Initially detailed in September 2022, UNC3886 has been using malicious vSphere Installation Bundles (VIBs) – packages that are typically used to maintain systems and deploy updates – to install backdoors on ESXi hypervisors and gain command execution, file manipulation, and reverse shell capabilities.