
Identity Is the Entry Point: How UNC3944 Breached vSphere Without Malware

Blog post from Veza

Author: Rob Rachwald
Word Count: 1,921
Language: English
Summary

In July 2025, Mandiant's threat intelligence team detailed how the cyber group UNC3944, also known as Scattered Spider, executed a sophisticated breach of VMware vSphere environments by exploiting identity processes rather than software vulnerabilities. The attackers used social engineering techniques, such as vishing, to gain initial access to Active Directory (AD), escalating privileges rapidly by leveraging internal knowledge systems and AI tools. They then moved laterally within the virtual infrastructure, tampering with virtual machines and enabling remote access while maintaining a low profile to evade detection. The breach strategy emphasized identity as the primary target, highlighting the critical need for organizations to strengthen their identity security controls. This includes implementing stringent verification processes, enforcing multi-factor authentication, and maintaining robust monitoring and visibility to protect against identity-based attacks. The report underscores the importance of treating identity management as a fundamental component of security strategy, as traditional defenses focused solely on malware are insufficient to counter such sophisticated threats.