
China-Linked ‘Warp Panda’ Hacks North American Firms in Espionage Campaign

Originally published on: December 6, 2025
Summary

– CrowdStrike identified a sophisticated cyber-espionage campaign by the previously unknown threat actor Warp Panda, which targets North American legal, tech, and manufacturing firms to support Chinese government priorities.
– The adversary exhibits high technical skill, persistently targets VMware vCenter environments, and uses custom malware like BRICKSTORM, Junction, and GuestConduit to maintain covert, long-term access.
– Warp Panda’s activities, active since at least 2022, are long-term and focused on intelligence collection, suggesting association with a well-resourced organization aligned with PRC strategic interests.
– The group’s tactics include exploiting internet-facing devices, using valid credentials or vulnerabilities to access vCenter, and employing techniques like log clearing and traffic tunneling to evade detection.
– A joint U.S. CISA advisory confirmed a PRC state-sponsored actor uses BRICKSTORM malware, with observed activity from at least April 2024 through September 2025, targeting VMware vSphere platforms.

A sophisticated and persistent cyber-espionage campaign, linked to Chinese state interests, has been targeting North American companies in the legal, technology, and manufacturing sectors. Cybersecurity analysts have identified a previously unknown threat actor, dubbed ‘Warp Panda’, which demonstrates advanced technical skills and a deep understanding of cloud and virtual-machine infrastructure. This group’s operations are characterized by long-term, covert access to victim networks, primarily for intelligence gathering that aligns with the strategic priorities of the People’s Republic of China.

The campaign exhibits a high degree of operational security and technical sophistication. Investigators note the actor’s extensive familiarity with environments like VMware vCenter, which they have repeatedly targeted. Their methods include exploiting vulnerabilities in internet-facing devices to gain an initial foothold, then pivoting to vCenter systems using valid credentials or known security flaws. Once inside, they use tools like SSH and privileged management accounts to move laterally across the network.

A key component of their toolkit is the BRICKSTORM malware, a Golang-based backdoor designed to mimic legitimate vCenter processes. This malware provides persistent access that can survive file deletion and system reboots, allowing the hackers to maintain a long-term presence. In some cases, the group has used this access to perform basic reconnaissance against a government entity in the Asia Pacific region. They have also specifically targeted the email accounts of employees whose work aligns with Chinese governmental interests.

Beyond BRICKSTORM, the actors have deployed two other custom implants, Junction and GuestConduit, on ESXi hosts and guest virtual machines respectively. Their detection-evasion techniques are thorough: they clear logs, alter file timestamps, and create malicious virtual machines that are never registered with the vCenter server, shutting them down after use. To obscure data exfiltration, they have been observed tunneling traffic through compromised vCenter servers and virtual machines, blending malicious activity with normal network traffic.
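Two of the evasion techniques above can be turned into host-level hunts. The following Python script is an added example, not code from the report or from any vendor named on this page: it flags VM configuration files that exist on a datastore but have no inventory entry, and files whose modification time has been rolled back. The inputs are constructed samples in the shape of `vim-cmd vmsvc/getallvms` and `find /vmfs/volumes -name '*.vmx'` output plus hypothetical stat() results; the function and sample names are the example's own, and it assumes the find listing was taken through the friendly datastore-name symlinks rather than volume UUIDs.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of `vim-cmd vmsvc/getallvms` output on an ESXi
# host. Only the "[datastore] path/to/vm.vmx" column is parsed.
GETALLVMS_SAMPLE = """\
Vmid   Name          File                                     Guest OS             Version
1      web-prod-01   [datastore1] web-prod-01/web-prod-01.vmx ubuntu64Guest        vmx-19
7      vcsa          [datastore1] vcsa/vcsa.vmx               other3xLinux64Guest  vmx-19
"""

# Constructed sample in the shape of `find /vmfs/volumes -name '*.vmx'` output.
# Assumption: the listing went through the friendly datastore-name symlinks,
# so paths read datastore1/... rather than a volume UUID.
FIND_SAMPLE = """\
/vmfs/volumes/datastore1/web-prod-01/web-prod-01.vmx
/vmfs/volumes/datastore1/vcsa/vcsa.vmx
/vmfs/volumes/datastore1/.hidden/svc-backup.vmx
"""

VMX_COLUMN = re.compile(r"\[(?P<ds>[^\]]+)\]\s+(?P<path>\S+\.vmx)")
VOLUME_ROOT = "/vmfs/volumes/"


def registered_vmx_paths(getallvms_output: str) -> set[str]:
    """Datastore-relative .vmx paths of every VM the inventory knows about."""
    found = set()
    for line in getallvms_output.splitlines():
        m = VMX_COLUMN.search(line)
        if m:
            found.add(f"{m['ds']}/{m['path']}")
    return found


def on_disk_vmx_paths(find_output: str) -> set[str]:
    """Datastore-relative .vmx paths actually present on the volumes."""
    found = set()
    for line in find_output.splitlines():
        line = line.strip()
        if line.startswith(VOLUME_ROOT) and line.endswith(".vmx"):
            found.add(line[len(VOLUME_ROOT):])
    return found


def unregistered_vms(getallvms_output: str, find_output: str) -> list[str]:
    """VM config files on disk with no inventory entry: such a VM can be
    powered on from the ESXi shell without ever appearing in vCenter."""
    return sorted(on_disk_vmx_paths(find_output) - registered_vmx_paths(getallvms_output))


@dataclass(frozen=True)
class FileTimes:
    path: str
    mtime: float  # content modification time; the owner can rewrite it via utimes()
    ctime: float  # inode change time; set only by the kernel, and utimes() bumps it


# Constructed (hypothetical) stat() results in epoch seconds. The second entry
# has an mtime backdated by years relative to its last inode change.
STAT_SAMPLE = [
    FileTimes("/opt/example/service", mtime=1_700_000_000, ctime=1_700_000_100),
    FileTimes("/opt/example/.helper", mtime=1_600_000_000, ctime=1_733_000_000),
]


def timestomp_candidates(files, slack_seconds: float = 86_400) -> list[str]:
    """Files whose mtime is older than ctime by more than `slack_seconds`.
    Backdating mtime with touch/utimes leaves ctime at the real time of the
    change, so a large gap is a triage signal (see the caveat below)."""
    return [f.path for f in files if f.ctime - f.mtime > slack_seconds]


if __name__ == "__main__":
    for vmx in unregistered_vms(GETALLVMS_SAMPLE, FIND_SAMPLE):
        print(f"unregistered VM config: {vmx}")
    for path in timestomp_candidates(STAT_SAMPLE):
        print(f"possible timestomp: {path}")
```

Two caveats apply. An mtime far older than ctime also results from package installs and copies that preserve timestamps, so the second check needs an allow-list of known-good paths before it is useful. And an actor with root on the hypervisor can shape both inputs, so collect the inventory and find listings out-of-band and run the comparison on a trusted host rather than on the suspect one.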

The persistence and scope of this activity suggest a well-resourced organization heavily invested in cyber espionage. One intrusion dating back to 2023 served as an initial access point, with evidence indicating the group has been active since at least 2022. Analysts assess with moderate confidence that these intelligence-collection operations will continue in the near and long term. The campaign’s focus on maintaining stealthy, enduring access underscores its espionage objectives.

This assessment is corroborated by a recent joint advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which confirmed that a PRC state-sponsored actor is using BRICKSTORM malware for long-term persistence on victim systems. The advisory specifically noted the targeting of VMware vSphere platforms, with observed malicious activity spanning from at least April 2024 through September 2025. The connection to Chinese priorities is further supported by the group’s associations with various cybersecurity blogs and a Mandarin-language GitHub repository.

(Source: Info Security)
