Hacking Tactics Linked to Retail, Airline Compromises

The loosely connected band of adolescent cybercriminals tracked as Scattered Spider has joined the VMware hypervisor hacking bandwagon, pivoting into virtual servers through corporate instances of Active Directory.
A rash of data theft and ransomware attacks on the retail, airline and insurance sectors by the group is rooted in a “living off the land” approach that differs from traditional Windows ransomware attacks in its speed and stealth, Google-owned threat intel firm Mandiant warned in a Wednesday blog post (see: Scattered Spider Suspected in Qantas Data Breach).
“Critical workloads can be powered off, ransomware can be deployed across the entire virtual environment and virtual machines containing sensitive data such as databases, domain controllers, or proprietary code can be cloned and exfiltrated,” said Christiaan Beek, senior director of threat intelligence and analytics at Rapid7, in an email to Information Security Media Group.
The group of native English-speaking cybercriminals is proficient at manipulating help desks into giving up high-value passwords. Mandiant said Scattered Spider actors use social engineering to gain access to Active Directory environments, where they look for tightly integrated VMware vSphere deployments – an integration corporate environments favor for its convenience.
Hackers have long targeted vSphere, knowing that its ESXi hypervisors underpin mission-critical services but are often only half-defended. The share of newly developed ransomware that specifically targets ESXi systems grew from roughly 2% in 2020 to more than 10% in 2024, Mandiant said. Threat actors most frequently deployed the Redbike, RansomHub and LockBit.Black variants, according to its data.
Hacker motives for targeting vSphere come down to the immense disruption an ESXi hack can cause, along with systemic security weaknesses underlying the technology. Mandiant said it has observed “a distinct trend” of corporations repatriating critical workloads from public clouds to on-premises vSphere environments, stemming partly from demands for more operational oversight.
But upgrading hypervisors can be difficult and expensive, leaving known but unpatched vulnerabilities for hackers to exploit. VMware’s proprietary hypervisor does not support running endpoint detection and response agents on the host. The company’s vCenter Server platform doesn’t necessarily integrate well with security information and event management platforms. As security firm Sophos wrote in 2024, the bar for a successful attack against an ESXi host is far lower than for an attack against the virtual machines themselves. “Why deal with EDR, and potentially even MDR (managed detection and response), by attacking the VMs themselves, when you can just duck all those protections and target the underlying, insecurely configured host?”
Integration with Active Directory adds yet another layer of insecurity, Mandiant said, because ESXi does not support multifactor authentication for Active Directory users. “Domain joining exposes critical hypervisor access to single-factor password-based authentication,” it warned.
Scattered Spider’s insight has been that social engineering its way into Active Directory gives it an “avenue to exfiltrate data and deploy ransomware directly from the hypervisor,” Mandiant said. And unlike traditional ransomware deployments, Scattered Spider is moving from penetrating Active Directory to deploying crypto-locking malware within hours.
Mandiant separately advised enterprises not to join ESXi hosts directly to Active Directory. “Manage all host access exclusively through vCenter roles and permissions. This drastically reduces the attack surface,” it said.
After gaining initial access, Scattered Spider hackers look for Active Directory security groups such as “vSphere Admins” or “ESX Admins” that carry administrative rights over the virtual environment. Finding such a group can lead to a second social engineering attack in which the attacker impersonates a member of that group and asks the help desk for a password reset. Armed with the new password and facing no multifactor challenge, the attacker can obtain and maintain root access to the virtual environment.
“Scattered Spider’s shift to targeting VMware vSphere represents a broader trend,” said Dave Spencer, director of technical product management at Immersive. “This is why it’s critical that virtualization software is not domain-joined, and why administrators should not access these systems from their day-to-day accounts. Instead, they should be using privileged access workstations.”
Mandiant recommended a slew of security upgrades to prevent Scattered Spider attacks, including implementing phishing-resistant MFA for vCenter and enabling remote logging for ESXi and vCenter. Ultimately, companies will have to make a choice, Mandiant said.
“The evolution of the threat landscape, particularly the direct targeting of the hypervisor layer which bypasses traditional endpoint defenses, necessitates a fundamental shift in how vSphere security is approached.”
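As an added example, not code from Mandiant, Broadcom or this article, the POSIX shell script below checks the two host-level conditions that Mandiant’s advice above turns on: whether an ESXi host is joined to Active Directory (the recommendation being to manage host access through vCenter roles instead) and whether it ships its logs to a remote syslog target. It parses the key/value output of `/usr/lib/vmware/likewise/bin/domainjoin-cli query`, `esxcli system settings advanced list -o /Config/HostAgent/plugins/hostsvc/esxAdminsGroup` and `esxcli system syslog config get`; the exact output layout is assumed from those tools’ key/value style, and the embedded sample text is constructed rather than captured from a real host.

```shell
#!/bin/sh
# Added audit example; not code from Mandiant, Broadcom or the article.
# Checks two ESXi host conditions the article calls out: membership in an
# Active Directory domain (password-only admin access via an AD group) and a
# missing remote syslog target. Assumptions: the parsers expect the key/value
# layout of `/usr/lib/vmware/likewise/bin/domainjoin-cli query`,
# `esxcli system settings advanced list -o /Config/HostAgent/plugins/hostsvc/esxAdminsGroup`
# and `esxcli system syslog config get`; all sample text below is constructed.

# Print the value of the first "Key: value" or "Key = value" line whose key
# matches $1 exactly (leading/trailing whitespace ignored). Reads stdin.
field() {
    awk -v k="$1" '
    {
        line = $0; sub(/^[ \t]+/, "", line)
        p = match(line, /[:=]/); if (p == 0) next
        key = substr(line, 1, p - 1); sub(/[ \t]+$/, "", key)
        if (key != k) next
        val = substr(line, p + 1); sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
        print val; exit
    }'
}

# True when domainjoin-cli reports a non-empty Domain (host is AD-joined).
esxi_is_domain_joined() { [ -n "$(printf '%s\n' "$1" | field Domain)" ]; }

# The AD group auto-granted the Administrator role on the host ("ESX Admins" by default).
esxi_admin_group() { printf '%s\n' "$1" | field "String Value"; }

# True when a remote syslog target is configured ("<none>" means logs stay on the host).
esxi_has_remote_syslog() {
    rh=$(printf '%s\n' "$1" | field "Remote Host")
    [ -n "$rh" ] && [ "$rh" != "<none>" ]
}

# $1 domainjoin-cli output, $2 esxAdminsGroup setting output, $3 syslog config output.
# Prints one FINDING line per issue; exit status is the number of findings.
audit_esxi() {
    findings=0
    if esxi_is_domain_joined "$1"; then
        printf 'FINDING: host joined to AD domain "%s"; AD group "%s" receives the Administrator role with password-only authentication. Leave the domain and grant host access through vCenter roles instead.\n' \
            "$(printf '%s\n' "$1" | field Domain)" "$(esxi_admin_group "$2")"
        findings=$((findings + 1))
    fi
    if ! esxi_has_remote_syslog "$3"; then
        printf 'FINDING: no remote syslog target, so an attacker with root on the host can erase the only copy of its logs. Fix: esxcli system syslog config set --loghost=tcp://<collector>:514 && esxcli system syslog reload\n'
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed samples (not captured from a real host).
SAMPLE_JOIN_QUERY=$(cat <<'EOF'
Name = esx01
Domain = CORP.EXAMPLE.COM
Distinguished Name = CN=ESX01,CN=Computers,DC=corp,DC=example,DC=com
EOF
)
SAMPLE_JOIN_NONE=$(cat <<'EOF'
Name = esx02
Domain =
EOF
)
SAMPLE_ADMIN_GROUP=$(cat <<'EOF'
   Path: /Config/HostAgent/plugins/hostsvc/esxAdminsGroup
   Type: string
   String Value: ESX Admins
   Default String Value: ESX Admins
   Description: Active Directory group that will be automatically granted the Administrator role on the host
EOF
)
SAMPLE_SYSLOG_NONE=$(cat <<'EOF'
   Local Log Output: /scratch/log
   Remote Host: <none>
EOF
)
SAMPLE_SYSLOG_SET=$(cat <<'EOF'
   Local Log Output: /scratch/log
   Remote Host: tcp://siem.corp.example.com:514
EOF
)

# With --live on an ESXi host (assumption: run as root from the ESXi shell), audit real output.
if [ "${1:-}" = "--live" ] && command -v esxcli >/dev/null 2>&1; then
    audit_esxi "$(/usr/lib/vmware/likewise/bin/domainjoin-cli query 2>/dev/null)" \
        "$(esxcli system settings advanced list -o /Config/HostAgent/plugins/hostsvc/esxAdminsGroup)" \
        "$(esxcli system syslog config get)"
    exit $?
fi

# Offline demonstration against the constructed samples.
audit_esxi "$SAMPLE_JOIN_QUERY" "$SAMPLE_ADMIN_GROUP" "$SAMPLE_SYSLOG_NONE" || echo "esx01: $? finding(s)"
audit_esxi "$SAMPLE_JOIN_NONE" "$SAMPLE_ADMIN_GROUP" "$SAMPLE_SYSLOG_SET" && echo "esx02: clean"
```

Run with `--live` from the ESXi shell to audit a real host. The script is deliberately host-local: the phishing-resistant MFA and vCenter role recommendations live in vCenter, and the remote log target it asks for is only useful if the collector actually retains ESXi and vCenter events somewhere the hypervisor’s root account cannot reach.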