Skip to content

Hide Navigation Hide TOC

VIRTUALPIE - S1218 (7cc63f0f-f24f-4cda-9e9f-61bde1d52297)

VIRTUALPIE is a lightweight backdoor written in Python that spawns an IPv6 listener on a VMware ESXi server and features command line execution, file transfer, and reverse shell capabilities. VIRTUALPIE has been in use since at least 2022 including by UNC3886 who installed it via malicious vSphere Installation Bundles (VIBs).(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)

Cluster A Galaxy A Cluster B Galaxy B Level
Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18) Attack Pattern VIRTUALPIE - S1218 (7cc63f0f-f24f-4cda-9e9f-61bde1d52297) Malware 1
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern VIRTUALPIE - S1218 (7cc63f0f-f24f-4cda-9e9f-61bde1d52297) Malware 1
Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) Attack Pattern VIRTUALPIE - S1218 (7cc63f0f-f24f-4cda-9e9f-61bde1d52297) Malware 1
vSphere Installation Bundles - T1505.006 (f8ba7d61-11c5-4130-bafd-7c3ff5fbf4b5) Attack Pattern VIRTUALPIE - S1218 (7cc63f0f-f24f-4cda-9e9f-61bde1d52297) Malware 1
Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5) Attack Pattern VIRTUALPIE - S1218 (7cc63f0f-f24f-4cda-9e9f-61bde1d52297) Malware 1
VIRTUALPIE - S1218 (7cc63f0f-f24f-4cda-9e9f-61bde1d52297) Malware Hypervisor CLI - T1059.012 (d2d642da-61ff-4211-b4df-7923c9ca220c) Attack Pattern 1
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern 2
Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) Attack Pattern vSphere Installation Bundles - T1505.006 (f8ba7d61-11c5-4130-bafd-7c3ff5fbf4b5) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Hypervisor CLI - T1059.012 (d2d642da-61ff-4211-b4df-7923c9ca220c) Attack Pattern 2