
China-linked cybercrims abused VMware ESXi zero-days a year before disclosure

ID: 50dbbc79-d7ef-573d-8ca5-7a415e07a956

STIX ID: report--50dbbc79-d7ef-573d-8ca5-7a415e07a956

Feed Name: The Register (Security)

Threat Score
90/100

Date Published: 2026-01-09

Date Updated: 2026-04-26

Author: Carly Page

...
...

Researchers at Huntress analyzed a December 2025 intrusion attributed to China-linked actors who used a VMware ESXi VM-escape toolkit whose development dates back to early 2024. The toolkit chained multiple vulnerabilities (CVE-2025-22224/22225/22226), letting the attackers move from a compromised SonicWall VPN and a Domain Admin account to code execution on ESXi hypervisors across more than 150 builds, where they disabled drivers and loaded unsigned kernel modules to remain stealthy.
