HIGH · APT
Verified
United States / Allied Nations

UNC3886 Linked to VMware vCenter Exploitation Campaign Targeting Defense Sector

Source: Mandiant / Microsoft


Executive Summary

UNC3886 exploits known, already-patched VMware vCenter vulnerabilities to deploy the VirtualPita and VirtualPie backdoors across defense contractor virtualization infrastructure.

Analysis

UNC3886 has been observed exploiting patched VMware vCenter Server vulnerabilities at organizations that failed to apply the updates. The group deploys the VirtualPita and VirtualPie malware on ESXi hypervisors, operating below the guest OS layer where EDR agents cannot detect them. The current campaign targets US and allied defense industrial base companies managing classified workloads.

Timeline

Discovered: Feb 20, 2026
Exploitation Detected: Feb 20, 2026
Published: Mar 15, 2026

Indicators of Compromise (2)

CVE (2)
CVE-2025-22224
CVE-2025-22225
Source Attribution

Originally published by Mandiant / Microsoft on Mar 15, 2026. Verified by: Mandiant, Microsoft, CISA.

Related Threats

MEDIUM · APT

AdaptHealth says attackers sweet-talked their way into cloud systems and stole patient data

Connor Jones reports: AdaptHealth says attackers used social engineering to breach its systems and steal sensitive patient data, including passwords associated with insurance billing. The medical equipment company disclosed the attack to the Securities and Exchange Commission (SEC) on Thursday, noting that attackers accessed internal patient management systems, document storage platforms, and exte

DataBreaches.net
MEDIUM · APT

FBI Disrupts Widely Used NetNut Residential Proxy Service

2 Million Home Devices, Including Routers and Smart TVs, Tied to NetNut Botnet. The FBI and private-sector partners have disrupted NetNut, one of the world's biggest and most popular residential proxy networks. Google

Bank Info Security
MEDIUM · APT

Armored Likho Targets Government Agencies, Power Sector with BusySnake Stealer

A previously undocumented threat actor known as Armored Likho has been attributed to cyber attacks targeting government agencies and the electric power sector across Russia, Brazil, and Kazakhstan. "Armored Likho blends financially motivated campaigns targeting private individuals with targeted cyber espionage aimed at organizations," Kaspersky said in a technical analysis published today. "

The Hacker News