Ransomware gangs are actively exploiting the VMware ESXi flaw CVE-2025-22225, which allows attackers to escape the VMX sandbox. Researchers found evidence of a toolkit used in these attacks, indicating that the vulnerabilities were known to the threat actors long before their public disclosure. CISA has confirmed the flaw's involvement in ongoing ransomware incidents.
Chinese-speaking hackers used a compromised SonicWall VPN to access VMware ESXi systems, exploiting three zero-day vulnerabilities for potential ransomware attacks. Cybersecurity firm Huntress intervened before the attack could escalate, revealing a sophisticated toolkit that enables virtual machine escapes and backdoor access.
Researchers at Huntress report a 700% increase in ransomware attacks targeting hypervisors, particularly by the Akira group. These attacks exploit vulnerabilities in hypervisor security, allowing criminals to bypass traditional defenses and compromise virtual machines. Admins are urged to enhance security measures, including multi-factor authentication and patching.
Scattered Spider hackers have been targeting VMware ESXi hypervisors in U.S. companies across various sectors through sophisticated social engineering techniques, rather than exploiting software vulnerabilities. Their attack methodology enables them to gain significant control over virtualized environments, leading to data exfiltration and ransomware deployment. Google Threat Intelligence Group has outlined protective measures organizations can take to defend against these attacks.
Ransomware groups are exploiting the legitimate Kickidler employee monitoring software for reconnaissance and credential theft after breaching networks. The software enables attackers to capture keystrokes and identify off-site cloud backups, facilitating further malicious activities such as encrypting VMware ESXi infrastructure. Cybersecurity experts recommend tightening controls on remote monitoring and management tools to prevent these types of attacks.