Sygnia Uncovers Ongoing Espionage Campaign Targeting Virtual Infrastructure

The Israeli cybersecurity firm links advanced infrastructure-focused espionage campaign to China-affiliated threat group targeting virtual environments


Israeli cybersecurity firm Sygnia has released findings from its investigation into a prolonged cyber espionage campaign that it attributes to a China-affiliated threat actor. The campaign, which Sygnia tracks as “Fire Ant,” targets critical infrastructure organizations through multi-stage intrusions aimed at virtualized and segmented network environments.

According to Sygnia, Fire Ant has been active since early 2025, with incidents primarily involving VMware ESXi hosts and vCenter servers, as well as various network appliances. The threat actor reportedly uses multi-layered attack chains to reach environments traditionally considered isolated and establishes long-term persistence within compromised systems.

The group’s tactics exploit blind spots in traditional security monitoring, in particular the hypervisor layer and network segmentation devices, where endpoint agents do not run. Sygnia’s incident response teams observed that Fire Ant adapts to eradication attempts, swaps out its toolsets, and deploys redundant backdoors that survive system reboots. The group also manipulates network device configurations to regain entry to affected environments after containment measures have been applied.

Yoav Mazor, Head of Incident Response for Asia-Pacific and Japan at Sygnia, stated that the threat actor’s focus on virtualization infrastructure allows it to extract service account credentials and persist within host and management servers. This approach enables lateral movement across victim networks while evading conventional detection tools.

The campaign highlights the difficulty of securing virtual infrastructure: because Fire Ant operates below the guest operating systems, its activity often goes undetected by endpoint-centric security controls. The group is reported to tunnel across network segments and abuse trusted management pathways to deepen its access within an organization’s internal architecture.

As part of its investigation, Sygnia identified overlaps between Fire Ant and previously documented campaigns attributed to the group known as UNC3886. These include the use of similar binaries, exploitation of vCenter and ESXi vulnerabilities, and consistent targeting of critical infrastructure. UNC3886 has previously been associated with cyber operations in Singapore, among other locations.

Sygnia recommends that organizations increase visibility into their virtualization and network layers and adopt a multi-layered approach to detection and response, particularly for infrastructure where traditional endpoint security tools have limited or no reach.

For a deep-dive account of the incident, see Sygnia’s report.