VSOCKpuppet
VSOCKpuppet is a Linux/ESXi 64-bit ELF backdoor deployed on compromised VMware ESXi hosts as part of a VM-escape exploit toolkit analyzed by Huntress. It is described as an ESXi-resident payload used after a guest-to-host escape chain likely involving CVE-2025-22226, CVE-2025-22224, and CVE-2025-22225. The broader toolkit includes the Windows orchestrator MAESTRO (exploit.exe), the unsigned kernel driver MyDriver.sys, and a Windows VSOCK client component referred to as client.exe or the GetShell Plugin.
According to the content, VSOCKpuppet provides persistent remote access to the ESXi host and communicates over VSOCK (Virtual Sockets), specifically listening on VSOCK port 10000 with VMADDR_CID_ANY. Its functionality includes arbitrary shell command execution via /bin/sh and file transfer operations, including reading and writing files (described as GET and POST support). The malware is characterized as stealthy because its guest-host communications over VSOCK can bypass or evade traditional network monitoring and IDS visibility.
The reported deployment flow writes VSOCKpuppet into VMX memory along with stage-1 and stage-2 shellcode. Stage-2 shellcode then writes the backdoor to /var/run/a, temporarily modifies /var/run/inetd.conf so inetd will execute /var/run/a as root via port 21, sends SIGHUP to inetd to reload the configuration, triggers the backdoor locally, and restores inetd.conf afterward to reduce detection. The content also states the attackers restored drivers and cleaned up configuration changes as part of a stealth-focused approach.
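The inetd.conf manipulation described above leaves a short-lived but distinctive trace: a well-known service name (here ftp, port 21) pointing at a server binary under /var/run/. The following audit script is an added example written for this page, not code from Huntress or from the Mallory platform. It parses inetd.conf-style lines and flags entries whose server binary sits in a volatile runtime directory or is absent from an allowlist of expected ESXi binaries. The sample configuration and the allowlist are constructed assumptions for illustration; the sshd path is what an ESXi inetd.conf is assumed to contain and should be replaced with the paths observed on a known-good host.

```python
from dataclasses import dataclass

# Constructed sample inetd.conf (not captured from a real host). Line 4 mirrors
# the reported abuse: service ftp (port 21) mapped to /var/run/a running as root.
# inetd.conf field order: service socket_type protocol flags user server_path [args...]
SAMPLE_INETD_CONF = """\
# constructed sample
ssh   stream tcp  nowait root /usr/lib/vmware/openssh/bin/sshd sshd -i
ssh   stream tcp6 nowait root /usr/lib/vmware/openssh/bin/sshd sshd -i
ftp   stream tcp  nowait root /var/run/a a
"""

# Assumed allowlist of server binaries a clean ESXi inetd.conf is expected to reference.
ALLOWED_SERVER_PATHS = {"/usr/lib/vmware/openssh/bin/sshd"}

# Runtime/tmpfs locations that should never hold a long-lived inetd service binary.
VOLATILE_DIRS = ("/var/run/", "/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class Finding:
    line_no: int
    service: str
    user: str
    server_path: str
    reason: str


def parse_inetd_conf(text):
    """Yield (line_no, service, sock_type, proto, flags, user, server, args) tuples.

    Comments and blank lines are skipped; lines with fewer than six fields are
    ignored because inetd itself would not accept them as service definitions.
    """
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 6:
            continue
        service, sock_type, proto, flags, user, server = fields[:6]
        yield no, service, sock_type, proto, flags, user, server, fields[6:]


def audit_inetd_conf(text, allowed_paths=ALLOWED_SERVER_PATHS):
    """Return a list of Findings for suspicious inetd.conf service definitions."""
    findings = []
    for no, service, _, _, _, user, server, _ in parse_inetd_conf(text):
        if server.startswith(VOLATILE_DIRS):
            reason = "server binary lives in a volatile runtime directory"
        elif server not in allowed_paths:
            reason = "server binary is not on the allowlist"
        else:
            continue
        findings.append(Finding(no, service, user, server, reason))
    return findings


if __name__ == "__main__":
    for f in audit_inetd_conf(SAMPLE_INETD_CONF):
        print(f"line {f.line_no}: {f.service} -> {f.server_path} as {f.user}: {f.reason}")
```

Because the reported tradecraft restores inetd.conf after the backdoor has been triggered, a one-off scan of the file on disk will usually come back clean. The check is most useful when run against periodic snapshots of the file, or when paired with alerting on modifications to /var/run/inetd.conf and on inetd being signalled to reload, so that the transient entry is caught while it exists.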
The malware was observed in intrusions investigated in December 2025 in which attackers likely gained initial access through a compromised SonicWall VPN appliance, used compromised Domain Admin credentials for lateral movement, and then deployed the ESXi exploit toolkit from Windows systems. Huntress assessed the operators as Chinese-speaking based on simplified Chinese development artifacts in related tooling, though the content does not attribute VSOCKpuppet itself to a specific named threat actor. The activity targeted VMware ESXi hypervisors and was associated with data staging for exfiltration and possible ransomware preparation.
High-confidence indicators directly mentioned in the content include the filename/name VSOCKpuppet, its classification as a Linux-based/ELF payload on ESXi, VSOCK port 10000, the dropped path /var/run/a, and the SHA-256 hash c3f8da7599468c11782c2332497b9e5013d98a1030034243dfed0cf072469c89.
Vulnerabilities exploited
3 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
CVE-2025-22225 (8.2 severity score): An arbitrary write vulnerability in ESXi that allows escaping the VMX sandbox to the kernel
CVE-2025-22224 (9.3 severity score): A TOCTOU vulnerability in Virtual Machine Communication Interface (VMCI) leading to an out-of-bounds write, allowing code execution as the VMX process
CVE-2025-22226 (7.1 severity score): An out-of-bounds read in HGFS that allows leaking memory from the VMX process. Of the three bugs, only CVE-2025-22224 (9.3) carries a critical-range severity score.
Recent activity
9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A stealthy backdoor used to maintain persistent control of VMware ESXi hypervisors via VSOCK-based communications, helping attackers retain access and evade traditional network monitoring.
VSOCKpuppet is a stealthy backdoor that leverages VSOCK channels to provide persistent remote control of VMware ESXi hypervisors from guest VMs, evading traditional network monitoring.
A backdoor deployed on compromised VMware ESXi hosts, using VSOCK for covert communication and persistence after a hypervisor escape exploit.
A 64-bit ELF backdoor that provides persistent remote access to compromised VMware ESXi hosts, communicating over the VSOCK protocol to evade traditional network monitoring.