CrowdStrike warns of China-Nexus WARP PANDA targeting VMware vCenter
CrowdStrike has revealed a series of sophisticated intrusions throughout 2025 linked to a newly identified China-nexus adversary, WARP PANDA, which has been actively compromising VMware vCenter environments across U.S.-based legal, technology, and manufacturing entities. The threat actor has deployed a complex malware stack, including BRICKSTORM, Junction, and GuestConduit, designed specifically to infiltrate vCenter and ESXi environments while maintaining long-term, covert access.
CrowdStrike’s analysis shows that WARP PANDA demonstrates advanced operational security, deep knowledge of cloud and virtualised environments, and a strategic focus on intelligence collection aligned with the interests of the People’s Republic of China (PRC). In multiple cases, the adversary had maintained persistent access since late 2023.
During these intrusions, WARP PANDA exploited edge devices to gain initial access before pivoting to vCenter servers via valid credentials or known vulnerabilities. Once inside, the adversary deployed multiple implants, including JSP web shells, the BRICKSTORM Golang backdoor, and two newly discovered Golang-based implants, Junction on ESXi hosts and GuestConduit on guest VMs. These implants enabled stealthy tunnelling, command execution, and cross-VM communication.
The BRICKSTORM backdoor masqueraded as legitimate vCenter processes and used sophisticated C2 methods, including WebSockets over TLS, DNS-over-HTTPS, and cloud-based infrastructure via Cloudflare Workers and Heroku. WARP PANDA frequently used the implant to blend malicious traffic with legitimate VMware workflows.
CrowdStrike also observed extensive data staging and exfiltration activity, including the use of 7-Zip to extract data from thin-provisioned ESXi snapshots and cloning of domain controller VMs to capture sensitive Active Directory data. In one instance, credentials stolen from a compromised environment were used to conduct preliminary reconnaissance against a government entity in the Asia-Pacific region.
The adversary has also expanded its operations into cloud environments, exploiting Azure and Microsoft 365 services by replaying stolen session tokens, accessing SharePoint engineering data, enumerating Azure resources via Microsoft Graph API, and enrolling new MFA devices to maintain persistence.
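The MFA-enrolment step above is one of the few cloud actions in this tradecraft that leaves a clean, auditable record. The script below is an added example, not CrowdStrike’s code or anything published with the report: it correlates MFA registration events with the account’s sign-in history and flags a registration whose source IP the account had never used before the preceding hour. The record layouts, the activity name "User registered security info" (assumed to match the Entra ID audit log display name) and every sign-in and audit record are constructed for illustration.

```python
"""Flag MFA-method registrations made from an IP the account has no history with.

Rationale: a replayed session token lets an intruder act as the user without a
fresh interactive sign-in, and enrolling a new MFA device from that session turns
a short-lived foothold into durable access. A registration from a never-before-seen
IP, especially minutes after a sign-in from that same IP, is worth an analyst's look.
Field names, activity names and all records below are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class SignIn:
    user: str
    ip: str
    when: datetime


@dataclass(frozen=True)
class AuditEvent:
    user: str       # account whose security info changed
    activity: str   # audit activity display name
    ip: str         # caller IP recorded with the change
    when: datetime


# Assumed to match the Entra ID audit log activity for adding an MFA method.
REGISTRATION_ACTIVITIES = {"User registered security info"}

# Constructed records: j.doe's registration follows a sign-in from a new IP,
# a.roe's registration comes from the IP a.roe has used for weeks.
SIGNINS = [
    SignIn("j.doe@corp.example", "203.0.113.10", datetime(2025, 11, 3, 8, 5, tzinfo=UTC)),
    SignIn("j.doe@corp.example", "203.0.113.10", datetime(2025, 11, 17, 8, 2, tzinfo=UTC)),
    SignIn("j.doe@corp.example", "198.51.100.77", datetime(2025, 12, 1, 1, 40, tzinfo=UTC)),
    SignIn("a.roe@corp.example", "203.0.113.22", datetime(2025, 11, 10, 9, 1, tzinfo=UTC)),
    SignIn("a.roe@corp.example", "203.0.113.22", datetime(2025, 11, 28, 9, 0, tzinfo=UTC)),
]
AUDIT = [
    AuditEvent("j.doe@corp.example", "User registered security info", "198.51.100.77",
               datetime(2025, 12, 1, 1, 52, tzinfo=UTC)),
    AuditEvent("a.roe@corp.example", "User registered security info", "203.0.113.22",
               datetime(2025, 11, 28, 9, 10, tzinfo=UTC)),
    AuditEvent("a.roe@corp.example", "Update user", "203.0.113.22",
               datetime(2025, 11, 28, 9, 12, tzinfo=UTC)),
]


def historical_ips(signins, user, before, lookback):
    """IPs the account signed in from during [before - lookback, before)."""
    start = before - lookback
    return {s.ip for s in signins if s.user == user and start <= s.when < before}


def suspicious_registrations(signins, audit, lookback=timedelta(days=30), recent=timedelta(hours=1)):
    """Return (user, when, ip, reason) for registrations from an unfamiliar IP.

    The hour before the registration is excluded from the history on purpose:
    the intruder's own sign-in minutes earlier must not make the new IP look
    established. Accounts with no history at all are flagged too, so a freshly
    created or long-dormant account cannot slip through as 'no baseline'.
    """
    findings = []
    for ev in audit:
        if ev.activity not in REGISTRATION_ACTIVITIES:
            continue
        history = historical_ips(signins, ev.user, ev.when - recent, lookback)
        if not history:
            findings.append((ev.user, ev.when, ev.ip, "no sign-in history in lookback window"))
        elif ev.ip not in history:
            findings.append((ev.user, ev.when, ev.ip,
                             f"new source IP; previously seen {sorted(history)}"))
    return findings


if __name__ == "__main__":
    for user, when, ip, reason in suspicious_registrations(SIGNINS, AUDIT):
        print(f"{when.isoformat()} {user} registered MFA from {ip}: {reason}")
```

In practice the IP comparison is a stand-in for whatever network identity the tenant already baselines (ASN, named location, device compliance state); the structure of the check, a lookback history that deliberately excludes the minutes around the change, is the part that carries over.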
Active since at least 2022, WARP PANDA remains one of the most sophisticated cloud-conscious espionage actors tracked by CrowdStrike. The company assesses with moderate confidence that WARP PANDA will continue long-term intelligence operations targeting key industries across North America.
CrowdStrike advises organisations to strengthen monitoring of VMware environments, restrict ESXi and vCenter access, enforce MFA via identity federation, track unsanctioned VMs, patch vSphere infrastructure, and deploy EDR solutions on guest VMs to detect tunnelling activity.
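Two of those recommendations, tracking unsanctioned VMs and watching for the domain-controller cloning described earlier, can be turned into a routine reconciliation job. The script below is an added example written for this page, not CrowdStrike’s or VMware’s code: it compares a vCenter inventory export against an approved baseline keyed by instance UUID and scans recent vCenter events for clone operations whose source is a domain controller. The export and event record shapes, the baseline, and all VM and event data are constructed for illustration; only the event type name `VmClonedEvent` is taken from the vSphere event model.

```python
"""Reconcile a vCenter inventory and event export against an approved baseline.

Check 1: any VM whose instance UUID is not in the sanctioned baseline.
Check 2: any clone operation whose source VM is a domain controller. A cloned DC
is an offline copy of the directory database (NTDS.dit) that can be mounted and
mined for credentials without ever touching the live DC.
Record shapes and all sample data are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class VM:
    name: str            # display name in vCenter
    instance_uuid: str   # vCenter instance UUID; a clone receives a new one
    guest_hostname: str  # hostname reported by VMware Tools ("" if none)
    created: datetime


@dataclass(frozen=True)
class Event:
    event_type: str      # vSphere event type name, e.g. VmClonedEvent
    user: str            # account that performed the operation
    source_vm: str       # VM the operation acted on
    target_vm: str       # new VM produced (clone target), or ""
    when: datetime


# Sanctioned VMs keyed by instance UUID (assumed to come from a CMDB export).
BASELINE = {
    "5029a9f0-0001": "dc01",
    "5029a9f0-0002": "dc02",
    "5029a9f0-0003": "app-web-01",
}
DOMAIN_CONTROLLERS = {"dc01", "dc02"}

# Constructed inventory: web-01 is a known VM that was merely renamed;
# dc01-tmp is unknown to the baseline and, per the events, a clone of dc01.
INVENTORY = [
    VM("dc01", "5029a9f0-0001", "dc01.corp.example", datetime(2023, 1, 10, tzinfo=UTC)),
    VM("dc02", "5029a9f0-0002", "dc02.corp.example", datetime(2023, 1, 10, tzinfo=UTC)),
    VM("web-01", "5029a9f0-0003", "app-web-01.corp.example", datetime(2024, 3, 2, tzinfo=UTC)),
    VM("dc01-tmp", "5029a9f0-00ff", "", datetime(2025, 11, 30, 2, 14, tzinfo=UTC)),
]

# Constructed vCenter events.
EVENTS = [
    Event("VmPoweredOnEvent", "CORP\\vsphere-admin", "web-01", "",
          datetime(2025, 11, 29, 9, 0, tzinfo=UTC)),
    Event("VmClonedEvent", "CORP\\svc-backup", "dc01", "dc01-tmp",
          datetime(2025, 11, 30, 2, 14, tzinfo=UTC)),
    Event("VmClonedEvent", "CORP\\vsphere-admin", "web-01", "web-02",
          datetime(2025, 11, 30, 10, 0, tzinfo=UTC)),
]


def unsanctioned_vms(inventory, baseline):
    """VMs whose instance UUID is absent from the approved baseline.

    Keying on UUID rather than display name catches a VM renamed to blend in
    and does not fire on harmless renames of known VMs.
    """
    return [vm for vm in inventory if vm.instance_uuid not in baseline]


def dc_clone_events(events, domain_controllers):
    """Clone operations whose source VM is a domain controller."""
    return [e for e in events
            if e.event_type == "VmClonedEvent" and e.source_vm in domain_controllers]


def report(inventory=INVENTORY, events=EVENTS, baseline=BASELINE, dcs=DOMAIN_CONTROLLERS):
    """One finding line per issue, in a fixed order suitable for diffing between runs."""
    findings = []
    for vm in unsanctioned_vms(inventory, baseline):
        findings.append(f"UNSANCTIONED_VM {vm.name} uuid={vm.instance_uuid} "
                        f"created={vm.created.isoformat()}")
    for e in dc_clone_events(events, dcs):
        findings.append(f"DC_CLONE {e.source_vm}->{e.target_vm} by {e.user} "
                        f"at {e.when.isoformat()}")
    return findings


if __name__ == "__main__":
    for line in report():
        print(line)
```

Run on a schedule, the first check is what makes "track unsanctioned VMs" concrete: anything that appears in vCenter without a matching change record is a finding, whatever it is called. The second check is deliberately narrow; cloning a web server is routine, cloning a DC almost never is, and the actor that performed it is the first pivot for the investigation.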