
A newly identified China-nexus cyber adversary, tracked by CrowdStrike as WARP PANDA, has emerged as one of the most technically sophisticated espionage groups targeting US organizations in 2025.
According to analysts, the group has carried out several intrusions against legal, technology and manufacturing entities, targeting VMware vCenter environments and cloud platforms. Investigators say the operations uncovered a well-equipped espionage apparatus in line with the People’s Republic of China’s long-standing intelligence priorities.
CrowdStrike’s latest findings underscore an alarming escalation: adversaries are no longer simply disrupting networks, but embedding themselves deeply into hybrid cloud and virtualization infrastructure to maintain covert and persistent access for years.
Long-running campaign
CrowdStrike’s investigation shows that WARP PANDA initially infiltrated some victim networks as early as late 2023, later expanding operations throughout 2025. Once inside, the group demonstrated an unusually deep understanding of the VMware environment by targeting vCenter servers and ESXi hypervisors. Their toolset included JSP web shells, the BRICKSTORM malware family, and two previously unknown Golang-based implants called Junction and GuestConduit.
This approach reflects a strategic shift in the global espionage trade. By compromising the virtualization layers, attackers can monitor or manipulate data from multiple host systems simultaneously. Such an approach allows them to bypass traditional endpoint defenses, making detection much more difficult. CrowdStrike notes that WARP PANDA’s ability to maintain long-term persistence demonstrates both high skill and a unique focus on obtaining valuable internal and national security data.
Stealth techniques
To gain initial entry, WARP PANDA leveraged Internet-connected devices and then reached into vCenter systems using valid credentials or known vulnerabilities. The group routinely used SSH, SFTP, and the privileged vpxuser account to move laterally across networks. Investigators also observed log deletion, file timestamp manipulation, and the creation of malicious virtual machines designed to run without appearing in the vCenter inventory.
These techniques highlight a continuing challenge facing defenders: adversaries are increasingly exploiting the very management tools that administrators depend on. By merging malicious traffic with normal virtualization operations, WARP PANDA has effectively hidden its foothold.
One of the group’s most notable methods involved tunneling traffic through BRICKSTORM implants on vCenter Servers, ESXi hosts, and guest VMs. This tactic enabled covert command and control and the movement of data in ways that closely mimic routine administrative functions.
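One defensive check that follows from the hidden-VM tradecraft above is to compare the VMX processes actually running on each ESXi host with what vCenter believes is registered. The script below is an added example, not part of the original report or any CrowdStrike tooling; the host output and inventory are constructed samples, and the exact `esxcli vm process list` layout is an assumption approximated from the real command.

```python
import re

# Constructed sample of `esxcli vm process list` output from one ESXi host
# (layout approximated from the real command; treat as an assumption).
ESXCLI_PROCESS_LIST = """\
web01
   World ID: 2100123
   Process ID: 0
   VMX Cartel ID: 2100122
   Display Name: web01
   Config File: /vmfs/volumes/datastore1/web01/web01.vmx

svc-backup
   World ID: 2100456
   Process ID: 0
   VMX Cartel ID: 2100455
   Display Name: svc-backup
   Config File: /vmfs/volumes/datastore1/.hidden/svc-backup.vmx
"""

# Constructed vCenter inventory (e.g. pulled via the vSphere API or
# `vim-cmd vmsvc/getallvms`): VM name -> registered .vmx path.
VCENTER_INVENTORY = {
    "web01": "/vmfs/volumes/datastore1/web01/web01.vmx",
}

def parse_esxcli_process_list(text):
    """Return {display_name: config_file} for every running VMX process."""
    running = {}
    name = None
    for line in text.splitlines():
        m = re.match(r"\s+Display Name:\s*(.+)$", line)
        if m:
            name = m.group(1).strip()
            continue
        m = re.match(r"\s+Config File:\s*(.+)$", line)
        if m and name:
            running[name] = m.group(1).strip()
            name = None
    return running

def find_unregistered_vms(process_list_text, inventory):
    """Running VMs whose .vmx path is absent from the vCenter inventory.
    Matching on the config path (not the name) catches a rogue VM that
    reuses a legitimate display name."""
    running = parse_esxcli_process_list(process_list_text)
    known_paths = set(inventory.values())
    return {n: p for n, p in running.items() if p not in known_paths}

if __name__ == "__main__":
    for name, path in find_unregistered_vms(ESXCLI_PROCESS_LIST, VCENTER_INVENTORY).items():
        print(f"ALERT: VM running on host but missing from vCenter inventory: {name} ({path})")
```

Run this per host on a schedule and alert on any non-empty result; a VM that runs from an unregistered or oddly placed .vmx path is a strong signal worth an analyst's attention.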
Data theft and targeting
For multiple intrusions, CrowdStrike observed WARP PANDA staging data for exfiltration. The group extracted information from thin security VM snapshots using an ESXi-compatible version of 7-Zip and cloned domain controller VMs to access sensitive Active Directory data.
Investigators also discovered surveillance activity involving an Asia-Pacific government entity. During at least one breach, operators gained access to the email accounts of employees working on matters related to the PRC’s strategic interests. Analysts say the pattern reflects a broader intelligence-gathering mission, suggesting the group is promoting geopolitical goals rather than pursuing financial gain.
Cloud breaches and MFA abuse
WARP PANDA’s cloud-focused operations further differentiate it from many threat actors. By the summer of 2025, the group had penetrated the Microsoft Azure environment in various organizations and had access to email, OneDrive, and SharePoint. In one case, operators replayed stolen session tokens through BRICKSTORM tunnels to reach Microsoft 365 resources. They also gained access to files related to network engineering and incident response, raising concerns that the stolen knowledge could be exploited in future attacks.
In another case, the group registered its own MFA device to maintain persistent cloud access. CrowdStrike emphasizes that such actions demonstrate a clear understanding of corporate identity systems and the weaknesses that arise when authentication methods and registrations are not carefully monitored.
Implications and outlook
WARP PANDA has been active since at least 2022 and is the only known adversary to use a combined BRICKSTORM, Junction, and GuestConduit toolkit. Analysts assess with moderate confidence that the group will continue to operate in the long term, backed by extensive resources and a mandate to gather strategic information.
The campaign highlights a key shift in the state of cyber operations: adversaries are targeting virtualization and cloud identity layers as primary entry points. As organizations rely more on hybrid infrastructure, defenders must assume that these components are high-value espionage targets.
CrowdStrike advises organizations to closely monitor ESXi and vCenter logs, restrict outbound access from hypervisors, enforce strong credential rotation, and deploy EDR tools on hosted VMs to detect tunneling behavior. The findings serve as a reminder that nation-state actors continue to rapidly evolve and exploit the core technologies that underpin modern enterprise networks.