{"id":4272,"date":"2021-12-24T16:22:38","date_gmt":"2021-12-24T16:22:38","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=4272"},"modified":"2026-06-08T14:54:11","modified_gmt":"2026-06-08T14:54:11","slug":"mass-exploitation-vmware-horizon","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/emerging-threats\/mass-exploitation-vmware-horizon\/","title":{"rendered":"Mass exploitation of VMware Horizon"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">On <strong>2021-12-23<\/strong> the Fortgale team identified a massive exploitation campaign targeting <strong>VMware Horizon<\/strong> deployments. The attack chain consists of <strong>Log4Shell<\/strong> (<code>CVE-2021-44228<\/code>) exploitation followed by deployment of a <strong>backdoor<\/strong> inside the corporate Horizon servers \u2014 granting persistent <strong>Remote Command Execution<\/strong> (<code>T1190<\/code> \u2014 Exploit Public-Facing Application).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The threat actor executes a <strong>PowerShell<\/strong> command (<code>T1059.001<\/code>) to interact with the victim system, injecting a <strong>backdoor<\/strong> directly into the VMware Horizon software stack \u2014 specifically into the file <code>absg-worker.js<\/code> with the embedded key <code>lxmvvZ3S4o250Tw22Z9vTao0cJFmkplDoi828cVwQtZVj3eUbb<\/code> (<code>T1505.003<\/code> \u2014 Web Shell, JavaScript variant).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Implanting a backdoor inside a legitimate, signed VMware component is the operator&#8217;s countermeasure to file-integrity monitoring that whitelists vendor binaries \u2014 detection requires behavioural telemetry on outbound process trees and inspection of modified worker scripts, the kind of continuous response posture provided by our <a href=\"https:\/\/fortgale.com\/en\/managed-detection-and-response\/\">Managed Detection and Response<\/a>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Mass-exploitation of an internet-facing application followed by web-shell implantation in a trusted vendor file is the textbook foothold pattern \u2014 every hour without behavioural detection on these assets compounds exposure.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>On 2021-12-23 the Fortgale team identified a massive exploitation campaign targeting VMware Horizon deployments. The attack chain consists of Log4Shell (CVE-2021-44228) exploitation followed by deployment of a backdoor inside the corporate Horizon servers \u2014 granting persistent Remote Command Execution (T1190 \u2014 Exploit Public-Facing Application). The threat actor executes a PowerShell command (T1059.001) to interact with &#8230; <a title=\"Mass exploitation of VMware Horizon\" class=\"read-more\" href=\"https:\/\/fortgale.com\/blog\/emerging-threats\/mass-exploitation-vmware-horizon\/\" aria-label=\"Read more about Mass exploitation of VMware Horizon\">Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":3913,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[1539,1541,1543],"class_list":["post-4272","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-emerging-threats","tag-absg-worker-it","tag-horizon-it","tag-lxmvvz3s4o250tw22z9vtao0cjfmkpldoi828cvwqtzvj3eubb-it"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/4272","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=4272"}],"version-history":[{"count":3,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/4272\/revisions"}],"predecessor-version":[{"id":9818,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/4272\/revisions\/9818"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media\/3913"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=4272"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=4272"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=4272"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}