Which kind of hypervisor would malicious actors prefer to attack, ostensibly because it offers a greater attack surface?

A Type II hypervisor, also known as a hosted hypervisor, runs on top of a host operating system. This configuration can provide a broader attack surface for malicious actors compared to other types of hypervisors. The additional layer of the host OS adds complexity and potentially more vulnerabilities, as attackers can exploit weaknesses in both the hypervisor itself and the underlying operating system.

In a Type II environment, the hypervisor shares resources with the host OS and relies on the host for managing hardware interactions and system resources. If an attacker gains access to the host OS, they can potentially compromise all virtual machines operating under the hypervisor, making it an attractive target for exploitation. Therefore, the combination of a larger attack surface and the interdependencies between the hypervisor and the host OS enhances the appeal of a Type II hypervisor for malicious activities.

On the other hand, a bare metal hypervisor operates directly on hardware, minimizing dependencies and, thus, reducing the attack surface. Converged and Type IV hypervisors are relatively less common or represent different architectural designs that do not present the same level of risk as Type II hypervisors when it comes to targeted attacks.