CODE BLUE 2025

Time Table

[Sygnia] Fire Ant: A Chinese Espionage Group Operating Beneath the Hypervisor

DAY 1

11:20-11:50

Virtualization platforms have long been the backbone of enterprise infrastructure, but they have become the new playground for nation-state espionage groups. What ransomware operators once treated as the “finish line” for maximum disruption has now evolved into a highway for persistence, privilege escalation, and stealthy lateral movement. In this session, Sygnia will present a deep-dive case study of Fire Ant, a China-nexus threat actor we tracked during several incident response engagements. The talk will unfold as a technical thriller - beginning with a strange alert inside a guest VM and leading investigators down to the hypervisor and beyond.

We will detail how Fire Ant:

  • Exploited vCenter and ESXi vulnerabilities to deploy persistent backdoors.
  • Abused PowerCLI to execute commands in guest VMs from the hypervisor layer, bypassing endpoint defenses.
  • Disabled ESXi logging to blind investigators.
  • Deployed hidden rogue VMs invisible to inventory systems.
  • Assigned public IPs to compromised VMs, transforming them into Internet-facing entry points.
  • Used advanced stealth techniques, including rootkits, to maintain resilience even during remediation.

The presentation will not only expose Fire Ant’s tactics, but also showcase the investigation methodologies we used - correlating NetFlow, ARP tables, and PowerCLI sweeps to unmask attacker activity that would otherwise remain invisible.
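The ARP-table-versus-inventory correlation mentioned above, as an added example that is not part of the talk or of Sygnia's tooling: a rogue VM that is hidden from the vCenter inventory still has to answer ARP on the network, so every MAC seen by the switches is checked against the MACs the inventory knows about. The ARP excerpt and the inventory CSV below are constructed sample data; the CSV is assumed to come from a PowerCLI sweep of VM network adapters, and the VMware OUI list is the standard set of VMware-assigned prefixes.

```python
"""Surface hosts that answer on the network but are absent from the VM inventory.

The ARP table and the inventory CSV are constructed sample data (hypothetical
hosts). The inventory is assumed to be a CSV export of VM name and MAC address
produced by a PowerCLI sweep; any such export with a MacAddress column works.
"""
import csv
import io
import re

# VMware-assigned OUIs: 00:50:56 (vCenter-assigned), 00:0C:29 (ESXi auto-generated),
# 00:05:69 and 00:1C:14 (older ranges). A MAC in these ranges that the inventory
# does not know about is a strong lead for a VM hidden from inventory.
VMWARE_OUIS = {"00:50:56", "00:0c:29", "00:05:69", "00:1c:14"}

# Constructed sample: a Cisco-style "show ip arp" excerpt from the core switch.
ARP_TABLE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.20.1.11             12   0050.5681.aa01  ARPA   Vlan20
Internet  10.20.1.12              3   0050.5681.aa02  ARPA   Vlan20
Internet  10.20.1.57              0   000c.29d4.7e10  ARPA   Vlan20
Internet  10.20.1.254            45   0011.2233.4455  ARPA   Vlan20
"""

# Constructed sample: inventory export (assumed shape of a PowerCLI sweep).
INVENTORY_CSV = """\
Name,MacAddress
app-web-01,00:50:56:81:aa:01
app-web-02,00:50:56:81:aa:02
"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Accepts Cisco dotted (0050.5681.aa01), colon and dash notations.
MAC_RE = re.compile(
    r"\b((?:[0-9a-fA-F]{4}\.){2}[0-9a-fA-F]{4}|(?:[0-9a-fA-F]{2}[:-]){5}[0-9a-fA-F]{2})\b"
)


def normalize_mac(mac):
    """Canonicalise any common MAC notation to lower-case colon form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_arp_table(text):
    """Return {mac: ip} for every line carrying both an IPv4 address and a MAC."""
    entries = {}
    for line in text.splitlines():
        ip = IP_RE.search(line)
        mac = MAC_RE.search(line)
        if ip and mac:
            entries[normalize_mac(mac.group(1))] = ip.group(1)
    return entries


def load_inventory_macs(csv_text):
    """MACs the inventory knows about, canonicalised."""
    return {normalize_mac(row["MacAddress"]) for row in csv.DictReader(io.StringIO(csv_text))}


def find_unlisted_hosts(arp_text, inventory_csv):
    """Every ARP entry whose MAC is missing from the inventory.

    Returns sorted (ip, mac, is_vmware_oui) tuples. Entries with a VMware OUI are
    the priority leads; the rest still deserve a look, since an attacker can set
    any MAC on a rogue VM's adapter.
    """
    arp = parse_arp_table(arp_text)
    known = load_inventory_macs(inventory_csv)
    return sorted((ip, mac, mac[:8] in VMWARE_OUIS) for mac, ip in arp.items() if mac not in known)


if __name__ == "__main__":
    for ip, mac, vmware in find_unlisted_hosts(ARP_TABLE, INVENTORY_CSV):
        tag = "VMware OUI, not in inventory" if vmware else "unknown MAC, review"
        print(f"{ip:<15} {mac}  {tag}")
```

Run it against a real ARP dump and an inventory export from every vCenter in the estate; a VMware-OUI MAC that none of them lists is where the PowerCLI sweep of the ESXi hosts themselves should start, since a VM registered directly on a host can be absent from vCenter's view.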

Attendees will leave with:

  • A technical blueprint of hypervisor-level espionage operations.
  • Practical detection and investigation techniques for unmonitored infrastructure.
  • Strategic lessons on how incident response must evolve when facing adaptive, nation-state adversaries.

This is a rare look into the reality of fighting an APT beneath the hypervisor, told from the front lines of incident response.

Speakers:
Asaf Perlman (アサフ・パールマン), Sygnia Incident Response Team Leader

  • Location: Track 2 (HALL A)
  • Category: OpenTalks