Sygnia, a global leader in cyber readiness and incident response, has revealed a sophisticated espionage campaign by a China-nexus threat actor, dubbed Fire Ant, targeting critical infrastructure. The campaign, uncovered on July 24, 2025, exploits VMware ESXi and vCenter environments, using advanced tactics to infiltrate isolated networks and maintain persistent access.
Sygnia identifies Fire Ant, a China-nexus threat actor, targeting critical infrastructure.
Focuses on VMware ESXi and vCenter for espionage and long-term persistence.
Uses multi-layer attack chains to bypass traditional security measures.
Exploits network appliances to tunnel across segmented networks.
Deploys redundant backdoors to evade detection and eradication efforts.
Highlights need for enhanced visibility in hypervisor and infrastructure layers.
Since early 2025, Sygnia has tracked Fire Ant’s persistent attacks on VMware ESXi and vCenter environments, critical components of virtualized infrastructure. “Fire Ant shows incredibly advanced capabilities to infiltrate and conduct espionage campaigns, avoiding detection and multi-layered traditional security measures by targeting infrastructure blind spots,” said Yoav Mazor, Head of Incident Response, APJ at Sygnia. The threat actor’s ability to adapt and deploy redundant persistence mechanisms underscores its resilience.
Fire Ant focuses on virtualization management layers, extracting service account credentials and deploying persistent backdoors on ESXi hosts and vCenter servers. This allows the threat actor to maintain access across system reboots, exploiting vulnerabilities like CVE-2023-34048 and CVE-2023-20867, previously linked to the China-nexus group UNC3886. These tactics enable Fire Ant to operate beneath traditional endpoint security detection thresholds.
Fire Ant’s infrastructure-centric tactics include compromising network appliances to tunnel across segmented networks, bridging isolated environments through legitimate pathways. This approach, combined with multi-layer attack chains, allows Fire Ant to move laterally across organizations, targeting critical infrastructure in sectors such as defense, technology, and telecommunications. The campaign’s stealth exposes gaps in conventional security stacks.
“Fire Ant’s method of infiltration places heightened pressure on the cybersecurity community and underscores the importance of visibility and detection within the hypervisor and infrastructure layer where traditional endpoint security tools often struggle to identify malicious activity,” said Mazor. Sygnia recommends adopting proactive, multi-layered security approaches, including regular patching, lockdown modes, and enhanced monitoring of virtualization environments.
Sygnia’s investigation into Fire Ant reveals the growing sophistication of nation-state cyber threats. By targeting critical infrastructure with advanced persistence mechanisms, Fire Ant underscores the urgent need for organizations to strengthen visibility and resilience in virtualized environments to counter espionage campaigns effectively.
Sygnia is the world’s foremost cyber response and readiness expert. It applies creative approaches and bold solutions to each phase of an organization’s security journey, meeting them where they are to ensure cyber resilience. Sygnia is the trusted advisor and service provider of leading organizations worldwide, including Fortune 100 companies. Sygnia is a Temasek company, part of the ISTARI Collective.