Edward Kiledjian's Threat Intel

China-linked group Fire Ant exploits VMware and F5 flaws since early 2025

China-linked cyberespionage group Fire Ant has been exploiting VMware and F5 vulnerabilities since early 2025 to breach virtualization and network infrastructure, according to Sygnia. The threat actors exploit CVE-2023-34048, a critical vCenter Server vulnerability that allows unauthenticated remote code execution, then move laterally to ESXi hosts using stolen credentials and deploy persistent backdoors. Fire Ant also compromises F5 load balancers through CVE-2022-1388 and deploys webshells for network tunneling, while using the Medusa rootkit for persistent access and credential harvesting. The group has shown exceptional persistence and adaptability, continuing to operate through eradication efforts and adapting its tactics in real time; technical overlaps suggest alignment with the previously identified UNC3886 threat group.