
Fire Ant: A Deep-Dive into Hypervisor-Level Espionage

The Fire Ant espionage campaign targets VMware hypervisor environments, using ESXi hosts, vCenter and network appliances to bypass segmentation and maintain persistent access even after remediation attempts.

Sygnia uncovered Fire Ant through deployment of its Velocity tool, which enables deep visibility at the hypervisor layer, a blind spot for traditional endpoint and network defences. Velocity’s telemetry captures anomalies beneath the OS level, such as credential extraction from vCenter or command-and-control traffic masked as legitimate infrastructure communication. Sygnia’s MDR team conducted hypothesis‑driven threat hunting, mapping anomalies to known TTPs aligned with UNC3886 and existing Sygnia threat‑actor profiles. Velocity’s machine‑learning analytics and detection rules helped flag suspicious lateral movement and persistence mechanisms, which were further investigated and validated by analysts.

Sygnia’s ability to detect threats such as Fire Ant stems from a number of important factors which make Sygnia one of the leading global Incident Response companies, as recognised by Gartner last month for the 4th consecutive year:

  1. Sygnia’s IR teams feed real-world insights from their Incident Response engagements back into Velocity, tuning detection rules and AI models to recognise future variants.
  2. Velocity’s integration and scale enable correlation of disparate signals, making it ideal to detect multi-stage, infrastructure‑centric attacks. The hypervisor‑level visibility is critical for detecting stealthy attackers operating beneath conventional security tools.
  3. Sygnia’s expert analysts with nation‑state and cyber warfare experience use the data from Velocity to apply hypothesis-based investigations, which bridge detection and response.

Full report: https://www.sygnia.co/blog/fire-ant-a-deep-dive-into-hypervisor-level-espionage/

Connect with our office and speak with Sygnia to learn more: sydney@israeltrade.gov.il
