A newly identified China-nexus cyber adversary, tracked by CrowdStrike as WARP PANDA, has emerged as one of the most technically sophisticated espionage groups targeting US organizations in 2025. According to analysts, the group has conducted multiple intrusions against legal, technology, and manufacturing entities, focusing on VMware vCenter environments and cloud platforms. Investigators say the operations reveal a well-resourced espionage apparatus aligned with the long-term intelligence priorities of the People’s Republic of China.

CrowdStrike’s latest findings underscore a troubling escalation: adversaries are no longer simply breaching networks but embedding themselves deeply within hybrid cloud and virtualization infrastructure to maintain covert, persistent access for years at a time.

Long-running campaign

CrowdStrike’s investigation shows that WARP PANDA initially infiltrated some victim networks as early as late 2023, later expanding operations throughout 2025. Once inside, the group demonstrated an unusually deep understanding of VMware environments by targeting vCenter servers and ESXi hypervisors.

Their toolkit included JSP web shells, the BRICKSTORM malware family, and two previously unknown Golang-based implants named Junction and GuestConduit. This approach reflects a strategic shift in global espionage tradecraft. By compromising virtualization layers, attackers can observe or manipulate data from multiple guest systems simultaneously.

Such access allows them to bypass traditional endpoint defenses, making detection far more difficult. CrowdStrike notes that WARP PANDA’s ability to maintain long-term persistence indicates both high skill and a singular focus on extracting valuable internal and national-security-relevant data.

Stealth techniques

To gain initial entry, WARP PANDA exploited internet-facing devices and then pivoted into vCenter systems using valid credentials or known vulnerabilities. The group routinely used SSH, SFTP, and the privileged vpxuser account to move laterally across networks. Investigators also observed log wiping, file timestomping, and the creation of malicious virtual machines designed to operate without appearing in the vCenter inventory. Such techniques highlight the ongoing challenge facing defenders: adversaries increasingly exploit the very management tools administrators depend upon.

By blending malicious traffic with normal virtualization operations, WARP PANDA effectively concealed its foothold. One of the group’s most notable methods involved tunneling traffic through BRICKSTORM implants on vCenter servers, ESXi hosts, and guest VMs. This tactic enabled covert command-and-control and data movement in ways that closely mimic routine administrative functions.

Data theft and targeting

Across multiple intrusions, CrowdStrike observed WARP PANDA staging data for exfiltration. The group extracted information from thin-provisioned VM snapshots using an ESXi-compatible version of 7-Zip and cloned domain controller virtual machines to access sensitive Active Directory data. Investigators also uncovered reconnaissance activity involving an Asia Pacific government entity.

During at least one intrusion, operators accessed the email accounts of employees working on issues aligned with PRC strategic interests. Analysts say this pattern reflects a broader intelligence-collection mission, suggesting the group supports geopolitical objectives rather than pursuing financial gain.

Cloud intrusions and MFA abuse

WARP PANDA’s cloud-focused operations further distinguish it from many threat actors. By summer 2025, the group had infiltrated Microsoft Azure environments at multiple organizations, accessing email, OneDrive, and SharePoint. In one case, operators replayed stolen session tokens via BRICKSTORM tunnels to reach Microsoft 365 resources. They also accessed files relating to network engineering and incident response, raising concerns that stolen knowledge could be weaponized in future attacks.

In another instance, the group registered its own MFA device to maintain persistent cloud access. CrowdStrike emphasizes that such actions demonstrate a clear understanding of enterprise identity systems and the weaknesses that arise when authentication logs are not closely monitored.

Implications and outlook

Active since at least 2022, WARP PANDA is the only known adversary using the combined BRICKSTORM, Junction, and GuestConduit toolset. Analysts assess with moderate confidence that the group will continue to operate in the long term, supported by extensive resources and a mandate to collect strategic intelligence. The campaign highlights a pivotal shift in state-aligned cyber operations: adversaries are targeting virtualization and cloud identity layers as primary entry points. As organizations rely more heavily on hybrid infrastructure, defenders must assume these components are high-value espionage targets.
CrowdStrike advises organizations to closely monitor ESXi and vCenter logs, restrict outbound access from hypervisors, enforce strong credential rotation, and deploy EDR tools on guest VMs to detect tunneling behavior. The findings serve as a reminder that nation-state actors continue to evolve rapidly, exploiting the foundational technologies that underpin modern enterprise networks.
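As an added illustration of the ESXi log monitoring CrowdStrike recommends (example code written for this article, not CrowdStrike's or VMware's tooling), the script below parses successful SSH logins from constructed ESXi auth.log lines and flags two of the patterns described above: SSH sessions on the vpxuser account and root logins from sources outside an assumed administrator allowlist. The IP addresses, timestamps and allowlist are made up for the example.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample lines in the OpenSSH format ESXi writes to /var/log/auth.log.
# These are illustrative only, not logs from any real host.
SAMPLE_AUTH_LOG = """\
2025-06-12T08:15:22Z sshd[2100311]: Accepted publickey for root from 10.0.5.10 port 40122 ssh2
2025-06-12T08:17:03Z sshd[2100340]: Accepted keyboard-interactive/pam for vpxuser from 10.0.9.77 port 51234 ssh2
2025-06-12T08:20:41Z sshd[2100377]: Accepted password for root from 203.0.113.45 port 49152 ssh2
2025-06-12T08:22:10Z sshd[2100390]: Failed password for root from 203.0.113.45 port 49160 ssh2
2025-06-12T09:01:55Z sshd[2100455]: Accepted publickey for root from 10.0.5.10 port 40188 ssh2
"""

# Matches only successful logins; failed attempts are left to a separate brute-force rule.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+) ssh2$"
)

Login = Dict[str, str]
Alert = Tuple[str, Login]


def parse_accepted_logins(text: str) -> List[Login]:
    """Return one dict (ts, method, user, src, port) per successful SSH login."""
    return [m.groupdict() for line in text.splitlines() if (m := ACCEPTED_RE.match(line))]


def find_suspicious_logins(logins: Iterable[Login], admin_allowlist: set) -> List[Alert]:
    """Flag two patterns from the WARP PANDA reporting.

    vpxuser is the account vCenter's host-management agent uses; an interactive
    SSH session on it is unexpected. A root SSH login from a source that is not a
    known admin host (assumed allowlist) is the second pattern worth a look.
    """
    alerts: List[Alert] = []
    for login in logins:
        if login["user"] == "vpxuser":
            alerts.append(("vpxuser_ssh", login))
        elif login["user"] == "root" and login["src"] not in admin_allowlist:
            alerts.append(("root_from_unlisted_source", login))
    return alerts


if __name__ == "__main__":
    # Assumed: 10.0.5.10 is the only jump host allowed to SSH into hypervisors.
    for rule, login in find_suspicious_logins(parse_accepted_logins(SAMPLE_AUTH_LOG), {"10.0.5.10"}):
        print(f"{login['ts']} {rule}: {login['user']} from {login['src']} via {login['method']}")
```

In production the same rules would run over logs forwarded to a SIEM rather than a file on the host, since the page notes the actor wipes local logs.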