By therecord.media
Publication Date: 2025-07-24 13:34:00
A cyber-espionage campaign linked to a sophisticated hacking group believed to be based in China is continuing to compromise virtualization and networking infrastructure used by enterprises globally, according to a new deep-dive report by cybersecurity company Sygnia.
The hackers are targeting VMware ESXi hypervisors, a type of software that controls and hosts virtual machines for enterprise networks. They are using custom tools that grant persistent access while evading detection by standard security measures such as endpoint detection and response (EDR) systems.
Sygnia is tracking the campaign under the name Fire Ant. The campaign shares similarities with UNC3886, based on what Sygnia’s regional head of incident response described as “unique” engagements.
It follows UNC3886’s spying activities being highlighted by Singapore’s national security minister, Kasiviswanathan Shanmugam, who said the group was behind a series of incidents affecting the country’s critical national infrastructure.
“The intent of this threat actor in attacking Singapore is quite clear. It is going after high value strategic threat targets, vital infrastructure that deliver essential services,” Shanmugam said. While Singapore’s government did not explicitly name China, the Chinese embassy responded by rejecting the allegations as “groundless smears and accusations.”
Yoav Mazor, Sygnia’s head of incident response for Asia Pacific and Japan — who is himself based in Singapore — told…