A sophisticated cyber-espionage campaign has been uncovered deep within the virtualization layers of major U.S. organizations. Throughout 2025, CrowdStrike researchers have tracked a relentless series of intrusions targeting legal, technology, and manufacturing sectors, orchestrated by a newly identified China-nexus adversary known as WARP PANDA.
The group distinguishes itself not just by whom it targets, but by how it manipulates the very fabric of modern IT infrastructure: VMware vCenter servers and ESXi hosts. According to the report, “WARP PANDA exhibits a high level of technical sophistication, advanced operations security (OPSEC) skills, and extensive knowledge of cloud and virtual machine (VM) environments”.
At the heart of WARP PANDA’s operations is a custom-built toolkit designed for invisibility. The crown jewel is BRICKSTORM, a Golang-based backdoor that hides in plain sight.
“BRICKSTORM is a backdoor written in Golang that frequently masquerades as legitimate vCenter processes, such as updatemgr or vami-http,” the report states. By adopting the names of components that belong on a vCenter appliance, the malware blends into routine process listings, and it hides its command-and-control traffic by resolving its servers over DNS-over-HTTPS (DoH) and wrapping the channel in nested TLS sessions, so neither the DNS lookups nor the inner protocol is visible to ordinary network monitoring.
But the toolkit goes deeper. To dominate the virtual environment, WARP PANDA deploys two additional implants:
- Junction: An implant for ESXi servers that listens on port 8090—mimicking the legitimate vvold service—to proxy network traffic.
- GuestConduit: A tool installed directly inside guest VMs to tunnel traffic back to the hypervisor.
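A practical way to hunt for a Junction-style impostor is to pull the host's socket table and compare every port-8090 row against what the real vvold daemon should look like. The script below is an added example, not code from the CrowdStrike report or from VMware: it parses output shaped like `esxcli --formatter=csv network ip connection list` (the column names are an assumption) and rests on a further assumption that legitimate vvold binds 8090 on loopback only and talks only to local peers, which you should confirm against a known-clean host before trusting the result.

```python
"""Hunt for Junction-style impostors on ESXi TCP port 8090.

Added example, not code from the CrowdStrike report. It reads output shaped
like `esxcli --formatter=csv network ip connection list` and flags 8090 rows
that do not look like the real vvold daemon. Assumptions (not from the page):
the CSV column names below, and that legitimate vvold binds 8090 on loopback
only and only talks to local peers.
"""
import csv
import io

VVOLD_PORT = 8090
EXPECTED_WORLD = "vvold"

# Constructed sample, not a real capture. Row 3 is a world named vvold that
# listens on every interface; row 4 is an established session from an
# external peer, which is what a traffic-proxying implant would produce.
SAMPLE_CONNECTIONS = """\
Proto,RecvQ,SendQ,LocalAddress,ForeignAddress,State,WorldID,CCAlgo,WorldName
tcp,0,0,0.0.0.0:22,0.0.0.0:0,LISTEN,2099871,newreno,busybox
tcp,0,0,127.0.0.1:8090,0.0.0.0:0,LISTEN,2100123,newreno,vvold
tcp,0,0,0.0.0.0:8090,0.0.0.0:0,LISTEN,2655001,newreno,vvold
tcp,0,0,10.0.0.20:8090,203.0.113.77:51822,ESTABLISHED,2655001,newreno,vvold
tcp,0,0,0.0.0.0:443,0.0.0.0:0,LISTEN,2099900,newreno,rhttpproxy
"""


def split_addr(addr):
    """Split 'host:port' or '[v6]:port' into (host, port)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)


def is_loopback(host):
    return host.startswith("127.") or host == "::1"


def find_suspicious_8090(csv_text, expected_world=EXPECTED_WORLD):
    """Return (world_id, world_name, state, reason) for every 8090 row that
    breaks the expected vvold profile. A world name of 'vvold' alone is not
    trusted, since an implant can pick the same name."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        lhost, lport = split_addr(row["LocalAddress"])
        if lport != VVOLD_PORT:
            continue
        fhost, _ = split_addr(row["ForeignAddress"])
        reasons = []
        if row["WorldName"] != expected_world:
            reasons.append(f"world {row['WorldName']!r} is not {expected_world}")
        if row["State"] == "LISTEN" and not is_loopback(lhost):
            reasons.append(f"listening on {lhost} instead of loopback")
        if row["State"] != "LISTEN" and not is_loopback(fhost):
            reasons.append(f"connected to non-local peer {fhost}")
        if reasons:
            findings.append((row["WorldID"], row["WorldName"], row["State"], "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for wid, name, state, why in find_suspicious_8090(SAMPLE_CONNECTIONS):
        print(f"world {wid} ({name}) {state}: {why}")
```

On the constructed sample the loopback-only vvold listener passes and the two rows belonging to world 2655001 are flagged: a wildcard bind and an established connection to an outside address. When a finding fires, pivot on the world ID (`esxcli system process list`, the on-disk path of the binary, and `esxcli system process stats`) rather than on the name, since the name is exactly what the implant is borrowing.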
WARP PANDA is playing the long game. In some documented cases, the adversary gained initial access as early as late 2023, maintaining a silent presence for over a year.
Their methods for persistence are chillingly effective. Beyond standard web shells, they have been observed creating malicious virtual machines that are not registered in the vCenter server: VMs that run on an ESXi host and reach the network, but never appear in the vCenter inventory that administrators and most management tooling rely on.
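Because the vCenter inventory is the blind spot, the check has to come from below it: list the .vmx files actually present on the datastores, list what the host itself has registered, and diff both against what vCenter believes. The script below is an added example, not code from the CrowdStrike report or from VMware. It consumes three exports that an investigator can collect and analyse offline: `find /vmfs/volumes/<datastore>/ -name '*.vmx'` run per datastore (so paths carry the datastore name rather than its UUID), `vim-cmd vmsvc/getallvms`, and the per-VM config path as reported by vCenter; the exact shape of those outputs is an assumption here, not something the page documents.

```python
"""Find VMs that exist on disk or on a host but are missing from an inventory.

Added example, not code from the CrowdStrike report. It diffs three views of
one ESXi host that can be exported and analysed offline:
  * .vmx files present on the datastores (`find /vmfs/volumes/<ds>/ -name '*.vmx'`,
    run per datastore so the path carries the datastore name, not its UUID),
  * VMs registered with the host itself (`vim-cmd vmsvc/getallvms`),
  * VM config paths known to vCenter (e.g. each VM's config.files.vmPathName).
The output formats and the vCenter export are assumptions, not from the page.
"""
import re

# Constructed sample output, not from a real host.
SAMPLE_FIND = """\
/vmfs/volumes/datastore1/web01/web01.vmx
/vmfs/volumes/datastore1/db01/db01.vmx
/vmfs/volumes/datastore1/.sys/upgrade-cache/upgrade-cache.vmx
/vmfs/volumes/nfs-iso/jump/jump.vmx
"""

SAMPLE_GETALLVMS = """\
Vmid   Name     File                            Guest OS           Version   Annotation
1      web01    [datastore1] web01/web01.vmx    ubuntu64Guest      vmx-19
2      db01     [datastore1] db01/db01.vmx      rhel8_64Guest      vmx-19
7      jump     [nfs-iso] jump/jump.vmx         otherLinux64Guest  vmx-15
"""

# What vCenter reports for this host (constructed): "jump" is absent.
SAMPLE_VCENTER_PATHS = [
    "[datastore1] web01/web01.vmx",
    "[datastore1] db01/db01.vmx",
]

BRACKET_RE = re.compile(r"\[(?P<ds>[^\]]+)\]\s+(?P<path>\S+\.vmx)")
FIND_RE = re.compile(r"^/vmfs/volumes/(?P<ds>[^/]+)/(?P<path>.+\.vmx)$")


def _key(ds, path):
    """Normalise every view to the '[datastore] dir/file.vmx' form."""
    return f"[{ds}] {path}"


def registered_on_host(getallvms_text):
    return {_key(m["ds"], m["path"]) for m in BRACKET_RE.finditer(getallvms_text)}


def on_disk(find_text):
    keys = set()
    for line in find_text.splitlines():
        m = FIND_RE.match(line.strip())
        if m:
            keys.add(_key(m["ds"], m["path"]))
    return keys


def known_to_vcenter(vm_path_names):
    keys = set()
    for p in vm_path_names:
        m = BRACKET_RE.match(p)
        if m:
            keys.add(_key(m["ds"], m["path"]))
    return keys


def ghost_vms(find_text, getallvms_text, vcenter_paths):
    """Return two sorted lists: .vmx files registered nowhere on the host, and
    VMs the host has registered that vCenter does not know about."""
    disk = on_disk(find_text)
    host = registered_on_host(getallvms_text)
    vc = known_to_vcenter(vcenter_paths)
    return sorted(disk - host), sorted(host - vc)


if __name__ == "__main__":
    unregistered, hidden_from_vc = ghost_vms(SAMPLE_FIND, SAMPLE_GETALLVMS, SAMPLE_VCENTER_PATHS)
    print("on disk but registered nowhere:", unregistered)
    print("registered on host but missing from vCenter:", hidden_from_vc)
```

The two lists answer different questions. A .vmx that no inventory knows about is either a leftover or a staged machine that the adversary powers on by hand; a VM the host has registered but vCenter has not is the "ghost machine" the report describes, and it still shows up in `esxcli vm process list` while powered on. Dotted or system-looking directory names, as in the constructed `.sys/upgrade-cache` case, deserve a look rather than an exclusion.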
“WARP PANDA demonstrates a high level of stealth and almost certainly focuses on maintaining persistent, long-term, covert access to compromised networks,” the report warns.
The group’s ambitions extend beyond on-premises servers. In late summer 2025, WARP PANDA demonstrated “cloud-conscious” capabilities, pivoting from compromised networks into Microsoft Azure environments.
By exfiltrating browser files that held users’ session tokens, the attackers replayed those tokens against Microsoft 365. A valid session token presented from attacker-controlled infrastructure is accepted without a fresh password or MFA prompt, so the login step is bypassed entirely. “In one instance, the adversary obtained user session tokens likely by exfiltrating user browser files – and tunneled traffic through BRICKSTORM implants to access Microsoft 365 services via session replay”.
This access allowed them to loot sensitive data from OneDrive, SharePoint, and Exchange, specifically hunting for network engineering documents and incident response plans.
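Session replay leaves a trace in the sign-in telemetry: an existing session ID keeps producing non-interactive activity, but from a network the user never authenticated from. The detection below is an added example, not code from the CrowdStrike report or from Microsoft. It runs over constructed records whose field names mirror the shape of Entra ID sign-in events (session ID, IP, interactive flag, application), which is an assumption rather than a schema the page documents; map the real column names onto these before using it.

```python
"""Flag Microsoft 365 sessions reused from an IP that never authenticated.

Added example, not code from the CrowdStrike report. A replayed session token
shows up as non-interactive activity under an existing session ID from a
network address the user never signed in from. Field names below mirror the
shape of Entra ID sign-in records but are an assumption, not a documented
schema.
"""
from collections import defaultdict

# Constructed sample records, not real telemetry. Session s-1 is created
# interactively from the corporate egress IP, then reused hours later from an
# unrelated address to read mail with no new interactive sign-in. Session s-2
# re-authenticates from a second (home) address before using it, so it is clean.
SAMPLE_SIGNINS = [
    {"time": "2025-08-20T08:02:11Z", "user": "neteng@example.com", "sessionId": "s-1",
     "ip": "198.51.100.10", "app": "Office 365 SharePoint Online", "interactive": True},
    {"time": "2025-08-20T08:40:05Z", "user": "neteng@example.com", "sessionId": "s-1",
     "ip": "198.51.100.10", "app": "OneDrive SyncEngine", "interactive": False},
    {"time": "2025-08-20T21:17:44Z", "user": "neteng@example.com", "sessionId": "s-1",
     "ip": "203.0.113.77", "app": "Office 365 Exchange Online", "interactive": False},
    {"time": "2025-08-20T09:15:30Z", "user": "legal@example.com", "sessionId": "s-2",
     "ip": "198.51.100.10", "app": "Office 365 SharePoint Online", "interactive": True},
    {"time": "2025-08-20T12:00:00Z", "user": "legal@example.com", "sessionId": "s-2",
     "ip": "192.0.2.44", "app": "Office 365 SharePoint Online", "interactive": True},
    {"time": "2025-08-20T12:05:00Z", "user": "legal@example.com", "sessionId": "s-2",
     "ip": "192.0.2.44", "app": "Office 365 Exchange Online", "interactive": False},
]


def detect_session_replay(events):
    """Return one alert per session whose non-interactive use comes from an IP
    with no interactive sign-in earlier in that same session."""
    by_session = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):  # ISO-8601 'Z' times sort lexically
        by_session[e["sessionId"]].append(e)

    alerts = []
    for sid, evs in by_session.items():
        trusted_ips = set()
        for e in evs:
            if e["interactive"]:
                # The user proved possession of credentials (and MFA) from here.
                trusted_ips.add(e["ip"])
            elif e["ip"] not in trusted_ips:
                alerts.append({"user": e["user"], "sessionId": sid, "time": e["time"],
                               "suspect_ip": e["ip"], "trusted_ips": sorted(trusted_ips),
                               "app": e["app"]})
                break  # one alert per session is enough to trigger a look
    return alerts


if __name__ == "__main__":
    for a in detect_session_replay(SAMPLE_SIGNINS):
        print(f"{a['user']} session {a['sessionId']} reused from {a['suspect_ip']} "
              f"(interactive sign-ins only from {a['trusted_ips']}) against {a['app']} at {a['time']}")
```

Two caveats matter in production. Mobile carriers and VPN reconnects churn IPs, so enrich with ASN or geolocation and the device or user-agent string before paging anyone. More importantly for this actor, the quoted report says the replay traffic was tunneled through BRICKSTORM implants inside the victim's own network, so the suspect address may be the organisation's normal egress; in that case the IP test is silent and the signal moves to the application mix, the hours of activity, and the absence of any matching endpoint or browser session on the user's device.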
The targeting logic suggests a state-sponsored agenda rather than financial crime. The attackers have shown a specific interest in the email accounts of employees working on topics relevant to the Chinese government.
“Their operations are likely motivated by intelligence-collection requirements aligned with the strategic interests of the People’s Republic of China (PRC)”.
As organizations race to patch vulnerabilities in edge devices from vendors such as Ivanti and F5, which are common entry points for this group, WARP PANDA remains a formidable threat, likely to continue its intelligence-gathering operations well into the future.