A cyber-espionage campaign linked to a sophisticated hacking group believed to be based in China is continuing to compromise virtualization and networking infrastructure used by enterprises globally, according to a new deep-dive report by cybersecurity company Sygnia. The hackers are targeting VMware ESXi hypervisors, a type of software that controls and hosts virtual machines for enterprise networks. They are using custom tools that grant persistent access while evading detection by standard security measures such as endpoint detection and response (EDR) systems.[1]
Sygnia is tracking the campaign under the name Fire Ant. The company links it to UNC3886 on the basis of overlaps observed in what its regional head of incident response described as “unique” engagements.
Known in industry circles as “Fire Ant,” this cyber-espionage group has become notorious for targeting critical infrastructure by exploiting vulnerabilities in virtualization and networking systems at scale. Fire Ant’s campaigns are marked by bespoke malware and advanced persistence mechanisms that enable long-term, covert access to high-value networks, especially those underpinning the defense and technology sectors. Security researchers note that the group’s tradecraft involves not only technical prowess but also adaptive strategy: shifting attack vectors as defenders respond and deploying new custom toolsets to avoid detection. While attribution remains complex, Fire Ant’s sustained targeting of enterprises worldwide and the sophistication of its operations strongly suggest nation-state sponsorship.
Sygnia’s report follows the public highlighting of UNC3886’s spying activities by Singapore’s national security minister, Kasiviswanathan Shanmugam, who said the group was behind a series of incidents affecting the country’s critical national infrastructure. “The intent of this threat actor in attacking Singapore is quite clear. It is going after high value strategic threat targets, vital infrastructure that deliver essential services,” Shanmugam said. While Singapore’s government did not explicitly name China, the Chinese embassy responded by rejecting the allegations as “groundless smears and accusations.”
UNC3886 is a sophisticated and stealthy hacking group that has been linked to a range of cyber-espionage campaigns targeting critical infrastructure and high-value organizations worldwide. Analysts attribute the group’s operations to state sponsorship, given their advanced capabilities and their focus on strategic assets, including defense, technology, and telecommunications. UNC3886 has garnered particular attention for its ability to compromise enterprise-grade systems such as VMware and Fortinet, often deploying custom malware to maintain persistence while evading even advanced security monitoring. Their activities have not only triggered national security alerts but have also led to heightened scrutiny and warnings from both government officials and cybersecurity leaders.
Yoav Mazor, Sygnia’s head of incident response for Asia Pacific and Japan, who is himself based in Singapore, said that the company’s report was not based on the specific entities the minister mentioned, but that he considered its research on Fire Ant to “definitely correlate” with the campaign Shanmugam complained about.
The company also linked UNC3886 to a campaign last year that deployed custom backdoors on compromised Juniper Networks routers, stating that it appeared to be “focused mainly on defense, technology, and telecommunication organizations located in the US and Asia.” The group had previously been linked to compromises discovered in Fortinet and VMware systems, used to spy on defense, government, technology and telecom organizations.
The attackers are “definitely” pursuing strategic intelligence, said Mazor, who added that Sygnia published its technical report to highlight the severe global risk posed by hypervisor-level intrusions. He emphasized that Fire Ant's operations extended well beyond Asia Pacific.
Mazor described the multiple engagements that Sygnia had worked on as unique. “Usually in a forensic investigation, we’re investigating things that have already happened, and the main job is to investigate, to fix what needs to be fixed, and then move on,” he said. “In these specific incidents, once we already understood the threat actor, there was the operational task of actually getting them out. Eradication was a lengthy process. While we were working on closing a specific entry vector, the threat actor was leveraging another entry vector to establish new ones,” he said.
The cases became more operational engagements, which included tracking what the threat actor was doing in real time in order to eventually evict them from the network. “A lot of times, when we know the threat actor sees us try to eradicate them, they might hold back and come back later. Here it didn’t seem like the threat actor was necessarily holding back. They did change tools, they did at some point use tools that we hadn’t seen before, but it looked like they were there for the operational race.”
This article is shared with permission at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122
[1] https://therecord.media/stealthy-china-spies-fire-ant-virtualization-software