CrowdStrike has identified a sophisticated cyber-espionage campaign by Warp Panda targeting North American legal, technology and manufacturing firms to support Chinese government priorities.
The previously unknown threat actor exhibits a high level of technical sophistication, advanced operations security (OPSEC) skills and extensive knowledge of cloud and virtual machine (VM) environments, according to information shared by CrowdStrike.
The cybersecurity firm said during the summer of 2025 it identified multiple instances in which the adversary targeted VMware vCenter environments.
According to CrowdStrike’s findings, Warp Panda likely used access to one of the compromised networks to engage in rudimentary reconnaissance against an Asia Pacific government entity.
The hackers have also been connected to various cybersecurity blogs and a Mandarin-language GitHub repository.
During at least one intrusion, the adversary specifically accessed email accounts of employees who work on topics that align with Chinese government interests.
The adversary primarily targets entities in North America and consistently maintains persistent, covert access to compromised networks, likely to support intelligence-collection efforts aligned with People's Republic of China (PRC) strategic interests.
Long-term and Persistent Malicious Activity
The activity has been described as long-term and persistent, with one intrusion in 2023 serving as Warp Panda’s initial access point.. CrowdStrike commented that the threat actor has been active since at least 2022.
The firm assessed with moderate confidence that the threat actor will likely maintain its intelligence-collection operations in the near to long term.
This focus on long-term access operations suggests they are associated with a well-resourced organization that has heavily invested in cyber espionage capabilities.
The adversary has been identified deploying BRICKSTORM malware on VMware VCenter servers, a backdoor written in Golang that frequently masquerades as legitimate vCenter processes, such as updatemgr or vami-http.
Warp Panda also deployed two previously unobserved Golang-based implants – Junction and GuestConduit – on ESXi hosts and guest VMs, respectively.
On December 4, the US Cybersecurity and Infrastructure Security Agency (CISA) published a joint advisory which confirmed a PRC state-sponsored cyber actor is using BRICKSTORM malware for long-term persistence on victim systems. The advisory also noted VMware vSphere platforms have been targeted.
CISA’s analysis stated that the cyber threat actors used BRICKSTORM for persistent access from at least April 2024 through at least September 3, 2025.
Warp Panda frequently gains initial access by exploiting internet-facing edge devices and subsequently pivots to vCenter environments, using valid credentials or exploiting vCenter vulnerabilities, CrowdStrike noted. To move laterally within the compromised networks, the adversary uses SSH and the privileged vCenter management account vpxuser.
In some instances, CrowdStrike identified them using the Secure File Transfer Protocol (SFTP) to move data between hosts.
TTPs also include log clearing and file timestomping, as well as creating malicious VMs – unregistered in the vCenter server – and shutting them down after use.
To blend in with legitimate network traffic, the adversary has used BRICKSTORM to tunnel traffic through vCenter servers, ESXi hosts, and guest VMs.
BRICKSTORM implants masquerade as legitimate vCenter processes and have persistence mechanisms that allow the implants to survive after file deletion and system reboots.
Further, Warp Panda has exploited multiple vulnerabilities in edge devices and VMware vCenter environments during their operations