{
	"id": "f85feb55-36a3-45a8-96aa-0e2ef199baf2",
	"created_at": "2026-04-06T00:11:59.565555Z",
	"updated_at": "2026-04-10T03:36:00.900406Z",
	"deleted_at": null,
	"sha1_hash": "1eaaa225d4b6c5ff7bfcda6eb005e19623d271ef",
	"title": "Unveiling WARP PANDA: A New Sophisticated China-Nexus Adversary",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 85049,
	"plain_text": "Unveiling WARP PANDA: A New Sophisticated China-Nexus\r\nAdversary\r\nBy Counter Adversary Operations\r\nArchived: 2026-04-02 12:39:43 UTC\r\nThroughout 2025, CrowdStrike has identified multiple intrusions targeting VMware vCenter environments at\r\nU.S.-based entities, in which newly identified China-nexus adversary WARP PANDA deployed BRICKSTORM\r\nmalware. WARP PANDA exhibits a high level of technical sophistication, advanced operations security (OPSEC)\r\nskills, and extensive knowledge of cloud and virtual machine (VM) environments. In addition to BRICKSTORM,\r\nWARP PANDA has also deployed JSP web shells and two new implants for ESXi environments — now named\r\nJunction and GuestConduit — during their operations.\r\nWARP PANDA demonstrates a high level of stealth and almost certainly focuses on maintaining persistent, long-term, covert access to compromised networks. Their operations are likely motivated by intelligence-collection\r\nrequirements aligned with the strategic interests of the People's Republic of China (PRC).\r\nDetails\r\nDuring the summer of 2025, CrowdStrike identified multiple instances in which the adversary now tracked as\r\nWARP PANDA targeted VMware vCenter environments at U.S.-based legal, technology, and manufacturing\r\nentities. \r\nWARP PANDA maintained long-term, persistent access to the compromised networks; in one of the intrusions,\r\ngaining initial access in late 2023. In addition to deploying JSP web shells and BRICKSTORM on VMware\r\nvCenter servers, the adversary also deployed two previously unobserved Golang-based implants — Junction and\r\nGuestConduit — on ESXi hosts and guest VMs, respectively.\r\nWARP PANDA frequently gains initial access by exploiting internet-facing edge devices and subsequently pivots\r\nto vCenter environments, using valid credentials or exploiting vCenter vulnerabilities. 
To move laterally within the compromised networks, the adversary uses SSH and the privileged vCenter management account vpxuser.[1] In some instances, CrowdStrike identified them using the Secure File Transfer Protocol (SFTP) to move data between hosts.\r\nUsing tradecraft focused on stealth and OPSEC, WARP PANDA leverages TTPs that include log clearing and file timestomping, as well as creating malicious VMs[2] — unregistered in the vCenter server — and shutting them down after use. Similarly, in an attempt to blend in with legitimate network traffic, the adversary has used BRICKSTORM to tunnel traffic through vCenter servers, ESXi hosts, and guest VMs. BRICKSTORM implants masquerade as legitimate vCenter processes and have persistence mechanisms that allow the implants to survive after file deletion and system reboots.\r\nhttps://www.crowdstrike.com/en-us/blog/warp-panda-cloud-threats/\r\nPage 1 of 8\n\nOn numerous occasions, CrowdStrike observed WARP PANDA staging data for exfiltration. The adversary used an ESXi-compatible version of 7-Zip to extract and stage data from thin-provisioned snapshots of live ESXi guest VMs. Separately, WARP PANDA leveraged 7-Zip to extract data from VM disks hosted on a non-ESXi Linux-based hypervisor. CrowdStrike Services also found evidence that the adversary used their access to vCenter servers to clone domain controller VMs, likely in an attempt to collect sensitive data such as the Active Directory Domain Services database.\r\nWARP PANDA likely used their access to one of the compromised networks to engage in rudimentary reconnaissance against an Asia Pacific government entity. They also connected to various cybersecurity blogs and a Mandarin-language GitHub repository. 
