China-Linked Hackers Exploit VMware ESXi Zero-Days: How to Protect Your Virtual Machines (2026)

In December 2025 Huntress halted an intrusion in which a suspected China-linked threat actor, having first compromised a SonicWall VPN appliance for initial access, deployed a VMware ESXi exploit that appears to have been developed as early as February 2024. Had the chain run to completion, it could have culminated in a ransomware attack against the virtualized estate.

The exploit targeted three VMware vulnerabilities, CVE-2025-22224 (a heap overflow in VMCI), CVE-2025-22225 (an arbitrary write in ESXi) and CVE-2025-22226 (an information disclosure in HGFS), which Broadcom disclosed in March 2025 as actively exploited zero-days. With CVSS scores ranging from 7.1 to 9.3, they let an attacker who already holds administrative privileges inside a guest VM leak memory from, and execute code within, the Virtual Machine Executable (VMX) process on the host, and then escape that process's sandbox. The toolkit contained simplified Chinese strings, which points to a well-resourced developer in a Chinese-speaking region; the February 2024 timestamp would mean the vulnerabilities were weaponized more than a year before public disclosure.

The chain ran in several stages from inside a Windows guest. It began by disabling VMware's guest-side VMCI driver with devcon.exe, then loaded an unsigned kernel driver (MyDriver.sys) through the Kernel Driver Utility (KDU), a tool that abuses a legitimately signed but vulnerable driver to map unsigned code into the kernel. MyDriver.sys identified the ESXi version, leaked VMX memory via CVE-2025-22226 and then triggered CVE-2025-22224, injecting three payloads into VMX memory:

  1. Stage 1 shellcode: prepared the environment for the escape from the VMX sandbox.
  2. Stage 2 shellcode: established a foothold on the ESXi host.
  3. VSOCKpuppet: a 64-bit ELF backdoor, resident in VMX memory, that accepted remote commands over VSOCK port 10000.

The VMX-side step overwrote a function pointer inside VMX so that execution was redirected to the attacker's shellcode instead of the legitimate code. Hijacking control flow inside VMX is the code-execution step; leaving the VMX sandbox for the ESXi host itself is what CVE-2025-22225, an arbitrary kernel write reachable from the VMX process, provides. For command and control the actors used a client.exe ("GetShell Plugin") that talked to the backdoor over VSOCK. VSOCK traffic between a guest and its host is carried by the hypervisor and never crosses a virtual or physical network interface, so firewalls, NetFlow and network IDS do not see it; the operators evidently prioritized stealth over persistence.
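Because the VSOCK channel leaves no network telemetry, the most reliable place to catch this chain is the loader activity inside the guest: devcon.exe disabling the VMCI device, KDU mapping a driver, and the unsigned driver load itself. The following hunt logic is an added example written for this article, not code from Huntress or from the toolkit described; it runs over constructed Sysmon-style process-creation (event 1) and driver-load (event 6) records. The VMCI hardware ID, the `-map` switch as KDU's mapping mode, and the 30-minute correlation window are assumptions.

```python
"""Hunt Sysmon-style guest telemetry for the loader stages of the ESXi exploit
chain: devcon.exe disabling VMCI, KDU mapping a driver, and an unsigned driver
load. All sample events below are constructed for illustration, not real logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: VMware's VMCI bus device on Windows carries this PCI hardware ID.
VMCI_HWID = r"PCI\VEN_15AD&DEV_0740"


def is_vmci_disable(ev):
    """Stage A: devcon.exe disabling the VMCI device (Sysmon event 1)."""
    if ev["id"] != 1 or not ev["Image"].lower().endswith("devcon.exe"):
        return False
    cl = ev["CommandLine"].lower()
    return "disable" in cl and ("vmci" in cl or VMCI_HWID.lower() in cl)


def is_kdu_map(ev):
    """Stage B: Kernel Driver Utility used to map a driver (Sysmon event 1).
    Assumption: '-map <file>.sys' is KDU's unsigned-driver mapping mode."""
    if ev["id"] != 1:
        return False
    image = ev["Image"].lower()
    cl = ev["CommandLine"].lower()
    return image.endswith("kdu.exe") or re.search(r"\s-map\s+\S+\.sys", cl) is not None


def is_unsigned_driver_load(ev):
    """Stage C: Sysmon event 6 for a driver whose signature is absent or invalid."""
    if ev["id"] != 6:
        return False
    signed = ev.get("Signed", "").lower() == "true"
    valid = ev.get("SignatureStatus", "").lower() == "valid"
    return not (signed and valid)


STAGES = [
    ("vmci_disabled", is_vmci_disable),
    ("kdu_map", is_kdu_map),
    ("unsigned_driver", is_unsigned_driver_load),
]


def hunt(events, window=timedelta(minutes=30)):
    """Return ({host: [(stage, time, detail), ...]}, [hosts with the full chain]).

    A host is reported as a full chain only when all three stages appear within
    `window`; a lone devcon or driver load is surfaced but not escalated."""
    hits = defaultdict(list)
    for ev in events:
        for name, pred in STAGES:
            if pred(ev):
                detail = ev.get("CommandLine") or ev.get("ImageLoaded")
                hits[ev["host"]].append((name, ev["ts"], detail))
    chains = []
    for host, h in hits.items():
        names = {n for n, _, _ in h}
        times = [t for _, t, _ in h]
        if len(names) == len(STAGES) and max(times) - min(times) <= window:
            chains.append(host)
    return dict(hits), sorted(chains)


# Constructed sample telemetry: one guest showing the full loader chain and one
# guest with benign administrative noise (a USB device disable, a signed driver).
T0 = datetime(2025, 12, 1, 3, 14, 0)
SAMPLE_EVENTS = [
    {"host": "vm-web01", "ts": T0, "id": 1, "Image": r"C:\Windows\Temp\devcon.exe",
     "CommandLine": r'devcon.exe disable "PCI\VEN_15AD&DEV_0740"'},
    {"host": "vm-web01", "ts": T0 + timedelta(minutes=2), "id": 1,
     "Image": r"C:\Windows\Temp\kdu.exe",
     "CommandLine": r"kdu.exe -map C:\Windows\Temp\MyDriver.sys"},
    {"host": "vm-web01", "ts": T0 + timedelta(minutes=2, seconds=5), "id": 6,
     "ImageLoaded": r"C:\Windows\Temp\MyDriver.sys",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"host": "vm-db02", "ts": T0, "id": 1, "Image": r"C:\Tools\devcon.exe",
     "CommandLine": r'devcon.exe disable "USB\VID_046D*"'},
    {"host": "vm-db02", "ts": T0 + timedelta(minutes=1), "id": 6,
     "ImageLoaded": r"C:\Windows\System32\drivers\vmci.sys",
     "Signed": "true", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    hits, chains = hunt(SAMPLE_EVENTS)
    for host in chains:
        print(f"[!] full loader chain on {host}:")
        for stage, ts, detail in hits[host]:
            print(f"    {ts:%H:%M:%S} {stage:16} {detail}")
```

Each predicate is deliberately narrow so it can be dropped into an existing Sysmon or EDR pipeline as its own rule; the correlation in `hunt` is what turns three individually noisy signals into a high-confidence finding. Remember that the driver load is the last guest-side event you will see: everything after it happens inside VMX on the host.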

That leaves the question of who built the toolkit. The simplified Chinese strings and the quality of the exploit point to a Chinese-speaking region, but the developer's identity, and whether it is a state-sponsored group or a private operator, remains unclear. What is clear is the outcome: the intrusion achieved every VM administrator's worst case, full control of the hypervisor from inside a guest VM.

One reading that circulates, that exploitation this early implies insider knowledge or collaboration with the vendor, is not supported by the available evidence. A zero-day is by definition a flaw found and weaponized privately before the vendor publishes a fix; a capable research team discovering these bugs a year ahead of Broadcom's advisory requires no collusion. The practical lesson for defenders is the same either way: apply the ESXi patches from VMSA-2025-0004, treat guest administrators as a trust boundary for the host, and hunt inside guests for the loader stages described above.



Author: Fredrick Kertzmann
