T1505.006: vSphere Installation Bundles
Adversaries may abuse vSphere Installation Bundles (VIBs) to establish persistent access to ESXi hypervisors. VIBs are collections of files used for software distribution and virtual system management in VMware environments. Since ESXi uses an in-memory filesystem where changes made to most files are stored in RAM rather than in persistent storage, these modifications are lost after a reboot. However, VIBs can be used to create startup tasks, apply custom firewall rules, or deploy binaries that persist across reboots. Typically, administrators use VIBs for updates and system maintenance.
VIBs can be broken down into three components:[1]
* VIB payload: a `.vgz` archive containing the directories and files to be created and executed on boot when the VIBs are loaded. * Signature file: verifies the host acceptance level of a VIB, indicating what testing and validation has been done by VMware or its partners before publication of a VIB. By default, ESXi hosts require a minimum acceptance level of PartnerSupported for VIB installation, meaning the VIB is published by a trusted VMware partner. However, privileged users can change the default acceptance level using the `esxcli` command line interface. Additionally, VIBs are able to be installed regardless of acceptance level by using the esxcli software vib install --force command. * XML descriptor file: a configuration file containing associated VIB metadata, such as the name of the VIB and its dependencies.
Adversaries may leverage malicious VIB packages to maintain persistent access to ESXi hypervisors, allowing system changes to be executed upon each bootup of ESXi – such as using `esxcli` to enable firewall rules for backdoor traffic, creating listeners on hard coded ports, and executing backdoors.[2] Adversaries may also masquerade their malicious VIB files as PartnerSupported by modifying the XML descriptor file.[2]
Analyst context for executives and security teams
This technique matters because ESXi hypervisors are foundational infrastructure: if a malicious vSphere Installation Bundle persists on a host, changes can survive reboot and affect the virtualization layer rather than a single guest system. For leaders, the key risk is not just malware on a server; it is unauthorized persistence in the platform that runs many workloads.
Executive priority
Prioritize governance over who can install VIBs, change ESXi acceptance levels, or use forced installation options. This is a persistence technique, so incident decisions should include whether rebooting or rebuilding a host is sufficient, and audit evidence should show that installed bundles, signatures, boot integrity, and administrative actions are reviewed. The ATT&CK relationships to Code Signing, Boot Integrity, and Audit make this a control-validation issue as much as a detection issue.
Technical view
SOC, detection, and IR teams should validate visibility into ESXi administrative activity and VIB state. ATT&CK does not provide official detection text for this object, but it does link detection strategy DET0535: Detect Abuse of vSphere Installation Bundles for Persistent Access. Practical validation should focus on VIB installation events, use of esxcli to change acceptance levels, forced VIB installation, unexpected VIB metadata or XML descriptor changes, startup tasks created by VIB payloads, custom firewall rules, and listeners or backdoors that appear after boot. Treat this as a sub-technique of Server Software Component persistence in an ESXi context.
Likely telemetry
- ESXi host administrative command history or logs, especially esxcli activity
- VIB inventory, package metadata, XML descriptor contents, signatures, and acceptance levels
- Events or records for VIB installation, removal, update, or forced installation
- Configuration changes to ESXi firewall rules and startup behavior
- Boot-time execution evidence and persistence-related file changes from VIB payloads
Detection direction
- Validate whether DET0535-style analytics are implemented for VIB abuse rather than only general ESXi administration.
- Baseline expected VIBs, publishers, acceptance levels, dependencies, and host roles; alert on unexpected additions or metadata changes.
- Monitor for acceptance-level changes and forced installation behavior because the description notes privileged users can alter acceptance requirements or install regardless of acceptance level.
- Correlate VIB changes with new firewall rules, startup tasks, binaries, or network listeners after reboot.
- Tune for legitimate administrator maintenance windows and approved partner-supported updates to reduce false positives.
Mitigation priorities
- Enforce code signing expectations for software installed on ESXi hosts, aligned to ATT&CK mitigation M1045.
- Validate boot integrity and trusted startup behavior for hypervisors, aligned to M1046.
