The Spider Hits the Airport After Flying in First Class
- Javier Conejo del Cerro
- 28 Jul
- 3 min read

In a campaign that mixes cunning with surgical precision, the cybercriminal group known as Scattered Spider is taking ransomware attacks to a new altitude. This notorious collective—also tracked under names like UNC3944, Octo Tempest, and Muddled Libra—is now actively targeting VMware ESXi hypervisors across critical U.S. infrastructure sectors, including retail, aviation, and transportation.
Rather than leveraging software vulnerabilities, the attackers rely on aggressive social engineering: they pick up the phone. By impersonating privileged users in well-crafted calls to IT support desks, they gain the credentials needed to pivot through Active Directory and virtual environments until they take control of the hypervisor layer itself. From there, they deploy custom ransomware, destroy backups, and encrypt systems at scale—entirely bypassing endpoint protections.
Victims: Admins on the Spider Web
Scattered Spider targets system administrators and IT help desk staff at major U.S. enterprises responsible for managing VMware vSphere environments and Active Directory. These victims are not chosen at random—the attackers carefully collect internal data such as org charts, onboarding guides, and IT documentation to convincingly impersonate high-privilege users.
This degree of preparation allows them to orchestrate convincing phone calls to IT support, during which they impersonate executives or privileged sysadmins and request urgent password resets. By exploiting routine identity verification weaknesses, they gain the first foothold in some of the most sensitive virtual infrastructure.
Breach Method: Eight-Legged Passwords and Hypervisor Control
The entry vector begins with targeted phone calls to internal IT support lines. Using names and roles gathered from company documents or LinkedIn scraping, Scattered Spider actors request password resets for Active Directory (AD) and VMware vSphere accounts belonging to privileged users. Once these credentials are reset and handed over by the help desk, the attackers immediately log into vCenter and ESXi.
Inside the virtual environment, they move quickly:
- SSH access is enabled on ESXi hosts (if not already active),
- A persistent reverse shell is deployed using Teleport, establishing covert control,
- They perform a “disk-swap” attack by detaching the virtual disk of a Domain Controller (DC), attaching it to another VM under their control, and extracting the NTDS.dit database.
This stolen database contains credential hashes, group policy information, and sensitive organizational data, which can be used to further infiltrate systems or resold on the dark web.
Once persistence and access are secured, the final stage of the breach begins. The attackers:
- Delete backup jobs, snapshots, and repositories to eliminate recovery options,
- Deploy a custom ransomware binary directly from the hypervisor via SCP or SFTP,
- Encrypt virtual machines and infrastructure without triggering endpoint detection tools.
This end-to-end chain—from initial compromise to full encryption—can occur in just a few hours.
Spiders grounded
To defend against the tactics used in this campaign, especially in environments relying on vSphere and ESXi, organizations should take the following countermeasures:
- Disable SSH access on ESXi hosts unless absolutely necessary, and monitor for reactivation attempts.
- Harden support desk procedures, requiring strong identity verification before performing any password resets—especially for privileged accounts.
- Limit Active Directory-to-vSphere account mappings, reducing the blast radius in case of compromise.
- Monitor vCenter logs for signs of password resets, unusual login times, or Teleport-related activity.
- Isolate backup systems from the virtual infrastructure and test their integrity regularly to ensure they can be restored if encryption occurs.
- Educate IT support teams on social engineering techniques, including voice-based phishing (vishing), and regularly test them with simulated incidents.
- Restrict access to sensitive internal documentation like org charts and IT handbooks that could be weaponized in impersonation attacks.
Scattered Spider continues to prove that the weakest link in security often isn’t code—it’s people. Their ability to combine social engineering with high-level technical maneuvering makes them a top-tier threat in today’s landscape. Organizations operating critical infrastructure must recognize that identity and trust are now battlegrounds, and failure to protect them can lead to total virtual collapse.