China-Linked Actor Built VMware ESXi Zero-Day Exploits Over a Year Before Disclosure
Estimated Reading Time: 6 minutes
Key Takeaways:
- Long-term Exploitation: A China-linked actor utilized functional VMware ESXi zero-day exploits (ESXicape) for over a year before public patches were released.
- Critical Vulnerabilities: CISA has mandated emergency patching for a CVSS 10.0 vulnerability in HPE OneView that allows unauthenticated remote code execution.
- Data Exposure: A massive dataset containing 17.5 million Instagram user records is circulating on underground criminal marketplaces.
- Evolving Tactics: Iranian APT MuddyWater has shifted to custom Rust-based implants (RustyWater) to evade traditional security detections.
Table of Contents:
- China-Linked Actor Built VMware ESXi Zero-Day Exploits Over a Year Before Disclosure
- Technical Breakdown of the ESXicape Chain
- Instagram Data Breach: 17.5 Million Accounts Exposed
- CISA Issues Emergency Patching Mandate for HPE OneView
- MuddyWater Evolves Arsenal with RustyWater Implant
- Europol Dismantles Black Axe Organized Crime Syndicate
- Technical Takeaways for Infrastructure Defense
- PurpleOps Expertise in Advanced Threat Mitigation
- Frequently Asked Questions
China-Linked Actor Built VMware ESXi Zero-Day Exploits Over a Year Before Disclosure
Analysis of recent forensic data indicates that a China-linked threat actor developed functional exploits for multiple VMware ESXi vulnerabilities as early as late 2023, representing a significant lead time before public disclosure. Forensic evidence suggests the toolkit was operational by February 2024, more than a year before VMware issued patches in March 2025.
This technical summary details the exploit chain, identified as ESXicape, alongside other critical security incidents including a massive Instagram data exposure, a maximum-severity HPE OneView flaw, and shifting tactics from Iranian APT groups.
The vulnerabilities tracked as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226 constitute a sophisticated exploit chain. When combined, these flaws allow an attacker with guest-level privileges to execute arbitrary code on the underlying ESXi hypervisor, effectively escaping the virtual machine (VM) sandbox.
Technical Breakdown of the ESXicape Chain
The exploit toolkit leverages three distinct weaknesses within the VMware architecture:
- HGFS Information Disclosure (CVE-2025-22224): An out-of-bounds read vulnerability in the Host-Guest File System (HGFS) allows an attacker to leak memory addresses. This is a critical prerequisite for bypassing Address Space Layout Randomization (ASLR).
- VMCI Memory Corruption (CVE-2025-22225): A time-of-check time-of-use (TOCTOU) flaw exists in the Virtual Machine Communication Interface (VMCI). By manipulating the timing of memory access, an attacker can corrupt memory within the VMX process.
- Arbitrary Write and Sandbox Escape (CVE-2025-22226): The final stage of the chain utilizes an arbitrary write condition to escape the VMX sandbox and achieve code execution at the kernel level of the ESXi host.

Analyst observations from December 2025 confirmed the use of these exploits during an intrusion involving suspected ransomware activity. The attack path began with a compromised SonicWall VPN appliance. Once internal access was gained, the actor utilized a Domain Admin account to move laterally across the Windows environment. Upon reaching the virtualization infrastructure, the actor deployed the ESXicape toolkit to install a backdoor directly on the hypervisor.
Compile timestamps within the malware suggest development activity as early as November 2023 for specific communication components, with the primary exploit binary finalized by February 2024. This suggests a prolonged period of undetected exploitation. Organizations utilizing a cyber threat intelligence platform can correlate these historical TTPs to identify legacy indicators of compromise (IOCs) within their infrastructure.
Instagram Data Breach: 17.5 Million Accounts Exposed
Recent underground activity has identified a database containing sensitive information for approximately 17.5 million Instagram users. This data is currently being traded on criminal marketplaces, emphasizing the importance of underground forum intelligence for breach detection.
Scope of the Data Leak
The exposed dataset includes:
- Usernames and account handles.
- Physical addresses.
- Phone numbers.
- Email addresses.
While Meta has not officially confirmed the source of the leak, security researchers have verified the circulation of the data. This incident demonstrates the necessity of brand leak alerting to monitor for unauthorized distribution of corporate or customer data. For users and businesses, this breach increases the risk of targeted spear-phishing and credential stuffing attacks. A proactive dark web monitoring service is essential for identifying whether internal credentials or executive data appear in such datasets.
CISA Issues Emergency Patching Mandate for HPE OneView
A critical vulnerability in Hewlett Packard Enterprise (HPE) OneView, tracked as CVE-2025-37164, has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog. The flaw has been assigned a CVSS score of 10.0, indicating the highest possible severity.
The vulnerability resides in the ID Pools feature of HPE OneView. Specifically, a REST API endpoint was found to be accessible without authentication.
This lack of access control allows a remote, unauthenticated attacker to execute arbitrary code (RCE) on the management platform. Because HPE OneView serves as a centralized management layer for server and networking infrastructure, a compromise here grants an attacker control over the entire environment. Rapid7 researchers noted that all versions prior to 11.00 are vulnerable, with specific risks identified for HPE OneView for HPE Synergy and virtual machine deployments (version 6.x).
There are no known workarounds for this flaw. Administrators must update to version 11.00 or later. This case highlights the importance of supply-chain risk monitoring, as management software often holds the “keys to the kingdom” for data center operations.
MuddyWater Evolves Arsenal with RustyWater Implant
The Iranian state-sponsored group MuddyWater (also known as Mango Sandstorm or Static Kitten) has transitioned toward custom-built Rust implants. The new malware, codenamed RustyWater, has been deployed in spear-phishing campaigns targeting maritime, telecom, and diplomatic sectors across the Middle East.
Tooling Shift and Capabilities
Historically, MuddyWater relied heavily on legitimate remote access tools (RATs) to maintain persistence. The shift to RustyWater represents an effort to reduce noise and evade detection. The implant features:
- Asynchronous Command and Control (C2) communication.
- Anti-analysis and anti-debugging routines.
- Registry-based persistence mechanisms.
- Modular architecture for post-compromise capability expansion.
The attack chain typically involves a malicious Microsoft Word document with embedded VBA macros. When a user enables content, the macro deploys the Rust binary. This evolution in tradecraft necessitates real-time ransomware intelligence and advanced breach detection tools that can identify modular malware behavior rather than relying solely on static signatures.
Europol Dismantles Black Axe Organized Crime Syndicate
In a coordinated international effort, Europol and Spanish authorities arrested 34 members of the Black Axe criminal organization. The group, which originated in Nigeria, has expanded into a global network responsible for large-scale financial fraud and violent crime.
Impact and Operations
Black Axe is estimated to have caused over €5.93 million in damages through various cyber-enabled schemes. Their operations include:
- Business Email Compromise (BEC).
- Romance and inheritance scams.
- Credit card and tax fraud.
- Money laundering via an extensive network of mules.
Law enforcement froze over €119,000 in bank accounts and seized significant cash reserves during the raids. This syndicate’s hierarchical structure and diverse criminal portfolio demonstrate the intersection of traditional organized crime and cyber-enabled fraud. Monitoring for these groups often requires Telegram threat monitoring to track the communication channels used by facilitators and money mules.
Technical Takeaways for Infrastructure Defense
The following actions are recommended for engineering and security teams based on the analyzed threats.
For Technical Teams (Engineers and Analysts)
- Hypervisor Integrity: Conduct a forensic audit of VMware ESXi hosts for unauthorized VMX process modifications or unexpected kernel modules. Compare system state against known-good baselines to detect potential backdoors installed via the ESXicape chain.
- API Security: Audit all management interfaces, particularly REST API endpoints for infrastructure tools like HPE OneView. Ensure that no endpoints are reachable without strong authentication and that network segmentation restricts access to management subnets.
- Binary Analysis: Update endpoint detection and response (EDR) rules to account for Rust-based implants. Focus on behavioral indicators such as unusual registry modifications for persistence and asynchronous network callbacks to non-standard ports.
- Vulnerability Management: Prioritize patching of CVE-2025-37164 in HPE OneView and the VMware ESXicape vulnerabilities. Use a live ransomware API to correlate known exploited vulnerabilities with active threat group activity.
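The hypervisor baseline comparison recommended above, as an added example that is not part of the original article and not a VMware tool: a POSIX shell script that diffs the kernel modules an ESXi host reports against a known-good list. The esxcli output and the baseline are constructed samples so the script runs offline; on a real host you would substitute the live output of `esxcli system module list`.

```shell
#!/bin/sh
# Added example (not from the original article or from VMware): compare the
# kernel modules an ESXi host reports against a known-good baseline. On a real
# host you would feed it the live output of `esxcli system module list`; here
# that output is a constructed sample so the script runs offline.

# Constructed sample of `esxcli system module list` output. The three columns
# (Name / Is Loaded / Is Enabled) follow the real command; "unknownmod" is a
# made-up name standing in for a module that is not part of the baseline.
SAMPLE_MODULE_LIST='Name        Is Loaded  Is Enabled
----------  ---------  ----------
vmkernel    true       true
vmfs3       true       true
nvme_pcie   true       true
unknownmod  true       true
oldmod      false      false'

# Known-good baseline: one module name per line, captured from a freshly
# patched host of the same build and kept off the host under change control.
BASELINE='vmkernel
vmfs3
nvme_pcie'

# loaded_modules: drop the two header rows and keep names whose "Is Loaded"
# column is true. Only loaded modules can be executing on the VMkernel.
loaded_modules() {
    printf '%s\n' "$1" | awk 'NR > 2 && $2 == "true" { print $1 }'
}

# unexpected_modules: loaded modules that do not appear in the baseline,
# one per line (empty output means the host matches the baseline).
unexpected_modules() {
    loaded_modules "$1" | while IFS= read -r name; do
        printf '%s\n' "$2" | grep -qxF -- "$name" || printf '%s\n' "$name"
    done
}

# check_host: human-readable verdict; the non-zero exit status makes it
# usable from a scheduled job or a compliance check.
check_host() {
    extra=$(unexpected_modules "$1" "$2")
    if [ -n "$extra" ]; then
        echo "ALERT: loaded modules not in baseline:"
        printf '%s\n' "$extra" | sed 's/^/  /'
        return 1
    fi
    echo "OK: every loaded module is in the baseline"
}

# Demo run: the constructed sample deliberately trips the alert; the failing
# status is swallowed here so the demo itself does not abort under set -e.
check_host "$SAMPLE_MODULE_LIST" "$BASELINE" || :
```

For a fuller audit, run the same comparison over `esxcli software vib list` and confirm the host's acceptance level has not been lowered (`esxcli software acceptance get`).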
For Business Leaders and Non-Technical Stakeholders
- Infrastructure Investment: Recognize that virtualization and management layers are primary targets for state-sponsored actors. Ensure that IT budgets prioritize the lifecycle management of these core components.
- Data Exposure Awareness: Given the Instagram breach, implement corporate-wide training on the risks of personal data reuse. Stolen phone numbers and email addresses are frequently used to bypass multi-factor authentication (MFA) via SIM swapping or social engineering.
- Supply Chain Oversight: Review the security posture of third-party management tools. A compromise in a centralized management platform like OneView can result in total operational shutdown.
- Intelligence Integration: Move beyond reactive security by integrating underground forum intelligence and dark web monitoring service feeds into the corporate risk management framework.
PurpleOps Expertise in Advanced Threat Mitigation
The complexity of the VMware ESXi zero-day exploitation and the HPE OneView RCE flaw underscores the need for deep technical expertise in infrastructure security. PurpleOps provides specialized services designed to identify and neutralize these advanced threats before they result in data exfiltration or system-wide disruption.
Our cyber threat intelligence capabilities allow organizations to move from reactive patching to proactive defense. By utilizing our dark web monitoring and underground forum intelligence, companies can identify leaked credentials and brand exposure in real-time.
For organizations concerned about the integrity of their virtualization environment or management planes, PurpleOps offers comprehensive assessments and operational support:
- Penetration Testing: We simulate advanced adversary tactics to identify vulnerabilities in your hypervisor and API configurations.
- Red Team Operations: Our team conducts full-scope simulations to test your detection and response capabilities against state-sponsored TTPs.
- Supply Chain Security: We evaluate the security of your critical infrastructure software and third-party integrations.
- Ransomware Protection: We provide strategies and technical controls to defend against the modern ransomware lifecycle, including VM escape exploits.
The discovery that China-linked actors held working zero-day exploits for over a year highlights the necessity of a layered, intelligence-driven security strategy. PurpleOps is committed to providing the technical hub and professional services required to navigate this landscape.
For a detailed evaluation of your infrastructure’s resilience against the threats discussed in this report, or to integrate our specialized intelligence feeds into your security operations, contact the PurpleOps team today. Explore our full platform of services. For specific inquiries regarding threat intelligence and monitoring, visit our dedicated intelligence portal.
Frequently Asked Questions
What is the ESXicape exploit chain?
ESXicape is a chain of three VMware vulnerabilities (CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226) that allows an attacker to escape a Virtual Machine sandbox and execute code at the host’s kernel level.
How long were the VMware zero-days known to threat actors before being patched?
Evidence suggests China-linked actors had functional exploits as early as February 2024, more than a year before VMware issued official patches in March 2025.
What makes the HPE OneView vulnerability so dangerous?
Tracked as CVE-2025-37164, it has a CVSS score of 10.0 because it allows unauthenticated remote code execution via a REST API endpoint, potentially giving attackers full control over data center infrastructure.
What is RustyWater?
RustyWater is a custom-built Rust-based malware implant used by the Iranian state-sponsored group MuddyWater. It is designed for stealth, anti-analysis, and asynchronous C2 communication.
What should I do if my data was part of the Instagram leak?
Users should change their passwords, enable non-SMS based multi-factor authentication (like authentication apps), and remain vigilant against spear-phishing attempts using their leaked personal details.