fuff can fuzz HTTP headers, which can be used to try to brute force virtual host entries.
ffuf -w /usr/share/wordlists/metasploit/namelist.txt \
-H "Host: FUZZ.$DOMAIN" \
-u https://$IPUse -fs $SIZE to remove results of a particular size from the list (which you’ll probably need to do when trying to brute force virtual hosted subdomains).