VIRTUALPIE

VIRTUALPIE is a lightweight backdoor written in Python that spawns an IPv6 listener on a VMware ESXi server and features command line execution, file transfer, and reverse shell capabilities. VIRTUALPIE has been in use since at least 2022, including by UNC3886, which installed it via malicious vSphere Installation Bundles (VIBs).[1]

ID: S1218
Type: MALWARE
Platforms: ESXi
Version: 1.0
Created: 04 June 2025
Last Modified: 04 June 2025

Techniques Used

Domain / ID / Name, followed by Use:

Enterprise T1059.006 Command and Scripting Interpreter: Python
    VIRTUALPIE is a Python-based backdoor malware.[1][2]

Enterprise T1059.012 Command and Scripting Interpreter: Hypervisor CLI
    VIRTUALPIE is capable of command line execution on compromised ESXi servers.[1]

Enterprise T1573.001 Encrypted Channel: Symmetric Cryptography
    VIRTUALPIE can use a custom RC4-encrypted protocol for C2 communications.[1][2]

Enterprise T1570 Lateral Tool Transfer
    VIRTUALPIE has file transfer capabilities.[1]

Enterprise T1571 Non-Standard Port
    VIRTUALPIE has created listeners on hard-coded TCP port 546.[1]

Enterprise T1505.006 Server Software Component: vSphere Installation Bundles
    VIRTUALPIE has been installed on VMware ESXi servers through malicious vSphere Installation Bundles (VIBs).[1]

Groups That Use This Software

ID / Name / References:

G1048 UNC3886 [1][3][2][4]

References