Scattered Spider Targets VMware ESXi in Rapid and Stealthy Cyberattacks
CYBER SYRUP

The cybercriminal group known as Scattered Spider — also tracked as 0ktapus, Muddled Libra, Octo Tempest, and UNC3944 — has launched a series of sophisticated attacks targeting VMware ESXi hypervisors across the retail, airline, and transportation sectors in North America.
According to Google’s Mandiant team, these attacks are notable for not relying on software exploits, but instead using aggressive social engineering tactics to bypass even mature security defenses.
How the Attack Works
The group’s playbook is centered on phone-based social engineering — attackers impersonate employees and contact help desks to gain access to privileged accounts. These campaigns are highly targeted and coordinated, not opportunistic.
Once initial access is gained, attackers:
- Harvest internal documentation like org charts and IT guides.
- Target privileged access systems such as HashiCorp Vault and Active Directory.
- Pivot into virtual infrastructure using mapped credentials to vSphere.
- Create a persistent reverse shell using a tool called Teleport to bypass firewalls.
- Access ESXi hosts via SSH, change root passwords, and disable backups.
- Deploy ransomware through SCP or SFTP using custom-built binaries.
One especially stealthy tactic involves a “disk-swap” attack, where attackers power down a Domain Controller VM, extract its virtual disk, mount it on another VM, copy the Active Directory (NTDS.dit) database, and then revert everything to avoid detection.
Why This Attack Is Dangerous
Scattered Spider’s method is both fast and stealthy — entire attacks can unfold in a matter of hours, often leaving minimal digital traces. Their ability to manipulate infrastructure directly makes traditional endpoint detection tools ineffective.
Defensive Recommendations
Google and Palo Alto Networks recommend a three-layer defense strategy:
Infrastructure Hardening
- Enable vSphere lockdown mode
- Use VM encryption
- Decommission unused VMs
- Limit root and SSH access
Identity Protection
- Implement phishing-resistant MFA
- Harden and isolate identity infrastructure
- Avoid account recovery paths vulnerable to social engineering
Monitoring and Recovery
- Isolate backups from Active Directory
- Ensure logs are centrally collected and monitored
- Test backup recovery processes regularly
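As an added example (not from the original post, nor from Google's or Palo Alto Networks' guidance), the Python below shows what "centrally collected and monitored" logs can catch: it runs two detections over constructed vCenter/ESXi-style event lines mirroring the steps described above, a root password change shortly after SSH is enabled on a host, and the disk-swap pattern (a VM powered off, its VMDK attached to a different VM, then the VM powered back on). The line format and event wording are assumptions; real hostd and vCenter events differ and would need their own parsers.

```python
import re
from datetime import datetime, timedelta
# Constructed vCenter/ESXi-style event lines (not real logs): "<timestamp> <source> <message>"
SAMPLE_EVENTS = """\
2025-07-20T02:01:10Z esx01 ssh service started by user helpdesk-admin
2025-07-20T02:02:45Z esx01 root password changed via esxcli
2025-07-20T02:05:00Z vcenter VM DC01 powered off by user helpdesk-admin
2025-07-20T02:06:30Z vcenter VM JUMP01 reconfigured: added disk [datastore1] DC01/DC01.vmdk
2025-07-20T02:31:00Z vcenter VM JUMP01 reconfigured: removed disk [datastore1] DC01/DC01.vmdk
2025-07-20T02:32:00Z vcenter VM DC01 powered on by user helpdesk-admin
2025-07-20T09:00:00Z vcenter VM WEB02 powered off by user ops
"""
POWER_RE = re.compile(r"VM (\S+) powered (off|on)")
DISK_ADD_RE = re.compile(r"VM (\S+) reconfigured: added disk \[\S+\] (\S+)/\S+\.vmdk")

def parse_events(text):
    """Split each line into time, source and message; lines that do not fit are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(" ", 2)
        if len(parts) == 3:
            events.append({"time": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ"),
                           "src": parts[1], "msg": parts[2]})
    return events

def detect_ssh_root_change(events, window=timedelta(minutes=15)):
    """Flag a root password change shortly after SSH is enabled on the same ESXi host."""
    alerts, ssh_started = [], {}
    for e in events:
        if "ssh service started" in e["msg"]:
            ssh_started[e["src"]] = e["time"]
        elif "root password changed" in e["msg"] and e["src"] in ssh_started:
            gap = e["time"] - ssh_started[e["src"]]
            if gap <= window:
                alerts.append(f"{e['src']}: root password changed {gap} after SSH enabled")
    return alerts

def detect_disk_swap(events, window=timedelta(hours=4)):
    """Flag: VM powered off -> its VMDK attached to a different VM -> same VM powered on."""
    alerts, powered_off, foreign_mount = [], {}, {}
    for e in events:
        p = POWER_RE.search(e["msg"])
        d = DISK_ADD_RE.search(e["msg"])
        if p and p.group(2) == "off":
            powered_off[p.group(1)] = e["time"]
        elif p and p.group(1) in foreign_mount and e["time"] - powered_off[p.group(1)] <= window:
            mounted_on = foreign_mount.pop(p.group(1))
            alerts.append(f"{p.group(1)}: disk attached to {mounted_on} while powered off, then powered on")
        elif d and d.group(2) != d.group(1) and d.group(2) in powered_off:
            foreign_mount[d.group(2)] = d.group(1)  # disk owner VM -> VM that mounted its disk
    return alerts
```

Running both detectors over `parse_events(SAMPLE_EVENTS)` yields one alert each; the unrelated WEB02 power-off produces none.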
Preparing for vSphere 7 End-of-Life
With VMware vSphere 7 reaching end-of-life in October 2025, Google urges organizations to re-architect virtual infrastructure with security in mind. Neglecting to do so could expose enterprises to crippling ransomware campaigns that paralyze operations.
"Ransomware targeting vSphere infrastructure poses a uniquely severe risk due to its capacity for immediate and widespread infrastructure paralysis," Google warns.