WEEKLY THREAT ROUNDUP

August 1

In this week’s roundup, we examine Fire Ant’s hypervisor-level espionage campaign, Scattered Spider’s ransomware deployment through VMware ESXi, a third-party breach affecting most Allianz Life US customers, ShinyHunters’ involvement in high-profile data thefts targeting Qantas and LVMH, and fresh FBI and CISA warnings about Scattered Spider’s evolving tactics. Read on!

Threat RoundUp - August 1st, 2025

Fire Ant: A Deep-Dive into Hypervisor-Level Espionage

Sygnia’s investigation into Operation Fire Ant reveals a rare and highly sophisticated espionage campaign targeting VMware ESXi at the hypervisor level. Believed to be backed by a Chinese state-sponsored threat group, the operation leveraged compromised vCenter servers to implant stealthy persistence mechanisms, bypassing traditional detection by abusing native binaries and host startup scripts.


Joseph Comps, Threat Intelligence Analyst:
“Groups like ‘Fire Ant’ (suspected to be UNC3886) are still actively exploiting CVE-2023-34048 (a two-year-old out-of-bounds write vulnerability in vCenter Server’s DCERPC protocol) to bypass authentication mechanisms and compromise ESXi hypervisors for long-term persistence. These threat actors continue to prefer targeting virtualization and hypervisor infrastructure for initial access and lateral movement to critical systems, due to the difficulty of detection and the resilience of such environments against eradication efforts.”

On Fire Ant: A Deep-Dive into Hypervisor-Level Espionage


Chris Goodman, Director of Solutions Engineering:
“Scattered Spider is now targeting VMware ESXi and vCenter servers using advanced social engineering to reset credentials, enable SSH, extract Active Directory data, disable backups, and deploy ransomware directly from the hypervisor layer—all within hours. This shift highlights the urgent need for infrastructure-aware defenses: harden vSphere (lockdown mode, disable SSH, VM encryption), enforce phishing-resistant MFA, segment Tier 0 assets, and strengthen monitoring for suspicious admin activity. Hypervisor security can no longer be an afterthought.”

On Scattered Spider Hijacks VMware ESXi to Deploy Ransomware on Critical U.S. Infrastructure
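The monitoring point in the quote above (the lockdown-off, SSH-on, shell-on sequence that precedes credential theft and ransomware deployment) as an added example; this is not code from the roundup or from any vendor it cites. It assumes ESXi vobd.log audit lines have been syslog-forwarded with the host name prepended, and it assumes the event IDs esx.audit.lockdownmode.disabled, esx.audit.ssh.enabled and esx.audit.shell.enabled are what record those three changes (verify against vobd.log on your own hosts). The log lines are constructed. It goes slightly beyond the quote by clustering events per host inside a time window, so a single lockdown change during planned maintenance does not fire while two or more playbook steps within an hour do.

```python
"""Correlate ESXi audit events into a hypervisor-takeover alert.

Added example, not code from the roundup or its sources. Input lines are
constructed, syslog-forwarded vobd.log entries; the esx.audit.* event IDs are
assumed names for the steps described in the write-up.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Playbook steps the description calls out (lockdown off, SSH on, shell on),
# keyed by the vobd audit event assumed to record each one.
PLAYBOOK_STEPS = {
    "esx.audit.lockdownmode.disabled": "lockdown mode disabled",
    "esx.audit.ssh.enabled": "SSH enabled",
    "esx.audit.shell.enabled": "ESXi Shell enabled",
}

# Expected shape: <timestamp> <host> vobd: [<correlator>] <uptime>us: [<event id>] <message>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+vobd:.*?\[(?P<event>esx\.audit\.[\w.]+)\]\s*(?P<msg>.*)$"
)

# Constructed sample: esxi-prod-03 walks the playbook in under two minutes (lines
# deliberately out of order); esxi-lab-01 has a maintenance lockdown change and an
# SSH enable hours apart; one hostd line and one unrelated audit event are noise.
LOG_LINES = """\
2025-07-28T02:12:05.003Z esxi-prod-03 vobd: [UserLevelCorrelator] 8837012us: [esx.audit.ssh.enabled] SSH access has been enabled.
2025-07-28T02:11:40.512Z esxi-prod-03 vobd: [UserLevelCorrelator] 8812345us: [esx.audit.lockdownmode.disabled] Administrative access to the local host is enabled (lockdown mode disabled).
2025-07-28T02:13:19.770Z esxi-prod-03 vobd: [UserLevelCorrelator] 8911700us: [esx.audit.shell.enabled] ESXi Shell has been enabled.
2025-07-28T02:13:30.000Z esxi-prod-03 hostd: constructed non-audit noise line
2025-07-27T09:00:00.000Z esxi-lab-01 vobd: [UserLevelCorrelator] 100us: [esx.audit.lockdownmode.disabled] Administrative access to the local host is enabled (lockdown mode disabled).
2025-07-27T09:00:30.000Z esxi-lab-01 vobd: [GenericCorrelator] 130us: [esx.audit.host.boot] Host has booted.
2025-07-27T14:30:00.000Z esxi-lab-01 vobd: [UserLevelCorrelator] 200us: [esx.audit.ssh.enabled] SSH access has been enabled.
"""


def parse_event(line):
    """Return (time, host, step) for a playbook-relevant audit line, else None."""
    m = LINE_RE.match(line)
    if not m or m.group("event") not in PLAYBOOK_STEPS:
        return None
    ts = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
    return ts, m.group("host"), PLAYBOOK_STEPS[m.group("event")]


def correlate(lines, window_minutes=60, min_steps=2):
    """Cluster playbook events per host; alert when a cluster holds >= min_steps distinct steps.

    A cluster is a run of time-sorted events that all fall within window_minutes of
    the cluster's first event, so a lone lockdown change for maintenance does not
    fire, but lockdown off followed by SSH on within the window does.
    """
    window = timedelta(minutes=window_minutes)
    by_host = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev:
            by_host[ev[1]].append((ev[0], ev[2]))

    alerts = []
    for host in sorted(by_host):
        events = sorted(by_host[host])
        i = 0
        while i < len(events):
            start = events[i][0]
            j = i
            while j < len(events) and events[j][0] - start <= window:
                j += 1
            steps = [step for _, step in events[i:j]]
            if len(set(steps)) >= min_steps:
                alerts.append({"host": host, "start": start, "end": events[j - 1][0], "steps": steps})
            i = j
    return alerts


if __name__ == "__main__":
    for a in correlate(LOG_LINES.splitlines()):
        print(f"ALERT {a['host']}: {' -> '.join(a['steps'])} "
              f"between {a['start']:%H:%M:%S} and {a['end']:%H:%M:%S}")
```

Run as written it raises one alert, for esxi-prod-03, and stays silent on the lab host; widening the window to six hours also catches the lab host's two changes, which is the trade-off to tune against your own maintenance cadence. In production the same logic belongs in the SIEM rule that receives the forwarded vobd.log stream, with the vCenter-side events (password resets, VM reconfiguration that attaches a domain controller's disk, backup job changes) added as further steps.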


Scattered Spider Hijacks VMware ESXi to Deploy Ransomware on Critical U.S. Infrastructure

Scattered Spider is now hijacking VMware ESXi hypervisors to maintain persistent access and evade detection, marking a dangerous escalation in its ransomware tactics against enterprise infrastructure.

Third-Party Breach Impacts Majority of Allianz Life US Customers

A breach of a third-party, cloud-based CRM platform used by Allianz Life has exposed personal information belonging to the majority of its US customers. The incident highlights ongoing supply chain risk and the importance of vetting third-party vendors, and the SaaS platforms they operate on the company's behalf, for cybersecurity resilience.

ShinyHunters behind Salesforce data theft attacks at Qantas, Allianz Life, and LVMH

ShinyHunters has been linked to the recent data theft attacks exploiting Salesforce systems at Qantas, Allianz Life, and LVMH, underscoring the growing threat of supply chain compromises targeting cloud-based platforms.

FBI, CISA warn about Scattered Spider’s Evolving Tactics

The FBI and CISA issued a joint advisory detailing Scattered Spider’s advanced social engineering and persistence tactics, urging organizations to strengthen identity verification and access controls across their environments.