S1218 VIRTUALPIE
VIRTUALPIE is a lightweight backdoor written in Python that spawns an IPv6 listener on a VMware ESXi server and features command line execution, file transfer, and reverse shell capabilities. VIRTUALPIE has been in use since at least 2022, including by UNC3886, which installed it via malicious vSphere Installation Bundles (VIBs).[1]
| Item | Value |
|---|---|
| ID | S1218 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 04 June 2025 |
| Last Modified | 04 June 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.006 | Python | VIRTUALPIE is a Python-based backdoor malware.[1][2] |
| enterprise | T1059.012 | Hypervisor CLI | VIRTUALPIE is capable of command line execution on compromised ESXi servers.[1] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | VIRTUALPIE can use a custom RC4 encrypted protocol for C2 communications.[1][2] |
| enterprise | T1570 | Lateral Tool Transfer | VIRTUALPIE has file transfer capabilities.[1] |
| enterprise | T1571 | Non-Standard Port | VIRTUALPIE has created listeners on hard-coded TCP port 546.[1] |
| enterprise | T1505 | Server Software Component | - |
| enterprise | T1505.006 | vSphere Installation Bundles | VIRTUALPIE has been installed on VMware ESXi servers through malicious vSphere Installation Bundles (VIBs).[1] |
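A defender-side check for the listener described above (IPv6, hard-coded TCP port 546), added here as an example and not part of this ATT&CK entry or of any referenced report: it parses socket-list text in the column layout of `esxcli network ip connection list` and flags IPv6 TCP sockets in LISTEN state on port 546. The column layout is assumed from that command's output, and the sample rows, world IDs and world names are constructed.

```python
import re

SUSPECT_PORT = 546  # hard-coded listener port reported for VIRTUALPIE

# Constructed sample in the layout of `esxcli network ip connection list`.
# Only the third row is an IPv6 wildcard listener on 546 (the VIRTUALPIE pattern).
SAMPLE_OUTPUT = """\
Proto  Recv Q  Send Q  Local Address    Foreign Address    State        World ID  CC Algo  World Name
-----  ------  ------  ---------------  -----------------  -----------  --------  -------  ----------
tcp    0       0       127.0.0.1:80     0.0.0.0:0          LISTEN       2098470   newreno  rhttpproxy
tcp    0       0       10.0.0.5:443     10.0.0.9:51322     ESTABLISHED  2098471   newreno  rhttpproxy
tcp    0       0       [::]:546         [::]:0             LISTEN       2100123   newreno  python
"""


def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (addr, port, is_ipv6)."""
    m = re.fullmatch(r"\[(.+)\]:(\d+)", endpoint)
    if m:
        return m.group(1), int(m.group(2)), True
    addr, _, port = endpoint.rpartition(":")
    return addr, int(port), False


def find_suspect_listeners(text, port=SUSPECT_PORT):
    """Return IPv6 TCP sockets in LISTEN state on `port`, with owning world."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        # Skip header, separator, non-TCP rows and sockets that are not listening.
        if len(fields) < 7 or fields[0] != "tcp" or fields[5] != "LISTEN":
            continue
        _, lport, is_v6 = split_endpoint(fields[3])
        if is_v6 and lport == port:
            hits.append({"local": fields[3], "world_id": fields[6], "world": fields[-1]})
    return hits


if __name__ == "__main__":
    for h in find_suspect_listeners(SAMPLE_OUTPUT):
        print(f"suspect IPv6 listener {h['local']} (world {h['world_id']}, {h['world']})")
```

On a live host, pipe the real command output into `find_suspect_listeners` and treat any hit owned by a python world as a reason to pull the VIB inventory and the process tree for that world.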
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G1048 | UNC3886 | [1][3][2][4] |
References
- [1] Alexander Marvi, Jeremy Koppen, Tufail Ahmed, and Jonathan Lepore. (2022, September 29). Bad VIB(E)s Part One: Investigating Novel Malware Persistence Within ESXi Hypervisors. Retrieved March 26, 2025.
- [2] Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew Potaczek, Jakub Jozwiak, and Alex Marvi. (2024, June 18). Cloaked and Covert: Uncovering UNC3886 Espionage Operations. Retrieved September 24, 2024.
- [3] Alexander Marvi, Brad Slaybaugh, Ron Craft, and Rufus Brown. (2023, June 13). VMware ESXi Zero-Day Used by Chinese Espionage Actor to Perform Privileged Guest Operations on Compromised Hypervisors. Retrieved March 26, 2025.
- [4] Marvi, A. et al. (2023, March 16). Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation. Retrieved March 22, 2023.