
China-Linked Hackers Exploit VMware ESXi Zero-Day Vulnerabilities to Escape Virtual Machines

Chinese-speaking attackers are believed to have used a compromised SonicWall VPN appliance as their entry point and, from there, deployed an exploit chain against VMware ESXi vulnerabilities that were zero-days when first abused; the exploit itself may have been written as early as February 2024. Cybersecurity firm Huntress spotted the activity in December 2025 and interrupted it before it could escalate into a ransomware incident.

The exploit chain targets three VMware vulnerabilities that Broadcom patched in March 2025 after they were already being exploited as zero-days: CVE-2025-22224, CVE-2025-22225 and CVE-2025-22226. With CVSS scores from 7.1 to 9.3, they allow an attacker who already holds local administrative privileges inside a guest VM to leak memory from the Virtual Machine Executable (VMX) process on the host or to execute arbitrary code within it; chained together, that is a guest-to-host escape.

In March 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the three flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. Huntress's analysis of the toolkit used in the attack found Simplified Chinese strings in the development paths compiled into its binaries, pointing to a Chinese-speaking developer, and the toolkit's overall design suggests a well-resourced team.

The toolkit's main component, "exploit.exe," orchestrated the escape from the guest by dropping embedded binaries: "devcon.exe" (Microsoft's Device Console utility), used to disable VMware's guest-side VMCI drivers, and an unsigned kernel driver named "MyDriver.sys" that carries the exploit itself. Because 64-bit Windows refuses to load an unsigned driver through the normal service path, the toolkit mapped it into kernel memory with the open-source Kernel Driver Utility (KDU). Once the exploit was running, exploit.exe polled its status and re-enabled the VMCI drivers for the stages that followed.

Through this mechanism, the exploit wrote its payloads directly into the memory of the VMX process on the host. The payloads were:

  1. Stage 1 shellcode, which prepares the VMX process for the escape.
  2. Stage 2 shellcode, which establishes persistence on the ESXi host.
  3. VSOCKpuppet, a 64-bit ELF backdoor that keeps remote access to the ESXi host over the VSOCK (VM sockets) interface.

By corrupting function pointers inside the VMX process, the exploit redirected execution to its shellcode; CVE-2025-22225, the arbitrary-write flaw among the three listed above, then supplied the escape out of the VMX sandbox onto the host.

A second component, client.exe (also known as the GetShell Plugin), can be run from any guest VM on the hypervisor to talk to the backdoor and execute commands on the compromised ESXi host. The structure of the plugin and its embedded files point to development in late 2023, a further sign that the operation was planned well in advance.
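The guest-side sequence described above (devcon.exe disabling the VMCI device, an unsigned .sys mapped into the kernel from a user-writable path, devcon.exe re-enabling VMCI, all spawned by one parent) is unusual enough to hunt for in process-creation telemetry. The script below is an added example written for this page; it is not Huntress's detection logic and not part of the toolkit. The Sysmon-style records are constructed, the VMCI hardware ID PCI\VEN_15AD&DEV_0740 and the KDU-style `-map` switch are assumptions about how the device and tool appear on the command line, and the heuristics are illustrative rather than a tested signature.

```python
"""Hunt for the guest-side VM-escape tooling pattern in process-creation records.

Constructed example for illustration: sample events are made up, and the
indicators below are assumptions, not signatures from the original report.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# ASSUMPTION: the VMware VMCI bus device enumerates under this PCI hardware ID.
VMCI_HWID = r"PCI\VEN_15AD&DEV_0740"
_DEVCON_ACTION = re.compile(r"\b(disable|enable|remove)\b", re.IGNORECASE)


@dataclass
class ProcessEvent:
    """Minimal Sysmon Event ID 1 / EDR process-creation record."""
    host: str
    image: str          # full path of the new process
    command_line: str
    parent_image: str


@dataclass
class HostFindings:
    vmci_disabled: bool = False
    unsigned_driver_mapped: bool = False
    vmci_reenabled: bool = False
    parents: Set[str] = field(default_factory=set)   # parents of the flagged steps
    notes: List[str] = field(default_factory=list)

    @property
    def chain_complete(self) -> bool:
        # All three steps, driven by a single parent process, is the pattern
        # the article describes; lone admin use of devcon.exe does not qualify.
        return (self.vmci_disabled and self.unsigned_driver_mapped
                and self.vmci_reenabled and len(self.parents) == 1)


def devcon_vmci_action(ev: ProcessEvent) -> Optional[str]:
    """Return 'disable', 'enable' or 'remove' if devcon.exe acts on the VMCI device."""
    if not ev.image.lower().endswith("\\devcon.exe"):
        return None
    if VMCI_HWID.lower() not in ev.command_line.lower():
        return None
    m = _DEVCON_ACTION.search(ev.command_line)
    return m.group(1).lower() if m else None


def maps_driver_from_userland(ev: ProcessEvent) -> bool:
    """Heuristic for KDU-style manual mapping: a '-map' switch followed by a .sys
    path outside System32\\drivers (assumed switch name, not a tool signature)."""
    tokens = ev.command_line.lower().split()
    for i, tok in enumerate(tokens[:-1]):
        if tok == "-map" and tokens[i + 1].endswith(".sys"):
            return "\\system32\\drivers\\" not in tokens[i + 1]
    return False


def hunt(events: List[ProcessEvent]) -> Dict[str, HostFindings]:
    """Correlate per host; events are assumed to be in chronological order."""
    findings: Dict[str, HostFindings] = {}
    for ev in events:
        f = findings.setdefault(ev.host, HostFindings())
        action = devcon_vmci_action(ev)
        if action in ("disable", "remove"):
            f.vmci_disabled = True
            f.parents.add(ev.parent_image.lower())
            f.notes.append(f"VMCI {action}d by {ev.parent_image}")
        elif action == "enable" and f.vmci_disabled:
            f.vmci_reenabled = True
            f.parents.add(ev.parent_image.lower())
            f.notes.append(f"VMCI re-enabled by {ev.parent_image}")
        if maps_driver_from_userland(ev):
            f.unsigned_driver_mapped = True
            f.parents.add(ev.parent_image.lower())
            f.notes.append(f"driver mapped from userland: {ev.command_line}")
    return findings


# Constructed sample telemetry (not captured from a real incident).
SAMPLE_EVENTS = [
    ProcessEvent("guest-win01", r"C:\Windows\System32\svchost.exe",
                 "svchost.exe -k netsvcs", r"C:\Windows\System32\services.exe"),
    ProcessEvent("guest-win01", r"C:\Users\Public\devcon.exe",
                 r'devcon.exe disable "PCI\VEN_15AD&DEV_0740"', r"C:\Users\Public\exploit.exe"),
    ProcessEvent("guest-win01", r"C:\Users\Public\kdu.exe",
                 r"kdu.exe -prv 1 -map C:\Users\Public\MyDriver.sys", r"C:\Users\Public\exploit.exe"),
    ProcessEvent("guest-win01", r"C:\Users\Public\devcon.exe",
                 r'devcon.exe enable "PCI\VEN_15AD&DEV_0740"', r"C:\Users\Public\exploit.exe"),
    # Benign: an admin listing devices with the SDK copy of devcon.exe.
    ProcessEvent("guest-win02", r"C:\Program Files (x86)\Windows Kits\10\Tools\x64\devcon.exe",
                 "devcon.exe status *", r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for host, f in hunt(SAMPLE_EVENTS).items():
        verdict = "ESCAPE TOOLING CHAIN" if f.chain_complete else "no chain"
        print(f"{host}: {verdict}")
        for note in f.notes:
            print("   ", note)
```

Against real telemetry this would run over Sysmon Event ID 1 or equivalent EDR process events from every guest on the cluster. Requiring all three steps from one parent keeps routine device administration from alerting, while either the VMCI disable or the userland driver mapping on its own is still worth a lower-severity look, since both are rare on a healthy guest.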

The operators behind the toolkit have not been identified, but the sophistication of the chain and the Chinese-language artifacts point to a capable group operating in a Chinese-speaking region. Huntress noted that the multi-stage attack achieves a full break of virtual machine isolation: complete control of the hypervisor from inside a guest VM. It singled out the use of VSOCK for backdoor communication as especially troubling, because VSOCK traffic passes between guest and host without touching the network, so firewalls, intrusion detection sensors and flow logs never see it and detection has to happen on the host or inside the guest. The incident underscores the risk concentrated in virtualization infrastructure, where one hypervisor compromise exposes every guest it runs.


