A highly sophisticated cyber-espionage campaign attributed to WARP PANDA has infiltrated major U.S. organizations using advanced techniques that target virtualization infrastructure. The group demonstrates stealth, long-term persistence, and a focus on intelligence gathering aligned with Chinese strategic interests. #WARP_PANDA #BRICKSTORM
Key points
- WARP PANDA is a China-nexus threat actor that targets the virtualization layer, such as VMware vCenter servers and ESXi hosts.
- The group uses a custom Golang backdoor called BRICKSTORM that mimics legitimate system processes for stealth.
- WARP PANDA deploys implants such as Junction and GuestConduit for persistent control over compromised environments.
- The campaign includes long-term covert operations, including the creation of hidden "ghost" virtual machines inside victim networks.
- In late 2025, the adversary expanded into Microsoft Azure, exfiltrating data and conducting session-replay attacks to gather intelligence.
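One defensive check that follows from the ghost-VM point above is to reconcile what each ESXi host reports as running against what vCenter lists in its inventory: a VM that is running on a host but has no matching entry in vCenter is a candidate ghost VM. The script below is an added example, not code from the original summary or from any vendor report. It assumes an indented "Name / Key: Value" record layout for `esxcli vm process list` output, and the host name, the VM names and the datastore paths are constructed sample data.

```python
"""Flag VMs that run on an ESXi host but are absent from the vCenter inventory.

Comparison is done on the .vmx config path rather than the display name,
because a hidden VM may reuse the name of a legitimate one.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class RunningVm:
    host: str          # ESXi host the VM was observed on
    display_name: str  # name the hypervisor reports for the VM
    config_file: str   # full path of the VM's .vmx file


def parse_vm_process_list(host: str, text: str) -> list[RunningVm]:
    """Parse the record layout assumed here for `esxcli vm process list`:
    an unindented VM name line followed by indented 'Key: Value' lines."""
    vms: list[RunningVm] = []
    name = None
    fields: dict[str, str] = {}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():
            # Indented line: attribute of the current record.
            key, _, value = raw.strip().partition(":")
            fields[key.strip()] = value.strip()
        else:
            # Unindented line: start of a new record; flush the previous one.
            if name is not None:
                vms.append(RunningVm(host, fields.get("Display Name", name),
                                     fields.get("Config File", "")))
            name, fields = raw.strip(), {}
    if name is not None:
        vms.append(RunningVm(host, fields.get("Display Name", name),
                             fields.get("Config File", "")))
    return vms


def find_ghost_vms(inventory_config_files: set[str],
                   running: list[RunningVm]) -> list[RunningVm]:
    """Return running VMs whose .vmx path is not registered in vCenter."""
    return [vm for vm in running if vm.config_file not in inventory_config_files]


# Constructed sample: what vCenter reports as registered (config paths only).
SAMPLE_INVENTORY = {
    "/vmfs/volumes/datastore1/web01/web01.vmx",
    "/vmfs/volumes/datastore1/db01/db01.vmx",
}

# Constructed sample: host-side process list. The third record reuses the
# display name "web01" but lives at a path vCenter knows nothing about.
SAMPLE_HOST_OUTPUT = """\
web01
   World ID: 2101
   Process ID: 0
   VMX Cartel ID: 2100
   UUID: 42 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 01
   Display Name: web01
   Config File: /vmfs/volumes/datastore1/web01/web01.vmx
db01
   World ID: 2201
   Process ID: 0
   VMX Cartel ID: 2200
   UUID: 42 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 02
   Display Name: db01
   Config File: /vmfs/volumes/datastore1/db01/db01.vmx
web01
   World ID: 2301
   Process ID: 0
   VMX Cartel ID: 2300
   UUID: 42 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 03
   Display Name: web01
   Config File: /vmfs/volumes/datastore1/web01-backup/web01.vmx
"""


def audit_host(host: str, host_output: str,
               inventory: set[str]) -> list[RunningVm]:
    """Parse one host's process list and return its ghost-VM candidates."""
    return find_ghost_vms(inventory, parse_vm_process_list(host, host_output))


if __name__ == "__main__":
    for vm in audit_host("esx01", SAMPLE_HOST_OUTPUT, SAMPLE_INVENTORY):
        print(f"[ghost candidate] host={vm.host} name={vm.display_name} "
              f"vmx={vm.config_file}")
```

Run it as-is to see the constructed case flagged; in practice, feed it the real process list from each host and the config paths exported from vCenter, and treat every hit as an investigation lead rather than a verdict, since locally registered test VMs also show up this way.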