
Sygnia Uncovers Active Chinese-Nexus Threat Actor Targeting Critical Infrastructure

Global leader in Incident Response divulges findings into persistent, long-term espionage campaigns targeting VMware ESXi and vCenter environments

Sygnia, the foremost global cyber readiness and response team, today reveals the findings of its investigation into a prolonged espionage campaign by a China-nexus threat actor targeting critical infrastructure. Named ‘Fire Ant’ by Sygnia, the adversary actively uses advanced methods to gain access to virtualization and networking environments, building multi-layer attack kill chains to infiltrate restricted and segmented network assets that were considered isolated.

Since early 2025, Sygnia has tracked and responded to Fire Ant incidents, primarily targeting VMware ESXi and vCenter environments, as well as network appliances, to establish a foothold for initial access and long-term advanced persistence. Notably, Fire Ant displays high levels of resilience, actively and stealthily adapting to eradication and containment efforts, replacing toolsets, deploying redundant persistence backdoors and manipulating network configurations to re-establish access to compromised devices.

“Fire Ant shows incredibly advanced capabilities to infiltrate and conduct espionage campaigns, avoiding detection and multi-layered traditional security measures by targeting infrastructure blind spots. This highlights the level of resilience and danger posed by nation-state threat actors to global critical infrastructure organisations,” said Yoav Mazor, Head of Incident Response, APJ at Sygnia. “By gaining control over the virtualization management layer, the threat actor was able to extract service account credentials and deploy persistent backdoors on both ESXi hosts and the vCenter to maintain access across reboots.”

Fire Ant’s activities are characterized by infrastructure-centric tactics, techniques and procedures (TTPs) enabling activity beneath the detection threshold of traditional endpoint controls, emphasizing critical blind spots of conventional security stacks. The threat actor establishes control over a victim’s VMware ESXi hosts and vCenter servers to move laterally across an organization. Additionally, Fire Ant consistently bypassed network segmentation by compromising network appliances and tunneling across segments, enabling the threat actor to bridge and move deeper within an organization’s infrastructure through legitimate, approved paths.

Mazor adds, “Fire Ant’s method of infiltration places heightened pressure on the cybersecurity community and underscores the importance of visibility and detection within the hypervisor and infrastructure layer where traditional endpoint security tools often struggle to identify malicious activity. Organizations will need to adopt proactive cyber resilience with an advanced multi-layered security approach.”

As part of Sygnia’s investigation into Fire Ant, the company found that the tooling and techniques closely align with prior espionage campaigns conducted by the nation-state threat actor UNC3886, currently active in Singapore. Fire Ant’s overlap with UNC3886 includes specific binaries and the exploitation of vCenter and ESXi vulnerabilities, as well as similar targeting of critical infrastructure across regions.

For a deep dive account of the incident, please see Sygnia’s report.

About Sygnia

Sygnia is the world’s foremost cyber response and readiness expert. It applies creative approaches and bold solutions to each phase of an organization’s security journey, meeting them where they are to ensure cyber resilience. Sygnia is the trusted advisor and service provider of leading organizations worldwide, including Fortune 100 companies. Sygnia is a Temasek company, part of the ISTARI Collective.

Contacts

Kathryn Thompson Dossey

Global Communications Manager

Media@sygnia.co

+1 704-776-8127
