Overview
- Researchers say attackers breached a SonicWall VPN and used a stolen Domain Admin account to pivot via RDP before launching a guest-to-hypervisor escape against ESXi in December 2025.
- The toolkit likely chained three ESXi flaws disclosed in March 2025 (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226), though Huntress stops short of a definitive one-to-one match.
- Components included an orchestrator dubbed MAESTRO, an unsigned kernel driver loaded via KDU, a VSOCK-based ESXi backdoor called VSOCKpuppet, and a GetShell client for command and file operations.
- Build paths and timestamps point to development activity as early as November 2023 and February 2024, and simplified Chinese strings suggest a well-resourced developer in a Chinese-speaking region.
- Huntress disrupted the operation before its final stage and urges patching ESXi and monitoring for YARA/Sigma indicators, VSOCK activity, and unsigned driver loading.