Further, during at least one intrusion, the adversary specifically accessed email accounts of employees who work on topics that align with Chinese government interests.\r\nMalware\r\nBRICKSTORM\r\nBRICKSTORM is a backdoor written in Golang that frequently masquerades as legitimate vCenter processes, such as updatemgr or vami-http.[3] The implant has tunneling and file management capabilities allowing users to browse file systems and download or upload files.\r\nBRICKSTORM uses WebSockets to communicate with command-and-control (C2) infrastructure over TLS and uses multiple methods to obfuscate C2 communications and circumvent network-monitoring measures. These methods include using DNS-over-HTTPS (DoH) to resolve C2 domains, creating multiple nested TLS channels for C2 sessions, and leveraging public cloud services such as Cloudflare Workers and Heroku for C2 infrastructure.[4]\r\nJunction\r\nJunction is a Golang-based implant for VMware ESXi servers that masquerades as a legitimate ESXi service by listening on port 8090, which is also used by the legitimate VMware service vvold. The implant acts as an HTTP server, listening for incoming requests, and has extensive capabilities that include executing commands, proxying network traffic, and communicating with guest VMs through VM sockets (VSOCK).\r\nGuestConduit\r\nGuestConduit is a Golang-based network traffic–tunneling implant that runs within a guest VM and establishes a VSOCK listener on port 5555. 
This implant facilitates communication between guest VMs and hypervisors. GuestConduit also parses JSON-formatted client requests to mirror or forward network traffic and likely is intended to work with Junction’s tunneling commands.\r\nVulnerability Exploitation\r\nWARP PANDA has exploited multiple vulnerabilities in edge devices and VMware vCenter environments during their operations (Table 1).\r\nTable 1. Vulnerabilities exploited by WARP PANDA\r\nVulnerability | Description\r\nCVE-2024-21887 and CVE-2023-46805 | Vulnerabilities affecting Ivanti Connect Secure VPN appliances and Ivanti Policy Secure gateways; this exploit chain bypasses authentication, enabling arbitrary remote command execution\r\nCVE-2024-38812 | Heap-overflow vCenter vulnerability in the DCERPC protocol’s implementation\r\nCVE-2023-46747 | Authentication-bypass vulnerability affecting select F5 BIG-IP devices\r\nCVE-2023-34048 | Out-of-bounds (OOB) write vCenter vulnerability in the DCERPC protocol’s implementation; can lead to remote code execution (RCE)\r\nCVE-2021-22005 | Critical-severity vulnerability affecting vCenter servers\r\nCloud Activity\r\nWARP PANDA is a cloud-conscious adversary capable of moving laterally, accessing sensitive data, and establishing persistence in cloud environments.\r\nIn late summer 2025, the adversary exploited access to multiple entities’ Microsoft Azure environments, primarily to access Microsoft 365 data stored in OneDrive, SharePoint, and Exchange. In one instance, the adversary obtained user session tokens — likely by exfiltrating user browser files — and tunneled traffic through BRICKSTORM implants to access Microsoft 365 services via session replay. The adversary further accessed and downloaded sensitive SharePoint files related to an entity's network engineering and incident response teams. 
\r\nIn at least one case, to establish persistence, the adversary registered a new multifactor authentication (MFA) device via an Authenticator app code after initially logging into a user account. In another intrusion, the adversary used the Microsoft Graph API to enumerate service principals, applications, users, directory roles, and emails.\r\nConclusion\r\nActive since at least 2022, WARP PANDA is a cloud-conscious targeted intrusion adversary that exhibits advanced technical skills and distinct malware use. To date, WARP PANDA is the only adversary that CrowdStrike Intelligence has observed leveraging BRICKSTORM, GuestConduit, and Junction; however, industry reporting has noted that BRICKSTORM is possibly leveraged by multiple adjacent China-nexus actors.[5]\r\nThe adversary primarily targets entities in North America and consistently maintains persistent, covert access to compromised networks, likely to support intelligence-collection efforts aligned with PRC strategic interests.\r\nWARP PANDA will likely maintain their intelligence-collection operations in the near to long term. 
