Google Warns of Rising Cyber Threats Targeting Hypervisors
Google Cloud Security has issued a warning that hypervisors, the core virtualization layer in modern IT environments, are becoming a significant cybersecurity vulnerability. The company highlights that while organizations have focused on securing endpoints, hypervisors have often been left unmonitored, running outdated software and configured with insecure defaults. This oversight, combined with deep integrations into legacy identity services, makes hypervisors a high-leverage target where a single compromise could grant attackers control over an entire digital infrastructure.
Google's forecast for 2026 anticipates a surge in fast-moving cyberattacks aimed at hypervisors, primarily driven by financially motivated threat actors. The report urges enterprises to shift their security strategies to address these emerging risks, emphasizing that the virtualization fabric is evolving from a defensive asset into a critical blind spot susceptible to systemic disruption. Organizations are advised to prioritize monitoring and securing hypervisors to prevent large-scale breaches and maintain control over their digital estates.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
1 event from the most recent confirmed update back to the earliest known activity.
Story first reported
Initial story creation
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Rising Threats to Hypervisors Amid AI and Cloud Expansion
Security experts from Google Cloud have warned that hypervisors and virtualized infrastructure are becoming increasingly attractive targets for cyber attackers. This trend is driven by the widespread adoption of cloud services, containers, and artificial intelligence systems, which expand the attack surface and introduce new vulnerabilities. Hypervisors, often lacking robust external security controls and sometimes running outdated software, are particularly at risk due to their deep integration with identity platforms like Active Directory. The adoption of AI agents, many of which operate with elevated privileges, further exacerbates the risk by increasing the potential impact of a compromise at the hypervisor level. A successful attack on a hypervisor can have cascading effects across an organization, making it a high-value target for threat actors. Google Cloud's 2026 security forecast anticipates a significant increase in targeting of hypervisors, underscoring the need for organizations to strengthen security measures around their virtualized environments.
Mar 21, 2026
Surge in Ransomware Attacks Targeting Hypervisors, Led by Akira Group
Security researchers have reported a dramatic increase in ransomware attacks targeting hypervisors, with Huntress data showing that the proportion of ransomware incidents involving hypervisors jumped from 3% in the first half of 2025 to 25% in the second half. The Akira ransomware group has been identified as the primary actor behind this trend, exploiting the limited visibility and security controls typically present on hypervisors to bypass traditional endpoint and network defenses. Attackers are leveraging built-in tools such as OpenSSL to encrypt virtual machine volumes directly from the hypervisor, allowing them to impact dozens or hundreds of VMs simultaneously and avoid detection by endpoint security solutions. This shift in tactics underscores the critical need for organizations to harden their hypervisor infrastructure with the same rigor as endpoints and servers. Security experts recommend measures such as patching, strict access control, runtime hardening, and robust backup and recovery strategies to mitigate the risk. The trend highlights that as defenders improve endpoint security, adversaries are increasingly targeting the foundational layers of virtualized environments, making hypervisor security a top priority for organizations relying on virtualization technologies like ESXi.
Mar 21, 2026
BRICKSTORM Threat Highlights vCenter Server as a Tier-0 Target
Google Cloud's Mandiant warned that VMware vCenter Server Appliance (**VCSA**) should be treated as a **Tier-0** asset because compromise can hand attackers administrative control over managed **ESXi** hosts and virtual machines, expose virtual disk data, and enable stealthy activity through **Photon OS** shell access that often lacks remote command logging. The guidance ties these risks to **BRICKSTORM** malware activity and emphasizes that vCenter commonly underpins highly sensitive workloads, including domain controllers and privileged access management systems. The report says operational dependencies can magnify the impact of a vCenter intrusion because many organizations run **Active Directory** domain controllers inside the same vSphere environment, complicating authentication and recovery if vCenter, networking, or datastores are disrupted. Mandiant urged defenders to harden and patch vSphere environments, strengthen identity controls and network segmentation, and improve logging and forensic visibility, while noting that **vSphere 7** reached end of life in October 2025 and no longer receives security fixes unless organizations upgrade.
Apr 9, 2026