Emerging Threats

Mass exploitation of VMware Horizon

· frtg · 1 min read

On 2021-12-23 the Fortgale team identified a massive exploitation campaign targeting VMware Horizon deployments. The attack chain consists of Log4Shell (CVE-2021-44228) exploitation followed by deployment of a backdoor inside the corporate Horizon servers — granting persistent Remote Command Execution (T1190 — Exploit Public-Facing Application).

The threat actor executes a PowerShell command (T1059.001) to interact with the victim system, injecting a backdoor directly into the VMware Horizon software stack — specifically into the file absg-worker.js with the embedded key lxmvvZ3S4o250Tw22Z9vTao0cJFmkplDoi828cVwQtZVj3eUbb (T1505.003 — Web Shell, JavaScript variant).

Implanting a backdoor inside a legitimate, signed VMware component is the operator’s countermeasure to file-integrity monitoring that whitelists vendor binaries — detection requires behavioural telemetry on outbound process trees and inspection of modified worker scripts, the kind of continuous response posture provided by our Managed Detection and Response.
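Two checks a defender can script for the pattern above, as an added example (not Fortgale's own tooling): inspect the body of absg-worker.js for the embedded key quoted in this post and for drift from a known-clean baseline hash, and flag process-creation events in which a Horizon worker process spawned PowerShell. The parent image names, file paths and all sample data are constructed assumptions to be tuned to a real deployment.

```python
import hashlib
import re
from typing import Optional

# Embedded key quoted in the post, used here as a plain-string indicator.
IMPLANT_KEY = "lxmvvZ3S4o250Tw22Z9vTao0cJFmkplDoi828cVwQtZVj3eUbb"

# Assumed parent images for the Horizon worker processes; tune to your deployment.
HORIZON_PARENTS = {"node.exe", "ws_tomcatservice.exe"}
POWERSHELL = re.compile(r"(^|\\)(powershell|pwsh)\.exe$", re.IGNORECASE)


def check_worker_script(content: str, baseline_sha256: Optional[str] = None) -> dict:
    """Inspect the body of absg-worker.js: flag the known key and any drift from a
    baseline hash taken from a known-clean install. Vendor code signing does not
    cover a script edited after installation, so the hash comparison is what
    catches an implant that a vendor-file allowlist would wave through."""
    digest = hashlib.sha256(content.encode("utf-8")).hexdigest()
    return {
        "sha256": digest,
        "key_present": IMPLANT_KEY in content,
        "modified": None if baseline_sha256 is None else digest != baseline_sha256,
    }


def suspicious_powershell_children(events: list) -> list:
    """Return process-creation events (dicts with 'parent_image' and 'image')
    where a Horizon worker spawned PowerShell (T1059.001)."""
    hits = []
    for ev in events:
        parent = ev["parent_image"].rsplit("\\", 1)[-1].lower()
        if parent in HORIZON_PARENTS and POWERSHELL.search(ev["image"]):
            hits.append(ev)
    return hits


# Constructed sample data (hypothetical paths; not captured from a real incident).
CLEAN_SCRIPT = "'use strict';\nconst worker = require('./worker');\nworker.start();\n"
CLEAN_SHA256 = hashlib.sha256(CLEAN_SCRIPT.encode("utf-8")).hexdigest()
IMPLANTED_SCRIPT = CLEAN_SCRIPT + "// key=" + IMPLANT_KEY + "\n"
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"parent_image": r"C:\HorizonInstall\node.exe", "image": PS_PATH},
    {"parent_image": r"C:\Windows\explorer.exe", "image": PS_PATH},
    {"parent_image": r"C:\HorizonInstall\node.exe", "image": r"C:\HorizonInstall\node.exe"},
]

if __name__ == "__main__":
    print(check_worker_script(IMPLANTED_SCRIPT, CLEAN_SHA256))
    print(suspicious_powershell_children(SAMPLE_EVENTS))
```

Feed the script body read from disk and your EDR's process-creation events into these functions; the baseline hash should come from a clean install of the same Horizon build.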

Mass-exploitation of an internet-facing application followed by web-shell implantation in a trusted vendor file is the textbook foothold pattern — every hour without behavioural detection on these assets compounds exposure.
