{
  "type": "malware",
  "spec_version": "2.1",
  "id": "malware--df0b59fe-0193-49ea-84e1-9207139c716c",
  "created": "2025-06-02T18:53:39.966Z",
  "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "revoked": false,
  "external_references": [
    {
      "source_name": "mitre-attack",
      "url": "https://attack.mitre.org/software/S1217",
      "external_id": "S1217"
    },
    {
      "source_name": "Google Cloud Threat Intelligence ESXi VIBs 2022",
      "description": "Alexander Marvi, Jeremy Koppen, Tufail Ahmed, and Jonathan Lepore. (2022, September 29). Bad VIB(E)s Part One: Investigating Novel Malware Persistence Within ESXi Hypervisors. Retrieved March 26, 2025.",
      "url": "https://cloud.google.com/blog/topics/threat-intelligence/esxi-hypervisors-malware-persistence"
    }
  ],
  "object_marking_refs": [
    "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
  ],
  "modified": "2025-06-03T18:53:01.340Z",
  "name": "VIRTUALPITA",
  "description": "[VIRTUALPITA](https://attack.mitre.org/software/S1217) is a passive backdoor with ESXi and Linux vCenter variants capable of command execution, file transfer, and starting and stopping processes. [VIRTUALPITA](https://attack.mitre.org/software/S1217) has been in use since at least 2022 including by [UNC3886](https://attack.mitre.org/groups/G1048) who leveraged malicious vSphere Installation Bundles (VIBs) for install on ESXi hypervisors.(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)",
  "is_family": true,
  "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "x_mitre_platforms": [
    "ESXi",
    "Linux"
  ],
  "x_mitre_deprecated": false,
  "x_mitre_domains": [
    "enterprise-attack"
  ],
  "x_mitre_version": "1.0",
  "x_mitre_attack_spec_version": "3.2.0",
  "x_mitre_aliases": [
    "VIRTUALPITA"
  ]
}