Deploying VSOCKpuppet: Unmasking how Chinese Threat Actors Exploited ESXi Zero-Days Before Disclosure

Jan 8, 2026 | By Santosh Sethuraman | 5 min read

Network virtualization infrastructure continues to be a high-value target for well-resourced threat actors. Recent analysis has revealed a sophisticated intrusion campaign in which Chinese-speaking attackers leveraged undeclared zero-day vulnerabilities in VMware ESXi hypervisor environments, possibly months before those flaws were publicly disclosed, to obtain deep, persistent access and enable virtual machine (VM) escape from guest systems into the host hypervisor.

At the center of this activity is a bespoke exploit toolkit orchestrated by advanced attackers, with clear signs of pre-disclosure development and covert deployment. The campaign underscores the growing risk that state-aligned adversaries pose to critical infrastructure built on virtualized platforms.

Background on ESXi VM Escape Exploitation

These operations are distinct from large-scale ransomware or commodity malware campaigns. Instead, they reflect the hallmarks of advanced espionage and targeted compromise:

  • Long-Term Exploitation: Indicators suggest the exploit toolkit known as MAESTRO was developed and used more than a year before public disclosure of the underlying vulnerabilities.
  • Complex Exploit Chain: The attack combines multiple vulnerabilities in sequence to achieve hypervisor compromise and persistence.
  • Stealth & Evasion: Techniques such as modifying firewall rules post-compromise and using unsigned drivers hint at efforts to evade detection.
  • Targeted Objective: Full control over ESXi hosts allows attackers to reach all hosted guest VMs and potentially stage further lateral movement.

Campaign Overview

The timeline and methodology of the observed campaign reveal a sophisticated multi-stage attack designed to bypass defenses and deeply entrench within virtual infrastructure.

Primary Targets

  • Enterprise and datacenter VMware ESXi environments.
  • Networks with externally accessible VPN gateways (compromised for initial access).

Key Characteristics

  • Initial Access Vector: Compromised SonicWall VPN appliances provided the foothold for entering target environments.
  • Exploit Chain: The custom toolkit MAESTRO chained multiple ESXi vulnerabilities to achieve VM escape into the hypervisor.
  • Lateral Movement: Use of domain credentials to move within corporate networks.
  • Persistence: Deployment of backdoor components that maintain control over ESXi and guest VMs.

Vulnerability Details

The campaign relied on a chained exploitation of multiple VMware ESXi zero-day vulnerabilities, enabling attackers to escape from a guest VM and gain control of the underlying hypervisor. Evidence indicates these flaws were exploited in the wild long before public disclosure.

These flaws were collectively addressed in VMware’s advisory VMSA-2025-0004 in March 2025, but evidence shows exploit development as early as February 2024, predating disclosure by over a year.

Infection & Exploitation Method

Initial Access

Attackers initially gained access through a compromised SonicWall VPN appliance, likely using it to pivot into the corporate network and escalate their privileges.

Exploitation Chain

Once inside, a coordinated exploit suite named MAESTRO carried out the following steps:

  1. Disable VMCI drivers to weaken OS kernel integrity checks.
  2. Deploy an unsigned exploit driver via Bring-Your-Own-Driver (BYOD) techniques to bypass signature enforcement.
  3. Leak VMX process memory to circumvent Address Space Layout Randomization (ASLR).
  4. Trigger chained vulnerability exploits to break out of the VM sandbox and gain kernel-level access.

Payload & Persistence

After gaining hypervisor control, the attackers installed a backdoor dubbed VSOCKpuppet, which leverages ESXi’s VSOCK communication channels to:

  • Maintain remote control from guest VMs.
  • Evade traditional VM-to-host monitoring.
  • Restore drivers to reduce forensic detection.

Defense Evasion

The campaign included efforts to suppress detection and complicate incident response:

  • Modified firewall rules to obstruct external monitoring while maintaining internal traffic flow.
  • Unsigned driver loading, defeating kernel integrity checks.

The combination of stealthy memory manipulation and selective traffic shaping suggests the actors prioritized persistence and low visibility.

MITRE ATT&CK Techniques

Attack Flow

Compromised VPN Access -> ESXi Target Identification -> MAESTRO Exploit Deployment -> VMCI Disablement & Memory Leak -> VM Escape (Zero-Day Chain) -> Hypervisor Compromise -> VSOCKpuppet Backdoor -> Persistent Control of All Guest VMs

Mitigation Steps

Given the long-standing and covert nature of this exploitation campaign, urgent defensive measures are essential:

  • Patch ESXi Hosts: Apply VMware’s latest updates based on the security advisory immediately.
  • Harden VPN Infrastructure: Ensure VPN appliances are up-to-date and segmented, with strict access controls.
  • Network Segmentation: Limit VPN access to critical internal systems only; isolate virtualization management interfaces.
  • Monitor VSOCK Activity: Watch for unusual inter-VM socket traffic, which may signal stealthy C2 activity.
  • Review Firewall Policies: Detect unexpected rule changes and unauthorized openings that could facilitate lateral movement.
  • Credential Hygiene: Reset domain and privileged account credentials if compromise is suspected.
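The "Review Firewall Policies" step above can be made repeatable by baselining the host firewall. The following script is an added example and is not part of the original post or any SecPod tooling: it parses the two-column table that `esxcli network firewall ruleset list` prints on an ESXi host and reports rulesets whose enabled state differs from an approved baseline. The sample command output and the baseline set are constructed for this example; a real deployment would capture the output from each host (for example over SSH or via a scheduled job) and keep the baseline in version control.

```python
"""Baseline check for ESXi firewall rulesets.

Parses the table printed by `esxcli network firewall ruleset list` and
reports rulesets whose enabled state differs from an approved baseline.
Both the sample output and the baseline below are constructed for this
example and do not come from a real host.
"""

# Constructed sample of `esxcli network firewall ruleset list` output.
# The command prints a Name column and an Enabled column (true/false).
SAMPLE_RULESET_OUTPUT = """\
Name                         Enabled
---------------------------  -------
sshServer                    true
sshClient                    true
nfsClient                    false
vpxHeartbeats                true
updateManager                false
httpClient                   true
CIMHttpServer                false
dhcp                         true
"""

# Constructed baseline: the rulesets that are expected to be enabled on
# this host. Anything else found enabled is reported, as is any baseline
# ruleset that has been switched off.
APPROVED_ENABLED = {"sshServer", "vpxHeartbeats", "dhcp", "updateManager"}


def parse_ruleset_list(text):
    """Return {ruleset_name: enabled_bool} parsed from the esxcli table."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        # Skip blank lines, the column header and the dashed separator.
        if not line or line.startswith("Name") or line.startswith("-"):
            continue
        columns = line.split()
        if len(columns) != 2:
            raise ValueError(f"unexpected ruleset line: {line!r}")
        name, state = columns
        rules[name] = state.lower() == "true"
    return rules


def audit_rulesets(rules, approved_enabled):
    """Compare parsed rulesets with the baseline.

    Returns (unexpected_enabled, missing_enabled), both sorted lists:
      unexpected_enabled - enabled on the host but not in the baseline
      missing_enabled    - in the baseline but currently disabled
    """
    enabled = {name for name, is_on in rules.items() if is_on}
    unexpected = sorted(enabled - approved_enabled)
    missing = sorted(approved_enabled - enabled)
    return unexpected, missing


if __name__ == "__main__":
    parsed = parse_ruleset_list(SAMPLE_RULESET_OUTPUT)
    unexpected, missing = audit_rulesets(parsed, APPROVED_ENABLED)
    for name in unexpected:
        print(f"ALERT: ruleset '{name}' is enabled but not in the baseline")
    for name in missing:
        print(f"ALERT: baseline ruleset '{name}' has been disabled")
    if not unexpected and not missing:
        print("OK: firewall rulesets match the baseline")
```

Run against the constructed sample, the script flags `httpClient` and `sshClient` as enabled outside the baseline and `updateManager` as a baseline ruleset that has been disabled. The same parse-and-diff approach applies to the per-ruleset allowed-IP lists (`esxcli network firewall ruleset allowedip list`), which is where a widened source range would show up; alerting on either kind of drift is what turns the "detect unexpected rule changes" recommendation into a concrete control.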

Instantly Fix Risks with Saner Patch Management

Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.
