
VMware ESXi exploit toolkit analysis with YARA/Sigma detections

Technical Analysis
Happening score: 42
1 unique source, 2 articles

Summary


Huntress analyzed a December 2025 VMware ESXi exploit toolkit that likely enabled guest-to-hypervisor escape and post-exploitation on ESXi hosts. The chain was delivered through a compromised SonicWall VPN appliance and appears to have targeted the three zero-days Broadcom patched in March 2025: CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226. Researchers identified modular components, including MAESTRO, MyDriver.sys, VSOCKpuppet, and the GetShell Plugin, with build clues pointing to development by February 2024 or earlier. The analysis matters because the toolkit used the HGFS, VMCI, and VSOCK guest-to-host channels to reach the hypervisor, and because YARA and Sigma detections were published for defenders.

Related Happenings

BRICKSTORM backdoor activity and GRIMBOLT replacement on appliances

Malware Activity
First: 18.02.2026 12:32 Last: 18.02.2026 12:32 Sources 1

About this happening: **BRICKSTORM** is a **Golang backdoor** used by **PRC state-sponsored actors** to keep **long-term persistence** on **VMware vSphere**, **Windows**, and appliance environments. ...

UNC6201 Dell RecoverPoint for Virtual Machines zero-day campaign

Campaign
First: 17.02.2026 22:15 Last: 17.02.2026 22:15 Sources 1

About this happening: The **UNC6201** campaign has been exploiting a **Dell zero-day** since **mid-2024**, creating a sustained risk of unauthorized access and stealthy movement across victims' virtual...

Latest development: 19.02.2026 17:30

CISA added CVE-2026-22769 to its Known Exploited Vulnerabilities catalog and ordered Federal Civilian Executive Branch agencies to secure affected Dell RecoverPoint systems by Saturday, February 21, after Mandiant and Google Threat Intelligence Group (GTIG) said UNC6201 had exploited the flaw since at least mid-2024.

Reynolds ransomware BYOVD defense-evasion activity

Malware Activity
First: 10.02.2026 16:36 Last: 10.02.2026 16:36 Sources 1

About this happening: The **Reynolds** ransomware family now matters because it bundles a **vulnerable NsecSoft NSecKrnl driver** inside the payload to disable **EDR** and terminate security processes...

SolarWinds Web Help Desk (WHD) multi-stage exploitation wave

Exploitation Wave
First: 09.02.2026 16:42 Last: 09.02.2026 16:42 Sources 1

About this happening: **SolarWinds Web Help Desk (WHD)** exploitation is a **multi-stage intrusion wave** affecting **internet-exposed WHD instances**. The foothold remains unconfirmed, but the wave is...

Latest development: 10.03.2026 08:17

CISA added CVE-2025-26399 in SolarWinds Web Help Desk to its Known Exploited Vulnerabilities (KEV) catalog after evidence of active exploitation. CISA noted that Microsoft and Huntress had reported threat actors using SolarWinds Web Help Desk flaws to obtain initial access, attributed the activity to the Warlock ransomware crew, and ordered Federal Civilian Executive Branch (FCEB) agencies to apply the fix by March 12, 2026.

VMware ESXi arbitrary-write sandbox escape (CVE-2025-22225)

Vulnerability
First: 04.02.2026 19:38 Last: 04.02.2026 19:38 Sources 1

How related: Broadcom patched this ESXi arbitrary-write vulnerability (tracked as CVE-2025-22225) in March 2025 alongside a memory leak (CVE-2025-22226) and a TOCTOU flaw (CVE-2025-22224), and tagged them all as actively exploited zero-days.

About this happening: **CVE-2025-22225** is now confirmed in **ransomware campaigns**, making the **VMware ESXi** sandbox-escape flaw an active risk for exposed virtualization hosts. **Broadcom** patch...

Timeline

  1. 08.01.2026 23:27 · 3 articles

    Analysis of VMware ESXi escape toolkit and detections

    Technical Analysis Update

    Huntress publishes a technical analysis of a VMware ESXi exploit toolkit used in December 2025 attacks and assesses that the chain likely leveraged CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226 through HGFS information leakage, VMCI memory corruption, and kernel escape behavior. The tooling is described as modular: MAESTRO coordinates the escape, MyDriver.sys carries the unsigned kernel driver logic, VSOCKpuppet provides command execution and file transfer over VSOCK on the ESXi host, and the GetShell Plugin connects from a guest VM. Build artifacts referencing 2024_02_19 and 2023_11_02 suggest development well before disclosure. Huntress recommends applying the latest ESXi security updates and deploying its YARA and Sigma rules for early detection.
