CrowdStrike has identified multiple intrusions targeting VMware vCenter environments at U.S.-based entities, in which newly identified China-nexus adversary WARP PANDA deployed BRICKSTORM malware. WARP PANDA exhibits a high level of technical sophistication, advanced operations security (OPSEC) skills, and extensive knowledge of cloud and virtual machine (VM) environments. In addition to BRICKSTORM, WARP PANDA has also deployed JSP web shells and two new implants for ESXi environments — now named Junction and GuestConduit — during their operations.
WARP PANDA demonstrates a high level of stealth and almost certainly focuses on maintaining persistent, long-term, covert access to compromised networks. Their operations are likely motivated by intelligence-collection requirements aligned with the strategic interests of the People's Republic of China (PRC).
Details
During the summer of 2025, CrowdStrike identified multiple instances in which the adversary now tracked as WARP PANDA targeted VMware vCenter environments at U.S.-based legal, technology, and manufacturing entities.
WARP PANDA maintained long-term, persistent access to the compromised networks; in one of the intrusions, gaining initial access in late 2023. In addition to deploying JSP web shells and BRICKSTORM on VMware vCenter servers, the adversary also deployed two previously unobserved Golang-based implants — Junction and GuestConduit — on ESXi hosts and guest VMs, respectively.
WARP PANDA frequently gains initial access by exploiting internet-facing edge devices and subsequently pivots to vCenter environments, using valid credentials or exploiting vCenter vulnerabilities. To move laterally within the compromised networks, the adversary uses SSH and the privileged vCenter management account vpxuser.1 In some instances, CrowdStrike identified them using the Secure File Transfer Protocol (SFTP) to move data between hosts.
Using tradecraft focused on stealth and OPSEC, WARP PANDA leverages TTPs that include log clearing and file timestomping, as well as creating malicious VMs2 — unregistered in the vCenter server — and shutting them down after use. Similarly, in an attempt to blend in with legitimate network traffic, the adversary has used BRICKSTORM to tunnel traffic through vCenter servers, ESXi hosts, and guest VMs. BRICKSTORM implants masquerade as legitimate vCenter processes and have persistence mechanisms that allow the implants to survive after file deletion and system reboots.
On numerous occasions, CrowdStrike observed WARP PANDA staging data for exfiltration. The adversary used an ESXi-compatible version of 7-Zip to extract and stage data from thin-provisioned snapshots of live ESXi guest VMs. Separately, WARP PANDA leveraged 7-Zip to extract data from VM disks hosted on a non-ESXi Linux-based hypervisor. CrowdStrike Services also found evidence that the adversary used their access to vCenter servers to clone domain controller VMs, likely in an attempt to collect sensitive data such as the Active Directory Domain Services database.
WARP PANDA likely used their access to one of the compromised networks to engage in rudimentary reconnaissance against an Asia Pacific government entity. They also connected to various cybersecurity blogs and a Mandarin-language GitHub repository. Further, during at least one intrusion, the adversary specifically accessed email accounts of employees who work on topics that align with Chinese government interests.
Malware
BRICKSTORM
BRICKSTORM is a backdoor written in Golang that frequently masquerades as legitimate vCenter processes, such as updatemgr or vami-http.3 The implant has tunneling and file management capabilities allowing users to browse file systems and download or upload files.
BRICKSTORM uses WebSockets to communicate with command-and-control (C2) infrastructure over TLS and uses multiple methods to obfuscate C2 communications and circumvent network-monitoring measures. These methods include using DNS-over-HTTPS (DoH) to resolve C2 domains, creating multiple nested TLS channels for C2 sessions, and leveraging public cloud services such as Cloudflare Workers and Heroku for C2 infrastructure.4
Junction
Junction is a Golang-based implant for VMware ESXi servers that masquerades as a legitimate ESXi service by listening on port 8090, which is also used by the legitimate VMware service vvold. The implant acts as an HTTP server, listening for incoming requests, and has extensive capabilities that include executing commands, proxying network traffic, and communicating with guest VMs through VM sockets (VSOCK).
GuestConduit
GuestConduit is a Golang-based network traffic–tunneling implant that runs within a guest VM and establishes a VSOCK listener on port 5555. This implant facilitates communication between guest VMs and hypervisors. GuestConduit also parses JSON-formatted client requests to mirror or forward network traffic and likely is intended to work with Junction’s tunnelling commands.
