Scattered Spider Hacks VMware ESXi via Help Desk Social Engineering

Jul 28, 2025 | News


Scattered Spider, a notorious financially motivated threat group, has escalated its attacks by compromising VMware ESXi hypervisors at major U.S. companies without using a single software exploit, relying instead on highly targeted social engineering, Google’s Threat Intelligence Group (GTIG) has warned.

The group’s targets span the retail, airline, transportation, and insurance sectors, and their attacks can unfold within just hours.

From Help Desk to Hypervisor: A 5-Stage Attack

GTIG researchers describe a five-phase attack chain executed with surgical precision:

  1. Initial Access via Social Engineering
    Attackers impersonate company employees and call the IT help desk, requesting password resets for Active Directory accounts. Once inside the network, they begin reconnaissance.
  2. Reconnaissance and Escalation
    The attackers scan internal documentation for administrator names and privileged access groups—especially those managing VMware vSphere and ESXi. They also look for privileged access management (PAM) solutions to expand control.
  3. Privileged Access Takeover
    Armed with a high-value administrator’s name, they impersonate that user in follow-up help desk calls to gain privileged access. This allows full control of VMware vCenter Server Appliance (vCSA) and access to ESXi hypervisors.
  4. Lateral Movement and Data Extraction
    After enabling SSH and resetting ESXi root credentials, they perform “disk-swap” attacks to extract sensitive data like the NTDS.dit Active Directory database:
    • Domain Controller VMs are shut down
    • Virtual disks are attached to attacker-controlled VMs
    • Data is copied, and disks are re-attached to the original VM
  5. Backup Destruction and Ransomware Deployment
    With full access, the attackers wipe backups, snapshots, and repositories. Finally, they deploy ransomware binaries over SSH, encrypting all VM files stored on the datastore.

Figure: Scattered Spider attack chain (Source: Google)


A Complete Takeover Without Exploits

Google emphasized that Scattered Spider does not use software vulnerabilities in these attacks. Instead, they rely entirely on social engineering and abuse of native tools to achieve full infrastructure control, including virtual machines, backup systems, and domain controllers.

“Even without exploiting software flaws, Scattered Spider gains an unprecedented level of control over virtualized environments,” GTIG noted.

This approach bypasses in-guest security controls, as the threat actor operates below the guest operating systems, directly from the hypervisor layer.

Why VMware ESXi is an Attractive Target

GTIG believes that one reason Scattered Spider and other ransomware actors are increasingly targeting VMware infrastructure is organizational blind spots:

  • vSphere and ESXi are often misunderstood or mismanaged
  • Security controls tend to focus on endpoints or guests, not the hypervisor
  • Backup and PAM systems are frequently hosted on the same infrastructure they’re meant to secure



Google’s Recommendations: How to Defend Against These Attacks

To mitigate the risk, GTIG outlines a set of hardening and detection strategies, grouped into three pillars:

1. Harden vSphere and Virtual Infrastructure

  • Enforce execInstalledOnly
  • Enable VM encryption and disable SSH
  • Avoid AD joins directly on ESXi
  • Remove orphaned VMs
  • Apply strict MFA and access controls
  • Monitor for configuration drift

2. Isolate and Secure Tier 0 Assets

  • Use phishing-resistant MFA across VPN, AD, and vCenter
  • Isolate backups, PAM systems, and Domain Controllers
  • Host Tier 0 assets separately from the infrastructure they protect
  • Consider external identity providers to reduce AD exposure

3. Log and Detect Early

  • Centralize logs in a SIEM
  • Alert on key indicators: vCenter logins, SSH enablement, admin group changes
  • Use immutable, air-gapped backups
  • Regularly test recovery processes for hypervisor-layer attacks
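The indicators in this pillar are individually low-noise and only look like an intrusion in combination. The correlation below is an added example (not from the article or GTIG): it parses a constructed, simplified key=value event stream (the field names and log layout are assumptions, not real vCenter or ESXi syntax) and ties the chain described above to a single actor: SSH enablement, ESXi root reset, a domain controller powered off and its disk attached to a different VM, and snapshot deletion.

```python
"""Correlate the hypervisor-layer indicators GTIG lists. Log format and field
names are simplified assumptions for illustration, not real vCenter syntax."""
from datetime import datetime, timedelta

# Constructed sample events: "<timestamp> <host> key=value ..." (illustrative only).
SAMPLE_LOGS = """\
2025-07-28T09:02:11 vcenter01 user=svc_backup action=login src=10.0.5.21
2025-07-28T09:14:03 vcenter01 user=jdoe-admin action=login src=198.51.100.77
2025-07-28T09:15:40 esxi-07 user=jdoe-admin action=service_start service=TSM-SSH
2025-07-28T09:16:05 esxi-07 user=jdoe-admin action=password_change account=root
2025-07-28T09:20:12 vcenter01 user=jdoe-admin action=vm_poweroff vm=DC01
2025-07-28T09:21:30 vcenter01 user=jdoe-admin action=disk_attach vm=staging-tmp disk=DC01/DC01.vmdk
2025-07-28T09:40:00 vcenter01 user=jdoe-admin action=snapshot_delete vm=DC01
"""
DC_VMS = {"DC01", "DC02"}          # assumed inventory of domain-controller VMs
WINDOW = timedelta(hours=2)        # how long a DC power-off stays "open" for correlation

def parse(line):
    ts, host, *kv = line.split()
    ev = dict(p.split("=", 1) for p in kv)
    ev.update(ts=datetime.fromisoformat(ts), host=host)
    return ev

def detect(log_text, dc_vms=DC_VMS):
    alerts, recent_poweroff = [], {}     # vm -> timestamp of its power-off
    for ev in map(parse, log_text.strip().splitlines()):
        a = ev["action"]
        if a == "service_start" and ev.get("service") == "TSM-SSH":
            alerts.append(("ssh_enabled", ev["host"], ev["user"]))
        elif a == "password_change" and ev.get("account") == "root":
            alerts.append(("esxi_root_reset", ev["host"], ev["user"]))
        elif a == "vm_poweroff" and ev["vm"] in dc_vms:
            recent_poweroff[ev["vm"]] = ev["ts"]
            alerts.append(("dc_poweroff", ev["vm"], ev["user"]))
        elif a == "disk_attach":
            owner = ev["disk"].split("/", 1)[0]     # VM folder the vmdk belongs to
            off = recent_poweroff.get(owner)
            if off and owner != ev["vm"] and ev["ts"] - off <= WINDOW:
                alerts.append(("disk_swap", f"{owner}->{ev['vm']}", ev["user"]))
        elif a == "snapshot_delete" and ev["vm"] in dc_vms:
            alerts.append(("dc_snapshot_delete", ev["vm"], ev["user"]))
    return alerts

def actors_to_escalate(alerts, threshold=3):
    """Users tied to at least `threshold` distinct indicator types within the log."""
    seen = {}
    for kind, _, user in alerts:
        seen.setdefault(user, set()).add(kind)
    return sorted(u for u, kinds in seen.items() if len(kinds) >= threshold)
```

On the constructed sample, `detect` returns five alerts and `actors_to_escalate` names only the help-desk-reset administrator account; the backup service account that merely logged in produces nothing.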


The Human Element Behind the Threat

Scattered Spider—also tracked as UNC3944, Octo Tempest, and 0ktapus—is known for its exceptionally convincing social engineering. Members are capable of mimicking employee speech patterns and accents, adding further legitimacy to their impersonations.

Despite recent arrests by the UK’s National Crime Agency, malicious activity from associated clusters has not subsided.


Source: bleepingcomputer.com
