Skip to content

Hide Navigation Hide TOC

VIRTUALPIE - S1218 (7cc63f0f-f24f-4cda-9e9f-61bde1d52297)

VIRTUALPIE is a lightweight backdoor written in Python that spawns an IPv6 listener on a VMware ESXi server and features command line execution, file transfer, and reverse shell capabilities. VIRTUALPIE has been in use since at least 2022 including by UNC3886 who installed it via malicious vSphere Installation Bundles (VIBs).(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)

Cluster A Galaxy A Cluster B Galaxy B Level
Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5) Attack Pattern VIRTUALPIE - S1218 (7cc63f0f-f24f-4cda-9e9f-61bde1d52297) Malware 1
VIRTUALPIE - S1218 (7cc63f0f-f24f-4cda-9e9f-61bde1d52297) Malware Hypervisor CLI - T1059.012 (d2d642da-61ff-4211-b4df-7923c9ca220c) Attack Pattern 1
VIRTUALPIE - S1218 (7cc63f0f-f24f-4cda-9e9f-61bde1d52297) Malware Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18) Attack Pattern 1
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern VIRTUALPIE - S1218 (7cc63f0f-f24f-4cda-9e9f-61bde1d52297) Malware 1
Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) Attack Pattern VIRTUALPIE - S1218 (7cc63f0f-f24f-4cda-9e9f-61bde1d52297) Malware 1
vSphere Installation Bundles - T1505.006 (f8ba7d61-11c5-4130-bafd-7c3ff5fbf4b5) Attack Pattern VIRTUALPIE - S1218 (7cc63f0f-f24f-4cda-9e9f-61bde1d52297) Malware 1
Hypervisor CLI - T1059.012 (d2d642da-61ff-4211-b4df-7923c9ca220c) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern 2
Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
vSphere Installation Bundles - T1505.006 (f8ba7d61-11c5-4130-bafd-7c3ff5fbf4b5) Attack Pattern Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) Attack Pattern 2