Scattered Spider group targets VMware vSphere environments

Posted date 14/08/2025

The cyber threat group known as Scattered Spider has made headlines again in 2025 after intensifying its campaigns against corporate environments that run VMware vSphere, a widely adopted server virtualization platform.

Also tracked by various cybersecurity firms as UNC3944 or Muddled Libra, the group has notably evolved its tactics. Its most recent activity is specifically aimed at compromising VMware ESXi hypervisors, a critical component in many enterprise infrastructures, in order to deploy ransomware against the virtual machines hosted on them.

Unlike in earlier campaigns, Scattered Spider does not encrypt individual physical systems but instead targets the virtualization layer, where a single compromised host gives it control over every guest it runs and therefore a far greater operational impact. To gain initial access, the group combines advanced social engineering, spear phishing and, in many cases, impersonation of employees in order to obtain legitimate credentials. Once inside, the attackers use remote administration tools and custom scripts to move laterally across the network and compromise the virtualized systems.

According to recent analyses, this campaign poses a significant threat to organizations that rely on virtual environments, since compromising the hypervisors can take down many systems and services at once. Moreover, because the attackers operate with legitimate credentials and standard administrative tools, their activity blends in with normal operations and is harder for traditional defenses to detect.