VMware

Hackers are exploiting the legitimate employee monitoring tool Kickidler to obtain login credentials and deploy ransomware encryptors. The attack begins with a poisoned ad on the Google Ads network that leads to a trojanized version of RVTools. This trojanized build deploys a backdoor called SMOKEDHAM, which is then used to install Kickidler. The monitoring tool is used specifically to capture the login credentials of enterprise administrators, with the goal of infiltrating the network and deploying the encryptor. The payloads targeted VMware ESXi infrastructure, encrypting VMDK virtual hard drives. The groups Qilin and Hunters International have focused on cloud backups, but have faced challenges because defenders have decoupled backup-system authentication from Windows domains.

Source: https://www.techradar.com/pro/security/popular-employee-monitoring-software-hijacked-to-launch-ransomware-attacks

TPRM report: https://scoringcyber.rankiteo.com/company/vmware

{
"id": "vmw222051225",
"linkid": "vmware",
"type": "Ransomware",
"date": "5/2025",
"severity": "100",
"impact": "",
"explanation": "Attack threatening the organization's existence: Attack in which the personal and financial information is compromised, Attack which stop a factory, Attack which take over on all data from a company, Attack which take specific data like patents, Attack in which company is requested to pay a ransom or ransomware involved"
}
{'affected_entities': [{'type': 'Enterprises'}],
 'attack_vector': ['Poisoned ad on Google Ads network',
                   'Trojanized RVTools',
                   'SMOKEDHAM backdoor'],
 'data_breach': {'sensitivity_of_data': 'High',
                 'type_of_data_compromised': 'Login credentials'},
 'description': 'Hackers are exploiting the legitimate employee monitoring '
                'tool Kickidler to obtain login credentials and deploy '
                'ransomware encryptors. The attack begins with a poisoned ad '
                'on the Google Ads network, leading to a trojanized version of '
                'RVTools. This version deploys a backdoor called SMOKEDHAM, '
                'which is then used to install Kickidler. The tool is '
                'specifically used to target enterprise administrators and '
                'their login credentials. The goal is to infiltrate the '
                'network and deploy the encryptor. The payloads targeted '
                'VMware ESXi infrastructure, encrypting VMDK virtual hard '
                'drives. The groups Qilin and Hunters International are '
                'focused on cloud backups but have faced challenges due to '
                'defenders decoupling backup system authentication from '
                'Windows domains.',
 'impact': {'data_compromised': 'Login credentials of enterprise '
                                'administrators',
            'systems_affected': 'VMware ESXi infrastructure'},
 'initial_access_broker': {'backdoors_established': 'SMOKEDHAM',
                           'entry_point': 'Poisoned ad on Google Ads network',
                           'high_value_targets': 'Enterprise administrators'},
 'motivation': 'Obtain login credentials and deploy ransomware encryptors',
 'post_incident_analysis': {'root_causes': 'Exploitation of Kickidler tool'},
 'ransomware': {'data_encryption': 'VMDK virtual hard drives'},
 'threat_actor': ['Qilin', 'Hunters International'],
 'title': 'Exploitation of Kickidler for Ransomware Deployment',
 'type': 'Ransomware',
 'vulnerability_exploited': 'Kickidler employee monitoring tool'}