A China-backed threat actor dubbed "WARP PANDA" targets VMware vCenter environments with the BRICKSTORM backdoor and other custom Go-based malware, CrowdStrike detailed in a report Thursday.

WARP PANDA is believed to have been operating since at least 2022 and was identified by CrowdStrike as being responsible for several intrusions against U.S.-based organizations throughout 2025. The group is believed to be sponsored by the Chinese government to perform intelligence-collection operations, uses backdoors to maintain persistent access on compromised systems and has been observed exfiltrating data from affected environments.

CrowdStrike's report comes as the Cybersecurity and Infrastructure Security Agency (CISA) released an alert Thursday regarding ongoing BRICKSTORM campaigns by China-sponsored groups against U.S. entities, especially in the government and information technology sectors.
CISA also released a joint malware analysis report on the BRICKSTORM backdoor Thursday, with the National Security Agency (NSA) and Canadian Centre for Cyber Security, based on eight samples obtained from victim organizations.
CVEs targeted by WARP PANDA
WARP PANDA typically gains initial access by exploiting vulnerabilities in internet-exposed edge devices, including the chained authentication bypass CVE-2023-46805 and command injection CVE-2024-21887 in Ivanti Connect Secure and Policy Secure, which together yield unauthenticated remote code execution (RCE), and the authentication bypass vulnerability CVE-2023-46747 in F5 BIG-IP devices.

The attackers then use valid credentials or exploit VMware vCenter vulnerabilities, including CVE-2021-22005, CVE-2023-34048 and CVE-2024-38812, to pivot into vCenter environments, according to CrowdStrike. Further lateral movement is achieved over Secure Shell (SSH) connections, combined with access to the privileged vCenter management account vpxuser, which vCenter uses to manage ESXi hosts and which is not intended for interactive logins.

WARP PANDA was also observed moving laterally into cloud environments such as Microsoft Azure, using methods such as stealing user session tokens from browser files for session replay, and establishing persistence by registering a new multi-factor authentication (MFA) device, as seen in at least one case described by CrowdStrike.
WARP PANDA’s malware toolkit
The main backdoor leveraged by WARP PANDA, BRICKSTORM, is a Go-based malware designed to establish stealthy persistence and communication with command-and-control (C2) infrastructure, and includes network tunneling and file management capabilities.

BRICKSTORM hides by impersonating legitimate vCenter processes, including updatemgr and vami-http, and by obscuring its C2 communications: it resolves C2 domains over DNS-over-HTTPS (DoH), nests several Transport Layer Security (TLS) channels inside one another for its C2 sessions and hosts C2 infrastructure on legitimate public cloud services such as Cloudflare Workers and Heroku, CrowdStrike explains. Each of these choices is intended to make the traffic blend in with ordinary outbound HTTPS from the appliance.

In addition to BRICKSTORM, WARP PANDA also uses two other custom Go-based implants, dubbed "Junction" and "GuestConduit," that assist its operations.

Junction acts as an HTTP server that listens for incoming C2 requests on port 8090, a port also used by the legitimate VMware service vvold, so its presence is not obvious from a port listing alone. The implant can also execute commands, proxy network traffic and use VM sockets (VSOCK) to communicate with guest VMs, according to CrowdStrike.

GuestConduit facilitates communication between guest VMs and the hypervisor and establishes a VSOCK listener on port 5555. It is also believed to work with Junction's tunneling commands, parsing JSON-formatted requests for mirroring or forwarding of network traffic.

Additional tactics, techniques and procedures (TTPs) used by WARP PANDA include the creation of malicious, unregistered VMs (VMs present on a datastore but absent from the vCenter and ESXi inventory), tunneling of traffic through vCenter servers, guest VMs and ESXi hosts, and log clearing and file timestomping (timestamp manipulation) to avoid detection and complicate analysis.

To protect themselves against WARP PANDA attacks, CrowdStrike recommends that organizations managing VMware vCenter environments monitor for unauthorized VM creation and unregistered VMs, audit outbound connections to known BRICKSTORM-related infrastructure and other unexpected destinations, monitor SSH authentications, especially root and vpxuser logins, and consider disabling SSH access to VMware ESXi hosts to prevent lateral movement in case of an intrusion. Additional recommendations from CrowdStrike include enabling ESXi's execInstalledOnly enforcement to prevent execution of binaries that were not installed from a signed VIB, deactivating shell access for vpxuser on ESXi hosts, restricting outbound web access from vCenter and ESXi, and monitoring nonstandard port use on ESXi servers, such as unexpected use of port 8090 and other optional service ports.
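Two of the checks CrowdStrike recommends, reviewing root and vpxuser SSH logins and spotting VMs that exist on a datastore but are not registered in the host inventory, can be scripted against host output pulled off an ESXi box. The following is an added example written for this page, not code from CrowdStrike or VMware. The log lines, the `vim-cmd vmsvc/getallvms` output and the `find` listing are constructed for illustration; the parser assumes OpenSSH-style "Accepted ... for USER from IP" records in /var/log/auth.log and that the datastore was walked via its friendly-name path under /vmfs/volumes rather than its UUID symlink.

```python
import re

# Constructed ESXi /var/log/auth.log excerpt (illustrative, not real victim data).
AUTH_LOG = """\
2025-10-03T08:12:41Z sshd[2101234]: Accepted publickey for root from 10.20.1.15 port 51234 ssh2
2025-10-03T08:13:02Z sshd[2101250]: Accepted keyboard-interactive/pam for vpxuser from 10.20.1.15 port 51240 ssh2
2025-10-03T08:15:19Z sshd[2101301]: Accepted publickey for svc-backup from 10.20.5.7 port 40021 ssh2
2025-10-03T08:16:00Z sshd[2101333]: Failed password for root from 198.51.100.23 port 42311 ssh2
2025-10-03T09:01:55Z sshd[2101900]: Accepted keyboard-interactive/pam for vpxuser from 192.0.2.44 port 53311 ssh2
"""

# Only successful logins matter here; failures are noise for this particular check.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+ ssh2$"
)

# vpxuser is vCenter's own management account and root should rarely log in
# interactively, so any accepted SSH session for either is worth a look.
WATCHED_ACCOUNTS = frozenset({"root", "vpxuser"})


def suspicious_ssh_logins(log_text, watched=WATCHED_ACCOUNTS, allowed_sources=()):
    """Return (timestamp, user, source_ip, auth_method) for accepted SSH logins by
    watched accounts whose source address is not on the allow list (e.g. the
    vCenter appliance that legitimately manages this host)."""
    hits = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line.strip())
        if m and m["user"] in watched and m["src"] not in allowed_sources:
            hits.append((m["ts"], m["user"], m["src"], m["method"]))
    return hits


# Constructed output of "vim-cmd vmsvc/getallvms" (the host's registered inventory).
GETALLVMS = """\
Vmid   Name    File                            Guest OS               Version   Annotation
1      web01   [datastore1] web01/web01.vmx    ubuntu64Guest          vmx-19
2      db01    [datastore1] db01/db01.vmx      windows9Server64Guest  vmx-19
"""

# Constructed output of "find /vmfs/volumes/datastore1 -name '*.vmx'" on the same host.
# The third entry mimics an attacker-dropped, unregistered VM hiding under a dot-directory
# with a name chosen to resemble a legitimate component (hypothetical).
VMX_ON_DISK = """\
/vmfs/volumes/datastore1/web01/web01.vmx
/vmfs/volumes/datastore1/db01/db01.vmx
/vmfs/volumes/datastore1/.hidden/updatemgr/updatemgr.vmx
"""

VMX_REF_RE = re.compile(r"\[(?P<ds>[^\]]+)\] (?P<path>\S+\.vmx)")
VMX_PATH_RE = re.compile(r"^/vmfs/volumes/(?P<ds>[^/]+)/(?P<path>.+\.vmx)$")


def registered_vmx(getallvms_text):
    """Set of '[datastore] relative/path.vmx' references the host knows about."""
    return {f"[{m['ds']}] {m['path']}" for m in VMX_REF_RE.finditer(getallvms_text)}


def on_disk_vmx(find_text):
    """Normalise absolute .vmx paths from find(1) into the same '[datastore] path' form."""
    refs = set()
    for line in find_text.splitlines():
        m = VMX_PATH_RE.match(line.strip())
        if m:
            refs.add(f"[{m['ds']}] {m['path']}")
    return refs


def unregistered_vms(getallvms_text, find_text):
    """VMX files present on the datastore but absent from the registered inventory."""
    return sorted(on_disk_vmx(find_text) - registered_vmx(getallvms_text))


if __name__ == "__main__":
    # Treat the vCenter appliance's address as expected; everything else is flagged.
    for hit in suspicious_ssh_logins(AUTH_LOG, allowed_sources=("10.20.1.15",)):
        print("review SSH login:", *hit)
    for ref in unregistered_vms(GETALLVMS, VMX_ON_DISK):
        print("unregistered VM config:", ref)
```

Run against exported host output, the allow list should contain only the vCenter appliance that legitimately drives vpxuser; a vpxuser login from any other source, or any root login at all where SSH is supposed to be disabled, is the signal. The VM comparison is deliberately file-based so a .vmx dropped outside normal directories still shows up; on a real host, run the find over every datastore, not just one.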