Scattered Spider Hackers Take Aim at VMware ESXi: Social Engineering Fuels Full-Scale Virtual Takeovers

A highly aggressive hacking group, dubbed Scattered Spider, has shifted its crosshairs toward the backbone of U.S. enterprise IT infrastructure: virtualized environments. Security experts are warning that the group is now routinely targeting VMware ESXi hypervisors, the very core of modern data centers, with a campaign that relies not on zero-day exploits but on phone calls and well-rehearsed lies.

Instead of cracking code, they’re cracking people—and it’s working.

Phone Calls, Not Malware

The Scattered Spider crew isn’t trying to hack software. They’re hacking humans. According to Google’s Threat Intelligence Group (GTIG), the hackers’ attacks start with a simple, familiar act: a call to the help desk.

One of the group’s operatives pretends to be an employee, sometimes using the employee’s real name and internal lingo, to trick IT support into resetting the target’s Active Directory password. This initial step opens the door. It works wherever the help desk verifies identity with facts an outsider can learn (name, manager, employee number) rather than with a callback to a known number or an in-person check.

From there, the threat actor moves quickly, scouring the network for IT documentation. They’re not just poking around randomly. They’re hunting for gold—admin credentials, privileged access management tools, security group hierarchies. Anything that gives them more control.

Then comes phase two: a second phone call, this time pretending to be an IT administrator. With the name of a real privileged user in hand, they ask for another password reset. Just like that, they own a privileged account.


Why VMware vSphere Is in Their Crosshairs

Once inside, Scattered Spider sets its sights on the VMware vCenter Server Appliance (vCSA). This is a critical system that allows companies to manage all the virtual machines (VMs) in their environment. Controlling vCSA is like seizing the command deck of a spaceship—suddenly, nothing is off-limits.

Access to vCSA lets the hackers enable SSH on ESXi hosts and reset root passwords, which are keys to the kingdom. From there, it’s game over for most companies.

They power off domain controller VMs, detach their virtual disks and attach them to a VM they control, then copy the NTDS.dit file, the Active Directory database that stores the password hash of every account in the domain (together with the SYSTEM registry hive needed to decrypt it). After that, they neatly reattach the disk and power everything back on, so to the domain controller’s own logs the episode looks like nothing more than an unexpected reboot.

They’re Not Just Encrypting — They’re Erasing

Once they’ve taken the data they want, Scattered Spider delivers a knockout punch. They target backup servers. Not only do they encrypt files using ransomware binaries, but they also wipe out backup jobs, snapshots, and recovery repositories.

Here’s what makes this attack devastating: they do all of it from the hypervisor layer. That means they bypass endpoint security tools completely.

You read that right—security software inside the VMs is blind to what’s happening because the attackers are working underneath it.

  • They disable security agents

  • Reset passwords and access controls

  • Deploy ransomware across entire VM clusters via SSH

It’s swift, it’s silent, and it’s spreading.

The Five-Stage Attack Chain Explained

GTIG has broken the Scattered Spider method into five major stages. Each one builds on the last, and the entire sequence can take just a few hours from start to finish.

  1. Initial Access via Social Engineering: Impersonate an employee, call help desk

  2. Privilege Escalation: Gather IT documentation, impersonate admin for more access

  3. Hypervisor Takeover: Access vCSA, enable SSH, reset root passwords

  4. Data Theft: Execute disk-swap attack, extract Active Directory data

  5. Destruction and Ransomware Deployment: Wipe backups, encrypt VM files

They don’t need exploits. They need trust—and they know how to get it.

Why Organizations Are Failing to Stop Them

One of the reasons this attack model works so well is because companies often don’t fully understand how VMware environments work. The infrastructure is complex, and security controls tend to focus more on endpoints than the virtual layer beneath them.

And that’s a huge blind spot.

Take this stat: According to VMware’s own data, over 70% of enterprise workloads now run on virtual infrastructure. That means the impact of an attack like this is massive.

Still, many teams treat the hypervisor like it’s out of reach for attackers. Scattered Spider just proved otherwise.

Google’s Advice: Three Things That Might Actually Help

In response, Google released a rare technical advisory that breaks down the attack and outlines some actually useful countermeasures.

They recommend:

  • Locking down vSphere: Enable the execInstalledOnly boot option (which blocks execution of binaries that did not ship in an installed VIB), encrypt your VMs so a detached or copied VMDK is unreadable, disable SSH on ESXi hosts, and enforce strict MFA for vCenter and for help-desk password resets

  • Separating Tier 0 assets: Don’t run domain controllers, backup servers, and the privileged access tools that protect them on the same infrastructure they’re supposed to secure, and never under the same admin credentials

  • Monitoring for drift: Alert on changes like SSH enablement, new admin logins, or VM snapshots disappearing

Here’s the gist: Treat your hypervisor like a production environment, not a backstage area.
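The “monitoring for drift” item is the one most teams can act on the same day, so here is an added example of what that detection can look like. It is illustrative code written for this article, not code from Google’s advisory or from VMware. It parses constructed ESXi vobd syslog lines for audit VOB ids (esx.audit.ssh.enabled and esx.audit.lockdownmode.disabled are real VOB ids ESXi writes to syslog) and a constructed vCenter event export, and alerts on SSH enablement, logins from accounts outside an admin allow-list, snapshot removal on Tier 0 VMs, and the power-off / reconfigure / power-on sequence that a disk-swap leaves on a domain controller. The event field names, the RemoveSnapshot task label, the VM names and the user names are assumptions made for the example.

```python
"""Drift detection for vSphere audit data (added example, not from the article).

Inputs are constructed: the vobd lines mimic the shape of ESXi's syslog
output and the vCenter events mimic an exported event list.  Field names
and task labels are assumptions; adapt them to your own log pipeline.
"""
import re
from datetime import datetime, timedelta

# ESXi vobd audit messages worth paging on.  The first two VOB ids are real
# ones ESXi emits; the dictionary is a starting point, not a full catalogue.
WATCHED_VOBS = {
    "esx.audit.ssh.enabled": "SSH enabled on ESXi host",
    "esx.audit.lockdownmode.disabled": "Lockdown mode disabled on ESXi host",
    "esx.audit.account.locked": "ESXi account locked after failed logins",
}
VOB_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+vobd.*?\[(?P<vob>esx\.audit\.[\w.]+)\]\s*(?P<msg>.*)$"
)

RULE_LOGIN = "vCenter login from account outside the admin allow-list"
RULE_SNAPSHOT = "Snapshot removed on Tier 0 VM"
RULE_DISK_SWAP = "Possible disk-swap on Tier 0 VM (power-off, reconfigure, power-on)"

# Constructed sample syslog lines (not captured from a real host).
SAMPLE_VOBD = [
    "2025-07-28T02:14:03Z esx01 vobd[2098911]: [UserLevelCorrelator] 1021540245us: "
    "[esx.audit.ssh.enabled] SSH access has been enabled.",
    "2025-07-28T02:14:09Z esx01 vobd[2098911]: [UserLevelCorrelator] 1021546001us: "
    "[esx.audit.lockdownmode.disabled] Administrator access to the host has been enabled.",
    "2025-07-28T02:15:00Z esx01 vobd[2098911]: [GenericCorrelator] 1021600000us: "
    "[esx.problem.hostd.core.dumped] hostd crashed",  # not an audit VOB, ignored
]

# Constructed vCenter event export.  Event type names follow the vSphere API;
# the "task" label, VM names and user names are assumptions for this example.
SAMPLE_VCENTER = [
    {"time": "2025-07-28T02:10:00Z", "type": "UserLoginSessionEvent", "vm": None, "user": "CORP\\jsmith"},
    {"time": "2025-07-28T02:12:00Z", "type": "VmPoweredOffEvent", "vm": "DC01", "user": "CORP\\jsmith"},
    {"time": "2025-07-28T02:13:30Z", "type": "VmReconfiguredEvent", "vm": "DC01", "user": "CORP\\jsmith"},
    {"time": "2025-07-28T02:13:45Z", "type": "VmReconfiguredEvent", "vm": "STAGING-02", "user": "CORP\\jsmith"},
    {"time": "2025-07-28T02:31:10Z", "type": "VmReconfiguredEvent", "vm": "DC01", "user": "CORP\\jsmith"},
    {"time": "2025-07-28T02:32:00Z", "type": "VmPoweredOnEvent", "vm": "DC01", "user": "CORP\\jsmith"},
    {"time": "2025-07-28T02:40:00Z", "type": "TaskEvent", "task": "RemoveSnapshot", "vm": "BACKUP01", "user": "CORP\\jsmith"},
    {"time": "2025-07-28T05:00:00Z", "type": "VmPoweredOffEvent", "vm": "DC01", "user": "CORP\\vcenter-admin"},
    {"time": "2025-07-28T05:02:00Z", "type": "VmPoweredOnEvent", "vm": "DC01", "user": "CORP\\vcenter-admin"},
]
TIER0_VMS = {"DC01", "BACKUP01"}
KNOWN_ADMINS = {"VSPHERE.LOCAL\\Administrator", "CORP\\vcenter-admin"}


def _t(stamp):
    """Parse an ISO-8601 UTC timestamp ending in Z."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def parse_vob_lines(lines):
    """Return one alert per watched ESXi audit VOB found in the syslog lines."""
    alerts = []
    for line in lines:
        m = VOB_RE.match(line)
        if m and m.group("vob") in WATCHED_VOBS:
            alerts.append({"time": m.group("ts"), "host": m.group("host"),
                           "rule": WATCHED_VOBS[m.group("vob")], "detail": m.group("msg")})
    return alerts


def detect_vcenter_drift(events, tier0_vms, known_admins, window=timedelta(minutes=30)):
    """Flag unknown admin logins, Tier 0 snapshot removal, and disk-swap sequences."""
    alerts = []
    for e in events:
        if e["type"] == "UserLoginSessionEvent" and e["user"] not in known_admins:
            alerts.append({"time": e["time"], "vm": None, "user": e["user"], "rule": RULE_LOGIN})
        if e["type"] == "TaskEvent" and e.get("task") == "RemoveSnapshot" and e["vm"] in tier0_vms:
            alerts.append({"time": e["time"], "vm": e["vm"], "user": e["user"], "rule": RULE_SNAPSHOT})
    # A disk-swap shows up as power-off, one or more reconfigures (disk detached
    # and later reattached), then power-on, all within a short window.  A plain
    # reboot has no reconfigure in between and must not fire.
    power_types = {"VmPoweredOffEvent", "VmReconfiguredEvent", "VmPoweredOnEvent"}
    for vm in tier0_vms:
        seq = sorted((e for e in events if e["vm"] == vm and e["type"] in power_types),
                     key=lambda e: _t(e["time"]))
        off_time, reconfigured = None, False
        for e in seq:
            ts = _t(e["time"])
            if e["type"] == "VmPoweredOffEvent":
                off_time, reconfigured = ts, False
                continue
            if off_time is None or ts - off_time > window:
                off_time, reconfigured = None, False  # stale or unrelated event
                continue
            if e["type"] == "VmReconfiguredEvent":
                reconfigured = True
            elif e["type"] == "VmPoweredOnEvent":
                if reconfigured:
                    alerts.append({"time": e["time"], "vm": vm, "user": e["user"], "rule": RULE_DISK_SWAP})
                off_time, reconfigured = None, False
    return sorted(alerts, key=lambda a: _t(a["time"]))


def run_demo():
    """Run both detectors over the constructed samples and return all alerts."""
    return parse_vob_lines(SAMPLE_VOBD) + detect_vcenter_drift(SAMPLE_VCENTER, TIER0_VMS, KNOWN_ADMINS)


if __name__ == "__main__":
    for a in run_demo():
        print(a["time"], a["rule"], a.get("host") or a.get("vm") or a.get("user"))
```

The disk-swap rule is the one that matters most here: the reconfigure on a domain controller between a power-off and power-on is exactly what a guest-side EDR never sees, and the second reconfigure on the attacker’s own VM (STAGING-02 in the sample) is a useful pivot once the alert fires. Forward ESXi syslog and vCenter events to a collector the vSphere admins cannot edit, or the attacker who owns vCenter can delete the evidence along with the backups.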

Law Enforcement Efforts Haven’t Slowed the Group

Authorities have tried to put the brakes on Scattered Spider. The UK’s National Crime Agency arrested four alleged members recently. But GTIG and other researchers say the group remains active.

They’re decentralized, fast-moving, and apparently well-funded. And they’re targeting major sectors—retail, airlines, transportation, insurance—with increasing confidence.

No one’s safe.

And even though they go by other names like Octo Tempest, UNC3944, or 0ktapus, their playbook remains unchanged: manipulate humans, steal access, crush infrastructure, and cash out.

Navin is a 28-year-old who enjoys going to the movies, hockey and podcasting. He is generous and creative, but can also be very evil and a bit impatient.
