Hypervisor Hangover: Persistence Mechanisms on ESXi
As FIN groups continue to execute fast-impact ransomware campaigns and nation-state APTs favor long-term infrastructure control, hypervisors have become the new high ground. This talk explores a set of stealthy, reliable persistence techniques targeting VMware ESXi, developed and refined through hands-on research and real-world incident analysis.
Joseph Comps, Threat Intelligence Analyst at Vali Cyber, and Nathan Montierth, Vali Cyber’s Threat Intelligence Lead, will break down five practical persistence mechanisms that allow adversaries to remain resident in virtualized environments—even through reboots, patching cycles, and partial remediation efforts. These include:
Payload injection via local.sh and profile.local
Malicious services in /etc/init.d
Symlink hijacking of trusted binaries (for example, esxcli)
Custom VIB (vSphere Installation Bundle) creation and implantation
Each approach is designed to leverage living-off-the-land (LOTL) native binaries and configuration paths, turning ESXi’s minimalism into an attacker’s advantage. If you’re responsible for red team ops, adversary emulation, or just curious how attackers achieve deep infrastructure persistence, this session will show you a few different ways to persist beneath the hypervisor.
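The following audit script is a defender-side counterpart to the four locations listed above. It is an added example, not code from the talk or from Vali Cyber. It assumes the standard ESXi paths (/etc/rc.local.d/local.sh, /etc/profile.local, /etc/init.d, /bin/esxcli), an /etc/init.d baseline and an expected esxcli link target that an operator has recorded from a known-good host, and it runs over a constructed fixture tree and a constructed `esxcli software vib list` sample rather than a live hypervisor.

```shell
#!/bin/sh
# Added audit example; not code from the talk or from Vali Cyber. It checks
# the persistence locations named in the abstract. ESXi paths assumed:
# /etc/rc.local.d/local.sh, /etc/profile.local, /etc/init.d, /bin/esxcli.
# The init.d baseline and the expected esxcli link target are assumptions a
# defender records from a known-good host; the fixture below is constructed.

# Report lines in a startup script that are not blank, comments, or the stock 'exit 0'.
check_startup_script() {
  f=$1
  [ -f "$f" ] || return 0
  grep -v -E '^[[:space:]]*(#|$)' "$f" \
    | grep -v -x -E '[[:space:]]*exit 0[[:space:]]*' \
    | sed "s|^|UNEXPECTED $f: |"
  return 0
}

# Report /etc/init.d entries absent from a space-separated baseline list.
check_initd() {
  dir=$1; baseline=$2
  for f in "$dir"/*; do
    [ -e "$f" ] || continue
    name=$(basename "$f")
    case " $baseline " in
      *" $name "*) ;;
      *) echo "UNKNOWN_SERVICE $name" ;;
    esac
  done
  return 0
}

# Report a trusted binary whose symlink does not resolve under the expected prefix.
check_binary_link() {
  link=$1; expected_prefix=$2
  if [ ! -L "$link" ]; then
    echo "NOT_A_SYMLINK $link"
    return 0
  fi
  target=$(readlink "$link")
  case "$target" in
    "$expected_prefix"*) ;;
    *) echo "BAD_LINK_TARGET $link -> $target" ;;
  esac
  return 0
}

# Read 'esxcli software vib list' output on stdin; report VIBs at the
# CommunitySupported acceptance level, which a hardened host normally should not carry.
check_vib_list() {
  awk '$(NF-1) == "CommunitySupported" { print "REVIEW_VIB " $1 " " $(NF-1) }'
}

# Run every file-system check against a root (/ on a live host, a fixture here).
audit_host() {
  root=$1; initd_baseline=$2
  check_startup_script "$root/etc/rc.local.d/local.sh"
  check_startup_script "$root/etc/profile.local"
  check_initd "$root/etc/init.d" "$initd_baseline"
  check_binary_link "$root/bin/esxcli" "/usr/lib/vmware/esxcli/bin/esxcli"
  return 0
}

# Constructed fixture: stock files plus one tampered example of each mechanism.
make_fixture() {
  root=$1
  mkdir -p "$root/etc/rc.local.d" "$root/etc/init.d" "$root/bin"
  printf '#!/bin/sh\n# local configuration options\n/tmp/injected_example &\nexit 0\n' \
    > "$root/etc/rc.local.d/local.sh"
  printf '# profile.local (constructed, clean)\n' > "$root/etc/profile.local"
  : > "$root/etc/init.d/hostd"
  : > "$root/etc/init.d/vpxa"
  : > "$root/etc/init.d/extra_service"
  ln -s /tmp/injected_example "$root/bin/esxcli"
}

# Constructed sample of 'esxcli software vib list' output (not from a real host).
SAMPLE_VIB_LIST='Name           Version   Vendor   Acceptance Level    Install Date
-------------  --------  -------  ------------------  ------------
esx-base       8.0.0-1   VMware   VMwareCertified     2024-01-15
example-agent  1.0.0-1   Example  CommunitySupported  2024-06-01'

# Demo run against the fixture; on a live host call audit_host / "hostd vpxa ..."
demo_dir=$(mktemp -d)
make_fixture "$demo_dir"
audit_host "$demo_dir" "hostd vpxa"
printf '%s\n' "$SAMPLE_VIB_LIST" | check_vib_list
rm -rf "$demo_dir"
```

The checks are deliberately baseline-driven: a clean local.sh and profile.local contain nothing but comments and `exit 0`, the service directory on a given build has a fixed membership, and the esxcli symlink has one legitimate target, so any deviation is worth a ticket even before its content is analysed. The VIB check belongs alongside them because a bundle installed with a lowered acceptance level survives reboots and patching just as the file-level mechanisms do.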
About the Speakers
Joseph Comps, Threat Intelligence Analyst, Vali Cyber
Joe is a Threat Intelligence analyst at Vali Cyber and conducts various Red Team assessments for the company. He has a Bachelor’s Degree in Cybersecurity from the University of Maryland, and spent the majority of his initial career in the Marine Corps and Air Force Special Warfare.
Nathan Montierth, Threat Intelligence Lead, Vali Cyber
Nathan leads the Threat Intelligence team at Vali Cyber. He graduated with a degree in Computer Science from the US Air Force Academy and spent his early career in offensive cyber operations with the US Air Force.