The new technique, spotted by Mandiant in April, involves using malicious vSphere Installation Bundles (VIBs). A VIB is a collection of files packaged into a single archive to facilitate distribution — they are similar to a tarball or ZIP archive.

VIB packages can be used to create startup tasks, custom firewall rules, or to deploy custom binaries when an ESXi machine is rebooted. Administrators typically use these packages to maintain systems and deploy updates, but it appears that malicious actors have found a way to abuse them.