.. /esxcfg-advcfg

Adjust Performance

A command-line utility available in VMware ESXi to manage advanced configuration settings. It allows administrators to query, modify, and manage various advanced parameters that are not typically available through the standard vSphere Client or the ESXi host client interface.


Paths:

Resources:
Acknowledgements:

Adjust Performance

  1. Increases the number of buffers to increase VM performance over the network.

    esxcfg-advcfg -s 32768 /BufferCache/MaxCapacity
    Use case
    An adversary may adjust the maximum capacity of the buffer cache to increase the performance of operations conducted over the network. This increases encryption throughput.
    Privileges required
    Administrator
    Operating systems
    ESXi < 8.0
    Additional Procedural Examples
    • esxcfg-advcfg -s 32768 /BufferCache/MaxCapacity > /dev/null 2>&1
    Tags
    E-Crime: Qilin
    Also known as Agenda; written in Golang. Uses a double-extortion technique and targets large enterprises and high-value targets.
    E-Crime: The Gentlemen
    The Gentlemen is a rapidly scaling ransomware-as-a-service group that leverages a lucrative affiliate model and multi-platform ransomware (including ESXi) to carry out fast, large-scale double-extortion attacks against enterprise targets worldwide.
  2. Reduces the buffer cache flush interval to increase VM performance over the network.

    esxcfg-advcfg -s 20000 /BufferCache/FlushInterval
    Use case
    An adversary may adjust the flush interval of the buffer cache to increase the performance of operations conducted over the network. This forces faster disk writes.
    Privileges required
    Administrator
    Operating systems
    ESXi < 8.0
    Additional Procedural Examples
    • esxcfg-advcfg -s 20000 /BufferCache/FlushInterval > /dev/null 2>&1
    Tags
    E-Crime: Qilin
    Also known as Agenda; written in Golang. Uses a double-extortion technique and targets large enterprises and high-value targets.
    E-Crime: The Gentlemen
    The Gentlemen is a rapidly scaling ransomware-as-a-service group that leverages a lucrative affiliate model and multi-platform ransomware (including ESXi) to carry out fast, large-scale double-extortion attacks against enterprise targets worldwide.
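
A detection sketch for the two commands above, added here as an example and not part of the original entry: it scans ESXi shell history lines for `esxcfg-advcfg` set operations against the two `/BufferCache` options and records whether output was discarded. The log line layout (`<timestamp> shell[<pid>]: [<user>]: <command>`) and the sample lines are constructed assumptions; adjust the pattern to the host's actual `shell.log` format.

```python
import re
import shlex

# Options this entry documents as being changed (taken from the commands above).
WATCHED_OPTIONS = {"/BufferCache/MaxCapacity", "/BufferCache/FlushInterval"}

# Assumed log layout: "<timestamp> shell[<pid>]: [<user>]: <command line>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+shell\[\d+\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.+)$")

# Constructed sample lines, not taken from a real host.
SAMPLE_LOG = [
    "2024-01-01T00:00:01Z shell[1000001]: [root]: esxcfg-advcfg -g /BufferCache/MaxCapacity",
    "2024-01-01T00:00:05Z shell[1000001]: [root]: esxcfg-advcfg -s 32768 /BufferCache/MaxCapacity > /dev/null 2>&1",
    "2024-01-01T00:00:06Z shell[1000001]: [root]: /sbin/esxcfg-advcfg -s 20000 /BufferCache/FlushInterval",
    "2024-01-01T00:00:09Z shell[1000001]: [root]: esxcfg-advcfg -s 1 /UserVars/SuppressShellWarning",
]


def parse_set(cmd):
    """Return (value, option) if cmd sets an advanced option, else None."""
    try:
        argv = shlex.split(cmd)
    except ValueError:  # unbalanced quotes in the logged command
        return None
    # Locate the utility by basename so absolute paths also match.
    start = next((i for i, a in enumerate(argv)
                  if a.rsplit("/", 1)[-1] == "esxcfg-advcfg"), None)
    if start is None:
        return None
    for i in range(start + 1, len(argv) - 2):
        if argv[i] in ("-s", "--set"):
            return argv[i + 1], argv[i + 2]
    return None


def scan(lines):
    """Return one finding per set operation on a watched /BufferCache option."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        hit = parse_set(m["cmd"]) if m else None
        if hit and hit[1] in WATCHED_OPTIONS:
            findings.append({"time": m["ts"], "user": m["user"],
                             "option": hit[1], "value": hit[0],
                             "output_suppressed": "/dev/null" in m["cmd"]})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Both options changing in the same session, especially with output sent to `/dev/null`, is a stronger signal than either change alone.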