A China-nexus threat actor hacked into VMware vCenter environments at U.S.-based companies before deploying Brickstorm malware, security firm CrowdStrike warned in a blog post published Thursday.
The threat actor, tracked under the name Warp Panda, targeted multiple industries during the summer of 2025, including legal, technology and manufacturing firms.
In addition to Brickstorm, the hackers deployed JSP web shells and two Golang-based implants, tracked as Junction and Guest Conduit, that target VMware ESXi hypervisor environments.
The hackers exploited internet-facing edge devices for initial access and then pivoted to vCenter environments, either using valid credentials or by exploiting vulnerabilities in vCenter.
Warp Panda has focused on maintaining long-term, persistent access during these attacks. In one incident, hackers gained initial access in 2023.
The alert coincided with an advisory from the Cybersecurity and Infrastructure Security Agency and the National Security Agency on Wednesday, warning about state-supported hackers using Brickstorm malware to target VMware vSphere platforms at government services and information technology providers.
CISA, the NSA and the Canadian Cyber Security Centre warned that hackers are stealing cloned virtual machine snapshots to extract credentials and create hidden, rogue virtual machines.
CISA has collected eight malware samples from targeted organizations. In one case, the organizations learned that hackers remained inside a network from April 2024 through September 2025.
In September, researchers at Google Threat Intelligence Group warned of state-linked hackers deploying Brickstorm malware in supply chain attacks against technology firms and SaaS providers.
GTIG said state-linked actors are evolving their use of Brickstorm in continued attacks targeting U.S. organizations.
“This campaign highlights a broader trend of China-nexus actors targeting devices like network appliances, which often lack sufficient security monitoring,” Austin Larsen, principal threat analyst at GTIG, told Cybersecurity Dive via email. “The goal of this long-running campaign is to steal sensitive data from U.S.-based organizations for strategic advantage.”