Vulnerability Exploitation
WARP PANDA has exploited multiple vulnerabilities in edge devices and VMware vCenter environments during their operations (Table 1).
Cloud Activity
WARP PANDA is a cloud-conscious adversary capable of moving laterally, accessing sensitive data, and establishing persistence in cloud environments.
In late summer 2025, the adversary exploited access to multiple entities’ Microsoft Azure environments, primarily to access Microsoft 365 data stored in OneDrive, SharePoint, and Exchange. In one instance, the adversary obtained user session tokens — likely by exfiltrating user browser files — and tunneled traffic through BRICKSTORM implants to access Microsoft 365 services via session replay. The adversary further accessed and downloaded sensitive SharePoint files related to an entity's network engineering and incident response teams.
In at least one case, to establish persistence, the adversary registered a new multifactor authentication (MFA) device via an Authenticator app code after initially logging into a user account. In another intrusion, the adversary used the Microsoft Graph API to enumerate service principles, applications, users, directory roles, and emails.
Conclusion
Active since at least 2022, WARP PANDA is a cloud-conscious targeted intrusion adversary that exhibits advanced technical skills and distinct malware use. To date, WARP PANDA is the only adversary that CrowdStrike Intelligence has observed leveraging BRICKSTORM, GuestConduit, and Junction; however, industry reporting has noted that BRICKSTORM is possibly leveraged by multiple adjacent China-nexus actors.5
The adversary primarily targets entities in North America and consistently maintains persistent, covert access to compromised networks, likely to support intelligence-collection efforts aligned with PRC strategic interests.
WARP PANDA will likely maintain their intelligence-collection operations in the near to long term. This assessment is made with moderate confidence based on the adversary’s significant technical capabilities and focus on long-term access operations, which suggest they are associated with a well-resourced organization that has heavily invested in cyberespionage capabilities.
Recommendations
These recommendations can be implemented to help protect against the activity described in this blog post:
Monitor for the creation of unsanctioned VMs; CrowdStrike Services offers a tool to identify unregistered VMware VMs6
Retain and monitor ESXi and vCenter syslog via CrowdStrike Falcon® Next-Gen SIEM
Audit unsanctioned outbound connections to unexpected network destinations and known command-and-control (C2) infrastructure associated with BRICKSTORM
Consider disabling SSH access to VMware ESXi hosts
Monitor for SSH authentications, specifically authentications as root and vpxuser
Forward vSphere syslog to an external platform
For daily administration, leverage local accounts using the principle of least privilege
Enable ESXi’s execInstalledOnly enforcement setting
For ESXi versions 8.0 or later, deactivate shell access for the vpxuser account on ESXi hosts
Restrict outbound internet access from ESXi and vCenter
Implement strict network segmentation and firewall rules for ESXi management interfaces
Monitor and restrict nonstandard port usage on ESXi servers, particularly the use of port 8090 and other optional service ports
Access vCenter only via an identity federation provider that mandates MFA
Ensure EDR solutions are installed on guest VMs to detect potential tunneling activities
Install security patches for vSphere infrastructure
Enforce password policies and regular password rotation
Regularly rotate administrative credentials and API keys
Appendix
Falcon LogScale Query
This CrowdStrike Falcon® LogScale query detects the activity described in this blog post. Network matches from VMware vSphere infrastructure should be investigated as a priority.
𝐒𝐭𝐚𝐲 𝐢𝐧𝐟𝐨𝐫𝐦𝐞𝐝 𝐰𝐢𝐭𝐡 𝐨𝐮𝐫 𝐥𝐚𝐭𝐞𝐬𝐭 𝐮𝐩𝐝𝐚𝐭𝐞𝐬 𝐛𝐲 𝐣𝐨𝐢𝐧𝐢𝐧𝐠 𝐭𝐡𝐞 WhatsApp Channel now! 👈📲
𝑭𝒐𝒍𝒍𝒐𝒘 𝑶𝒖𝒓 𝑺𝒐𝒄𝒊𝒂𝒍 𝑴𝒆𝒅𝒊𝒂 𝑷𝒂𝒈𝒆𝐬 👉 Facebook, LinkedIn, Twitter, Instagram
