A long-running cyber-espionage campaign orchestrated by a previously unknown threat actor, dubbed 'Warp Panda', has been targeting VMware vCenter environments at US-based companies and deploying the Brickstorm malware, cybersecurity firm CrowdStrike has reported. Researchers assess that the threat actor is aligned with People's Republic of China (PRC) strategic intelligence priorities.
“In addition to BRICKSTORM, WARP PANDA has also deployed JSP web shells and two new implants for ESXi environments — now named Junction and GuestConduit — during their operations,” CrowdStrike noted.
Earlier this month, the US Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory warning that a PRC state-sponsored actor has used BRICKSTORM to maintain long-term access to targeted VMware vSphere environments, with activity documented from at least April 2024 through September 3, 2025.
Warp Panda is highly skilled, the report says, with strong operational security practices and familiarity with cloud environments and virtual machine (VM) infrastructure. Throughout the summer of 2025, researchers observed multiple attempts to compromise VMware vCenter environments across the North American legal, technology and manufacturing sectors.
Access gained in at least one intrusion was later used to conduct reconnaissance on a government entity in the Asia-Pacific region. The threat actor has also been linked to cybersecurity blogs and a Mandarin-language GitHub repository.
Warp Panda gains initial access by exploiting internet-facing edge devices before pivoting to vCenter systems using valid credentials or exploiting known vulnerabilities. CrowdStrike also observed the group moving laterally via SSH and the privileged vpxuser account that vCenter uses to manage ESXi hosts, transferring data with SFTP, clearing logs, timestomping files, and creating malicious VMs that were never registered in the host inventory, then shutting them down, to evade detection.
The adversary has also tunneled traffic through vCenter servers, ESXi hosts and guest VMs to blend into normal network activity.
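Two of the host-level artefacts named above, VMs that exist on a datastore but not in the ESXi inventory and SSH logins as vpxuser, can be hunted for offline from text collected on the host. The script below is an added example written for this article, not CrowdStrike's or CISA's tooling. It assumes the output of `vim-cmd vmsvc/getallvms` and `find /vmfs/volumes -name '*.vmx'` (both standard on ESXi), a datastore-label-to-UUID mapping taken from `esxcli storage filesystem list`, and sshd lines from `/var/log/auth.log`; every sample below is constructed, including the volume UUID, hostnames and IP addresses.

```python
"""Offline hunt for two ESXi artefacts: unregistered .vmx files and vpxuser SSH logins.

Added example (not CrowdStrike's or CISA's code). All sample data is constructed.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed mapping of datastore label -> volume UUID directory, as reported by
# `esxcli storage filesystem list` or by resolving the /vmfs/volumes/<label> symlink.
DATASTORE_UUIDS: Dict[str, str] = {
    "datastore1": "64a1b2c3-0f0e0d0c-1a2b-3c4d5e6f7a8b",
}

# Constructed sample of `vim-cmd vmsvc/getallvms` output (VMs in the host inventory).
GETALLVMS_SAMPLE = """\
Vmid   Name    File                          Guest OS                     Version   Annotation
1      web01   [datastore1] web01/web01.vmx  rhel8_64Guest                vmx-19
7      dc01    [datastore1] dc01/dc01.vmx    windows2019srvNext_64Guest   vmx-19
"""

# Constructed sample of `find /vmfs/volumes -name '*.vmx'`. find does not follow the
# datastore-label symlinks, so it reports paths under the volume UUID directories.
FIND_SAMPLE = """\
/vmfs/volumes/64a1b2c3-0f0e0d0c-1a2b-3c4d5e6f7a8b/web01/web01.vmx
/vmfs/volumes/64a1b2c3-0f0e0d0c-1a2b-3c4d5e6f7a8b/dc01/dc01.vmx
/vmfs/volumes/64a1b2c3-0f0e0d0c-1a2b-3c4d5e6f7a8b/.cache/upd/upd.vmx
"""

# Constructed /var/log/auth.log lines in sshd's "Accepted ... for <user> from <ip>" shape.
AUTH_LOG_SAMPLE = """\
2025-08-14T02:58:01Z esx01 sshd[2048101]: Accepted publickey for root from 10.0.0.5 port 50122 ssh2
2025-08-14T03:12:45Z esx01 sshd[2048123]: Accepted keyboard-interactive/pam for vpxuser from 10.20.30.40 port 51234 ssh2
2025-08-14T03:13:02Z esx01 sshd[2048123]: pam_unix(sshd:session): session opened for user vpxuser by (uid=0)
"""

VMX_IN_INVENTORY = re.compile(r"\[(?P<ds>[^\]]+)\]\s+(?P<rel>\S+\.vmx)")
VMX_ON_DISK = re.compile(r"^/vmfs/volumes/(?P<vol>[^/]+)/(?P<rel>.+\.vmx)$")
# Hostname field is optional: some syslog configurations omit it.
SSH_ACCEPTED = re.compile(
    r"^(?P<ts>\S+)\s+(?:\S+\s+)?sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)"
)

VmxKey = Tuple[str, str]  # (volume UUID, path relative to the datastore root)


def registered_vmx(getallvms_text: str, ds_uuids: Dict[str, str]) -> Set[VmxKey]:
    """Keys of every VM the host inventory knows about."""
    found: Set[VmxKey] = set()
    for m in VMX_IN_INVENTORY.finditer(getallvms_text):
        vol = ds_uuids.get(m["ds"], m["ds"])  # keep the label if no UUID is known
        found.add((vol, m["rel"]))
    return found


def on_disk_vmx(find_text: str) -> Set[VmxKey]:
    """Keys of every .vmx file present on the datastores."""
    found: Set[VmxKey] = set()
    for line in find_text.splitlines():
        m = VMX_ON_DISK.match(line.strip())
        if m:
            found.add((m["vol"], m["rel"]))
    return found


def unregistered_vmx(getallvms_text: str, find_text: str,
                     ds_uuids: Dict[str, str]) -> Set[VmxKey]:
    """VM config files on disk that are absent from the inventory: hunt leads, not verdicts."""
    return on_disk_vmx(find_text) - registered_vmx(getallvms_text, ds_uuids)


def vpxuser_ssh_logins(auth_log_text: str) -> List[Tuple[str, str]]:
    """(timestamp, source IP) for every accepted SSH login as vpxuser."""
    hits: List[Tuple[str, str]] = []
    for line in auth_log_text.splitlines():
        m = SSH_ACCEPTED.match(line)
        if m and m["user"] == "vpxuser":
            hits.append((m["ts"], m["ip"]))
    return hits


if __name__ == "__main__":
    for vol, rel in sorted(unregistered_vmx(GETALLVMS_SAMPLE, FIND_SAMPLE, DATASTORE_UUIDS)):
        print(f"UNREGISTERED VMX: /vmfs/volumes/{vol}/{rel}")
    for ts, ip in vpxuser_ssh_logins(AUTH_LOG_SAMPLE):
        print(f"vpxuser SSH LOGIN: {ts} from {ip}")
```

Two caveats for real use. An unregistered .vmx is a lead rather than a verdict: orphaned files from failed migrations or deleted-but-not-cleaned VMs produce the same result, so confirm by checking the file's timestamps, the presence of a matching .vmdk and whether the VM appears in vCenter rather than only on the host (the regex also assumes no spaces in the .vmx path, which is true of the sample but not of every inventory). The vpxuser account is used by vCenter over its management API and has no legitimate interactive use, so any accepted SSH login under that name warrants investigation; and because the report notes the actor clears logs, the local auth.log may be incomplete, which is the usual argument for forwarding ESXi syslog to a collector the host cannot modify.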
During at least one compromise, attackers accessed email accounts of employees working on topics aligned with Chinese government interests. CrowdStrike says Warp Panda maintains persistent, covert access within victim networks, in some cases for years, indicating a well-resourced organization focused on long-term intelligence collection. The threat actor is believed to have been active since at least 2022.