Full Report
Chinese-speaking threat actors are suspected to have leveraged a compromised SonicWall VPN appliance as an initial access vector to deploy a VMware ESXi exploit that may have been developed as far back as February 2024. Cybersecurity firm Huntress, which observed the activity in December 2025 and stopped it before it could progress to the final stage, said it may have resulted in a ransomware
Analysis Summary
# Incident Report: SonicWall VPN & VMware ESXi VM Escape Chain
## Executive Summary
Chinese-speaking threat actors used a compromised SonicWall VPN appliance for initial access, then deployed a pre-built exploit chain against VMware ESXi. The chain strings together three VMware vulnerabilities (CVE-2025-22224, CVE-2025-22225 and CVE-2025-22226, disclosed and fixed by Broadcom in March 2025 as already-exploited zero-days) to escape from a guest VM into the ESXi host, with ransomware as the suspected end goal. Huntress detected and stopped the activity in December 2025 before the final stage, which would have completed the escape and installed a persistent backdoor on the ESXi host.
## Incident Details
- Discovery Date: December 2025
- Incident Date: Activity observed beginning in December 2025; exploit toolkit development potentially started February 2024.
- Affected Organization: Not disclosed (observed by Huntress)
- Sector: Unspecified (Involved virtualization infrastructure)
- Geography: Unspecified
## Timeline of Events
### Initial Access
- Date/Time: Prior to December 2025 (Observed in December 2025)
- Vector: Compromised SonicWall VPN appliance.
- Details: Used as the initial access point to gain a foothold within the network environment.
### Lateral Movement
- Date/Time: Following Initial Access
- Vector: Exploitation of the ESXi VMX process from inside a compromised guest VM.
- Details: Inside a (Windows) guest the attackers staged an exploit toolkit made up of `exploit.exe` (internally named MAESTRO), `devcon.exe` and `MyDriver.sys`: `devcon.exe` was used to disable guest drivers, KDU loaded the unsigned `MyDriver.sys` into the guest kernel, and the kernel-level foothold was then used to reach the HGFS and VMCI interfaces through which the VM escape is triggered.
### Data Exfiltration/Impact
- Date/Time: Intended final stage (prevented)
- Vector: Completed VM escape followed by persistence on the ESXi host.
- Details: The staged payload was "VSOCKpuppet", a 64-bit ELF backdoor for the ESXi host that communicates with guest VMs over VSOCK port 10000, a guest-to-host channel that never touches the IP network. Ransomware deployment was the suspected end goal. Neither the backdoor installation nor any ransomware deployment was observed to complete.
### Detection & Response
- Date/Time: December 2025
- Vector: Proactive monitoring/detection by the cybersecurity firm Huntress.
- Details: Huntress observed the activity and successfully stopped the attack progression before the final compromise stage could be achieved.
## Attack Methodology
- Initial Access: Compromised SonicWall VPN Appliance.
- Persistence: The intended mechanism was "VSOCKpuppet", a 64-bit ELF backdoor for the ESXi host that communicates over VSOCK; its installation belonged to the final stage that Huntress prevented.
- Privilege Escalation: The chain uses CVE-2025-22226 (HGFS out-of-bounds read, leaking memory of the VMX process), CVE-2025-22224 (VMCI out-of-bounds write giving code execution as the VMX process) and CVE-2025-22225 (arbitrary write from the VMX process that escapes its sandbox into the ESXi kernel) to move from administrative control of a guest VM to kernel-level access on the ESXi host.
- Defense Evasion: Loaded an unsigned kernel driver with KDU, which abuses a vulnerable signed driver to bypass driver signature enforcement in the guest. Simplified Chinese strings in the tools' build paths are an attribution artefact pointing to the developers' language, not a concealment technique.
- Credential Access: Not explicitly detailed, but likely followed successful host compromise.
- Discovery: The toolkit appears to identify the ESXi version so that the matching exploit path is selected.
- Lateral Movement: Guest-to-host, by VM escape: the unsigned `MyDriver.sys` was loaded into the guest kernel with KDU, and memory-corruption payloads were then delivered into the VMX process on the host.
- Collection: No data collection was observed. HGFS was used to leak VMX process memory and VMCI to corrupt it, both in service of the exploit chain rather than of data theft.
- Exfiltration: Not explicitly detailed, but the final stage likely preceded any exfiltration attempt.
- Impact: Potential ransomware deployment (unconfirmed, as incident was stopped).
## Impact Assessment
- Financial: Unknown, but high potential given the nature of VM escape and ransomware threats.
- Data Breach: None confirmed. A completed escape would have given the attackers code execution on the ESXi host, from which every VM on that host, its storage and its credentials are reachable.
- Operational: Stopped before any service disruption, but the attackers already held kernel-level control of a guest VM and were one step from the ESXi host, which put the stability and integrity of the whole virtualization platform at risk.
- Reputational: N/A (Incident contained by vendor/defender).
## Indicators of Compromise
- Network Indicators: VSOCK traffic on port 10000 between a guest VM and the ESXi host. VSOCK is a guest-to-host channel that does not traverse the IP network, so firewalls and network sensors will not see it; look for it from inside guests (unexpected VSOCK sockets, or the VMCI device being used by non-VMware software) and on the host.
- File Indicators: `exploit.exe` (MAESTRO), `devcon.exe` (Microsoft's legitimate Device Console utility, suspicious only in this context), `MyDriver.sys` (unsigned kernel driver), `Binary.zip` (containing the GetShell plugin), `VSOCKpuppet` (64-bit ELF backdoor for ESXi).
- Behavioral Indicators: use of KDU (Kernel Driver Utility) to load an unsigned driver by abusing a vulnerable signed one; overwriting of a function pointer in the VMX process to trigger CVE-2025-22225 (arbitrary write).
## Response Actions
- Containment measures: Huntress stopped the activity before the final stage, the jump through the corrupted function pointer, could execute.
- Eradication steps: Not detailed, but would involve patching or replacing the SonicWall VPN appliance, removing `MyDriver.sys`, the KDU loader and the rest of the toolkit from the affected guest (preferably by reimaging it), and, if any sign of VSOCKpuppet or VMX compromise is found, rebuilding the ESXi host rather than cleaning it.
- Recovery actions: Not detailed, but recovery would necessitate full patching and system validation.
## Lessons Learned
- **Proactive Defense in Virtualization:** Exploitation of three related zero-days (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226) indicates that attackers are creating sophisticated, pre-developed toolkits targeting critical hypervisor components long before public disclosure (toolkit potentially developed Feb 2024, public disclosure March 2025).
- **Edge Device Risk:** A compromised perimeter appliance (SonicWall VPN) served as the initial foothold for a highly targeted infrastructure attack; internet-facing VPN devices remain the most common entry point for this class of intrusion.
- **Complexity of VM Escape:** The attackers needed multiple stages and components (HGFS, VMCI, KDU, shellcode staging) to successfully execute the VM escape, suggesting a high level of skill.
## Recommendations
- **Immediate Patching:** Patch SonicWall VPN appliances, and confirm that every ESXi host runs a build containing Broadcom's March 2025 fixes for CVE-2025-22224, CVE-2025-22225 and CVE-2025-22226 (VMSA-2025-0004); the toolkit predates the public disclosure, so treat any host that was unpatched during that interval as potentially exposed.
- **VM Configuration Hardening:** Review and harden ESXi configurations, and treat administrator access inside any VM as a potential host-escape path, limiting who holds it. Inside guests, enforce driver signing and also block the known-vulnerable signed drivers that KDU-style loaders abuse (for example with HVCI and Microsoft's vulnerable driver blocklist on Windows), since a signature requirement alone does not stop KDU.
- **Deep Visibility:** Log and alert on kernel driver loads in guests (Sysmon Event ID 6, and service installations of `.sys` files from user-writable paths), on `devcon.exe` disabling devices, and on abnormal VMX process behaviour on ESXi hosts.
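As an added example (not part of Huntress's report or of the original page), the following Python script applies the guest-side indicators from the Indicators of Compromise section and the Deep Visibility recommendation to a few constructed log lines: an unsigned driver load (Sysmon Event ID 6), a `devcon.exe` disable command, and a service installation pointing at a `.sys` file under a user-writable directory. It then correlates the hits per host into one staging alert. The log format, field names, rule names, hostnames and the hardware ID in the sample devcon command are assumptions made for the example; adapt `parse_line` to whatever your SIEM exports.

```python
"""Hunt for guest-side staging of an ESXi VM-escape chain in exported logs.

Added example, not tooling from the incident report. Log format, field
names, rule names and the sample values below are assumptions.

Rules:
  R1  Sysmon EventID 6 (DriverLoad) with signed=false             -> unsigned driver
  R2  Sysmon EventID 1 (ProcessCreate) running devcon.exe with a
      disable/remove/delete verb                                   -> guest driver tampering
  R3  System EventID 7045 (service installed) whose ImagePath is a
      .sys under a user-writable directory                         -> driver dropped by a user
Two or more distinct rules firing on one host inside CORRELATION_WINDOW
are escalated to a single 'vm-escape-staging' alert for that host.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): 'key=value' fields joined by ' | '.
# Hostnames and paths are invented; the hardware ID in the devcon line is just
# a plausible-looking value for the sample.
SAMPLE_LOG = """\
ts=2025-12-03T10:14:02Z | host=WEBVM01 | src=sysmon | eid=1 | image=C:\\Windows\\System32\\cmd.exe | cmdline=cmd.exe /c whoami
ts=2025-12-03T10:14:40Z | host=WEBVM01 | src=sysmon | eid=1 | image=C:\\Users\\svc\\devcon.exe | cmdline=devcon.exe disable "PCI\\VEN_15AD&DEV_0740"
ts=2025-12-03T10:15:05Z | host=WEBVM01 | src=system | eid=7045 | service=MyDriver | imagepath=C:\\Users\\svc\\MyDriver.sys
ts=2025-12-03T10:15:07Z | host=WEBVM01 | src=sysmon | eid=6 | imageloaded=C:\\Users\\svc\\MyDriver.sys | signed=false | signature=
ts=2025-12-03T11:30:00Z | host=DBVM02 | src=sysmon | eid=6 | imageloaded=C:\\Windows\\System32\\drivers\\vmci.sys | signed=true | signature=VMware, Inc.
ts=2025-12-04T08:00:00Z | host=BUILD03 | src=sysmon | eid=1 | image=C:\\Tools\\devcon.exe | cmdline=devcon.exe status *
"""

CORRELATION_WINDOW = timedelta(seconds=120)
# Drive letter, then a directory an unprivileged user can normally write to.
USER_WRITABLE = re.compile(r"^[a-z]:\\(users|programdata|temp|windows\\temp)\\", re.IGNORECASE)
# devcon.exe invoked with a verb that removes or disables a device/driver.
DEVCON_TAMPER = re.compile(r"\bdevcon(\.exe)?\b.*\b(disable|remove|delete)\b", re.IGNORECASE)


@dataclass
class Finding:
    host: str
    ts: datetime
    rule: str
    detail: str


def parse_line(line: str) -> dict[str, str]:
    """Split one 'k=v | k=v' record into a dict; values may contain spaces."""
    fields: dict[str, str] = {}
    for token in line.split(" | "):
        key, _, value = token.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def evaluate(ev: dict[str, str]) -> Finding | None:
    """Apply R1-R3 to one parsed event; return a Finding or None."""
    ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    host = ev.get("host", "unknown")
    src, eid = ev.get("src"), ev.get("eid")
    if src == "sysmon" and eid == "6" and ev.get("signed", "").lower() != "true":
        return Finding(host, ts, "R1-unsigned-driver", ev.get("imageloaded", ""))
    if src == "sysmon" and eid == "1" and DEVCON_TAMPER.search(ev.get("cmdline", "")):
        return Finding(host, ts, "R2-devcon-tamper", ev.get("cmdline", ""))
    if src == "system" and eid == "7045":
        path = ev.get("imagepath", "")
        if path.lower().endswith(".sys") and USER_WRITABLE.search(path):
            return Finding(host, ts, "R3-userdir-driver-service", path)
    return None


def hunt(log_text: str, window: timedelta = CORRELATION_WINDOW):
    """Return (findings, alerts). One alert per host is raised when at least
    two distinct rules fire within `window` of each other on that host."""
    findings = [
        f for f in (evaluate(parse_line(line)) for line in log_text.splitlines() if line.strip())
        if f is not None
    ]
    by_host: dict[str, list[Finding]] = {}
    for f in findings:
        by_host.setdefault(f.host, []).append(f)

    alerts = []
    for host, items in by_host.items():
        items.sort(key=lambda f: f.ts)
        for i, first in enumerate(items):
            cluster = [g for g in items[i:] if g.ts - first.ts <= window]
            rules = sorted({g.rule for g in cluster})
            if len(rules) >= 2:
                alerts.append({"alert": "vm-escape-staging", "host": host,
                               "start": first.ts.isoformat(), "rules": rules})
                break  # one alert per host is enough for triage
    return findings, alerts


if __name__ == "__main__":
    found, raised = hunt(SAMPLE_LOG)
    for f in found:
        print(f"{f.ts.isoformat()} {f.host} {f.rule}: {f.detail}")
    for a in raised:
        print("ALERT", a)
```

On the sample, only WEBVM01 trips all three rules within 27 seconds and receives the alert; the signed VMware driver on DBVM02 and the harmless `devcon.exe status` on BUILD03 produce no findings, which is the point of the correlation: none of these events is conclusive alone, but their clustering on one guest is the staging pattern described in this report.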