Chinese-speaking hackers exploited ESXi zero-days long before disclosure
ID: 1c043e3b-9ba9-5db4-85d2-56d768856e10
STIX ID: report--1c043e3b-9ba9-5db4-85d2-56d768856e10
Feed Name: Security Affairs
Chinese-speaking attackers leveraged a compromised SonicWall VPN to deploy a sophisticated ESXi exploit toolkit (MAESTRO) that chains an information leak, VMCI/HGFS memory corruption, and an unsigned kernel driver to escape VM isolation, then installed a stealthy VSOCK-based backdoor (VSOCKpuppet). Huntress analysis and embedded PDB paths indicate the exploit was developed, and likely used as a zero-day, as early as February 2024; VMware later patched the related CVEs in VMSA-2025-0004.
