Particle.news

Scattered Spider Exploits VMware vSphere Hypervisors for Stealth Ransomware Attacks

Google’s Threat Intelligence Group warns that UNC3944’s social-engineering-driven takeover of vSphere environments can deliver ransomware within hours, and that tools running inside the guest VMs never see it happen

Scattered Spider Launching Ransomware on Hijacked VMware Systems, Google

Overview

  • UNC3944 gains initial access by impersonating employees in phone calls to the IT help desk and talking staff into resetting Active Directory account passwords; the compromised accounts are then used to find the AD groups that administer vSphere
  • With those AD privileges the attackers take over VMware vCenter Server, reboot the appliance into single-user mode to reset its root password, and install Teleport as an outbound tunnel so their hypervisor-level access survives later credential rotation
  • From vCenter they enable SSH on the ESXi hosts and reset the hosts’ root passwords, attach the domain controller’s virtual disk to a VM they control to read the Active Directory credential database offline, disable or delete backups, and then push and run the ransomware binary on the ESXi hosts themselves, so nothing executes inside the guests for endpoint agents to detect
  • The campaigns target major US retail, airline and insurance organizations and can move from the first help-desk call to full encryption in a matter of hours
  • Google and other security experts advise shifting from endpoint detection to defenses at the virtualization layer: disable direct SSH and shell access to ESXi and enable lockdown mode, encrypt virtual disks with vSphere VM encryption so a detached VMDK is unreadable, keep backups immutable and isolated from the production AD and vSphere trust, and enforce phishing-resistant multi-factor authentication (for example FIDO2) for help-desk password resets and vSphere admin logins
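The chain above leaves traces in vCenter and ESXi event streams rather than in guest telemetry, and that is where a hunt has to run. The following is an added example, not code from Particle.news, Google or VMware: it applies three detections to a constructed sample of vSphere-style events. `esx.audit.ssh.enabled`, `VmPoweredOffEvent` and `VmReconfiguredEvent` are real vSphere event identifiers, but the flat dict layout, the message wording, the host and VM names and the 30-minute window are assumptions, so adapt the keys and the regex to whatever your SIEM actually ingests.

```python
"""Hunting for UNC3944's hypervisor-layer moves in vSphere events.

Added example, not code from the page, Google or VMware. Three detections:
  - SSH service enabled on an ESXi host (event id esx.audit.ssh.enabled)
  - a VM reconfigured to attach a VMDK that lives in another VM's folder
    (VmReconfiguredEvent), the way a domain controller's disk is read
    offline for its credential database
  - the same attach shortly after the owning VM was powered off
    (VmPoweredOffEvent), escalated to critical
The dict layout and message text are simplified stand-ins for real
EventManager records (an assumption).
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Tier-0 VMs whose disks must never be attached to another VM.
# Assumption: an operator-maintained list; these names are hypothetical.
PROTECTED_VMS = {"DC01", "DC02"}
# A protected VM powered off shortly before its disk shows up elsewhere is
# the disk-swap pattern; 30 minutes is a tuning choice, not a vendor value.
POWER_OFF_WINDOW = timedelta(minutes=30)

# Datastore path as vSphere prints it: "[datastore] folder/file.vmdk".
VMDK_RE = re.compile(r"\[(?P<ds>[^\]]+)\]\s*(?P<folder>[^/\s]+)/(?P<file>\S+\.vmdk)")


@dataclass
class Finding:
    time: datetime
    severity: str
    rule: str
    detail: str


def hunt(events):
    """Return findings in time order; input events may arrive out of order."""
    findings = []
    last_power_off = {}  # protected VM name -> time it was last powered off
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        kind = ev["type"]
        who = f"{ev.get('user', '?')} on {ev.get('host', '?')}"
        if kind == "esx.audit.ssh.enabled":
            findings.append(Finding(t, "medium", "esxi_ssh_enabled",
                                    f"SSH enabled by {who}"))
        elif kind == "VmPoweredOffEvent" and ev.get("vm") in PROTECTED_VMS:
            last_power_off[ev["vm"]] = t
        elif kind == "VmReconfiguredEvent":
            m = VMDK_RE.search(ev.get("detail", ""))
            if not m:
                continue  # reconfiguration that did not add a disk
            owner = m.group("folder")
            if owner == ev.get("vm"):
                continue  # disk lives in the VM's own folder: routine
            severity = "high" if owner in PROTECTED_VMS else "low"
            off = last_power_off.get(owner)
            if off is not None and timedelta(0) <= t - off <= POWER_OFF_WINDOW:
                severity = "critical"  # power-off then attach elsewhere
            findings.append(Finding(t, severity, "cross_vm_disk_attach",
                                    f"{ev.get('vm')} attached {m.group(0)} "
                                    f"owned by {owner}, by {who}"))
    return findings


# Constructed sample events (not real telemetry); hosts and VMs are hypothetical.
SAMPLE_EVENTS = [
    {"time": "2025-07-24T11:30:00", "type": "VmReconfiguredEvent", "vm": "web01",
     "host": "esx-prod-02", "user": "VSPHERE.LOCAL\\svc-deploy",
     "detail": "Reconfigured web01. Added disk [vsanDatastore] web01/web01_1.vmdk"},
    {"time": "2025-07-24T09:02:11", "type": "esx.audit.ssh.enabled",
     "host": "esx-prod-07", "user": "root", "detail": "SSH access has been enabled."},
    {"time": "2025-07-24T09:10:40", "type": "VmPoweredOffEvent", "vm": "DC01",
     "host": "esx-prod-07", "user": "VSPHERE.LOCAL\\Administrator"},
    {"time": "2025-07-24T09:12:05", "type": "VmReconfiguredEvent", "vm": "scratch-vm",
     "host": "esx-prod-07", "user": "root",
     "detail": "Reconfigured scratch-vm. Added disk [vsanDatastore] DC01/DC01.vmdk"},
    {"time": "2025-07-23T14:00:00", "type": "VmReconfiguredEvent", "vm": "app02",
     "host": "esx-prod-02", "user": "VSPHERE.LOCAL\\svc-deploy",
     "detail": "Reconfigured app02. Added disk [vsanDatastore] templates/base.vmdk"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.time:%Y-%m-%d %H:%M} {f.severity:8} {f.rule:22} {f.detail}")
```

On the sample, the routine disk add to `web01` is ignored, the template attach to `app02` is reported as low, the SSH enablement on `esx-prod-07` as medium, and the `DC01.vmdk` attach to `scratch-vm` ninety seconds after `DC01` was powered off as critical. The ESXi audit events only reach a SIEM if the hosts forward syslog off-box, which is part of the virtualization-layer defense the bullets above describe.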