TL;DR
- CrowdStrike has identified a new China-nexus adversary, WARP PANDA, targeting VMware vCenter and cloud environments.
- The group exhibits high technical sophistication and advanced operational security (OPSEC).
- WARP PANDA deploys custom malware including BRICKSTORM, Junction, and GuestConduit.
- Operations focus on long-term, covert intelligence collection aligned with PRC strategic interests.
- The adversary leverages vulnerabilities in edge devices and VMware environments for initial access.
CrowdStrike has identified a new, highly sophisticated adversary group dubbed WARP PANDA, which has been actively targeting VMware vCenter environments and cloud infrastructure throughout 2025. This group demonstrates advanced technical skills, strong operational security (OPSEC), and a deep understanding of cloud and virtual machine (VM) environments. Their focus on persistent, covert access suggests a primary motivation of intelligence collection for the People’s Republic of China (PRC).
The emergence of WARP PANDA and its custom toolset, including the BRICKSTORM backdoor and new implants like Junction and GuestConduit, signifies a growing threat to organizations relying on VMware’s virtualization technology and cloud services. Their ability to maintain long-term access and exfiltrate sensitive data poses a significant risk to legal, technology, and manufacturing sectors, particularly in the U.S.
What Happened
Throughout 2025, CrowdStrike observed multiple intrusions into VMware vCenter environments at U.S.-based entities. Initial access typically came from exploiting internet-facing edge devices or vCenter vulnerabilities; the adversary then moved into the vCenter environment using valid credentials or further exploitation. Access has been persistent, with some intrusions dating back to late 2023.
WARP PANDA deploys a suite of custom malware. This includes BRICKSTORM, a Golang-based backdoor that masquerades as legitimate vCenter processes and offers file management and tunneling capabilities. Additionally, they have deployed two new Golang-based implants for ESXi environments: Junction, which acts as an HTTP server on ESXi hosts, and GuestConduit, a network traffic tunneling implant operating within guest VMs. These tools enable the adversary to move laterally, execute commands, and tunnel network traffic.
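Junction is described above as an HTTP server on ESXi hosts, and BRICKSTORM as a process that masquerades under legitimate vCenter names, so a listening socket owned by an unexpected world, or a familiar world name on an unfamiliar port, is one of the few places this tooling has to show itself. The following Python sweep is an added example, not CrowdStrike's or VMware's code. The input is a constructed sample in the shape of `esxcli network ip connection list` output (the exact column layout is an assumption), and EXPECTED_LISTENERS is a placeholder allowlist that must be replaced with a baseline captured from a known-good host of the same ESXi build.

```python
"""Sweep an ESXi host's listening TCP sockets against a (world, port) allowlist.

Added example; not CrowdStrike's or VMware's code. Matching on world name
alone is weak because an implant can reuse a legitimate service name, so the
allowlist keys on the pair (world name, local port).
"""

# Constructed sample approximating `esxcli network ip connection list` output.
SAMPLE_CONNECTIONS = """\
Proto  Recv Q  Send Q  Local Address    Foreign Address   State        World ID  CC Algo  World Name
-----  ------  ------  ---------------  ----------------  -----------  --------  -------  ----------
tcp    0       0       0.0.0.0:443      0.0.0.0:0         LISTEN       2100000   newreno  rhttpproxy
tcp    0       0       0.0.0.0:22       0.0.0.0:0         LISTEN       2100342   newreno  sshd
tcp    0       0       127.0.0.1:8307   0.0.0.0:0         LISTEN       2100101   newreno  hostd
tcp    0       0       0.0.0.0:902      0.0.0.0:0         LISTEN       2100055   newreno  vmx-authd
tcp    0       0       0.0.0.0:8443     0.0.0.0:0         LISTEN       2199877   newreno  python
tcp    0       0       0.0.0.0:8444     0.0.0.0:0         LISTEN       2100000   newreno  rhttpproxy
tcp    0       0       10.0.0.5:443     10.0.0.99:51422   ESTABLISHED  2100000   newreno  rhttpproxy
"""

# Assumption: worlds and ports that legitimately listen on this host. Build this
# from a clean host of the same build rather than trusting any published list.
EXPECTED_LISTENERS = {
    "rhttpproxy": {443},
    "sshd": {22},
    "hostd": {8307},
    "vpxa": {8089},
    "vmx-authd": {902},
}


def parse_listeners(text):
    """Return (local_address, world_id, world_name) for every TCP LISTEN row."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        # A tcp row has exactly nine whitespace-separated columns; the header,
        # the separator and udp rows (no State / CC Algo) do not match that shape.
        if len(parts) != 9 or parts[0] != "tcp":
            continue
        _proto, _rq, _sq, local, _foreign, state, world_id, _cc, world = parts
        if state == "LISTEN":
            listeners.append((local, world_id, world))
    return listeners


def local_port(addr):
    """Port number from 'ip:port' or '[ipv6]:port'."""
    return int(addr.rsplit(":", 1)[1])


def unexpected_listeners(text, expected=EXPECTED_LISTENERS):
    """Listening sockets whose (world name, port) pair is not in the allowlist."""
    findings = []
    for local, world_id, world in parse_listeners(text):
        if local_port(local) not in expected.get(world, set()):
            findings.append((local, world_id, world))
    return findings


if __name__ == "__main__":
    for local, wid, world in unexpected_listeners(SAMPLE_CONNECTIONS):
        print(f"unexpected listener {local} owned by world {wid} ({world})")
```

On a real host, resolve each flagged World ID with `esxcli system process list` or `ps -c` and check where its executable lives; a binary sitting on a datastore or in a writable scratch location rather than in the ESXi image is a much stronger signal than the port alone, and a process that survives reboot without a corresponding VIB deserves a closer look.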
Impact
Organizations targeted by WARP PANDA face risks including long-term data exfiltration, compromised intellectual property, and disruption of operations. The adversary’s focus on intelligence collection suggests a particular interest in sensitive information related to legal cases, technology development, and manufacturing processes.
Furthermore, WARP PANDA has demonstrated capabilities in cloud environments, specifically targeting Microsoft Azure and Microsoft 365 services. They have accessed data from OneDrive, SharePoint, and Exchange, and have used techniques like session replay and the registration of new MFA devices to maintain persistence and access sensitive files. The cloning of domain controller VMs to extract Active Directory data is a significant threat to enterprise identity and access management: a cloned DC gives the adversary the directory database offline, without ever authenticating to or running tooling on the live domain controller.
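Two of the persistence actions described above, cloning a domain-controller VM in vCenter and registering a new MFA method in Entra ID, are both visible in logs that most organizations already collect. The Python below is an added example, not CrowdStrike's code or any of its published queries. The vCenter and Entra ID records are constructed and simplified; the event type names (`VmBeingClonedEvent`, `VmClonedEvent`) and the audit activity name ("User registered security info") are real, but the flattened field layout, the DC_VMS inventory and the seven-day history window are assumptions to be adjusted for your environment.

```python
"""Hunt for DC VM clones in vCenter events and suspicious MFA registrations
in Entra ID audit logs. Added example; constructed records, not CrowdStrike's
or Microsoft's data or code."""
from datetime import datetime, timedelta

# Assumption: the VM names that host domain controllers in this inventory.
DC_VMS = {"DC01", "DC02"}

# Constructed vCenter events, flattened from vSphere VmEvent fields.
VCENTER_EVENTS = [
    {"time": "2025-06-02T01:14:00Z", "type": "VmBeingClonedEvent",
     "user": "VSPHERE.LOCAL\\svc-backup", "sourceVm": "DC01", "destVm": "DC01-tmp"},
    {"time": "2025-06-02T01:31:00Z", "type": "VmClonedEvent",
     "user": "VSPHERE.LOCAL\\svc-backup", "sourceVm": "DC01", "destVm": "DC01-tmp"},
    {"time": "2025-06-02T02:00:00Z", "type": "VmClonedEvent",
     "user": "VSPHERE.LOCAL\\jdoe", "sourceVm": "WEB03", "destVm": "WEB04"},
    {"time": "2025-06-02T02:05:00Z", "type": "VmPoweredOffEvent",
     "user": "VSPHERE.LOCAL\\svc-backup", "sourceVm": None, "destVm": "DC01-tmp"},
]

# Constructed Entra ID sign-in and audit records (simplified field names).
SIGNINS = [
    {"time": "2025-05-10T08:30:00Z", "upn": "bob@corp.example",   "ip": "203.0.113.11",  "ok": True},
    {"time": "2025-05-20T08:00:00Z", "upn": "alice@corp.example", "ip": "203.0.113.10",  "ok": True},
    {"time": "2025-06-01T09:12:00Z", "upn": "alice@corp.example", "ip": "203.0.113.10",  "ok": True},
    {"time": "2025-06-03T03:40:00Z", "upn": "alice@corp.example", "ip": "198.51.100.77", "ok": True},
    {"time": "2025-06-03T10:00:00Z", "upn": "bob@corp.example",   "ip": "203.0.113.11",  "ok": True},
]
AUDITS = [
    {"time": "2025-06-03T03:42:00Z", "activity": "User registered security info",
     "upn": "alice@corp.example", "ip": "198.51.100.77"},
    {"time": "2025-06-03T10:05:00Z", "activity": "User registered security info",
     "upn": "bob@corp.example", "ip": "203.0.113.11"},
]


def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def dc_clone_findings(events, dc_vms=DC_VMS):
    """Clone operations whose source VM is a domain controller.

    Both the start and completion events are flagged so an interrupted
    clone still surfaces."""
    return [
        (e["time"], e["user"], e["sourceVm"], e["destVm"])
        for e in events
        if e["type"] in ("VmBeingClonedEvent", "VmClonedEvent")
        and e.get("sourceVm") in dc_vms
    ]


def mfa_registration_findings(signins, audits, min_history_days=7):
    """Security-info registrations from an IP the user had not successfully
    signed in from at least `min_history_days` before the registration.

    The history gap matters: an attacker who replays a session signs in
    from a new IP and registers a device minutes later, so a sign-in that
    immediately precedes the registration must not count as history."""
    findings = []
    for a in audits:
        if a["activity"] != "User registered security info":
            continue
        cutoff = ts(a["time"]) - timedelta(days=min_history_days)
        known_ips = {
            s["ip"] for s in signins
            if s["upn"] == a["upn"] and s["ok"] and ts(s["time"]) <= cutoff
        }
        if a["ip"] not in known_ips:
            findings.append((a["time"], a["upn"], a["ip"]))
    return findings


if __name__ == "__main__":
    for f in dc_clone_findings(VCENTER_EVENTS):
        print("DC clone:", f)
    for f in mfa_registration_findings(SIGNINS, AUDITS):
        print("MFA registration from unseen IP:", f)
```

Both checks are deliberately narrow. Clone detection should be paired with alerts on snapshot exports and datastore downloads of a DC's disk files, since a copy of the VMDK serves the same purpose as a clone; the MFA check is a triage filter, and a hit still needs the sign-in's session details and the user's confirmation before it is treated as hostile.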
Response
CrowdStrike has been tracking WARP PANDA's activity and has built detections for its tooling and tradecraft; the Falcon platform is positioned to detect and respond to these intrusions, including the malware-free stages that rely on valid credentials.
The report does not name the specific vulnerabilities that were exploited, so no single patch closes the door. Organizations should keep VMware vCenter, ESXi hosts, internet-facing edge devices, and cloud services fully patched, and should work through the log queries and the Indicators of Compromise (IOC) and Tactics, Techniques, and Procedures (TTP) tables that CrowdStrike provides to check for existing compromise rather than assuming patching alone resolves it.
FAQ
What is WARP PANDA?
WARP PANDA is a newly identified China-nexus adversary group exhibiting high technical sophistication and focusing on long-term, covert intelligence collection.
What kind of malware does WARP PANDA use?
WARP PANDA deploys custom malware including BRICKSTORM (a backdoor), Junction (an ESXi implant), and GuestConduit (a VM network tunneling implant), alongside JSP web shells.
What environments does WARP PANDA target?
The adversary primarily targets VMware vCenter environments and cloud infrastructure, including Microsoft Azure and Microsoft 365 services.
What is the likely motivation behind WARP PANDA’s attacks?
Their operations are believed to be motivated by intelligence-collection requirements aligned with the strategic interests of the People’s Republic of China (PRC).
