Global leader in Incident Response divulges findings into persistent, long-term espionage campaigns targeting VMware ESXi and vCenter environments
Sygnia, the foremost global cyber readiness and response team, reveals the findings of their investigation into a prolonged espionage campaign by a China-nexus threat actor, targeting critical infrastructure. Named ‘Fire Ant’ by Sygnia, the adversary is actively leveraging advanced methods to gain access to virtualization and networking environments by creating multi-layer attack kill chains to infiltrate restricted and segmented network assets that were considered to be within isolated environments.
Since early 2025, Sygnia has tracked and responded to Fire Ant incidents, primarily targeting VMware ESXi and vCenter environments, as well as network appliances, to establish a foothold for initial access and long-term advanced persistence. Notably, Fire Ant displays high levels of resilience, actively and stealthily adapting to eradication and containment efforts, replacing toolsets, deploying redundant persistence backdoors and manipulating network configurations to re-establish access to compromised devices.
Cyber Technology Insights : ISG Recognizes GTT as a Leader in SASE and Managed SD-WAN Across U.S. and U.K.
“Fire Ant shows incredible advanced capabilities to infiltrate and conduct espionage campaigns, avoiding detection and multi-layered traditional security measures by targeting infrastructure blind spots. This highlights the level of resilience and danger posed by nation-state threat actors to global critical infrastructure organisations,” said Yoav Mazor, Head of Incident Response, APJ at Sygnia. “By gaining control over the virtualization management layer, the threat actor was able to extract service account credentials and deploy persistent backdoors on both ESXi hosts and the vCenter to maintain access across reboots.”
Fire Ant’s activities are characterized by infrastructure-centric tactics, techniques and procedures (TTPs) enabling activity beneath the detection threshold of traditional endpoint controls, emphasizing critical blind spots of conventional security stacks. The threat actor establishes control over a victim’s VMware ESXi hosts and vCenter servers to move laterally across an organization. Additionally, Fire Ant consistently bypassed network segmentation by compromising network appliances and tunneling across segments, enabling the threat actor to bridge and move deeper within an organization’s infrastructure through legitimate, approved paths.
Cyber Technology Insights : NETSCOUT Delivers Double-Digit Energy Savings for Data Center Observability Solutions
Mazor adds, “Fire Ant’s method of infiltration places heightened pressure on the cybersecurity community and underscores the importance of visibility and detection within the hypervisor and infrastructure layer where traditional endpoint security tools often struggle to identify malicious activity. Organizations will need to adopt proactive cyber resilience with an advanced multi-layered security approach.”
As part of Sygnia’s investigation into Fire Ant, the company found the tooling and techniques closely align with prior espionage campaigns conducted by nation-state threat actor, UNC3886, currently active in Singapore. Fire Ant’s overlap with UNC3886 includes specific binaries and exploitation of vCenter and ESXi vulnerabilities, as well as similar targeting of critical infrastructure across regions.
Cyber Technology Insights : Tenable Launches AI-Enhanced Vulnerability Prioritization for Unmatched Precision
To participate in our interviews, please write to our CyberTech Media Room at sudipto@intentamplify.com
Source: businesswire
