Saved February 14, 2026
Chinese-speaking hackers used a compromised SonicWall VPN to access VMware ESXi systems, exploiting three zero-day vulnerabilities for potential ransomware attacks. Cybersecurity firm Huntress intervened before the attack could escalate, revealing a sophisticated toolkit that enables virtual machine escapes and backdoor access.
Chinese-speaking hackers are reportedly using a compromised SonicWall VPN to exploit VMware ESXi vulnerabilities, possibly as a precursor to ransomware attacks. Cybersecurity firm Huntress intercepted this activity in December 2025 and linked it to three serious vulnerabilities disclosed by Broadcom in March 2025, with CVSS scores ranging from 7.1 to 9.3. These vulnerabilities allow an attacker to manipulate memory in the Virtual Machine Executable (VMX) process, the per-VM process on the hypervisor, which poses a significant risk to virtual environments.
The attackers used a sophisticated toolkit whose key components include "exploit.exe" (known as MAESTRO) and an unsigned kernel driver called MyDriver.sys. The toolkit can disable VMware drivers, execute shellcode, and establish persistent access through a backdoor named VSOCKpuppet. The exploitation process involves writing multiple payloads into VMX memory, ultimately allowing the attacker to gain full control of the ESXi hypervisor from within a guest VM.
Evidence suggests the toolkit was designed for targeted use, as indicated by operational instructions in a README file. Huntress suspects it is distributed privately by a well-resourced developer in a Chinese-speaking region, likely to vetted buyers rather than through open markets. The use of VSOCK (the host-to-guest socket channel) for backdoor communication complicates detection, because that traffic never crosses the network and so bypasses traditional network monitoring. The operation illustrates a serious escalation in attack methods against virtualization infrastructure and emphasizes the need for heightened vigilance and security measures in cloud environments.