging organizations to re-architect the system with security in mind when transitioning from VMware vSphere 7, as it approaches end-of-life (EoL) in October 2025.
“Ransomware aimed at vSphere infrastructure, including both ESXi hosts and vCenter Server, poses a uniquely severe risk due to its capacity for immediate and widespread infrastructure paralysis,” Google said.
“Failure to proactively address these interconnected risks by implementing these recommended mitigations will leave organizations exposed to targeted attacks that can swiftly cripple their entire virtualized infrastructure, leading to operational disruption and financial loss.”
