SecureWorld News

Scattered Spider Targets U.S. Critical Infrastructure Through VMware Attacks

Written by Drew Todd | Mon | Jul 28, 2025 | 7:13 PM Z

A new report from Google's Threat Intelligence Group (GTIG) reveals how the cybercriminal group known as Scattered Spider is escalating its campaign against U.S. critical infrastructure—this time by compromising the backbone of enterprise virtualization: VMware vSphere. The threat actors are bypassing traditional endpoint protections by directly attacking the hypervisor layer, utilizing social engineering and identity compromise to hijack administrative access and deploy ransomware from within.

These attacks are especially alarming for industries that depend on high availability, such as airlines, transportation, and retail, where even a short outage can result in millions of dollars in losses. According to GTIG, the attacks are unfolding in mere hours, and their stealthy nature leaves little trace behind.

A persistent and evolving threat

Scattered Spider, also known as UNC3944, 0ktapus, and Octo Tempest, has built a reputation as one of the most effective social engineering crews operating today. The group first gained prominence through high-profile breaches of organizations such as MGM Resorts and Caesars Entertainment in 2023. While several members were recently arrested in the U.K., the group appears not only to have recovered but to have leveled up.

What makes Scattered Spider particularly dangerous is its ability to operate without relying on malware or software vulnerabilities. Instead, it impersonates users and support staff through vishing and spear phishing, manipulating IT help desks into resetting credentials and multi-factor authentication (MFA) settings. From there, the group pivots into privileged environments, such as Active Directory and VMware vSphere, gaining administrative access and ultimately executing ransomware from the hypervisor layer.

Inside the VMware campaign

The recent GTIG report details a sophisticated attack chain in which Scattered Spider uses social engineering to compromise accounts with access to VMware infrastructure. Once inside, the attackers escalate their privileges by targeting administrative groups such as "vSphere Admins." They then log in to the vCenter Server Appliance (VCSA), enabling SSH access on ESXi hypervisors and deploying remote access tools, such as Teleport.

With control over the hypervisor, they power off critical virtual machines—including domain controllers—and detach their virtual disks. This allows them to extract Active Directory databases without triggering logs or alerts, since the systems are no longer running. At the same time, they delete backup jobs and prune VM snapshots, ensuring that victims have no easy recovery path.

The final step in the campaign involves deploying ransomware—often BlackCat/ALPHV or RansomHub—directly from the ESXi hosts, encrypting virtual machine datastores and shutting down entire environments in a single coordinated strike.

Experts warn of infrastructure blind spots

According to Jason Soroko, Senior Fellow at Sectigo, these attacks expose a fundamental weakness in hybrid cloud environments: human error.

"Scattered Spider has shown that the weakest link in a modern hybrid cloud is still the human who answers the help desk phone," Soroko said. He emphasized that virtualization—which is meant to simplify operations—also centralizes risk. "Once a trusted vSphere account is reset for them, they move laterally with built-in utilities, turning the supposed advantage of virtualization into a liability."

Rom Carmel, CEO of Apono, echoed these concerns, describing Scattered Spider's latest tactics as a "campaign-style cyber sabotage." He noted that the group is no longer focused on quick account takeovers, but rather full infrastructure compromise. "They're bypassing endpoint defenses and striking at the infrastructure layer," he said, adding that "no malware is required for initial access, and the attackers blend in with legitimate admin activity."

Security experts agree that once the group obtains root-level access, backup destruction and data exfiltration become inevitable. Nivedita Murthy of Black Duck noted the increased frequency of spear phishing attacks directed at help desks, and warned that these teams often "hold the keys to the first few doors of the kingdom."

Why critical infrastructure is a prime target

The sectors most frequently targeted by Scattered Spider—transportation, retail, and insurance—share a common trait: their businesses depend on uninterrupted operations. By attacking the virtualization layer, the group can cause maximum disruption, pushing organizations to consider paying ransoms rather than enduring prolonged outages.

The nature of VMware environments also works in the attackers' favor. Many organizations integrate vSphere with Active Directory, creating a single point of failure for both identity and infrastructure. Once AD is compromised, it can be used to escalate access across the entire virtualization stack.

Furthermore, traditional endpoint detection and response (EDR) tools do not function on ESXi hosts, which are often under-monitored and under-hardened. This gives attackers the ability to operate undetected until it's too late.

A call for infrastructure-centric security

Google’s threat researchers argue that defending against this kind of attack requires a fundamental shift in how organizations approach security. It’s no longer enough to focus on endpoint protection and malware detection. Instead, companies need to adopt infrastructure-aware strategies that include privileged access management, help desk hardening, and hypervisor isolation.

Key recommendations from GTIG and cybersecurity professionals include:

  • Implementing phishing-resistant MFA, such as FIDO2 security keys

  • Eliminating Active Directory integration with vSphere where possible

  • Enforcing "Just-in-Time" and "Just-Enough-Access" policies to reduce standing administrative privileges

  • Encrypting and isolating Tier-0 virtual machines and storing backups in immutable, air-gapped environments

  • Monitoring vCenter and ESXi logs for unusual activity, such as unauthorized SSH access or mass VM shutdowns
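As an added illustration of the last recommendation (monitoring vCenter and ESXi logs), and not code from the GTIG report or the article: a small Python detector run over constructed, simplified log lines that flags SSH being enabled on a host, snapshot removal, and a burst of VM power-offs by one account within a short window. The line format, event names, hosts and account names are assumptions; real vpxd/hostd logs would first have to be mapped onto these fields by a SIEM parser.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified event lines, not real vpxd/hostd output; map real logs to these fields.
SAMPLE_LOG = """\
2025-07-28T01:02:10Z esx01 hostd: user=admin01 event=ssh.service.enabled
2025-07-28T01:03:05Z vcsa vpxd: user=admin01 event=vm.poweroff vm=DC01
2025-07-28T01:03:20Z vcsa vpxd: user=admin01 event=vm.poweroff vm=DC02
2025-07-28T01:03:41Z vcsa vpxd: user=admin01 event=vm.poweroff vm=FS01
2025-07-28T01:04:02Z vcsa vpxd: user=admin01 event=vm.poweroff vm=SQL01
2025-07-28T01:05:00Z vcsa vpxd: user=admin01 event=vm.snapshot.removeall vm=DC01
2025-07-28T09:30:00Z vcsa vpxd: user=ops02 event=vm.poweroff vm=TEST07
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) \S+: user=(?P<user>\S+) event=(?P<event>\S+)(?: vm=(?P<vm>\S+))?$")

def parse(log_text):
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines that do not match the assumed format are skipped
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(d)
    return events

def detect(events, threshold=3, window=timedelta(minutes=5)):
    # Rules drawn from the campaign: SSH turned on, snapshots pruned, burst of power-offs.
    alerts = []
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "ssh.service.enabled":
            alerts.append(("ssh_enabled", e["user"], e["host"]))
        elif e["event"].startswith("vm.snapshot.remove"):
            alerts.append(("snapshot_removed", e["user"], e["vm"]))
        elif e["event"] == "vm.poweroff":
            by_user[e["user"]].append(e)
    for user, offs in by_user.items():
        # Sliding window: largest run of power-offs whose timestamps span at most `window`.
        offs.sort(key=lambda x: x["ts"])
        best, start = [], 0
        for end, e in enumerate(offs):
            while e["ts"] - offs[start]["ts"] > window:
                start += 1
            if end - start + 1 > len(best):
                best = offs[start:end + 1]
        if len(best) >= threshold:
            alerts.append(("mass_poweroff", user, tuple(o["vm"] for o in best)))
    return alerts
```

A single power-off by a different account outside the window (ops02 in the sample) produces no alert, which is the point of the per-user sliding window rather than a global count.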

As Soroko put it, "Until organizations treat social engineering resistance and privileged identity isolation as availability controls rather than mere compliance tasks, threat groups like Scattered Spider will keep turning ordinary IT conveniences into precision-guided weapons."

The path forward

Scattered Spider's campaign against VMware infrastructure marks a turning point in how ransomware crews operate. No longer satisfied with desktop-level access, they are targeting the very platforms enterprises use to scale and manage their critical systems. In doing so, they bypass the traditional cybersecurity perimeter and undermine the foundation of digital resilience.

For U.S. critical infrastructure providers, the message is clear: rethink your defenses. The next attack might not come through a phishing link; it might come from the hypervisor you forgot to monitor.
