S1217: VIRTUALPITA
VIRTUALPITA is a passive backdoor with ESXi and Linux vCenter variants capable of command execution, file transfer, and starting and stopping processes. VIRTUALPITA has been in use since at least 2022, including by UNC3886, who leveraged malicious vSphere Installation Bundles (VIBs) for installation on ESXi hypervisors.[1]
Analyst context for executives and security teams
VIRTUALPITA matters because it targets virtualization management layers: ESXi and Linux vCenter variants are described as a passive backdoor capable of command execution, file transfer, and starting or stopping processes. For leaders, the business issue is not just malware on a server; compromise at the hypervisor or vCenter layer can undermine visibility, incident response confidence, and the availability of workloads that depend on that virtualization platform.
Executive priority
Prioritize validation of ESXi and vCenter security monitoring, administrative change control, and recovery readiness. The supplied ATT&CK relationships connect VIRTUALPITA to persistence, stealth, execution, command-and-control, lateral tool transfer, VM discovery, ESXi administration commands, command-history impairment, and service stopping. This makes it relevant to business continuity, audit evidence for privileged administration, and incident decision-making where virtual infrastructure supports critical services.
Technical view
SOC and IR teams should treat this as a virtualization-focused backdoor profile. Validate monitoring on ESXi and Linux vCenter systems for unexpected VIB-related installation activity, boot or logon initialization script changes, masqueraded services or files, Unix shell and Python execution, unusual file transfers, non-standard port communications, VM enumeration activity, ESXi administration command usage, command-history logging impairment, and service stop events. The relationship to UNC3886 is supplied by ATT&CK, but local investigations should avoid assuming attribution without corroborating evidence.
Likely telemetry
- ESXi host logs and vCenter management logs
- VIB installation and configuration change records
- Service/process start and stop events on ESXi and Linux vCenter systems
- Boot, logon, and initialization script file integrity telemetry
- Shell and Python execution logs where available
Detection direction
- Because ATT&CK provides no official detection text for VIRTUALPITA, start with behavior-based coverage mapped to the related techniques rather than malware-name alerts alone.
- Baseline legitimate ESXi and vCenter administration so unusual VIB installation, service naming, file locations, and ESXi administration command usage can be reviewed with lower false-positive noise.
- Correlate file transfer activity with subsequent shell/Python execution, service changes, or VM discovery on ESXi and Linux vCenter systems.
- Review monitoring blind spots on hypervisors, where endpoint tooling and command logging may be weaker than on standard servers.
- Tune for suspicious non-standard port communications from virtualization management assets, but account for approved management and backup tooling.
Mitigation priorities
- Harden and tightly govern administrative access to ESXi and vCenter systems, including change approval and privileged access review.
- Maintain authoritative baselines for installed VIBs, services, initialization scripts, file locations, and expected management ports.
- Improve logging retention and centralized collection for hypervisor and vCenter telemetry before an incident occurs.
- Restrict and monitor file transfer paths to and between virtualization infrastructure assets.
- Prepare IR procedures for virtualization-layer compromise, including evidence preservation, workload dependency analysis, and service recovery decisions.
Analyst notes and limits
The supplied ATT&CK object identifies VIRTUALPITA as a passive backdoor with ESXi and Linux vCenter variants, reportedly in use since at least 2022 and used by UNC3886. Relationship context links it to masquerading, initialization scripts, Unix shell and Python execution, ingress and lateral tool transfer, service stop, non-standard port communication, virtual machine discovery, ESXi administration commands, and command-history logging prevention.
ATT&CK provides no official detection guidance, no malware-level tactics, no aliases, and limited descriptive detail in the supplied object. This take does not assert current activity, customer exposure, attribution in a local incident, or guaranteed detection. Local telemetry, baselines, and administrative records are required to determine coverage and risk.
VIRTUALPITA
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1059.006 | Python Sub-technique | VIRTUALPITA can call a Python script to run commands on a targeted guest virtual machine.[1] |
| Enterprise | T1675 | ESXi Administration Command | VIRTUALPITA can execute commands on guest virtual machines from compromised ESXi hypervisors.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | VIRTUALPITA has the ability to upload and download files.[1] |
| Enterprise | T1489 | Service Stop | VIRTUALPITA can start and stop the `vmsyslogd` service.[1] |
| Enterprise | T1673 | Virtual Machine Discovery | VIRTUALPITA can target specific guest virtual machines for script execution.[1] |
| Enterprise | T1059.004 | Unix Shell Sub-technique | VIRTUALPITA has the ability to spawn a bash shell for script execution.[1] |
| Enterprise | T1037 | Boot or Logon Initialization Scripts | VIRTUALPITA can persist as an init.d startup service on Linux vCenter systems.[1] |
| Enterprise | T1036.004 | Masquerade Task or Service Sub-technique | VIRTUALPITA has utilized VMware service names and ports to masquerade as legitimate services.[1] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | VIRTUALPITA samples have been found in `/usr/libexec/setconf/ksmd` and `/usr/bin/ksmd`, named to spoof the legitimate Kernel Same-Page Merging Daemon binary.[1] |
| Enterprise | T1570 | Lateral Tool Transfer | VIRTUALPITA is capable of file transfer and arbitrary command execution.[1] |
| Enterprise | T1690 | Prevent Command History Logging | VIRTUALPITA can impair logging by setting the `HISTFILE` environmental variable to `0` and stopping the `vmsyslogd` service.[1] |
| Enterprise | T1571 | Non-Standard Port | VIRTUALPITA has created listeners on hard-coded TCP ports such as 2233, 7475, and 18098.[1] |
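As an added triage example (not code from the ATT&CK object or from Glexia), the check below applies the detection direction above to a constructed host snapshot and flags the behaviours the technique table lists: the hard-coded listener ports, the ksmd-named file locations, `HISTFILE` set to `0`, and a stopped `vmsyslogd` service, with an approved-port baseline so sanctioned management tooling is not flagged. The snapshot field names and sample hosts are assumptions.

```python
"""Added triage check (not ATT&CK or Glexia code) over a constructed host snapshot."""
from dataclasses import dataclass, field

# Indicators taken from the technique table on this page.
VIRTUALPITA_PORTS = {2233, 7475, 18098}                      # T1571 hard-coded listeners
KSMD_PATHS = {"/usr/libexec/setconf/ksmd", "/usr/bin/ksmd"}  # T1036.005 sample locations


@dataclass
class HostSnapshot:
    """Constructed shape; real data would come from ESXi/vCenter inventory collection."""
    hostname: str
    listeners: list            # (tcp_port, process_name) pairs
    process_paths: list        # executable paths of running processes
    shell_env: dict            # environment seen by interactive shells
    stopped_services: set      # services currently stopped
    approved_ports: set = field(default_factory=set)  # local baseline of sanctioned ports


def triage(snap: HostSnapshot) -> list:
    """Return (technique_id, detail) findings for behaviours the page attributes to VIRTUALPITA."""
    findings = []
    for port, proc in snap.listeners:
        if port in VIRTUALPITA_PORTS and port not in snap.approved_ports:
            findings.append(("T1571", f"{proc} listening on TCP {port}"))
    for path in snap.process_paths:
        if path in KSMD_PATHS:
            findings.append(("T1036.005", f"ksmd-named executable at {path}"))
    if snap.shell_env.get("HISTFILE") == "0":
        findings.append(("T1690", "HISTFILE set to 0 (history logging impaired)"))
    if "vmsyslogd" in snap.stopped_services:
        findings.append(("T1489", "vmsyslogd service stopped"))
    return findings


# Constructed sample: one host showing all four behaviours, one clean host.
SAMPLE_HOSTS = [
    HostSnapshot("esxi-lab-01", [(443, "hostd"), (18098, "svc")], ["/usr/bin/ksmd"],
                 {"HISTFILE": "0"}, {"vmsyslogd"}, {443}),
    HostSnapshot("esxi-lab-02", [(443, "hostd")], ["/bin/sh"], {}, set(), {443}),
]


def triage_all(hosts=SAMPLE_HOSTS) -> dict:
    """Map hostname -> findings, omitting hosts with nothing to review."""
    return {h.hostname: triage(h) for h in hosts if triage(h)}


if __name__ == "__main__":
    for host, items in triage_all().items():
        for tid, detail in items:
            print(f"{host}\t{tid}\t{detail}")
```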
Groups, software, and campaigns
G1048: UNC3886
UNC3886 is a China-nexus cyberespionage group that has been active since at least 2022, targeting defense, technology, and telecommunication organizations located in the United States and the Asia-Pacific-Japan (APJ) regions. UNC3886 has displayed a deep understanding of edge devices and virtualization technologies through the exploitation of zero-day vulnerabilities and the use of novel malware families and utilities.[1][2]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | c4b8c62066f9… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Alexander Marvi, Jeremy Koppen, Tufail Ahmed, and Jonathan Lepore. (2022, September 29). Bad VIB(E)s Part One: Investigating Novel Malware Persistence Within ESXi Hypervisors. Google Cloud Threat Intelligence. Retrieved March 26, 2025.
[2] mitre-attack S1217.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.