- Maintain routine auditing of ESXi configuration, installed VIBs, administrative actions, and firewall changes, aligned to M1047.
- Restrict privileged ability to install VIBs, change acceptance levels, or use forced installation options to tightly controlled administrative workflows.
- Include ESXi VIB review in incident response scoping when persistence on virtualization infrastructure is suspected.
Analyst notes and limits
The supplied ATT&CK relationships identify this as ESXi persistence and connect it to DET0535, M1045 Code Signing, M1046 Boot Integrity, M1047 Audit, parent technique T1505 Server Software Component, UNC3886, and VIRTUALPIE. The VIRTUALPIE relationship specifically notes installation via malicious VIBs in the supplied context. Use those relationships for prioritization, but validate exposure and telemetry locally.
MITRE provides no official detection text for this technique in the supplied object. This take does not assert active exploitation, customer exposure, or guaranteed detection. Local ESXi versions, logging configuration, administrative processes, and approved VIB inventories are required to determine actual risk and coverage.
vSphere Installation Bundles
Adversaries may abuse vSphere Installation Bundles (VIBs) to establish persistent access to ESXi hypervisors. VIBs are collections of files used for software distribution and virtual system management in VMware environments. Since ESXi uses an in-memory filesystem where changes made to most files are stored in RAM rather than in persistent storage, these modifications are lost after a reboot. However, VIBs can be used to create startup tasks, apply custom firewall rules, or deploy binaries that persist across reboots. Typically, administrators use VIBs for updates and system maintenance.
VIBs can be broken down into three components:[1]
* VIB payload: a `.vgz` archive containing the directories and files to be created and executed on boot when the VIBs are loaded. * Signature file: verifies the host acceptance level of a VIB, indicating what testing and validation has been done by VMware or its partners before publication of a VIB. By default, ESXi hosts require a minimum acceptance level of PartnerSupported for VIB installation, meaning the VIB is published by a trusted VMware partner. However, privileged users can change the default acceptance level using the `esxcli` command line interface. Additionally, VIBs are able to be installed regardless of acceptance level by using the esxcli software vib install --force command. * XML descriptor file: a configuration file containing associated VIB metadata, such as the name of the VIB and its dependencies.
Adversaries may leverage malicious VIB packages to maintain persistent access to ESXi hypervisors, allowing system changes to be executed upon each bootup of ESXi – such as using `esxcli` to enable firewall rules for backdoor traffic, creating listeners on hard coded ports, and executing backdoors.[2] Adversaries may also masquerade their malicious VIB files as PartnerSupported by modifying the XML descriptor file.[2]
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1505 | Server Software Component | This object subtechnique of Server Software Component. |
Groups, software, and campaigns
G1048: UNC3886
UNC3886 is a China-nexus cyberespionage group that has been active since at least 2022, targeting defense, technology, and telecommunication organizations located in the United States and the Asia-Pacific-Japan (APJ) regions. UNC3886 has displayed a deep understanding of edge devices and virtualization technologies through the exploitation of zero-day vulnerabilities and the use of novel malware families and utilities.[1][2]
S1218: VIRTUALPIE
VIRTUALPIE is a lightweight backdoor written in Python that spawns an IPv6 listener on a VMware ESXi server and features command line execution, file transfer, and reverse shell capabilities. VIRTUALPIE has been in use since at least 2022 including by UNC3886 who installed it via malicious vSphere Installation Bundles (VIBs).[1]
All related ATT&CK context
Mitigation direction
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 40691869be97… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
VMware VIBs
Kyle Gleed. (2011, September 13). What's in a VIB?. Retrieved March 27, 2025.
Open source URL -
[2]
Google Cloud Threat Intelligence ESXi VIBs 2022
Alexander Marvi, Jeremy Koppen, Tufail Ahmed, and Jonathan Lepore. (2022, September 29). Bad VIB(E)s Part One: Investigating Novel Malware Persistence Within ESXi Hypervisors. Retrieved March 26, 2025.
Open source URL -
[3]
mitre-attack T1505.006Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.