A new sophisticated threat actor, identified as WARP PANDA, has emerged, aggressively targeting critical infrastructure across the United States. This China-nexus group demonstrates advanced capabilities in infiltrating VMware vCenter environments, focusing on legal, technology, and manufacturing organizations. Their emergence marks a significant escalation in cloud-based cyberattacks, with a clear aim to establish long-term access to sensitive networks and valuable data repositories.
Evidence suggests that WARP PANDA’s calculated attack campaigns may have begun as early as late 2023. The adversaries exhibit a profound understanding of cloud infrastructure and virtual machine environments, allowing them to navigate complex network topologies with ease. Their modus operandi often involves targeting internet-facing edge devices before pivoting to exploit vulnerabilities or compromised credentials within VMware vCenter environments, thereby securing a foothold within victim networks.
CrowdStrike security researchers were instrumental in identifying and tracking WARP PANDA after observing multiple coordinated intrusions throughout 2025. The researchers documented the deployment of three distinct tools by the threat actors: the BRICKSTORM malware, Java web shells, and two previously unknown implants named Junction and GuestConduit. This array of tools underscores the group’s commitment to maintaining persistent access and evading detection mechanisms within compromised systems.
WARP PANDA’s Advanced Infection Mechanisms and Persistence Tactics
BRICKSTORM serves as the primary backdoor for WARP PANDA. Written in Golang, it masquerades as legitimate vCenter processes, such as updatermgr or vami-http, to avoid initial scrutiny. The malware communicates with its command-and-control servers over TLS-encrypted WebSocket connections and applies obfuscation to evade network detection. To further hide its traffic, BRICKSTORM resolves domains with DNS-over-HTTPS and nests additional TLS channels inside the outer connection. For infrastructure hosting, the group leverages public cloud services such as Cloudflare Workers and Heroku, which complicates tracking and disruption efforts because the malicious traffic blends in with legitimate use of those platforms.
The persistence mechanisms employed by WARP PANDA are indicative of advanced operational security practices aimed at maintaining long-term presence. The group utilizes Secure Shell (SSH) protocol and the privileged vpxuser account for lateral movement across networks. To further obscure their activities, they engage in log clearing and file timestomping. Security researchers have noted that WARP PANDA creates unregistered malicious virtual machines, which are subsequently shut down after use, effectively erasing their tracks. Additionally, they employ sophisticated traffic tunneling techniques, routing malicious communications through compromised systems to blend seamlessly with legitimate network activity.
Junction and GuestConduit are described as working in tandem to facilitate the group’s post-exploitation activities. Junction operates by listening on port 8090, enabling communication with guest virtual machines through virtual machine sockets. GuestConduit, in turn, facilitates the tunneling of network traffic within these virtual machines, providing a covert channel for data exfiltration or further command and control. These implants, alongside BRICKSTORM and web shells, paint a picture of a highly capable and adaptive threat actor.
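The three paragraphs above describe observable tradecraft: an SSH session authenticated as the vpxuser service account, virtual machines that exist on a datastore but are absent from the vCenter inventory, and a listener on TCP 8090. The following Python script is an added example, not code from the article or from CrowdStrike; it runs three simple defender-side checks over constructed sample data (a datastore listing, an inventory listing, sshd log lines, and `ss -ltnp`-style output). The sample values, file paths, IP addresses and process names are all constructed for illustration, and the assumption that vpxuser never logs in interactively over SSH is the analyst's, not the article's.

```python
"""Defender-side checks for three of the behaviours described above.

Added example, not part of the original article or CrowdStrike's tooling.
All inputs below are constructed sample data.
"""
import re

# --- 1. Unregistered VMs --------------------------------------------------
# A .vmx file that exists on a datastore but is missing from the vCenter
# inventory matches the "unregistered malicious VM" pattern. In practice the
# two lists come from a datastore listing and from the vCenter inventory.
DATASTORE_VMX = [                       # constructed
    "[datastore1] web01/web01.vmx",
    "[datastore1] db01/db01.vmx",
    "[datastore2] .hidden/svc-update/svc-update.vmx",
]
INVENTORY_VMX = [                       # constructed
    "[datastore1] web01/web01.vmx",
    "[datastore1] db01/db01.vmx",
]


def find_unregistered_vms(datastore_vmx, inventory_vmx):
    """Return .vmx paths present on datastores but absent from inventory."""
    registered = {p.strip().lower() for p in inventory_vmx}
    return sorted(p for p in datastore_vmx if p.strip().lower() not in registered)


# --- 2. vpxuser over SSH --------------------------------------------------
# vpxuser is the account vCenter uses to manage ESXi hosts through the API.
# Assumption: an interactive SSH login as vpxuser is never expected, so any
# "Accepted ... for vpxuser" line is worth an alert.
AUTH_LOG = [                            # constructed sshd log lines
    "Mar 03 10:12:01 esx01 sshd[2210]: Accepted publickey for root from 10.0.5.20 port 51122 ssh2",
    "Mar 03 10:14:37 esx01 sshd[2298]: Accepted password for vpxuser from 10.0.9.77 port 40211 ssh2",
    "Mar 03 10:15:02 esx01 sshd[2301]: Failed password for admin from 10.0.9.77 port 40212 ssh2",
]
SSHD_ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)


def find_service_account_ssh(log_lines, watched_users=("vpxuser",)):
    """Return successful SSH logins for accounts that should never log in interactively."""
    hits = []
    for line in log_lines:
        m = SSHD_ACCEPTED.search(line)
        if m and m.group("user") in watched_users:
            hits.append({"user": m.group("user"), "src": m.group("src"),
                         "method": m.group("method")})
    return hits


# --- 3. Unexpected listener on 8090 ----------------------------------------
# Junction is described as listening on port 8090. Parse `ss -ltnp`-style
# output and report any listener on a watched port together with its process.
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=1234,fd=3))
LISTEN 0      4096   *:8090              *:*               users:(("updatermgr",pid=4242,fd=5))
LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*         users:(("postgres",pid=900,fd=7))
"""  # constructed
SS_LINE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)


def find_listeners(ss_output, watched_ports=(8090,)):
    """Return listeners on watched ports as {port, addr, proc, pid} dicts."""
    found = []
    for line in ss_output.splitlines():
        m = SS_LINE.match(line)
        if m and int(m.group("port")) in watched_ports:
            found.append({"port": int(m.group("port")), "addr": m.group("addr"),
                          "proc": m.group("proc"), "pid": int(m.group("pid"))})
    return found


def run_checks():
    """Run all three checks on the constructed data and return the findings."""
    return {
        "unregistered_vms": find_unregistered_vms(DATASTORE_VMX, INVENTORY_VMX),
        "service_account_ssh": find_service_account_ssh(AUTH_LOG),
        "watched_listeners": find_listeners(SS_OUTPUT),
    }


if __name__ == "__main__":
    for name, findings in run_checks().items():
        print(f"{name}: {findings}")
```

Each check is deliberately narrow. A listener on 8090 is only suspicious in context (here the process name collides with a legitimate vCenter service name, which is the masquerading pattern from the BRICKSTORM paragraph), and a .vmx file outside the inventory may be a forgotten template, so the output is a lead for triage rather than a verdict.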
The vulnerabilities exploited by WARP PANDA highlight the ongoing risks associated with misconfigured or unpatched virtual infrastructure. Among the noted exploits are authentication bypass and remote command execution vulnerabilities in Ivanti Connect Secure VPN and Ivanti Policy Secure devices (CVE-2024-21887, CVE-2023-46805). Additionally, VMware vCenter environments are targeted through heap-overflow vulnerabilities in its DCERPC protocol implementation (CVE-2024-38812) and out-of-bounds write vulnerabilities that enable remote code execution (CVE-2023-34048). Older but still relevant vulnerabilities, such as CVE-2021-22005 affecting vCenter servers, also appear to be within the threat actor’s arsenal.
The continued targeting of virtualization platforms like VMware vCenter by sophisticated actors like WARP PANDA underscores the critical importance of robust vulnerability management and proactive security measures for organizations relying on these technologies. As these environments become more central to IT operations, they also represent increasingly attractive targets for threat actors seeking significant impact and persistent access. Organizations must prioritize patching known vulnerabilities and implementing strong access controls to mitigate the risks posed by such advanced persistent threats.