
VIRTUALPIE - S1218 (7cc63f0f-f24f-4cda-9e9f-61bde1d52297)

VIRTUALPIE is a lightweight backdoor written in Python that spawns an IPv6 listener on a VMware ESXi server and provides command-line execution, file transfer, and reverse shell capabilities. VIRTUALPIE has been in use since at least 2022, including by UNC3886, which installed it via malicious vSphere Installation Bundles (VIBs).(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)

Cluster A | Galaxy A | Cluster B | Galaxy B | Level
VIRTUALPIE - S1218 (7cc63f0f-f24f-4cda-9e9f-61bde1d52297) | Malware | Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5) | Attack Pattern | 1
VIRTUALPIE - S1218 (7cc63f0f-f24f-4cda-9e9f-61bde1d52297) | Malware | Hypervisor CLI - T1059.012 (d2d642da-61ff-4211-b4df-7923c9ca220c) | Attack Pattern | 1
Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18) | Attack Pattern | VIRTUALPIE - S1218 (7cc63f0f-f24f-4cda-9e9f-61bde1d52297) | Malware | 1
VIRTUALPIE - S1218 (7cc63f0f-f24f-4cda-9e9f-61bde1d52297) | Malware | Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) | Attack Pattern | 1
VIRTUALPIE - S1218 (7cc63f0f-f24f-4cda-9e9f-61bde1d52297) | Malware | Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) | Attack Pattern | 1
vSphere Installation Bundles - T1505.006 (f8ba7d61-11c5-4130-bafd-7c3ff5fbf4b5) | Attack Pattern | VIRTUALPIE - S1218 (7cc63f0f-f24f-4cda-9e9f-61bde1d52297) | Malware | 1
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | Hypervisor CLI - T1059.012 (d2d642da-61ff-4211-b4df-7923c9ca220c) | Attack Pattern | 2
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) | Attack Pattern | Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) | Attack Pattern | 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) | Attack Pattern | 2
Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) | Attack Pattern | vSphere Installation Bundles - T1505.006 (f8ba7d61-11c5-4130-bafd-7c3ff5fbf4b5) | Attack Pattern | 2