VIRTUALPITA

VIRTUALPITA is a passive backdoor with ESXi and Linux vCenter variants capable of command execution, file transfer, and starting and stopping processes. VIRTUALPITA has been in use since at least 2022, including by UNC3886, who leveraged malicious vSphere Installation Bundles (VIBs) to install it on ESXi hypervisors.[1]

ID: S1217
Type: MALWARE
Platforms: ESXi, Linux
Version: 1.0
Created: 02 June 2025
Last Modified: 03 June 2025

Techniques Used

Domain ID Name Use
Enterprise T1037 Boot or Logon Initialization Scripts

VIRTUALPITA can persist as an init.d startup service on Linux vCenter systems.[1]

Enterprise T1059.004 Command and Scripting Interpreter: Unix Shell

VIRTUALPITA has the ability to spawn a bash shell for script execution.[1]

Enterprise T1059.006 Command and Scripting Interpreter: Python

VIRTUALPITA can call a Python script to run commands on a targeted guest virtual machine.[1]

Enterprise T1675 ESXi Administration Command

VIRTUALPITA can execute commands on guest virtual machines from compromised ESXi hypervisors.[1]

Enterprise T1562.003 Impair Defenses: Impair Command History Logging

VIRTUALPITA can impair logging by setting the HISTFILE environment variable to 0 and stopping the vmsyslogd service.[1]

Enterprise T1105 Ingress Tool Transfer

VIRTUALPITA has the ability to upload and download files.[1]

Enterprise T1570 Lateral Tool Transfer

VIRTUALPITA is capable of file transfer and arbitrary command execution.[1]

Enterprise T1036.004 Masquerading: Masquerade Task or Service

VIRTUALPITA has utilized VMware service names and ports to masquerade as legitimate services.[1]

Enterprise T1036.005 Masquerading: Match Legitimate Resource Name or Location

VIRTUALPITA samples have been found in /usr/libexec/setconf/ksmd and /usr/bin/ksmd, named to spoof the legitimate Kernel Same-Page Merging Daemon binary.[1]

Enterprise T1571 Non-Standard Port

VIRTUALPITA has created listeners on hard-coded TCP ports such as 2233, 7475, and 18098.[1]
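The two observables above (the spoofed ksmd paths and the hard-coded listening ports) are the most directly huntable indicators on this page. The following Python script is an added example, not code from the ATT&CK page or from the cited Mandiant reporting. It parses the text output of `esxcli network ip connection list` (the sample embedded below is constructed for this example, and its world names are made up) and flags LISTEN sockets on the reported ports, then checks a list of file paths against the reported masquerade locations. Because the real Kernel Same-Page Merging daemon is a Linux kernel thread and not an on-disk binary (and ESXi has no KSM at all), the path check also flags any other file named ksmd; that generalization is the example author's, not the page's.

```python
"""Hunt for VIRTUALPITA-style indicators from ESXi connection and file listings.

Added example (not from the ATT&CK page or from Mandiant). Run with
`--live` on an ESXi host to parse real `esxcli` output; without it, the
constructed sample below is used.
"""
import subprocess
import sys

# TCP ports the ATT&CK page reports VIRTUALPITA listening on.
VIRTUALPITA_PORTS = {2233, 7475, 18098}

# On-disk locations where the page reports samples were found.
VIRTUALPITA_PATHS = {"/usr/libexec/setconf/ksmd", "/usr/bin/ksmd"}

# Constructed sample in the column layout of `esxcli network ip connection list`.
# World names here are illustrative; the page notes the backdoor reuses VMware
# service names, so a familiar name on a suspicious port is expected.
SAMPLE_CONNECTIONS = """\
Proto  Recv Q  Send Q  Local Address  Foreign Address  State        World ID  CC Algo  World Name
-----  ------  ------  -------------  ---------------  -----------  --------  -------  ----------
tcp         0       0  0.0.0.0:443    0.0.0.0:0        LISTEN        2097818  newreno  rhttpproxy-work
tcp         0       0  0.0.0.0:22     0.0.0.0:0        LISTEN        2097534  newreno  busybox
tcp         0       0  0.0.0.0:2233   0.0.0.0:0        LISTEN        2098211  newreno  vmsyslogd
tcp         0       0  10.0.0.5:443   10.0.0.9:51522   ESTABLISHED   2097818  newreno  rhttpproxy-work
tcp         0       0  0.0.0.0:18098  0.0.0.0:0        LISTEN        2098230  newreno  hostd-worker
"""


def parse_connections(text):
    """Parse esxcli connection output into dicts; header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Proto", "-----")):
            continue
        # Eight fixed columns, then the world name (which may contain spaces).
        parts = line.split(None, 8)
        if len(parts) < 9:
            continue
        proto, _rq, _sq, local, _foreign, state, world_id, _cc, world_name = parts
        _host, _sep, port = local.rpartition(":")  # works for IPv4 and IPv6 forms
        rows.append({
            "proto": proto, "local": local, "port": int(port),
            "state": state, "world_id": int(world_id), "world_name": world_name,
        })
    return rows


def suspicious_listeners(text, ports=VIRTUALPITA_PORTS):
    """Return LISTEN sockets bound to the hard-coded VIRTUALPITA ports."""
    return [r for r in parse_connections(text)
            if r["state"] == "LISTEN" and r["port"] in ports]


def check_paths(paths, known=VIRTUALPITA_PATHS):
    """Return (path, reason) for known masquerade paths and any other on-disk ksmd.

    Assumption of this example: the legitimate ksmd is a kernel thread, so a
    regular file with that name has no benign explanation on ESXi or vCenter.
    """
    hits = []
    for p in paths:
        if p in known:
            hits.append((p, "known VIRTUALPITA location"))
        elif p.rsplit("/", 1)[-1] == "ksmd":
            hits.append((p, "ksmd should be a kernel thread, not an on-disk binary"))
    return hits


def live_connections():
    """Collect real output on an ESXi host (esxcli is a real command there)."""
    return subprocess.run(["esxcli", "network", "ip", "connection", "list"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    text = live_connections() if "--live" in sys.argv else SAMPLE_CONNECTIONS
    for r in suspicious_listeners(text):
        print(f"LISTENER  {r['local']:<16} world {r['world_id']} ({r['world_name']})")
    # Paths would normally come from `find / -name ksmd`; constructed here.
    for path, reason in check_paths(["/usr/bin/ksmd", "/bin/vmsyslogd", "/opt/tools/ksmd"]):
        print(f"FILE      {path:<28} {reason}")
```

A LISTEN hit on one of these ports is a pivot, not a verdict: confirm by inspecting the owning world and the binary behind it rather than trusting the world name, which is exactly what the masquerading entries above say the backdoor manipulates.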

Enterprise T1489 Service Stop

VIRTUALPITA can start and stop the vmsyslogd service.[1]

Enterprise T1673 Virtual Machine Discovery

VIRTUALPITA can target specific guest virtual machines for script execution.[1]

Groups That Use This Software

ID Name References
G1048 UNC3886 [1][2][3]

References