Chinese-Speaking Threat Actors Exploit VMware ESXi via Compromised SonicWall VPN

Chinese-Speaking Threat Actors Exploit VMware ESXi via Compromised SonicWall VPN

First seen 8 Jan 2026, 23:52 UTC HuntressBleepingcomputer 80% similarity 24.3

Article Content

Browse articles
ThreatCluster

In December 2025, Chinese-speaking threat actors exploited vulnerabilities in VMware ESXi using a toolkit delivered through a compromised SonicWall VPN appliance. The toolkit included exploits for three zero-day vulnerabilities disclosed in March 2025, with evidence suggesting initial access was gained through the VPN. The toolkit's development paths contained simplified Chinese strings, indicating the actors' linguistic background.

ThreatCluster AI

Community

Browse all →