This assessment is made with moderate confidence based on the adversary’s significant technical capabilities and focus on long-term access operations, which suggest they are associated with a well-resourced organization that has heavily invested in cyberespionage capabilities.\r\nRecommendations\r\nThese recommendations can be implemented to help protect against the activity described in this blog post:\r\nMonitor for the creation of unsanctioned VMs; CrowdStrike Services offers a tool to identify unregistered VMware VMs[6]\r\nRetain and monitor ESXi and vCenter syslog via CrowdStrike Falcon® Next-Gen SIEM\r\nAudit unsanctioned outbound connections to unexpected network destinations and known command-and-control (C2) infrastructure associated with BRICKSTORM\r\nConsider disabling SSH access to VMware ESXi hosts\r\nMonitor for SSH authentications, specifically authentications as root and vpxuser\r\nForward vSphere syslog to an external platform\r\nFor daily administration, leverage local accounts using the principle of least privilege\r\nEnable ESXi’s execInstalledOnly enforcement setting\r\nFor ESXi versions 8.0 or later, deactivate shell access for the vpxuser account on ESXi hosts\r\nRestrict outbound internet access from ESXi and vCenter\r\nImplement strict network segmentation and firewall rules for ESXi management interfaces\r\nMonitor and restrict nonstandard port usage on ESXi servers, particularly the use of port 8090 and other optional service ports\r\nAccess vCenter only via an identity federation provider that mandates MFA\r\nEnsure EDR solutions are installed on guest VMs to detect potential tunneling activities\r\nInstall security patches for vSphere infrastructure\r\nEnforce password policies and regular password rotation\r\nRegularly rotate administrative credentials and API keys\r\nAppendix\r\nFalcon LogScale Query\r\nThis CrowdStrike Falcon® LogScale 
query detects the activity described in this blog post. Network matches from VMware vSphere infrastructure should be investigated as a priority.\r\n// Hunting rule for indicators\r\ncase { in(\"SHA256HashData\",\r\nvalues=[\"40db68331cb52dd3ffa0698144d1e6919779ff432e2e80c058e41f7b93cec042\",\r\n\"88db1d63dbd18469136bf9980858eb5fc0d4e41902bf3e4a8e08d7b6896654ed\",\r\n\"9a0e1b7a5f7793a8a5a62748b7aa4786d35fc38de607fb3bb8583ea2f7974806\",\r\n\"40992f53effc60f5e7edea632c48736ded9a2ca59fb4924eb6af0a078b74d557\"]);\r\nin(\"RemoteAddressIP4\", values=[\"149.28.120.31\", \"208.83.233.14\"]) } | table([cid, aid, #event_simpleName, Comput\r\nIndicators of Compromise\r\nThis table details the IOCs related to the information provided in this blog post.\r\nIOC | Description\r\n40db68331cb52dd3ffa0698144d1e6919779ff432e2e80c058e41f7b93cec042 | GuestConduit SHA256 hash\r\n88db1d63dbd18469136bf9980858eb5fc0d4e41902bf3e4a8e08d7b6896654ed | Junction SHA256 hash\r\n9a0e1b7a5f7793a8a5a62748b7aa4786d35fc38de607fb3bb8583ea2f7974806 | Junction SHA256 hash\r\n40992f53effc60f5e7edea632c48736ded9a2ca59fb4924eb6af0a078b74d557 | BRICKSTORM SHA256 hash\r\n208.83.233[.]14 | IP address leveraged by WARP PANDA\r\n149.28.120[.]31 | IP address leveraged by WARP PANDA\r\nMITRE ATT\u0026CK\r\nThis table details the tactics and techniques described in this blog post.\r\nTactic | Technique | Observable\r\nResource Development | T1583.001 - Acquire Infrastructure: Domains | WARP PANDA uses Cloudflare DNS services to register C2 domains\r\nResource Development | T1583.003 - Acquire Infrastructure: Virtual Private Server | WARP PANDA uses VPS hosting providers\r\nResource Development | T1583.007 - Acquire Infrastructure: Serverless | BRICKSTORM uses infrastructure hosted behind Cloudflare and has used Cloudflare Workers and Heroku for C2 communications\r\nResource Development | T1584.008 - Compromise Infrastructure: Network Devices | WARP PANDA targets 
internet-facing edge devices\r\nResource Development | T1588.001 - Obtain Capabilities: Malware | WARP PANDA has access to BRICKSTORM, Junction, and GuestConduit\r\nResource Development | T1608.003 - Stage Capabilities: Install Digital Certificate | WARP PANDA uses TLS certificates on C2 infrastructure\r\nInitial Access | T1078.004 - Valid Accounts: Cloud Accounts | WARP PANDA has gained access to Microsoft Azure environments, specifically targeting Office365 resources\r\nInitial Access | T1190 - Exploit Public-Facing Application | WARP PANDA has exploited vulnerabilities in internet-facing edge devices to gain initial network access\r\nPersistence | T1078.001 - Valid Accounts: Default Accounts | WARP PANDA has leveraged the legitimate vpxuser account for privileged access to vCenter servers\r\nPersistence | T1098.001 - Account Manipulation: Additional Cloud