China-linked group Fire Ant exploits VMware and F5 flaws since early 2025

China-linked cyberespionage group Fire Ant is exploiting VMware and F5 vulnerabilities to stealthily access secure, segmented systems, according to Sygnia.

Since early 2025, the group has targeted virtualization and networking infrastructure, primarily VMware ESXi and vCenter environments.

The threat actor used stealthy, layered attack chains to reach restricted networks that were believed to be isolated.

“The attacker demonstrated a high degree of persistence and operational maneuverability, operating through eradication efforts, adapting in real time to eradication and containment actions to maintain access to the compromised infrastructure,” reads the report published by Sygnia.

“Sygnia identified tooling and techniques that closely align with prior campaigns attributed to UNC3886. Technical overlaps include specific binaries and exploitation of vCenter and ESXi vulnerabilities, as well as targeted verticals.”

Fire Ant gained deep control over VMware ESXi and vCenter servers, using unauthenticated host-to-guest command execution and credential theft to reach guest environments. The group bypassed network segmentation by compromising network appliances and tunneling through legitimate paths. As containment efforts evolved, Fire Ant adapted by changing its toolset, planting persistent backdoors, and manipulating network configuration. The campaign was uncovered through an anomaly in vmtoolsd.exe that pointed to host-based injection, which led to the discovery of a broader, stealthy cyberespionage operation.

To read the complete article, see: Security Affairs

Learn more here: Sygnia

This post is licensed under CC BY 4.0 by the author.