S1218: VIRTUALPIE

VIRTUALPIE is a lightweight backdoor written in Python that spawns an IPv6 listener on a VMware ESXi server and features command line execution, file transfer, and reverse shell capabilities. VIRTUALPIE has been in use since at least 2022 including by UNC3886 who installed it via malicious vSphere Installation Bundles (VIBs).[1]

Enterprise | S1218 | Malware | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

VIRTUALPIE matters because it targets the virtualization layer rather than a normal server workload. A lightweight Python backdoor on an ESXi host can give an intruder command execution, file transfer, and reverse shell capability near the foundation of many business services. For leaders, the practical issue is whether ESXi management, VIB integrity, IPv6 exposure, and hypervisor logging are governed and monitored with the same seriousness as endpoints and cloud control planes.

Executive priority

Prioritize this as a resilience and control-validation issue for organizations that run VMware ESXi. The ATT&CK context links VIRTUALPIE to malicious vSphere Installation Bundles, hypervisor command-line abuse, non-standard ports, encrypted command-and-control, and lateral tool transfer. Executives should ask whether virtualization administrators can prove which VIBs are authorized, whether ESXi hosts have sufficient logging and network visibility, and whether incident response plans include hypervisor-level containment and evidence preservation.

Technical view

SOC, detection engineering, and IR teams should validate coverage around ESXi hosts specifically, not just guest VMs. The relevant behaviors to review are Python execution on ESXi, hypervisor CLI activity such as ESXi management commands, VIB installation or persistence changes, unexpected file movement to or between hypervisors, IPv6 listener activity, non-standard port communications, reverse shell-like network patterns, and encrypted traffic that does not match expected management baselines. Because no official ATT&CK detection text is provided for VIRTUALPIE, detections should be built from the described malware capabilities and the mapped techniques: T1059.006, T1059.012, T1505.006, T1570, T1571, and T1573.001.

Likely telemetry

  • ESXi host logs and management events
  • vSphere/vCenter inventory and VIB installation records
  • Hypervisor command-line activity where available
  • Network flow records for ESXi management and host interfaces
  • IPv6 listener and connection telemetry involving ESXi hosts

Detection direction

  • Baseline authorized VIBs and alert on new, unsigned, unexpected, or changed VIBs on ESXi hosts.
  • Review ESXi network exposure for unexpected IPv6 listeners and non-standard ports, especially where ESXi hosts should only communicate with defined management systems.
  • Tune detections for hypervisor CLI activity that changes firewall rules, startup behavior, logging, VM state, or other host management functions outside approved maintenance windows.
  • Correlate file transfer events with administrator activity; treat unexplained tool movement involving ESXi hosts as high value for investigation.
  • Account for encrypted command-and-control limitations: network metadata, destination reputation, port/protocol mismatch, and deviations from ESXi management baselines may be more useful than payload inspection.
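The first two bullets above, combined with the hard-coded TCP port 546 listener recorded in the relationship table, can be turned into a small host check. The following is an added example (not Glexia's or MITRE's code) that parses constructed `esxcli software vib list` and `esxcli network ip connection list` output (the column layouts are assumptions), diffs installed VIBs against a hypothetical approved baseline, and flags IPv6 listeners on ports outside an assumed management allowlist.

```python
# Acceptance levels, most trusted first; CommunitySupported VIBs are not VMware- or partner-signed.
ACCEPTANCE_RANK = {"VMwareCertified": 3, "VMwareAccepted": 2,
                   "PartnerSupported": 1, "CommunitySupported": 0}

# Constructed sample of `esxcli software vib list` output (column layout assumed).
VIB_SAMPLE = """\
Name              Version              Vendor  Acceptance Level    Install Date
----------------  -------------------  ------  ------------------  ------------
esx-base          7.0.3-0.35.19193900  VMW     VMwareCertified     2023-03-01
sample-extra-vib  1.0.0-1              SMPL    CommunitySupported  2024-06-10
"""

# Constructed sample of `esxcli network ip connection list` output (layout assumed).
CONN_SAMPLE = """\
Proto  Recv Q  Send Q  Local Address  Foreign Address  State   World ID  CC Algo  World Name
-----  ------  ------  -------------  ---------------  ------  --------  -------  ----------
tcp    0       0       0.0.0.0:443    0.0.0.0:0        LISTEN  2098000   newreno  rhttpproxy
tcp    0       0       [::]:546       [::]:0           LISTEN  2099000   newreno  python
"""

# Hypothetical approved-VIB baseline (name -> (version, acceptance level)) and
# the ports this host's management services are expected to listen on.
BASELINE = {"esx-base": ("7.0.3-0.35.19193900", "VMwareCertified")}
EXPECTED_PORTS = {22, 80, 443, 902, 8000}


def data_rows(table):
    # Skip the header and dashed separator; no data field contains a space.
    return [line.split() for line in table.strip().splitlines()[2:] if line.strip()]

def check_vibs(vib_table, baseline, min_level="PartnerSupported"):
    """Flag VIBs that are new, changed, or below the minimum acceptance level."""
    findings = []
    for name, version, _vendor, level, _date in data_rows(vib_table):
        if name not in baseline:
            findings.append(f"new VIB: {name} {version}")
        elif baseline[name][0] != version:
            findings.append(f"changed VIB: {name} {baseline[name][0]} -> {version}")
        if ACCEPTANCE_RANK.get(level, -1) < ACCEPTANCE_RANK[min_level]:
            findings.append(f"low acceptance level: {name} is {level}")
    return findings

def check_listeners(conn_table, expected_ports):
    """Flag LISTEN sockets bound to an IPv6 address on a port outside the allowlist."""
    findings = []
    for row in data_rows(conn_table):
        proto, local, state, world = row[0], row[3], row[5], row[-1]
        port = int(local.rsplit(":", 1)[1])
        if state == "LISTEN" and local.startswith("[") and port not in expected_ports:
            findings.append(f"unexpected IPv6 {proto} listener on {port} (world {world})")
    return findings
```

On a real host the two tables would come from the esxcli commands named in the comments, and the baseline from the approved-VIB inventory the mitigation section calls for.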

Mitigation priorities

  • Establish and maintain an authoritative inventory of ESXi hosts, approved VIBs, and authorized management tools.
  • Restrict ESXi management access to dedicated administrative networks and approved administrators; include IPv6 in access-control reviews.
  • Harden and monitor vSphere/ESXi administration paths, including privileged access, logging, and configuration-change review.
  • Validate that log forwarding from ESXi and vCenter is enabled, retained, and usable during incident response.
  • Create an incident response playbook for suspected hypervisor compromise, including evidence preservation, containment options, VIB review, and guest VM dependency considerations.

Analyst notes and limits

The supplied ATT&CK object identifies VIRTUALPIE as a Python backdoor for VMware ESXi with command execution, file transfer, reverse shell capability, and an IPv6 listener. Relationship context maps it to Python execution, hypervisor CLI execution, VIB persistence, lateral tool transfer, non-standard ports, and symmetric cryptography. UNC3886 is listed as a group that uses this malware, but this take does not infer current activity or customer exposure from that relationship alone.

MITRE provides no official detection guidance for this object, and the object lists no explicit tactics. Defensive recommendations therefore rely on the official description, external reference, platform field, and supplied ATT&CK relationships. Local ESXi architecture, logging configuration, IPv6 use, VIB policy, and administrative baselines are required to determine actual risk and detection feasibility.

Official MITRE ATT&CK definition

VIRTUALPIE

VIRTUALPIE is a lightweight backdoor written in Python that spawns an IPv6 listener on a VMware ESXi server and features command line execution, file transfer, and reverse shell capabilities. VIRTUALPIE has been in use since at least 2022 including by UNC3886 who installed it via malicious vSphere Installation Bundles (VIBs).[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure

Enterprise | T1059.006 | Python (sub-technique)
VIRTUALPIE is a Python-based backdoor malware. (Citations: Google Cloud Threat Intelligence ESXi VIBs 2022; Google Cloud Mandiant UNC3886 2024)

Enterprise | T1573.001 | Symmetric Cryptography (sub-technique)
VIRTUALPIE can use a custom RC4 encrypted protocol for C2 communications. (Citations: Google Cloud Threat Intelligence ESXi VIBs 2022; Google Cloud Mandiant UNC3886 2024)

Enterprise | T1571 | Non-Standard Port
VIRTUALPIE has created listeners on hard-coded TCP port 546. (Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)

Enterprise | T1570 | Lateral Tool Transfer
VIRTUALPIE has file transfer capabilities. (Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)

Enterprise | T1505.006 | vSphere Installation Bundles (sub-technique)
VIRTUALPIE has been installed on VMware ESXi servers through malicious vSphere Installation Bundles (VIBs). (Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)

Enterprise | T1059.012 | Hypervisor CLI (sub-technique)
VIRTUALPIE is capable of command line execution on compromised ESXi servers. (Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)

Associated objects

Groups, software, and campaigns

Group Enterprise

G1048: UNC3886

UNC3886 is a China-nexus cyberespionage group that has been active since at least 2022, targeting defense, technology, and telecommunication organizations located in the United States and the Asia-Pacific-Japan (APJ) regions. UNC3886 has displayed a deep understanding of edge devices and virtualization technologies through the exploitation of zero-day vulnerabilities and the use of novel malware families and utilities.[1][2]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: d588d59302a7c68d...

Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | d588d59302a7…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Google Cloud Threat Intelligence ESXi VIBs 2022: Alexander Marvi, Jeremy Koppen, Tufail Ahmed, and Jonathan Lepore. (2022, September 29). Bad VIB(E)s Part One: Investigating Novel Malware Persistence Within ESXi Hypervisors. Retrieved March 26, 2025.
  2. [2] mitre-attack S1218

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.