Credentials | WARP PANDA has registered a new MFA device using an Authenticator app code\r\nPersistence | T1505.003 - Server Software Component: Web Shell | WARP PANDA has used web shells to maintain persistence\r\nDefense Evasion | T1036.004 - Masquerading: Masquerade Task or Service | BRICKSTORM and Junction masquerade as legitimate VMware processes and services\r\nDefense Evasion | T1070.004 - Indicator Removal: File Deletion | WARP PANDA has deleted files to avoid detection\r\nDefense Evasion | T1070.006 - Indicator Removal: Timestomp | WARP PANDA has modified file timestamps to avoid detection and blend in with legitimate files\r\nDefense Evasion | T1564.006 - Hide Artifacts: Run Virtual Instance | WARP PANDA has created malicious VMs within the VMware environment\r\nDiscovery | T1083 - File and Directory Discovery | Junction allows a connected client to browse and download files from the host machine\r\nLateral Movement | T1021.004 - Remote Services: SSH | WARP PANDA has used SSH to move between vCenter servers and ESXi hosts\r\nLateral Movement | T1550.001 - Use 
Alternate Authentication Material: Application Access Token | WARP PANDA has moved laterally between different cloud services within the Azure environment\r\nCollection | T1114.002 - Email Collection: Remote Email Collection | WARP PANDA has gained access to mailboxes\r\nCollection | T1213 - Data from Information Repositories | WARP PANDA has gained access to sensitive files\r\nCollection | T1213.002 - Data from Information Repositories: SharePoint | WARP PANDA has used BRICKSTORM to access and download sensitive SharePoint files\r\nCollection | T1530 - Data from Cloud Storage | WARP PANDA has accessed cloud environments to collect sensitive information\r\nCollection | T1560.001 - Archive Collected Data: Archive via Utility | WARP PANDA has used 7-Zip to compress data before exfiltration\r\nCommand and Control | T1071.001 - Application Layer Protocol: Web Protocols | BRICKSTORM uses WebSockets to communicate with C2 infrastructure over TLS\r\nCommand and Control | T1071.004 - Application Layer Protocol: DNS | BRICKSTORM uses DNS-over-HTTPS to resolve C2 domains\r\nCommand and Control | T1090 - Proxy | Junction allows a connected client to start a TCP or UDP proxy; GuestConduit allows traffic proxying from a host hypervisor to a different endpoint address\r\nCommand and Control | T1090.003 - Proxy: Multi-hop Proxy | WARP PANDA has used commercial VPN services\r\nCommand and Control | T1095 - Non-Application Layer Protocol | Junction and GuestConduit can both communicate using VSOCK network connections\r\nCommand and Control | T1572 - Protocol Tunneling | Junction can forward network traffic over a VSOCK connection to a listening virtual machine (VM)\r\nCommand and Control | T1573.002 - Encrypted Channel: Asymmetric Cryptography | BRICKSTORM can communicate with C2 infrastructure via TLS\r\nExfiltration | T1041 - Exfiltration Over C2 Channel | WARP PANDA has exfiltrated archived data to C2 infrastructure\r\n[1] The vpxuser account is native to vCenter-managed ESXi 
hosts. The account’s password is random, managed by vCenter, and unique for each ESXi host. Automatically changed on a regular basis, the password is stored in an encrypted form on the vCenter server. The account should only be used by vCenter to manage ESXi. Any evidence of SSH activity using this account should be thoroughly investigated, as such activity is likely malicious.\r\n[2] https[:]//github[.]com/CrowdStrike/VirtualGHOST\r\n[3] https[:]//cloud[.]google[.]com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement\r\n[4] https[:]//www[.]nviso[.]eu/blog/nviso-analyzes-brickstorm-espionage-backdoor\r\n[5] https[:]//cloud[.]google[.]com/blog/topics/threat-intelligence/brickstorm-espionage-campaign\r\n[6] https[:]//github[.]com/CrowdStrike/VirtualGHOST\r\nSource: https://www.crowdstrike.com/en-us/blog/warp-panda-cloud-threats/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.crowdstrike.com/en-us/blog/warp-panda-cloud-threats/"
	],
	"report_names": [
		"warp-panda-cloud-threats"
	],
	"threat_actors": [
		{
			"id": "26c07e6d-5095-4d13-95d1-debe836e19ab",
			"created_at": "2026-01-22T02:00:03.669144Z",
			"updated_at": "2026-04-10T02:00:03.921163Z",
			"deleted_at": null,
			"main_name": "WARP PANDA",
			"aliases": [],
			"source_name": "MISPGALAXY:WARP PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434319,
	"ts_updated_at": 1775792160,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1eaaa225d4b6c5ff7bfcda6eb005e19623d271ef.pdf",
		"text": "https://archive.orkl.eu/1eaaa225d4b6c5ff7bfcda6eb005e19623d271ef.txt",
		"img": "https://archive.orkl.eu/1eaaa225d4b6c5ff7bfcda6eb005e19623d271ef.jpg"
	}
}