SecurityBrief US - Technology news for CISOs & cybersecurity decision-makers
WARP PANDA cyberespionage group targets US cloud networks

Fri, 5th Dec 2025

CrowdStrike has identified a previously unreported China-linked cyberespionage group, WARP PANDA, that has targeted US-based legal, technology, and manufacturing sectors throughout 2025. The group specialises in sustained, covert operations across hybrid-cloud environments and has been active since at least 2022, according to new analysis shared by the company.

Cloud and hybrid targeting

WARP PANDA's operations focus on Microsoft 365, Azure, and VMware vCenter infrastructure. The group aims for long-term, hidden access to high-value data aligned with Chinese government interests. Intrusions have included exploiting cloud-based systems and targeting VMware vCenter environments, particularly at US organisations. These activities have continued into recent months, with some incursions tracing initial access back to late 2023.

Custom malware deployment

The group has been observed using three bespoke malware implants known as BRICKSTORM, Junction, and GuestConduit, in addition to traditional web shells. BRICKSTORM, a backdoor written in Golang, mimics legitimate vCenter server processes and provides file browsing, download, upload, and tunnelling functions. Its persistence mechanisms enable it to survive file deletion and system reboots, and it communicates through encrypted channels that leverage multiple obfuscation strategies such as DNS-over-HTTPS and public cloud resources.

Junction operates on VMware ESXi servers, masquerading as a legitimate service and acting as an HTTP server with command execution and network proxying abilities. GuestConduit, also Golang-based, runs within guest VMs to tunnel network traffic and facilitate communication between guest VMs and hypervisors, designed to work in conjunction with Junction for advanced tunnelling operations.

Access and exfiltration techniques

WARP PANDA typically gains entry by exploiting publicly accessible network edge devices, later moving into vCenter environments using compromised credentials or by exploiting vCenter vulnerabilities. For lateral movement, the group uses SSH and privileged service accounts. Instances have also been noted where Secure File Transfer Protocol (SFTP) was used to move data between network hosts.

The group invests heavily in operational security. Techniques include log clearing, file timestamp modification, and the creation of malicious virtual machines that are left unregistered in vCenter and shut down after use. To disguise its presence, the group uses BRICKSTORM to tunnel malicious traffic through compromised infrastructure, mimicking normal network activity.

For data staging and exfiltration, WARP PANDA employs utilities like 7-Zip to archive and extract data from both ESXi-based and Linux-based hypervisors. Evidence suggests the group has cloned domain controller VMs at targets, likely to obtain sensitive directory services data.

Cloud persistence strategies

In addition to on-premises activity, WARP PANDA has demonstrated capabilities in cloud persistence and data access. Access to Microsoft Azure environments has enabled the group to interact with Microsoft 365 data in OneDrive, SharePoint, and Exchange. In one incident, user session tokens were acquired and replayed for further access, and SharePoint files related to network engineering and incident response were downloaded.

The adversary has also registered new multifactor authentication devices to deepen persistence and used Microsoft Graph API to enumerate cloud assets. Email accounts with topics aligned to the Chinese government have been specifically accessed during these intrusions.
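Newly registered MFA methods following a token-replay sign-in are one of the few durable artefacts of the persistence technique described above. The following detection is an added example, not code from CrowdStrike or the article: it runs over constructed sign-in and audit records (field names are assumptions, loosely modelled on Entra ID exports) and flags MFA registrations made from an IP address the user has never, or only very recently, signed in from.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events (not real logs). The field names are assumptions
# for this example; map them onto your SIEM's Entra ID schema as needed.
CONSTRUCTED_EVENTS = """
{"ts":"2025-11-01T08:00:00Z","user":"alice@example.test","type":"signin","ip":"203.0.113.10"}
{"ts":"2025-11-03T08:05:00Z","user":"alice@example.test","type":"signin","ip":"203.0.113.10"}
{"ts":"2025-11-20T02:14:00Z","user":"alice@example.test","type":"signin","ip":"198.51.100.77"}
{"ts":"2025-11-20T02:16:00Z","user":"alice@example.test","type":"mfa_registered","ip":"198.51.100.77","method":"Authenticator app"}
{"ts":"2025-10-05T09:00:00Z","user":"bob@example.test","type":"signin","ip":"203.0.113.22"}
{"ts":"2025-11-06T09:30:00Z","user":"bob@example.test","type":"mfa_registered","ip":"203.0.113.22","method":"Phone"}
{"ts":"2025-11-25T11:00:00Z","user":"carol@example.test","type":"mfa_registered","ip":"192.0.2.9","method":"FIDO2 key"}
"""

# An IP that first appeared less than this long before the registration
# is treated as "new" for the user (tunable per environment).
NOVELTY_WINDOW = timedelta(days=7)


def parse_events(text):
    """Parse newline-delimited JSON and return events sorted by timestamp."""
    events = [json.loads(line) for line in text.strip().splitlines()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])


def find_suspicious_mfa_registrations(text, window=NOVELTY_WINDOW):
    """Return MFA registrations whose source IP is unknown or new for the user."""
    first_seen = {}  # (user, ip) -> timestamp of first successful sign-in
    findings = []
    for e in parse_events(text):
        key = (e["user"], e["ip"])
        if e["type"] == "signin":
            first_seen.setdefault(key, e["ts"])
        elif e["type"] == "mfa_registered":
            seen = first_seen.get(key)
            if seen is None:
                reason = "no prior sign-in from this IP"
            elif e["ts"] - seen < window:
                reason = f"IP first seen only {e['ts'] - seen} before registration"
            else:
                continue  # established IP for this user: benign by this rule
            findings.append({"user": e["user"], "ip": e["ip"],
                             "method": e["method"], "ts": e["ts"].isoformat(),
                             "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_mfa_registrations(CONSTRUCTED_EVENTS):
        print(f)
```

Alice's registration is flagged because the IP appeared two minutes earlier, which is what a replayed session token looks like in the audit trail; Bob's long-established IP is not.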

Vulnerability exploitation

The group has exploited multiple vulnerabilities, including those affecting Ivanti Connect Secure VPN, F5 BIG-IP devices, and VMware vCenter. Specific vulnerabilities cited include CVE-2024-21887, CVE-2023-46805, CVE-2024-38812, CVE-2023-46747, CVE-2023-34048, and CVE-2021-22005. These were used for initial access, authentication bypass, and remote code execution within target environments.

Targeted intelligence collection

CrowdStrike assesses that WARP PANDA's activity centres on intelligence collection aligned with the interests of the People's Republic of China. Targets have primarily been organisations within North America, although reconnaissance against an Asia Pacific government entity was also recorded.

"WARP PANDA will likely maintain their intelligence-collection operations in the near to long term. This assessment is made with moderate confidence based on the adversary's significant technical capabilities and focus on long-term access operations, which suggest they are associated with a well-resourced organization that has heavily invested in cyberespionage capabilities," said CrowdStrike Intelligence.