Hackers with China Ties Exploit VMware ESXi Zero-Days to Break Out of Virtual Machines

  • Jan 9

Key Findings:


  • Chinese-speaking threat actors leveraged a compromised SonicWall VPN appliance as an initial access vector to deploy a VMware ESXi exploit toolkit.

  • The toolkit targeted up to 155 ESXi builds and enabled virtual machine (VM) escape via disabled VMCI drivers and unsigned kernel drivers, potentially paving the way for a ransomware attack.

  • The exploit chain included a sophisticated VM escape and appears to have been developed more than a year before the related VMware flaws were publicly disclosed in March 2025.


Background


In December 2025, Huntress researchers detected an intrusion that led to the deployment of the VMware ESXi exploit toolkit. Initial access was attributed to a compromised SonicWall VPN appliance.


Evidence such as simplified Chinese strings and build paths suggests the toolkit was likely developed as a zero-day more than a year before VMware publicly disclosed the flaws, pointing to a well-resourced Chinese-speaking actor.


Exploited Vulnerabilities


The threat actors leveraged three VMware vulnerabilities that were disclosed as zero-days by Broadcom in March 2025:


  • CVE-2025-22224 (CVSS score: 9.3)

  • CVE-2025-22225 (CVSS score: 8.2)

  • CVE-2025-22226 (CVSS score: 7.1)


Successful exploitation of these issues could permit a malicious actor with admin privileges inside a guest VM to leak memory from the Virtual Machine Executable (VMX) process on the host or execute code as that process.


Exploit Toolkit Analysis


The toolkit involves multiple components, chief among them "exploit.exe" (aka MAESTRO), which acts as the orchestrator for the entire VM escape by making use of embedded binaries such as "devcon.exe" and "MyDriver.sys".


The driver's main responsibility is to identify the exact ESXi version running on the host and trigger exploits for CVE-2025-22226 and CVE-2025-22224, ultimately allowing the attacker to write three payloads directly into VMX's memory.


After writing the payloads, the exploit overwrites a function pointer inside VMX so that it points to the attacker's shellcode. The next time VMX handles the relevant message, it jumps to that shellcode instead of legitimate code; this step corresponds to CVE-2025-22225.
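As an added defensive example (not code from the Huntress report or from the toolkit), the PowerShell audit below checks a Windows guest for the two conditions the toolkit is described as relying on: a running kernel driver without a valid signature (MyDriver.sys is loaded via devcon.exe) and a disabled VMCI driver. It assumes a Windows guest with VMware Tools installed and that the VMCI bus driver's service name is `vmci`.

```powershell
# Added example: audit a Windows guest for weakened driver signing, unsigned running
# kernel drivers, and the state of the VMware VMCI driver. Run as Administrator.

# 1. Is driver-signature enforcement weakened in the boot configuration?
$bcd = bcdedit /enum '{current}' 2>$null
$testSigning = [bool]($bcd -match '^\s*testsigning\s+Yes')
$noIntegrity = [bool]($bcd -match '^\s*nointegritychecks\s+Yes')

# 2. Enumerate running kernel drivers and verify the Authenticode signature of each image.
$findings = foreach ($drv in Get-CimInstance Win32_SystemDriver | Where-Object { $_.State -eq 'Running' }) {
    # Normalise the service image path: strip "\??\", expand "\SystemRoot\", root relative paths.
    $path = $drv.PathName -replace '^\\\?\?\\', ''
    $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($path -and -not [System.IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }
    if (-not $path -or -not (Test-Path -LiteralPath $path)) { continue }

    $sig = Get-AuthenticodeSignature -LiteralPath $path
    if ($sig.Status -ne 'Valid') {
        [pscustomobject]@{
            Name   = $drv.Name
            Path   = $path
            Status = $sig.Status
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        }
    }
}

# 3. State of the VMCI driver (service name 'vmci' is an assumption based on VMware Tools installs).
$vmci = Get-CimInstance Win32_SystemDriver -Filter "Name='vmci'"

"Test signing enabled:        $testSigning"
"Integrity checks disabled:   $noIntegrity"
"VMCI driver state:           $(if ($vmci) { "$($vmci.State) (StartMode: $($vmci.StartMode))" } else { 'not present' })"
if ($findings) {
    "Running kernel drivers without a valid Authenticode signature:"
    $findings | Format-Table -AutoSize
} else {
    "All running kernel drivers carry a valid Authenticode signature."
}
```

Treat the driver list as leads rather than verdicts: a legitimately catalog-signed third-party driver can also report a non-Valid status, so confirm each hit against the vendor's installer before escalating.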


Backdoor and Post-Exploitation Activities


The toolkit deploys a stealthy VSOCK-based backdoor (VSOCKpuppet) that enables persistent remote control of the hypervisor from guest VMs while evading traditional network monitoring.


The attackers were also observed moving laterally using Domain Admin credentials, performing reconnaissance, modifying firewall rules to block external access while preserving internal movement, and staging data for exfiltration.


Conclusion


The development timeline revealed in the PDB paths indicates this exploit potentially existed as a zero-day for over a year before VMware's public disclosure, highlighting the persistent threat posed by well-resourced actors with access to unpatched vulnerabilities.


The sophisticated, multi-stage attack chain demonstrates the threat actors' capability to escape virtual machine isolation and compromise the underlying ESXi hypervisor, the scenario every VM administrator fears.


Sources


  • https://thehackernews.com/2026/01/chinese-linked-hackers-exploit-vmware.html

  • https://securityaffairs.com/186709/hacking/chinese-speaking-hackers-exploited-esxi-zero-days-long-before-disclosure.html

  • https://www.bleepingcomputer.com/news/security/vmware-esxi-zero-days-likely-exploited-a-year-before-disclosure/

  • https://www.instagram.com/p/DTQ8xuxDttu/

  • https://www.instagram.com/p/DTQ9dNXjYcC/

  • https://www.instagram.com/p/DTRH0fjktLB/

© 2025 by Explain IT Again. Powered and secured by Wix