China-Nexus Hackers Exploiting VMware vCenter Environments to Deploy Web Shells and Malware Implants

A new sophisticated threat actor has emerged in the cybersecurity landscape, targeting critical infrastructure across the United States.

The adversary, operating under the name WARP PANDA, has demonstrated remarkable technical capabilities in infiltrating VMware vCenter environments at legal, technology, and manufacturing organizations.

This group’s emergence marks a significant escalation in cloud-based cyberattacks, with particular focus on gaining long-term access to sensitive networks and data repositories.

The attack campaign reveals a deliberate and calculated approach, with evidence suggesting some intrusions dating back to late 2023.

WARP PANDA operates with advanced knowledge of cloud infrastructure and virtual machine environments, enabling the group to move seamlessly through complex network topologies.

The threat actors begin their operations by targeting internet-facing edge devices before pivoting to vCenter environments, exploiting known vulnerabilities or using compromised credentials to establish footholds within victim networks.

CrowdStrike security researchers identified and tracked this group after discovering multiple coordinated intrusions throughout 2025.

The researchers documented how WARP PANDA deployed three distinct tools: BRICKSTORM malware, JSP web shells, and two previously unknown implants named Junction and GuestConduit.

This comprehensive toolkit demonstrates the group’s commitment to maintaining persistent access while evading detection mechanisms within compromised environments.

Infection Mechanisms and Persistence Tactics

BRICKSTORM serves as the group’s primary backdoor, written in Golang and masquerading as legitimate vCenter processes such as updatermgr or vami-http.

The malware communicates with command-and-control servers using WebSocket connections encrypted with TLS, employing sophisticated obfuscation techniques to avoid network detection.

BRICKSTORM utilizes DNS-over-HTTPS for domain resolution and creates nested TLS channels, while leveraging public cloud services like Cloudflare Workers and Heroku for infrastructure hosting.

The persistence mechanisms employed by WARP PANDA showcase advanced operational security practices.

Vulnerabilities exploited by WARP PANDA:

| Vulnerability ID | Affected Component | Description |
| --- | --- | --- |
| CVE-2024-21887, CVE-2023-46805 | Ivanti Connect Secure VPN, Ivanti Policy Secure | Authentication bypass and remote command execution |
| CVE-2024-38812 | VMware vCenter | Heap overflow in DCERPC protocol implementation |
| CVE-2023-46747 | F5 BIG-IP devices | Authentication bypass vulnerability |
| CVE-2023-34048 | VMware vCenter | Out-of-bounds write in DCERPC protocol; enables RCE |
| CVE-2021-22005 | VMware vCenter | Critical-severity vulnerability affecting vCenter servers |

The group uses SSH and the privileged vpxuser account for lateral movement, while employing log clearing and file timestomping to cover tracks.

They create unregistered malicious virtual machines that are shut down after use, and they tunnel traffic through compromised systems to blend malicious communications with legitimate network activity.

Junction and GuestConduit work together, with Junction listening on port 8090 to communicate with guest VMs through VM sockets, while GuestConduit facilitates network traffic tunneling within virtual machines.
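The indicators above (process names impersonated by BRICKSTORM, the Junction listener on port 8090, SSH logins as vpxuser, and unregistered VMs left on datastores) can be turned into a simple hunting pass over host telemetry. The following is an added example written for this article, not CrowdStrike's code or any vendor tooling; the trusted binary prefixes, the process records and the log lines are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Indicators from the article: BRICKSTORM masquerades as the vCenter process
# names updatermgr / vami-http, Junction listens on TCP 8090, the actors SSH in
# as vpxuser, and they park unregistered VMs on datastores.
SUSPECT_NAMES = {"updatermgr", "vami-http"}
JUNCTION_PORT = 8090
# Assumed install prefixes for genuine vCenter binaries; tune for your build.
TRUSTED_PREFIXES = ("/usr/lib/vmware", "/opt/vmware")
SSHD_ACCEPT = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port \d+")

@dataclass(frozen=True)
class Proc:
    pid: int
    name: str
    exe: str                 # path of the running binary
    listen_ports: frozenset  # TCP ports the process is bound to

def suspicious_processes(procs):
    """Flag look-alike names from untrusted paths and any listener on 8090 (triage, not proof)."""
    findings = []
    for p in procs:
        if p.name in SUSPECT_NAMES and not p.exe.startswith(TRUSTED_PREFIXES):
            findings.append((p.pid, f"{p.name} runs from unexpected path {p.exe}"))
        if JUNCTION_PORT in p.listen_ports:
            findings.append((p.pid, f"{p.name} listening on tcp/{JUNCTION_PORT}"))
    return findings

def unregistered_vms(datastore_vmx, inventory_vmx):
    """Return .vmx files present on datastores but unknown to the vCenter inventory."""
    return sorted(set(datastore_vmx) - set(inventory_vmx))

def vpxuser_ssh_logins(log_lines):
    """Return source IPs of accepted SSH logins as vpxuser, a service account that should not appear here."""
    hits = (SSHD_ACCEPT.search(line) for line in log_lines)
    return [m.group(2) for m in hits if m and m.group(1) == "vpxuser"]

if __name__ == "__main__":
    # Constructed sample data, not captured from any real host.
    procs = [Proc(1001, "vami-http", "/opt/vmware/share/vami/vami_httpd", frozenset({5480})),
             Proc(2342, "updatermgr", "/tmp/.x/updatermgr", frozenset()),
             Proc(2350, "vmware-vpxd", "/usr/lib/vmware-vpx/vpxd", frozenset({8090, 443}))]
    print(suspicious_processes(procs))
    print(unregistered_vms(["/vmfs/volumes/ds1/web01/web01.vmx", "/vmfs/volumes/ds1/.svc/svc.vmx"],
                           ["/vmfs/volumes/ds1/web01/web01.vmx"]))
    print(vpxuser_ssh_logins([
        "Jan 12 03:14:07 esx01 sshd[4411]: Accepted publickey for vpxuser from 10.0.5.23 port 51122 ssh2",
        "Jan 12 03:20:01 esx01 sshd[4420]: Accepted password for root from 10.0.1.9 port 51200 ssh2"]))
```

Each hit is a lead for triage against the host's known configuration, since a legitimate service may also bind 8090 on some builds.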
