Nation-State | Hypervisor Persistence Campaign

CybersecurityHQ | Daily Cyber Insight

Welcome reader, here’s today’s Daily Cyber Insight.

Brought to you by:

👣 Smallstep – Secures Wi-Fi, VPNs, ZTNA, SaaS and APIs with hardware-bound credentials powered by ACME Device Attestation

📊 LockThreat – AI-powered GRC that replaces legacy tools and unifies compliance, risk, audit and vendor management in one platform


Executive Snapshot
Your VMware vCenter server is not a management tool. It is a skeleton key to every workload, credential, and identity in your environment.

Signal
Chinese state actors maintained access to victim vCenter environments for over 17 months, cloning VM snapshots to extract credentials and creating hidden rogue VMs invisible to standard monitoring.

Strategic Implication
You hardened your endpoints and segmented your network, but the virtualization layer sits above all of it with root access to everything.

Action
Audit all vCenter and ESXi administrative accounts against your identity baseline today. Block unauthorized DNS-over-HTTPS traffic and external DoH providers at the network edge now. Hunt for anomalous VM creation, snapshot access, and unexpected VSOCK communications across all hypervisor hosts this week.
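A starting point for the hunt described above, added here as an example that is not from the newsletter or from VMware: Python that checks a vCenter event export against an identity baseline and reconciles host-reported VMs with the vCenter inventory. The event type names, record fields, baseline accounts and sample records are constructed assumptions; map them to your own SIEM schema.

```python
"""Hunt helpers for the vCenter actions above (added example, not from the
newsletter). Field names, event names and sample records are constructed
assumptions modelled on a vCenter event export; adapt them to your schema."""

# Constructed identity baseline: principals approved to administer vCenter/ESXi.
ADMIN_BASELINE = {"VSPHERE.LOCAL\\administrator", "CORP\\vc-admins"}
# Assumed event names for VM creation/registration and for snapshot/clone.
CREATE_EVENTS = {"VmCreatedEvent", "VmRegisteredEvent", "VmDeployedEvent"}
COPY_EVENTS = {"VmClonedEvent", "VmSnapshotCreatedEvent"}
# Constructed list of credential-bearing VMs whose snapshots matter most.
SENSITIVE_VMS = {"dc01", "dc02", "vault01"}


def hunt_vm_events(events, baseline=ADMIN_BASELINE):
    """Flag VM creation by non-baseline accounts, and any snapshot/clone
    that is either by a non-baseline account or of a sensitive VM."""
    findings = []
    for e in events:
        kind, user, vm = e["type"], e["user"], e["vm"].lower()
        if kind in CREATE_EVENTS and user not in baseline:
            findings.append(("vm_created_by_unapproved_account", user, vm))
        if kind in COPY_EVENTS and (user not in baseline or vm in SENSITIVE_VMS):
            findings.append(("snapshot_or_clone", user, vm))
    return findings


def find_unmanaged_vms(host_inventory, vcenter_inventory):
    """VMs a host reports but vCenter does not list: candidate rogue VMs that
    were registered outside the normal management path."""
    return sorted(set(host_inventory) - set(vcenter_inventory))


# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    {"type": "VmCreatedEvent", "user": "CORP\\vc-admins", "vm": "web07"},
    {"type": "VmRegisteredEvent", "user": "root", "vm": "backup-svc"},
    {"type": "VmSnapshotCreatedEvent", "user": "CORP\\svc-deploy", "vm": "DC01"},
    {"type": "VmClonedEvent", "user": "CORP\\vc-admins", "vm": "fileshare"},
    {"type": "VmPoweredOnEvent", "user": "root", "vm": "backup-svc"},
]
SAMPLE_HOST_VMS = ["web07", "backup-svc", "dc01"]
SAMPLE_VCENTER_VMS = ["web07", "dc01"]

if __name__ == "__main__":
    for f in hunt_vm_events(SAMPLE_EVENTS):
        print("FINDING", *f)
    print("unmanaged:", find_unmanaged_vms(SAMPLE_HOST_VMS, SAMPLE_VCENTER_VMS))
```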
