Cybercriminals have been using two new backdoors to compromise VMware ESXi hypervisors. Their aim is to control vCenter servers and VMs for Linux and Windows while staying hidden.

Two backdoors and a malware

The attackers are using malicious vSphere Installation Bundles (VIBs) to install two backdoors—VirtualPita and VirtualPie—on the bare-metal hypervisor.
  • The cybercriminals (UNC3886) behind these two new backdoors are suspected to be having links with China.
  • Experts have further spotted a unique malware named VirtualGate that includes a dropper and a payload. It has a memory-only dropper that de-obfuscates a second-stage DLL payload on the VM.

To pull off an attack here, attackers require having admin-level privileges to the hypervisor.


  • VirtualPita is a passive backdoor (64-bit) that creates a listener at a hardcoded port number on a VMware ESXi server.
  • The backdoor impersonates a genuine service by using VMware service ports and names. 
  • It executes arbitrary commands, uploads/downloads files, and starts/stops the logging mechanism.


  • VirtualPie is a Python-based backdoor that uses a daemonized IPv6 listener on a hardcoded port at the VMware ESXi server.
  • The backdoor has support for arbitrary command line execution, transfer files, and setting up a reverse shell.


Experts suggest having centralized logging of ESXi environments to spot malicious behavior, if any, and investigate further. Security analysts of an organization must ensure all ESXi host and vCenter Server logs are forwarded to the SIEM solution. It offers visibility into security events beyond administrative activity.
Cyware Publisher