A highly sophisticated Chinese threat actor has been systematically compromising VMware virtualization environments across U.S. organizations since at least 2022. Security researchers at CrowdStrike have designated this adversary WARP PANDA, tracking multiple intrusion campaigns throughout 2025 that demonstrate exceptional operational security and deep expertise in cloud and virtual infrastructure.

The threat actor's operations suggest intelligence-gathering objectives consistent with Chinese state interests. WARP PANDA prioritizes stealth over speed, establishing persistent footholds that can remain undetected for years while systematically extracting sensitive data.

Attack Methodology and Initial Access

WARP PANDA typically breaches target networks by exploiting vulnerabilities in internet-facing edge devices before pivoting toward VMware vCenter management platforms. Once inside, the adversary leverages either stolen credentials or additional vCenter vulnerabilities to expand access across virtualized infrastructure.

The group demonstrates particular proficiency in exploiting a range of known vulnerabilities:

Edge Device Vulnerabilities: The adversary has exploited authentication bypass flaws in Ivanti Connect Secure VPN appliances (CVE-2024-21887 and CVE-2023-46805), enabling remote command execution without valid credentials. F5 BIG-IP devices have also fallen victim through CVE-2023-46747, another authentication bypass vulnerability.

VMware-Specific Exploits: Multiple vCenter vulnerabilities appear in WARP PANDA's toolkit, including a heap overflow in the DCERPC protocol implementation (CVE-2024-38812), an out-of-bounds write vulnerability (CVE-2023-34048) that permits remote code execution, and a critical-severity flaw from 2021 (CVE-2021-22005) that apparently remains unpatched in some environments.

CrowdStrike discovered intrusions where initial access occurred in late 2023, with the adversary maintaining continuous presence well into 2025. This multi-year persistence demonstrates both patience and confidence in their operational security measures.

Custom Malware Arsenal

WARP PANDA deploys a distinctive set of tools not observed in use by other threat actors, suggesting proprietary development capabilities.

BRICKSTORM Backdoor

The primary payload is BRICKSTORM, a Golang-based backdoor that camouflages itself as legitimate vCenter processes like updatemgr or vami-http. This process masquerading makes detection significantly more challenging for security teams relying on process monitoring.

BRICKSTORM provides comprehensive remote access through tunneling and file management capabilities, allowing operators to navigate file systems and transfer data bidirectionally. The malware's communication architecture reveals considerable sophistication:

WebSocket connections carry command-and-control traffic over TLS encryption, while DNS-over-HTTPS resolves C2 domain names to evade DNS-based monitoring. The malware creates nested TLS channels, adding multiple encryption layers that complicate network traffic analysis.

Infrastructure choices further obscure attribution and detection. WARP PANDA leverages public cloud services including Cloudflare Workers and Heroku for command-and-control operations, blending malicious traffic with legitimate cloud service communication patterns.

Persistence mechanisms ensure BRICKSTORM survives file deletion attempts and system reboots, requiring deliberate remediation beyond simple file removal.

Junction: ESXi Host Implant

Junction represents a specialized tool for VMware ESXi environments. This Golang implant masquerades as a legitimate service by listening on port 8090, which ESXi's vvold service also uses.

Operating as an HTTP server awaiting incoming requests, Junction provides extensive capabilities including command execution, network traffic proxying, and communication with guest virtual machines through VM sockets (VSOCK). This last capability proves particularly powerful, enabling the adversary to interact with virtualized systems without traversing conventional network paths.

GuestConduit: VM Communication Bridge

GuestConduit complements Junction by running inside guest virtual machines. This Golang implant establishes a VSOCK listener on port 5555, facilitating communication between guest VMs and hypervisors.

The tool parses JSON-formatted client requests to mirror or forward network traffic, apparently designed to work in tandem with Junction's tunneling commands. This architecture creates a covert communication channel between hypervisor and guest that bypasses standard network monitoring.

The pairing of Junction and GuestConduit demonstrates architectural planning—these aren't opportunistic tools but components of an integrated access framework.

Lateral Movement and Stealth Techniques

Once established, WARP PANDA moves laterally through compromised networks using SSH and the privileged vCenter management account vpxuser. This built-in administrative account provides elevated access across ESXi hosts, making it an attractive target.

Some intrusions involved SFTP (the SSH File Transfer Protocol) for moving data between hosts, suggesting the adversary adapts their toolkit to available protocols and monitoring blind spots.

Operational security measures permeate WARP PANDA's activities. Log clearing removes evidence of actions, while file timestomping alters filesystem metadata to obscure when files were created or modified. These anti-forensic techniques complicate incident response and attribution efforts.

A particularly noteworthy tactic involves creating malicious virtual machines that remain unregistered in vCenter server inventories. The adversary spins up these VMs for specific tasks, then shuts them down afterward—effectively creating ephemeral infrastructure that exists outside normal administrative visibility.

BRICKSTORM's tunneling capabilities route traffic through vCenter servers, ESXi hosts, and guest VMs, creating multi-hop network paths that blend with legitimate administrative traffic. Distinguishing malicious from authorized activity becomes exceptionally difficult when adversaries leverage the same pathways administrators use.
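The lateral movement described in this section relies on SSH logins as root and vpxuser, which ESXi records in its auth log. The following is an added detection example written for this article, not code from CrowdStrike or from the report; it assumes ESXi auth.log lines in the classic OpenSSH "Accepted <method> for <user> from <ip> port <n> ssh2" form as forwarded to a syslog collector, and the log lines, the privileged-account list and the management subnet are all constructed for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines in the style of ESXi /var/log/auth.log as forwarded
# to a central syslog platform (assumed format: ISO timestamp, "sshd[pid]:",
# then the standard OpenSSH authentication message).
SAMPLE_AUTH_LOG = """\
2025-09-14T02:11:09Z sshd[2101234]: Accepted keyboard-interactive/pam for root from 10.20.30.40 port 51822 ssh2
2025-09-14T02:12:41Z sshd[2101301]: Accepted publickey for vpxuser from 10.99.7.15 port 40212 ssh2
2025-09-14T02:13:02Z sshd[2101355]: Failed password for root from 198.51.100.23 port 60110 ssh2
2025-09-14T03:40:18Z sshd[2101890]: Accepted keyboard-interactive/pam for root from 10.99.7.15 port 40377 ssh2
2025-09-14T03:41:00Z sshd[2101902]: Accepted keyboard-interactive/pam for admin1 from 10.20.30.41 port 51900 ssh2
"""

ACCEPTED_RE = re.compile(
    r"^(?P<ts>\S+)\s+sshd\[(?P<pid>\d+)\]:\s+Accepted\s+(?P<method>\S+)\s+for\s+"
    r"(?P<user>\S+)\s+from\s+(?P<src>\S+)\s+port\s+(?P<port>\d+)\s+ssh2"
)

# Policy (assumed for this example): accounts whose SSH use always warrants review,
# and the management subnet from which administrators are expected to connect.
PRIVILEGED_ACCOUNTS = {"root", "vpxuser"}
MANAGEMENT_NETWORKS = [ip_network("10.20.30.0/24")]


def parse_accepted_logins(text):
    """Return one dict per successful SSH login line; failures are ignored."""
    logins = []
    for line in text.splitlines():
        m = ACCEPTED_RE.match(line)
        if m:
            d = m.groupdict()
            d["pid"] = int(d["pid"])
            d["port"] = int(d["port"])
            logins.append(d)
    return logins


def in_management_network(src):
    addr = ip_address(src)
    return any(addr in net for net in MANAGEMENT_NETWORKS)


def find_suspicious_logins(logins):
    """Flag privileged logins, attaching a reason for each finding."""
    findings = []
    for login in logins:
        reasons = []
        if login["user"] == "vpxuser":
            # vpxuser exists for vCenter's own management of the host; an
            # interactive SSH session under it is not normal administrator activity.
            reasons.append("interactive ssh login as vpxuser")
        if login["user"] in PRIVILEGED_ACCOUNTS and not in_management_network(login["src"]):
            reasons.append("privileged login from outside the management network")
        if reasons:
            findings.append({**login, "reasons": reasons})
    return findings


def logins_per_source(logins):
    """Count successful logins per (user, source) pair to spot pairs never seen before."""
    return Counter((login["user"], login["src"]) for login in logins)


if __name__ == "__main__":
    for f in find_suspicious_logins(parse_accepted_logins(SAMPLE_AUTH_LOG)):
        print(f["ts"], f["user"], f["src"], "; ".join(f["reasons"]))
```

Run against the sample, the script reports the vpxuser session and the root login from outside the management subnet while leaving the two administrator logins alone; the per-source counter is the input for a simple baseline of which user/source pairs are normal on each host.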

Data Exfiltration Operations

CrowdStrike observed numerous instances of WARP PANDA staging data for extraction. The adversary employed an ESXi-compatible version of 7-Zip to compress and package data from thin-provisioned snapshots of running guest VMs—a technique that avoids disrupting live systems while accessing their data.

In separate operations targeting non-ESXi Linux-based hypervisors, the threat actor again leveraged 7-Zip to extract data from virtual machine disk files.

Perhaps most concerning, evidence indicates WARP PANDA used vCenter access to clone domain controller VMs. This action likely aimed to capture the Active Directory Domain Services database, which contains password hashes, group memberships, and other sensitive identity information for entire organizations.

The adversary also conducted reconnaissance against an Asia Pacific government entity from one compromised network, suggesting the intrusions serve as launch points for additional targeting. Connections to cybersecurity blogs and a Mandarin-language GitHub repository appeared in the activity logs, possibly indicating research into defensive capabilities or exploitation techniques.

During at least one intrusion, WARP PANDA specifically accessed email accounts belonging to employees working on topics aligned with Chinese government strategic interests—a targeting precision that underscores intelligence-gathering objectives.

Cloud Environment Exploitation

WARP PANDA demonstrates cloud-native capabilities extending beyond traditional on-premises infrastructure. In late summer 2025, the adversary exploited access to multiple organizations' Microsoft Azure environments, primarily targeting Microsoft 365 data repositories.

The threat actor accessed OneDrive, SharePoint, and Exchange to extract sensitive information. In one sophisticated operation, WARP PANDA obtained user session tokens—likely by exfiltrating browser credential files—and tunneled traffic through BRICKSTORM implants to access Microsoft 365 services via session replay attacks.

This technique bypasses password-based authentication by replaying valid session tokens, effectively impersonating legitimate users without needing their credentials. The adversary downloaded sensitive SharePoint documents related to network engineering and incident response teams, potentially gaining insight into defensive capabilities and network architecture.

To establish persistence in cloud environments, WARP PANDA registered new multifactor authentication devices via Authenticator app codes after initially compromising user accounts. This grants continued access even if passwords change, as the adversary controls an enrolled MFA device.

In another intrusion, the threat actor used Microsoft Graph API to enumerate service principals, applications, users, directory roles, and emails. This reconnaissance provides a comprehensive map of cloud identity architecture and permissions, identifying high-value targets and potential privilege escalation paths.
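The MFA-device registration persistence described above leaves a trace in the tenant's audit log, which is the natural place to hunt for it. The following is an added example written for this article, not code from CrowdStrike or Microsoft; the records are constructed to resemble Microsoft Graph directoryAudit objects (activityDisplayName, activityDateTime, initiatedBy, targetResources), the activity name "User registered security info" is assumed to match what the tenant's audit log emits for self-service method registration and should be verified against real records, and the trusted network ranges and per-user baseline are invented for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed audit records shaped like Graph directoryAudit objects; only the
# fields used below are included and all values are made up.
SAMPLE_AUDIT_RECORDS = [
    {
        "activityDisplayName": "User registered security info",
        "activityDateTime": "2025-08-21T09:02:11Z",
        "result": "success",
        "resultReason": "User registered Authenticator App with Notification and Code",
        "initiatedBy": {"user": {"userPrincipalName": "jdoe@example.com", "ipAddress": "203.0.113.44"}},
        "targetResources": [{"userPrincipalName": "jdoe@example.com"}],
    },
    {
        "activityDisplayName": "User registered security info",
        "activityDateTime": "2025-08-21T13:15:40Z",
        "result": "success",
        "resultReason": "User registered Authenticator App with Notification and Code",
        "initiatedBy": {"user": {"userPrincipalName": "asmith@example.com", "ipAddress": "10.50.1.20"}},
        "targetResources": [{"userPrincipalName": "asmith@example.com"}],
    },
    {
        "activityDisplayName": "Update user",
        "activityDateTime": "2025-08-21T13:20:00Z",
        "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "admin@example.com", "ipAddress": "10.50.1.5"}},
        "targetResources": [{"userPrincipalName": "asmith@example.com"}],
    },
]

# Assumed corporate egress ranges and a per-user baseline of addresses previously
# seen registering authentication methods (both constructed for this example).
TRUSTED_NETWORKS = [ip_network("10.50.0.0/16")]
KNOWN_REGISTRATION_IPS = {
    "asmith@example.com": {"10.50.1.20"},
    "jdoe@example.com": {"10.50.2.7"},
}

REGISTRATION_ACTIVITY = "User registered security info"


def is_trusted(ip):
    return any(ip_address(ip) in net for net in TRUSTED_NETWORKS)


def find_suspicious_mfa_registrations(records, baseline):
    """Return successful method registrations that came from an untrusted or never-seen address."""
    findings = []
    for rec in records:
        if rec.get("activityDisplayName") != REGISTRATION_ACTIVITY or rec.get("result") != "success":
            continue
        actor = (rec.get("initiatedBy") or {}).get("user") or {}
        targets = rec.get("targetResources") or [{}]
        user = targets[0].get("userPrincipalName")
        ip = actor.get("ipAddress")
        reasons = []
        if ip is None:
            reasons.append("no source address recorded")
        else:
            if not is_trusted(ip):
                reasons.append(f"registered from untrusted address {ip}")
            if ip not in baseline.get(user, set()):
                reasons.append(f"address {ip} never previously registered a method for this user")
        if reasons:
            findings.append({
                "user": user,
                "when": rec.get("activityDateTime"),
                "ip": ip,
                "method": rec.get("resultReason"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_mfa_registrations(SAMPLE_AUDIT_RECORDS, KNOWN_REGISTRATION_IPS):
        print(f["when"], f["user"], f["ip"], f["method"], "; ".join(f["reasons"]))
```

In the sample, only the registration for jdoe@example.com is flagged, both because it came from outside the trusted ranges and because that address had never registered a method for the user before. A registration that survives a password reset is exactly the case the article describes, so the follow-up for each finding is to review and, if unexplained, remove the newly enrolled method rather than only resetting the password.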

Attribution and Victimology

Active since at least 2022, WARP PANDA primarily targets North American entities, with observed victims spanning legal, technology, and manufacturing sectors. The adversary's focus on maintaining persistent, covert access over months or years indicates intelligence collection rather than financially motivated cybercrime.

CrowdStrike Intelligence notes that WARP PANDA remains the only threat actor observed using BRICKSTORM, GuestConduit, and Junction in combination. However, industry reporting suggests BRICKSTORM may be shared among multiple adjacent China-nexus actors, complicating attribution and suggesting possible collaboration or tool-sharing within Chinese intelligence apparatus.

The sophistication, resource investment, and operational patience displayed point toward state sponsorship. The technical capabilities required to develop custom implants for ESXi environments, maintain multi-year persistent access, and conduct coordinated cloud exploitation campaigns indicate a well-funded organization with significant expertise.

Future Outlook

WARP PANDA will almost certainly continue intelligence-collection operations targeting Western organizations for the foreseeable future. The substantial investment in custom tooling, deep virtualization expertise, and demonstrated operational success create strong incentives for continued activity.

The adversary's focus on virtualization infrastructure proves strategically sound. VMware environments host critical business systems, contain sensitive data, and often receive less security scrutiny than endpoint systems. Compromising hypervisors grants access to multiple guest systems simultaneously while evading endpoint detection solutions.

As organizations increasingly migrate workloads to cloud and virtualized infrastructure, threat actors like WARP PANDA who specialize in these environments gain strategic advantage. Traditional security architectures focused on perimeter defense and endpoint protection often lack visibility into hypervisor-level activity.

Defensive Recommendations

Organizations operating VMware infrastructure should implement multiple defensive layers:

Visibility and Monitoring: Deploy monitoring for unauthorized VM creation, particularly unregistered VMs that don't appear in vCenter inventories. Forward ESXi and vCenter syslogs to external platforms for retention and analysis. Monitor SSH authentications, especially for privileged accounts like root and vpxuser.
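One concrete way to look for the unregistered VMs mentioned above is to compare what the host says is running with what the inventory says is registered. The following is an added example written for this article, not code from CrowdStrike or VMware; it assumes the output formats of `vim-cmd vmsvc/getallvms` (registered VMs) and `esxcli vm process list` (VMs with a live VMX process), and the sample output, VM names and datastore UUID are constructed for illustration.

```python
import re

# Constructed sample in the format of `vim-cmd vmsvc/getallvms` on an ESXi host,
# listing VMs registered in the host inventory.
GETALLVMS_OUTPUT = """\
Vmid   Name    File                         Guest OS                    Version   Annotation
1      web01   [datastore1] web01/web01.vmx ubuntu64Guest               vmx-19
2      dc01    [datastore1] dc01/dc01.vmx   windows2019srvNext_64Guest  vmx-19
"""

# Constructed sample in the format of `esxcli vm process list`, which shows every
# VM with a running VMX process whether or not it is registered.
VM_PROCESS_LIST_OUTPUT = """\
web01
   World ID: 2100521
   Process ID: 0
   VMX Cartel ID: 2100520
   UUID: 56 4d 0a 1b 2c 3d 4e 5f-60 71 82 93 a4 b5 c6 d7
   Display Name: web01
   Config File: /vmfs/volumes/5f1e2c3d-aabbccdd-1122-000c29aabbcc/web01/web01.vmx

svc-tmp
   World ID: 2104388
   Process ID: 0
   VMX Cartel ID: 2104387
   UUID: 56 4d 9f 8e 7d 6c 5b 4a-39 28 17 06 f5 e4 d3 c2
   Display Name: svc-tmp
   Config File: /vmfs/volumes/5f1e2c3d-aabbccdd-1122-000c29aabbcc/.cache/svc-tmp.vmx
"""

# Datastore label -> volume UUID directory under /vmfs/volumes (constructed here;
# on a real host `esxcli storage filesystem list` provides this mapping).
DATASTORE_UUIDS = {"datastore1": "5f1e2c3d-aabbccdd-1122-000c29aabbcc"}

GETALLVMS_RE = re.compile(
    r"^(?P<vmid>\d+)\s+(?P<name>\S+)\s+\[(?P<ds>[^\]]+)\]\s+(?P<path>\S+\.vmx)"
)


def registered_config_files(text, datastore_uuids):
    """Map each registered VM's config file (absolute /vmfs/volumes path) to its name."""
    paths = {}
    for line in text.splitlines():
        m = GETALLVMS_RE.match(line)
        if not m:
            continue  # header line or unparseable row
        ds_dir = datastore_uuids.get(m["ds"], m["ds"])
        paths[f"/vmfs/volumes/{ds_dir}/{m['path']}"] = m["name"]
    return paths


def running_vms(text):
    """Parse `esxcli vm process list` into dicts with name, world_id and config_file."""
    vms = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        fields = {}
        for line in lines[1:]:
            if ":" in line:
                key, value = line.split(":", 1)
                fields[key.strip()] = value.strip()
        vms.append({
            "name": fields.get("Display Name", lines[0].strip()),
            "world_id": int(fields["World ID"]),
            "config_file": fields["Config File"],
        })
    return vms


def find_unregistered_running_vms(getallvms_text, process_list_text, datastore_uuids):
    """Running VMs whose config file is not in the registered inventory."""
    registered = registered_config_files(getallvms_text, datastore_uuids)
    return [vm for vm in running_vms(process_list_text) if vm["config_file"] not in registered]


if __name__ == "__main__":
    for vm in find_unregistered_running_vms(GETALLVMS_OUTPUT, VM_PROCESS_LIST_OUTPUT, DATASTORE_UUIDS):
        print(f"unregistered running VM: {vm['name']} (world {vm['world_id']}) {vm['config_file']}")
```

On the sample, web01 is both running and registered, while svc-tmp has a live VMX process but no inventory entry, which is the ephemeral-VM pattern the article describes. Because the adversary shuts such VMs down after use, the comparison is only useful if it runs on a schedule; pairing it with a periodic search for .vmx files on each datastore catches the powered-off ones too.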

Access Controls: Consider disabling SSH access to ESXi hosts entirely when not required for operations. Implement strict network segmentation isolating management interfaces from general network access. Restrict outbound internet connectivity from ESXi and vCenter servers. Access vCenter exclusively through identity federation providers mandating multifactor authentication.

Configuration Hardening: Enable ESXi's execInstalledOnly enforcement setting to prevent execution of unsigned code. For ESXi version 8.0 or later, deactivate shell access for the vpxuser account. Monitor and restrict nonstandard port usage, particularly port 8090 and other optional service ports that malware might exploit.
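The port 8090 advice above is easiest to act on by checking which world actually owns each watched listening socket on a host. The following is an added example written for this article, not code from CrowdStrike or VMware; it assumes the column layout of `esxcli network ip connection list`, and the sample rows, world names and the policy of which world should own each port (and whether it should be bound to loopback only) are constructed and must be adjusted to the real baseline of the hosts being checked.

```python
import re

# Constructed sample in the format of `esxcli network ip connection list` on an
# ESXi host. Only tcp rows are parsed; udp rows carry no State column.
CONNECTION_LIST_OUTPUT = """\
Proto  Recv Q  Send Q  Local Address    Foreign Address     State        World ID  CC Algo  World Name
-----  ------  ------  ---------------  ------------------  -----------  --------  -------  ----------
tcp    0       0       127.0.0.1:8090   0.0.0.0:0           LISTEN       2098112   newreno  vvold
tcp    0       0       0.0.0.0:22       0.0.0.0:0           LISTEN       2097900   newreno  sshd
tcp    0       0       0.0.0.0:8090     0.0.0.0:0           LISTEN       2105733   newreno  hostsyncd
tcp    0       0       192.0.2.10:443   198.51.100.7:51002  ESTABLISHED  2098004   newreno  hostd-worker
udp    0       0       0.0.0.0:161      0.0.0.0:0                        2098301            snmpd
"""

TCP_ROW_RE = re.compile(
    r"^tcp\s+\d+\s+\d+\s+(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<faddr>\S+)\s+"
    r"(?P<state>\S+)\s+(?P<world_id>\d+)\s+(?P<cc>\S+)\s+(?P<world_name>\S+)\s*$"
)

# Policy (assumed for this example): for each watched port, the world name that
# legitimately owns it and whether it must stay bound to loopback only.
EXPECTED_LISTENERS = {
    8090: {"world_name": "vvold", "loopback_only": True},
    22: {"world_name": "sshd", "loopback_only": False},
}


def parse_tcp_connections(text):
    """Return one dict per tcp row with typed port and world id."""
    rows = []
    for line in text.splitlines():
        m = TCP_ROW_RE.match(line)
        if m:
            d = m.groupdict()
            d["lport"] = int(d["lport"])
            d["world_id"] = int(d["world_id"])
            rows.append(d)
    return rows


def find_unexpected_listeners(rows, policy=EXPECTED_LISTENERS):
    """Listening sockets on watched ports owned by the wrong world or bound too widely."""
    findings = []
    for r in rows:
        if r["state"] != "LISTEN" or r["lport"] not in policy:
            continue
        expected = policy[r["lport"]]
        reasons = []
        if r["world_name"] != expected["world_name"]:
            reasons.append(f"owned by '{r['world_name']}', expected '{expected['world_name']}'")
        if expected["loopback_only"] and not r["laddr"].startswith("127."):
            reasons.append(f"bound to {r['laddr']} rather than loopback")
        if reasons:
            findings.append({**r, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_unexpected_listeners(parse_tcp_connections(CONNECTION_LIST_OUTPUT)):
        print(f"port {f['lport']} world {f['world_id']} ({f['world_name']}): " + "; ".join(f["reasons"]))
```

On the sample, the vvold socket on 127.0.0.1:8090 passes, while the second 8090 listener is reported both for belonging to a different world and for being reachable from the network. The same comparison, fed with a per-host baseline taken from a known-clean build, extends naturally to any other optional service port the hardening guidance tells you to watch.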

Patch Management: Apply security updates for vSphere infrastructure promptly, particularly addressing the vulnerabilities WARP PANDA has demonstrated exploiting. Maintain current patches for edge devices including VPN appliances and load balancers.

Credential Management: Enforce strong password policies with regular rotation schedules. Rotate administrative credentials and API keys frequently. Use local accounts with least-privilege principles for daily administration rather than broad administrative access.

Detection: Install endpoint detection and response solutions on guest VMs to identify tunneling activities and suspicious processes. Audit unsanctioned outbound connections to unexpected destinations and known C2 infrastructure associated with BRICKSTORM.

The challenge remains substantial. WARP PANDA's operational security discipline, technical sophistication, and patient approach create a formidable adversary. Organizations must assume breach and focus on rapid detection and response rather than relying solely on prevention.


Author

Editorial Team
The Editorial Team at Security Land consists of experienced professionals dedicated to delivering insightful analysis, breaking news, and expert perspectives on the ever-evolving threat landscape.
