Which kind of hypervisor would malicious actors prefer to attack, ostensibly because it offers a greater attack surface?

The preferred target for malicious actors is likely a Type II hypervisor because it operates atop a host operating system, which is itself a potential point of vulnerability. Type II hypervisors function within a wider application environment, leveraging the resources of the host OS, which inherently exposes them to a broader array of threats. This reliance on the underlying operating system means that any vulnerabilities in the host can be exploited to attack the hypervisor and consequently, the virtual machines running above it.

The nature of Type II hypervisors means they can present a greater attack surface compared to a bare metal hypervisor, which installs directly on hardware and typically operates with less overhead and fewer dependencies. By being reliant on a host OS that runs multiple applications, Type II hypervisors can become entry points for attacks from both the virtual machines and other applications running on the host, increasing the complexity and scope of potential vulnerabilities.