China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines


Key Takeaways:

  • Discovery of the MAESTRO toolkit used for advanced guest-to-host hypervisor escapes.
  • Exploitation of three critical VMware zero-days (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226) before public disclosure.
  • Insights into the Chinese contractor ecosystem, specifically the offensive operations of Knownsec and the 404 Lab.
  • Technical details on VSOCKpuppet, a backdoor that bypasses traditional network monitoring via Virtual Sockets.
  • Strategic defensive recommendations for securing virtualization infrastructure and monitoring supply chain risks.


In late 2025, technical analysis revealed a targeted campaign in which China-linked hackers exploited VMware ESXi zero-days to escape virtual machines. The intrusion used a sophisticated toolkit, designated MAESTRO, to bypass guest-to-host isolation and achieve code execution on the underlying hypervisor. The activity, observed in December 2025, involved the exploitation of three specific vulnerabilities (CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226), which Broadcom disclosed as zero-days in March 2025. These vulnerabilities allow an attacker with administrative privileges on a guest virtual machine (VM) to leak memory from, or execute code within, the Virtual Machine Executable (VMX) process.

The campaign utilized a compromised SonicWall VPN appliance as the initial access vector. Following successful entry, the threat actors deployed an exploit chain that researchers believe was developed as early as February 2024, more than a year before public disclosure. This timeline suggests a well-resourced development environment consistent with state-aligned contractor operations. PurpleOps provides a cyber threat intelligence platform that tracks these specific advanced persistent threat (APT) toolsets to assist organizations in early breach detection.

The Technical Orchestration of the Escape

The technical orchestration of this escape relies on a multi-component toolkit that prioritizes stealth and direct communication with the ESXi host. The primary orchestrator, exploit.exe (MAESTRO), utilizes several embedded binaries to facilitate the attack. These include devcon.exe, used to disable guest-side VMCI drivers, and MyDriver.sys, an unsigned kernel driver that contains the core exploit logic.

To bypass modern operating system protections, the actors load MyDriver.sys into kernel memory using the open-source Kernel Driver Utility (KDU). Once the driver is active, it identifies the specific ESXi version running on the host and triggers the exploit chain for CVE-2025-22226 and CVE-2025-22224. This allows the attacker to write shellcode directly into the memory of the VMX process.

The MAESTRO Toolkit and VSOCKpuppet Persistence

The final stage of the escape exploits CVE-2025-22225, an arbitrary write vulnerability described by VMware as a “sandbox escape.” The toolkit overwrites a function pointer within the VMX process, redirecting legitimate code execution to the attacker’s shellcode. Once the shellcode executes, it establishes a foothold on the ESXi host via a 64-bit ELF backdoor called VSOCKpuppet.

VSOCKpuppet communicates over Virtual Sockets (VSOCK) port 10000. This is a critical technical detail because VSOCK facilitates direct communication between the guest VM and the hypervisor, bypassing traditional network stacks. This communication is invisible to standard network monitoring tools, making detection of the backdoor traffic difficult without specialized real-time ransomware intelligence and host-level monitoring. A secondary binary, client.exe (GetShell Plugin), allows the actors to send commands from any guest Windows VM on the compromised host to the compromised ESXi layer.

The toolkit’s development paths include simplified Chinese strings, such as “全版本逃逸–交付” (translated: “All version escape – delivery”). This points to a developer operating in a Chinese-speaking region with access to high-end offensive research.

Broadening the Threat: Trend Micro and Condé Nast Breaches

While the VMware exploitation represents a high-tier technical intrusion, other recent vulnerabilities and breaches demonstrate the diverse tactics used by contemporary threat actors. Trend Micro recently addressed a critical remote code execution (RCE) flaw in on-premise versions of Apex Central for Windows. Tracked as CVE-2025-69258 with a CVSS score of 9.8, this vulnerability involves LoadLibraryEx. An unauthenticated remote attacker can load a malicious DLL into a key executable, resulting in code execution under the SYSTEM context.

Additionally, two denial-of-service (DoS) vulnerabilities (CVE-2025-69259 and CVE-2025-69260) were identified in the same MsgReceiver.exe component. These flaws underscore the necessity for rapid patch management and supply-chain risk monitoring, so that endpoint security managers do not themselves become the primary entry point for attackers.

In the realm of data theft, a hacker using the alias “Lovely” claimed to be selling nearly 40 million user records from Condé Nast. The dataset reportedly includes email addresses, phone numbers, and physical addresses. Organizations can utilize a dark web monitoring service to identify if their corporate credentials or brand assets are appearing in these illicit markets. This type of brand leak alerting is essential for mitigating the fallout of third-party breaches.

The Contractor Ecosystem: Insights from the Knownsec Leak

The sophistication seen in the ESXi zero-day exploits is better understood by examining the internal operations of Chinese cyber contractors. In late 2025, a significant data leak from the Chinese firm “Knownsec” (知道创宇) provided a detailed view of the offensive intelligence pipeline supporting state operations. While Knownsec publicly positions itself as a defensive security provider, the leaked documents reveal a deep integration with China’s security and military apparatus.

Knownsec operates via specialized divisions like the 404 Lab, which focuses on exploit research and offensive engineering. The leaked materials show that Knownsec provides tools for identity tracking, infrastructure reconnaissance, and targeted intrusions to Public Security Bureaus (PSBs) and defense research institutes.

The company’s architecture is optimized for a multi-layered production line:

  • Strategic Layer: Executive leadership aligns project goals with national strategic priorities.
  • Operational Layer: Project managers oversee the integration of toolsets like the GhostX offensive platform and the Un-Mail email interception tool.
  • Technical Layer: Engineers develop specific exploits, radar algorithms for network mapping, and data-fusion systems.

Global Reconnaissance and TargetDB

A central component of the Knownsec ecosystem is ZoomEye, a global cyberspace mapping platform. Unlike public scanners, ZoomEye functions as a persistent intelligence sensor grid with over 40,000 component fingerprints and a 7-to-10-day recrawl cycle. This data feeds into TargetDB (关基目标库), a library containing over 378 million classified IPs and 24,000 organizations.

TargetDB annotates critical infrastructure across 26 geographic regions, including military units, government ministries, and telecom operators. This scale of data collection supports social-engineering efforts by providing the necessary PII to de-anonymize targets through correlations with LinkedIn, Yahoo, and Facebook info.

Offensive Capabilities: GhostX and Passive Radar

Knownsec’s “GhostX” suite is a multi-vector exploitation framework designed for browser fingerprinting, password extraction, and DNS hijacking. It incorporates anti-forensic techniques like code mixing and signatureless execution to evade breach detection systems.

Another tool, Passive Radar (无源雷达), allows for internal network discovery without generating detectable traffic. By ingesting packet capture (PCAP) data, it identifies internal IP schemes and lateral-movement opportunities. For defenders, these capabilities highlight the importance of using a cyber threat intelligence platform to monitor for the specific TTPs associated with these contractor-developed tools.

Technical Analysis of Indicators of Compromise (IOCs)

The Knownsec leak and the VMware campaign provide specific IOCs and behavioral patterns. Targeted assets included Fortinet and Sophos gateways at major insurance companies and banks in Taiwan, such as:

  • Nan Shan Life Insurance: 210.242.194.198 (Fortinet FortiGate)
  • Hua Nan Commercial Bank: 219.80.43.14 (Fortinet FortiGate)
  • Taipower: 61.65.236.240 (Check Point SVN)

Organizations should utilize a live ransomware API to automate the blocking of known malicious infrastructure as it is identified by intelligence feeds.

Practical Takeaways for Technical and Non-Technical Readers

For Technical Teams and Engineers:

  • Hypervisor Isolation: Implement strict network segmentation for ESXi management interfaces.
  • Log Correlation: Monitor for unusual driver loading events, specifically the use of the Kernel Driver Utility (KDU).
  • Patching Priority: Prioritize patches for virtualization software and VPN appliances.

For Business Leaders and Managers:

PurpleOps Expertise in Hypervisor and APT Defense

PurpleOps specializes in identifying and mitigating high-tier threats like those demonstrated in the VMware ESXi zero-day campaign. By leveraging real-time ransomware intelligence and advanced breach detection methodologies, we assist organizations in hardening their virtualization environments.

Our teams provide deep-dive analysis of contractor-driven ecosystems. We integrate intelligence to ensure our clients are aware of new toolkits and exploitation techniques before they are widely deployed. Explore our resources to learn more:

Frequently Asked Questions

What are the primary CVEs used in the MAESTRO toolkit?
The toolkit exploits CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226. These vulnerabilities allow for memory leaks, arbitrary writes, and code execution within the ESXi VMX process.

How does VSOCKpuppet bypass network monitoring?
VSOCKpuppet communicates via Virtual Sockets (VSOCK), which facilitates direct traffic between a guest VM and the hypervisor. This path bypasses traditional virtual and physical network stacks, making it invisible to standard NIDS/NIPS tools.

What is the role of the Knownsec 404 Lab?
The 404 Lab is the offensive research division of Knownsec. It is responsible for developing zero-day exploits, advanced malware frameworks like GhostX, and maintaining reconnaissance databases for state-aligned operations.

How can organizations detect this type of hypervisor escape?
Detection requires host-level monitoring for unsigned driver loading (via KDU), auditing VSOCK activity on ESXi hosts, and monitoring for unusual VMX process behavior. Implementing a Zero Trust architecture and robust endpoint visibility is critical.
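As an added example (not code from this article or from PurpleOps), the following Python script implements the Log Correlation takeaway above and the detection answer in this FAQ: it runs three heuristics over constructed Sysmon-style JSON events and flags a guest VM only when several stages of the MAESTRO preparation sequence (devcon disabling VMCI, a KDU launch, an unsigned driver load) appear together. Field names follow Sysmon Event IDs 1 and 6; the host names, paths and command lines are constructed samples, and the `-map` argument is assumed for illustration.

```python
import json

# Constructed Sysmon-style events as JSON lines (EventID 1 = process create,
# EventID 6 = driver load). Sample data only, not telemetry from the campaign.
SAMPLE_EVENTS = r"""
{"host":"vm-fin-07","EventID":1,"Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c dir"}
{"host":"vm-fin-07","EventID":1,"Image":"C:\\Temp\\devcon.exe","CommandLine":"devcon.exe disable *VMCI*"}
{"host":"vm-fin-07","EventID":1,"Image":"C:\\Temp\\kdu.exe","CommandLine":"kdu.exe -map C:\\Temp\\MyDriver.sys"}
{"host":"vm-fin-07","EventID":6,"ImageLoaded":"C:\\Temp\\MyDriver.sys","Signed":"false","SignatureStatus":"Unavailable"}
{"host":"vm-hr-02","EventID":6,"ImageLoaded":"C:\\Windows\\System32\\drivers\\vmci.sys","Signed":"true","SignatureStatus":"Valid"}
"""

def _basename(path: str) -> str:
    """Last path component, tolerating Windows separators on any OS."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def rule_devcon_vmci_disable(e: dict) -> bool:
    """devcon.exe disabling a VMCI device: the guest-side prep step the article describes."""
    cmd = e.get("CommandLine", "").lower()
    return e.get("EventID") == 1 and _basename(e.get("Image", "")) == "devcon.exe" \
        and "disable" in cmd and "vmci" in cmd

def rule_kdu_execution(e: dict) -> bool:
    """Kernel Driver Utility launched (heuristic: image name starts with 'kdu')."""
    return e.get("EventID") == 1 and _basename(e.get("Image", "")).startswith("kdu")

def rule_unsigned_driver_load(e: dict) -> bool:
    """A driver loaded without a valid signature, e.g. MyDriver.sys mapped via KDU."""
    return e.get("EventID") == 6 and str(e.get("Signed", "")).lower() != "true"

RULES = [rule_devcon_vmci_disable, rule_kdu_execution, rule_unsigned_driver_load]

def scan(jsonl: str) -> dict:
    """Map host -> sorted list of rule names that fired on that host's events."""
    hits = {}
    for line in jsonl.strip().splitlines():
        event = json.loads(line)
        for rule in RULES:
            if rule(event):
                hits.setdefault(event["host"], set()).add(rule.__name__[len("rule_"):])
    return {host: sorted(names) for host, names in hits.items()}

def escape_prep_hosts(hits: dict, min_rules: int = 2) -> list:
    """Hosts where at least min_rules distinct stages fired: one hit alone is
    noisy (admins run devcon too), but the combination matches the chain."""
    return sorted(h for h, names in hits.items() if len(names) >= min_rules)

if __name__ == "__main__":
    findings = scan(SAMPLE_EVENTS)
    print(findings)
    print("investigate:", escape_prep_hosts(findings))
```

In production the same rules would be fed from a SIEM query rather than an inline string, and the VMCI/KDU heuristics should be tuned against your own baseline of legitimate driver-management activity.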