Skip to content

Hide Navigation Hide TOC

VIRTUALPIE - S1218 (7cc63f0f-f24f-4cda-9e9f-61bde1d52297)

VIRTUALPIE is a lightweight backdoor written in Python that spawns an IPv6 listener on a VMware ESXi server and features command line execution, file transfer, and reverse shell capabilities. VIRTUALPIE has been in use since at least 2022 including by UNC3886 who installed it via malicious vSphere Installation Bundles (VIBs).(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)

Cluster A Galaxy A Cluster B Galaxy B Level
VIRTUALPIE - S1218 (7cc63f0f-f24f-4cda-9e9f-61bde1d52297) Malware Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5) Attack Pattern 1
VIRTUALPIE - S1218 (7cc63f0f-f24f-4cda-9e9f-61bde1d52297) Malware Hypervisor CLI - T1059.012 (d2d642da-61ff-4211-b4df-7923c9ca220c) Attack Pattern 1
VIRTUALPIE - S1218 (7cc63f0f-f24f-4cda-9e9f-61bde1d52297) Malware Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18) Attack Pattern 1
VIRTUALPIE - S1218 (7cc63f0f-f24f-4cda-9e9f-61bde1d52297) Malware Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 1
Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) Attack Pattern VIRTUALPIE - S1218 (7cc63f0f-f24f-4cda-9e9f-61bde1d52297) Malware 1
VIRTUALPIE - S1218 (7cc63f0f-f24f-4cda-9e9f-61bde1d52297) Malware vSphere Installation Bundles - T1505.006 (f8ba7d61-11c5-4130-bafd-7c3ff5fbf4b5) Attack Pattern 1
Hypervisor CLI - T1059.012 (d2d642da-61ff-4211-b4df-7923c9ca220c) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 2
Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) Attack Pattern vSphere Installation Bundles - T1505.006 (f8ba7d61-11c5-4130-bafd-7c3ff5fbf4b5) Attack Pattern 2