Sophisticated threat groups started closing in on the VMware remote code execution flaw a week after a patch was deployed.