Threat-hunting teams are warning that the financially motivated group UNC3944, also tracked as 0ktapus, Octo Tempest, and Scattered Spider, has transitioned from credential-harvesting campaigns to a full-blown assault on virtualization stacks.
Google’s Threat Intelligence Group states that the actors are now “living off the land” within VMware vSphere, exfiltrating Active Directory databases and launching hypervisor-level ransomware that traditional endpoint agents typically do not detect.
The operation begins with a voice call to the victim’s IT help desk. Using breached personal data, UNC3944 convincingly impersonates ordinary staff, persuading agents to reset Active Directory (AD) passwords. Once inside, reconnaissance follows two tracks:
Armed with this intelligence, the attackers phone the help desk again, this time posing as a genuine domain or vSphere administrator and reset a Tier 0 account.
Windows event IDs 4724 (password reset) and 4728/4732 (group membership changes) are the earliest machine signals defenders can correlate with ticket logs to catch the breach.
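As an added example (not code from the article or from Google's Threat Intelligence Group), the correlation described above applied to constructed sample records: Event IDs 4724, 4728 and 4732 are checked against approved help-desk tickets for the same account, and Tier 0 group changes are surfaced even when a ticket exists, since an approved ticket is exactly what the help-desk pretext obtains. The record field names, the 60-minute window and the Tier 0 group names are assumptions.

```python
"""Flag AD password resets and group changes that lack a help-desk ticket."""
from datetime import datetime, timedelta

TIER0_GROUPS = {"Domain Admins", "vSphere Admins", "Veeam Administrators"}  # assumed names
WATCHED_IDS = {4724: "password reset", 4728: "global group add",
               4732: "local group add"}


def _ticket_covers(ticket, target, when, window):
    """True if an approved ticket names the same account within the window."""
    return (ticket["account"].lower() == target.lower()
            and ticket["status"] == "approved"
            and abs(when - datetime.fromisoformat(ticket["time"])) <= window)


def find_suspicious_changes(events, tickets, window_minutes=60):
    """Return alerts for 4724/4728/4732 events: any event with no approved ticket
    for the target inside the window, plus every Tier 0 group change even when a
    ticket exists, since an approved reset ticket is what the pretext obtains."""
    window = timedelta(minutes=window_minutes)
    alerts = []
    for ev in events:
        if ev["id"] not in WATCHED_IDS:
            continue  # other IDs (e.g. 4624 logons) are not correlated here
        when = datetime.fromisoformat(ev["time"])
        ticketed = any(_ticket_covers(t, ev["target"], when, window) for t in tickets)
        tier0 = ev["id"] != 4724 and ev.get("group") in TIER0_GROUPS
        if not ticketed:
            reason = f"{WATCHED_IDS[ev['id']]} without a matching help-desk ticket"
            alerts.append({"target": ev["target"], "id": ev["id"], "reason": reason,
                           "severity": "high" if tier0 else "medium"})
        elif tier0:
            alerts.append({"target": ev["target"], "id": ev["id"], "severity": "high",
                           "reason": f"Tier 0 group {ev['group']} changed; verify ticket out-of-band"})
    return alerts


# Constructed sample records (not real telemetry); field names are assumed.
SAMPLE_EVENTS = [
    {"id": 4724, "time": "2025-07-28T09:05:00", "target": "jdoe"},
    {"id": 4624, "time": "2025-07-28T09:06:00", "target": "jdoe"},
    {"id": 4724, "time": "2025-07-28T11:40:00", "target": "svc_vsphere"},
    {"id": 4728, "time": "2025-07-28T11:42:00", "target": "svc_vsphere", "group": "Domain Admins"},
    {"id": 4732, "time": "2025-07-28T12:00:00", "target": "mlee", "group": "Help Desk"},
    {"id": 4728, "time": "2025-07-28T12:01:00", "target": "mlee", "group": "vSphere Admins"},
]
SAMPLE_TICKETS = [
    {"account": "jdoe", "time": "2025-07-28T09:00:00", "status": "approved"},
    {"account": "mlee", "time": "2025-07-28T12:05:00", "status": "approved"},
]
```

Running `find_suspicious_changes(SAMPLE_EVENTS, SAMPLE_TICKETS)` yields three alerts: the unticketed reset of svc_vsphere, its unticketed addition to Domain Admins, and the ticketed but Tier 0 addition of mlee to vSphere Admins.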
With AD-synced rights, the intruders log into the vCenter Server Appliance (VCSA), reboot it, and edit the GRUB bootloader to obtain a root shell without a password.
They immediately change the root password, enable SSH, and install Teleport, an open-source reverse-shell tool that maintains an encrypted back channel even through outbound egress filters.
From vCenter, they push out SSH keys to ESXi hosts, reset root passwords, and switch to the hypervisor layer. A key maneuver is the “disk-swap” attack, which lets them obtain the NTDS.dit and SYSTEM hive offline.
Detection signals: vim.event.VmReconfiguredEvent entries and ESXi hostd audit logs showing unexpected disk attachments.
Before encryption, UNC3944 cripples recovery by deleting Veeam backup jobs or adding their account to the “Veeam Administrators” group via AD, and then erasing repositories.
Finally, a custom ELF ransomware binary is copied to /tmp on each ESXi host, granted execute permissions, and launched with nohup to survive session logout.
A shell script issues mass vim-cmd vmsvc/power.off commands, then encrypts every .vmdk and .vmx file.
If execInstalledOnly and lockdown mode are disabled, the attack can be completed in hours, leaving defenders with nothing but immutable, off-domain backups, if they exist, standing between them and a multimillion-dollar ransom.
Security teams are urged to enforce phishing-resistant MFA on vCenter, enable ESXi audit logging to a SIEM, deploy VM encryption for Tier 0 assets, and lock down help-desk password-reset procedures.
Without these measures, the virtualization layer itself becomes an attacker-controlled black box, undetectable and potentially devastating.