
CYBER SYRUP
Delivering the sweetest insights on cybersecurity.
Warp Panda Targets U.S. Organizations With Persistent VMware Malware

A China-linked advanced persistent threat (APT) known as Warp Panda is conducting long-term cyber-espionage operations against U.S. legal, manufacturing, and technology organizations. The group relies heavily on VMware-focused malware, including the persistence-oriented BrickStorm, as well as related tooling such as Junction and GuestConduit. Their operations show a clear emphasis on stealth, long-term access, credential abuse, and exploitation of widely deployed edge devices.
Context
VMware vCenter environments remain high-value targets due to their privileged position in enterprise virtualized infrastructures. For nation-state actors with espionage objectives, persistence inside hypervisors grants access to sensitive workloads, domain controllers, and cloud-connected systems. Recent advisories from CISA and multiple threat intelligence vendors suggest that Chinese state-linked actors are increasingly standardizing toolchains such as BrickStorm to support multi-year campaigns.
What Happened
Warp Panda has been breaching U.S. organizations since at least 2022. Their operations begin with exploitation of vulnerable edge systems—such as Ivanti VPN appliances, F5 devices, and unpatched VMware vCenter servers—followed by lateral movement using valid credentials (e.g., the privileged vpxuser account).
Once inside, the group deploys a layered malware suite built for tunneling, covert data transfer, command execution, and resilient persistence. In multiple intrusions, Warp Panda used infected networks to pivot toward secondary reconnaissance targets, including an Asia-Pacific government entity.
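The vpxuser account mentioned above is the credential vCenter itself uses to talk to ESXi hosts, so vpxuser logins that do not originate from a known vCenter server are a useful hypervisor-level signal for the credential-based lateral movement described here. The script below is an added example, not code from the article or from any vendor it cites: it parses constructed authentication-log lines in a simplified, hypothetical ESXi-style layout (not a verbatim hostd format), flags vpxuser logins from sources outside an assumed vCenter allowlist, and groups those by source so fan-out across several hosts from one unexpected address stands out.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in a simplified ESXi-style auth-log layout.
# The layout is hypothetical for this example; real hostd/auth formats differ.
SAMPLE_LOG = """\
2024-03-01T02:14:07Z esx01 auth: User vpxuser@10.10.0.5 logged in (method: password)
2024-03-01T02:15:11Z esx01 auth: User root@10.10.0.5 logged in (method: password)
2024-03-01T03:41:55Z esx02 auth: User vpxuser@10.10.0.5 logged in (method: password)
2024-03-01T04:02:19Z esx02 auth: User vpxuser@192.168.50.23 logged in (method: password)
2024-03-01T04:03:44Z esx03 auth: User vpxuser@203.0.113.9 logged in (method: password)
2024-03-01T04:05:02Z esx03 auth: User backupsvc@10.10.0.40 logged in (method: password)
2024-03-01T04:06:30Z esx01 auth: User vpxuser@203.0.113.9 logged in (method: password)
2024-03-01T04:07:00Z esx01 hostd: Heartbeat
"""

# Assumed addresses of the organisation's vCenter servers, the only legitimate
# sources of vpxuser logins to ESXi hosts.
KNOWN_VCENTER = [ipaddress.ip_network("10.10.0.5/32")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: User (?P<user>[^@\s]+)@(?P<src>\S+) logged in"
)


def parse_auth_log(text):
    """Turn log text into a list of login events; lines that are not logins are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def _from_known_vcenter(src, known):
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparsable source is never treated as trusted
    return any(ip in net for net in known)


def find_vpxuser_anomalies(events, known=KNOWN_VCENTER):
    """Return vpxuser logins whose source is not one of the known vCenter servers."""
    return [
        e for e in events
        if e["user"] == "vpxuser" and not _from_known_vcenter(e["src"], known)
    ]


def hosts_by_source(anomalies):
    """Map each unexpected source address to the sorted list of ESXi hosts it logged in to."""
    seen = defaultdict(set)
    for a in anomalies:
        seen[a["src"]].add(a["host"])
    return {src: sorted(hosts) for src, hosts in seen.items()}


if __name__ == "__main__":
    anomalies = find_vpxuser_anomalies(parse_auth_log(SAMPLE_LOG))
    for src, hosts in hosts_by_source(anomalies).items():
        print(f"vpxuser login from non-vCenter source {src} on hosts: {', '.join(hosts)}")
```

In a real deployment the allowlist would come from inventory rather than a constant, and the same grouping can be keyed on the vpxuser sessions' timing to spot one source walking through many hosts in a short window.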
Technical Breakdown
BrickStorm Malware
Masquerades as legitimate vCenter processes
Provides tunneling, file management, and privileged command execution
Designed for long-term persistence, including:
Automatic self-reinstallation
Restart routines if interrupted
Concealed network communication channels
Observed remaining undetected for nearly 400 days in a Google-tracked compromise
Supporting Malware Families
Junction (Golang):
Acts as an HTTP server on compromised VMware hosts
Executes commands, proxies traffic
Communicates between hypervisor and guest VMs using VSOCK
GuestConduit (Golang):
Enables network tunneling between VMs and hypervisors
Parses structured client requests (JSON)
Likely engineered to work alongside Junction and BrickStorm
Exploitation Activity
Warp Panda has been seen exploiting vulnerabilities across:
Ivanti Connect Secure VPN (CVE-2024-21887, CVE-2023-46805)
VMware vCenter (CVE-2024-38812, CVE-2023-34048, CVE-2021-22005)
F5 BIG-IP (CVE-2023-46747)
They also abused Microsoft Azure resources by:
Registering unauthorized MFA devices
Accessing OneDrive, SharePoint, Exchange
Using Microsoft Graph API for stealth reconnaissance
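Registering an extra MFA device on a compromised account is how an intruder keeps cloud access after the password is reset, so security-info registration events deserve scrutiny. The following is an added example, not code from the article or from Microsoft: it runs over constructed records whose field names are modelled on the Entra ID audit-log and sign-in-log schema exposed through Microsoft Graph (the values are made up here), and flags MFA registrations performed from outside an assumed corporate egress range, weighting them by how much sign-in history that account already has from the same address.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Assumed corporate office/VPN egress range; registrations from elsewhere are reviewed.
CORPORATE_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

# Audit-log activity names that correspond to a user adding authentication methods.
MFA_REGISTRATION_ACTIVITIES = {
    "User registered security info",
    "User registered all required security info",
}

# Constructed audit-log records (field names follow the Graph auditLogs shape; values are made up).
AUDIT_EVENTS = [
    {"activityDateTime": "2024-03-02T09:12:00Z", "activityDisplayName": "User registered security info",
     "initiatedBy": {"user": {"userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.20"}}},
    {"activityDateTime": "2024-03-02T22:47:31Z", "activityDisplayName": "User registered security info",
     "initiatedBy": {"user": {"userPrincipalName": "bob@example.com", "ipAddress": "203.0.113.77"}}},
    {"activityDateTime": "2024-03-03T01:05:10Z", "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.com", "ipAddress": "203.0.113.77"}}},
]

# Constructed sign-in records used as the account's recent location history.
SIGNIN_EVENTS = [
    {"createdDateTime": "2024-02-10T08:00:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.20", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-03-02T22:40:02Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "203.0.113.77", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-02-01T12:00:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "198.51.100.31", "status": {"errorCode": 0}},
]


def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_corporate(ip, ranges=CORPORATE_RANGES):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ranges)


def prior_signins(upn, ip, before, signins, lookback_days=30):
    """Count successful sign-ins by `upn` from `ip` in the lookback window ending at `before`."""
    start = before - timedelta(days=lookback_days)
    count = 0
    for s in signins:
        when = _parse_ts(s["createdDateTime"])
        if (s["userPrincipalName"] == upn and s["ipAddress"] == ip
                and s["status"].get("errorCode") == 0 and start <= when < before):
            count += 1
    return count


def find_suspicious_mfa_registrations(audit, signins, ranges=CORPORATE_RANGES):
    """Flag security-info registrations from non-corporate addresses with little prior history."""
    findings = []
    for ev in audit:
        if ev.get("activityDisplayName") not in MFA_REGISTRATION_ACTIVITIES:
            continue
        actor = (ev.get("initiatedBy") or {}).get("user") or {}
        upn, ip = actor.get("userPrincipalName"), actor.get("ipAddress")
        if not upn or not ip or is_corporate(ip, ranges):
            continue
        when = _parse_ts(ev["activityDateTime"])
        history = prior_signins(upn, ip, when, signins)
        findings.append({
            "user": upn, "ip": ip, "time": ev["activityDateTime"],
            "prior_signins_from_ip": history,
            # One sign-in followed immediately by a registration is the pattern to escalate.
            "severity": "high" if history <= 1 else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_mfa_registrations(AUDIT_EVENTS, SIGNIN_EVENTS):
        print(f"[{f['severity']}] {f['user']} registered security info from {f['ip']} "
              f"at {f['time']} ({f['prior_signins_from_ip']} prior sign-ins from that IP)")
```

The thresholds and ranges are placeholders; what matters is correlating the registration with the account's own sign-in history, since a brand-new address plus a fresh authenticator is the combination that outlives a password reset.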
Impact Analysis
Warp Panda’s toolset enables:
Complete hypervisor compromise
Covert, multi-year persistence
Unauthorized access to domain controllers and VM-hosted sensitive data
Cross-environment reconnaissance across cloud and on-prem assets
Large-scale data staging via ESXi-compatible tools like 7-Zip
Stealthy exfiltration and flexible lateral movement paths
Organizations relying heavily on VMware or hybrid-cloud architectures face elevated exposure due to the group’s specialization in virtualization platforms and credential-based pivoting.
Why It Matters
This campaign highlights a critical trend: nation-state actors are operationalizing full VMware-stack malware ecosystems, enabling persistence below traditional EDR visibility. The combination of credential misuse, zero-day exploitation, hypervisor-level malware, and cloud API reconnaissance gives Warp Panda durable access that is difficult to detect and even harder to fully eradicate.
The campaign’s longevity and sophistication align with broader strategic intelligence objectives attributed to China-nexus operations.
Expert Commentary
CrowdStrike: Warp Panda is likely part of a broader ecosystem of China-aligned APTs using VMware malware families for long-term intelligence collection.
CISA: BrickStorm is specifically engineered for persistence, including mechanisms that restore the malware if disrupted.
Google Threat Analysis Group: Documented instances of the malware remaining undetected for over a year, reinforcing its stealth-first design.
Key Takeaways
Warp Panda represents a mature, persistent APT with deep VMware expertise.
BrickStorm and related malware families form a stacked persistence ecosystem.
Credential abuse remains central to lateral movement.
Exploitation spans VPN appliances, VMware vulnerabilities, and cloud APIs.
Detection requires hypervisor-level logging, identity monitoring, and strict patch governance.
Organizations with VMware-heavy environments face heightened risk.

