Unveiling WARP PANDA: A New Sophisticated China-Nexus Adversary

CrowdStrike tracked a China-nexus adversary dubbed WARP PANDA conducting persistent, stealthy intrusions against VMware vCenter and ESXi environments across U.S. legal, technology, and manufacturing organizations, deploying BRICKSTORM, JSP web shells, and two new Golang implants named Junction and GuestConduit. The actor exploited internet-facing edge device and vCenter vulnerabilities, tunneled traffic and exfiltrated staged data (including Microsoft 365 and SharePoint content), and maintained long-term access likely for PRC-aligned intelligence collection. #WARP_PANDA #BRICKSTORM

Key Points

  • WARP PANDA targeted VMware vCenter and ESXi environments at U.S.-based legal, technology, and manufacturing entities, maintaining long-term persistent access across multiple intrusions.
  • The adversary deployed BRICKSTORM (Golang backdoor), JSP web shells, and two new implants for ESXi/guest VMs called Junction and GuestConduit.
  • Initial access commonly involved exploiting internet-facing edge devices (Ivanti, F5) or vCenter vulnerabilities and using valid credentials, including the privileged vpxuser account.
  • WARP PANDA used OPSEC-focused tradecraft—log clearing, timestomping, creating unregistered malicious VMs, tunneling via vCenter/ESXi/guest VMs, and masquerading implants as legitimate VMware services.
  • Data collection and exfiltration included cloning/domain-controller VM access, staging data from ESXi snapshots with 7‑Zip, and accessing Microsoft 365, OneDrive, SharePoint, and Exchange via session replay and API enumeration.
  • Command-and-control infrastructure leveraged WebSockets over TLS, DNS-over-HTTPS, nested TLS channels, and public cloud services (Cloudflare Workers, Heroku) for C2 hosting.
  • CrowdStrike recommends monitoring for unregistered VMs, restricting ESXi/vCenter outbound access, disabling unnecessary SSH/shell access (vpxuser), applying patches, enforcing MFA/federation, and deploying EDR on guest VMs.
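As an added defender check that is not part of the CrowdStrike post, the script below implements the first recommendation above on a single ESXi host: it compares the `.vmx` files found on the datastores with the VMs registered in the host inventory and reports the difference. The function names, the sample `getallvms` rows and the datastore paths are constructed for the demo.

```sh
#!/bin/sh
# Added defender example, not code from the CrowdStrike post: report .vmx files on
# ESXi datastores that are absent from the host inventory (candidate unregistered VMs).
# Assumes an ESXi shell (or any POSIX sh for the parsing functions) with vim-cmd, find,
# sed, sort and grep. Paths are compared datastore-relative ("web01/web01.vmx"), which
# avoids the name-vs-UUID symlinks under /vmfs/volumes.

# stdin: text of `vim-cmd vmsvc/getallvms`; stdout: one relative .vmx path per VM.
# Sample row: "12   web01   [datastore1] web01/web01.vmx   ubuntu64Guest   vmx-19"
registered_vmx() {
  sed -n 's/^[0-9][0-9]*[[:space:]].*\[[^]]*\][[:space:]]*\([^[:space:]]*\.vmx\).*$/\1/p'
}

# stdin: output of `find /vmfs/volumes -name '*.vmx'`; stdout: relative paths.
found_vmx() {
  sed -n 's#^/vmfs/volumes/[^/]*/##p'
}

# $1: file of registered relative paths; $2: file of on-disk relative paths.
# Prints paths present on disk but missing from the inventory (empty output = clean).
unregistered_vmx() {
  sort -u "$2" | grep -vxF -f "$1" || true   # grep exits 1 when nothing is left over
}

# Live audit on an ESXi host. Returns 2 when vim-cmd is unavailable (not an ESXi shell).
audit_esxi_vms() {
  command -v vim-cmd >/dev/null 2>&1 || { echo "vim-cmd not found" >&2; return 2; }
  reg=$(mktemp); disk=$(mktemp)
  vim-cmd vmsvc/getallvms | registered_vmx > "$reg"
  find /vmfs/volumes -name '*.vmx' 2>/dev/null | found_vmx > "$disk"
  unregistered_vmx "$reg" "$disk"
  rm -f "$reg" "$disk"
}

# Offline demo on constructed data: two registered VMs plus a third .vmx that sits on
# the datastore without an inventory entry. Prints "rogue/rogue.vmx".
demo_unregistered() {
  reg=$(mktemp); disk=$(mktemp)
  printf '%s\n' 'Vmid Name File Guest OS Version Annotation' \
    '12   web01   [datastore1] web01/web01.vmx   ubuntu64Guest   vmx-19' \
    '13   dc01    [datastore1] dc01/dc01.vmx   windows2019srv_64Guest   vmx-19' | registered_vmx > "$reg"
  printf '%s\n' /vmfs/volumes/5f1a-uuid/web01/web01.vmx /vmfs/volumes/5f1a-uuid/dc01/dc01.vmx \
    /vmfs/volumes/5f1a-uuid/rogue/rogue.vmx | found_vmx > "$disk"
  unregistered_vmx "$reg" "$disk"
  rm -f "$reg" "$disk"
}
```

On shared datastores, VMs registered to other hosts in the cluster also appear in this host's difference, so reconcile the output against the vCenter inventory rather than treating every hit as malicious.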

MITRE Techniques

  • [T1583.001] Acquire Infrastructure: Domains – WARP PANDA uses Cloudflare DNS services to register C2 domains
  • [T1583.003] Acquire Infrastructure: Virtual Private Server – WARP PANDA uses VPS hosting providers
  • [T1583.007] Acquire Infrastructure: Serverless – BRICKSTORM uses infrastructure hosted behind Cloudflare and has used Cloudflare Workers and Heroku for C2 communications
  • [T1584.008] Compromise Infrastructure: Network Devices – WARP PANDA targets internet-facing edge devices
  • [T1588.001] Obtain Capabilities: Malware – WARP PANDA has access to BRICKSTORM, Junction, and GuestConduit
  • [T1608.003] Stage Capabilities: Install Digital Certificate – WARP PANDA uses TLS certificates on C2 infrastructure
  • [T1078.004] Valid Accounts: Cloud Accounts – WARP PANDA has gained access to Microsoft Azure environments, specifically targeting Office365 resources
  • [T1190] Exploit Public-Facing Application – WARP PANDA has exploited vulnerabilities in internet-facing edge devices to gain initial network access
  • [T1078.001] Valid Accounts: Default Accounts – WARP PANDA has leveraged the legitimate vpxuser account for privileged access to vCenter servers
  • [T1098.001] Account Manipulation: Additional Cloud Credentials – WARP PANDA has registered a new MFA device using an Authenticator app code
  • [T1505.003] Server Software Component: Web Shell – WARP PANDA has used web shells to maintain persistence
  • [T1036.004] Masquerading: Masquerade Task or Service – BRICKSTORM and Junction masquerade as legitimate VMware processes and services
  • [T1070.004] Indicator Removal: File Deletion – WARP PANDA has deleted files to avoid detection
  • [T1070.006] Indicator Removal: Timestomp – WARP PANDA has modified file timestamps to avoid detection and blend in with legitimate files
  • [T1564.006] Hide Artifacts: Run Virtual Instance – WARP PANDA has created malicious VMs within the VMware environment
  • [T1083] File and Directory Discovery – Junction allows a connected client to browse and download files from the host machine
  • [T1021.004] Remote Services: SSH – WARP PANDA has used SSH to move between vCenter servers and ESXi hosts
  • [T1550.001] Use Alternate Authentication Material: Application Access Token – WARP PANDA has moved laterally between different cloud services within the Azure environment
  • [T1114.002] Email Collection: Remote Email Collection – WARP PANDA has gained access to mailboxes
  • [T1213] Data from Information Repositories – WARP PANDA has gained access to sensitive files
  • [T1213.002] Data from Information Repositories: SharePoint – WARP PANDA has used BRICKSTORM to access and download sensitive SharePoint files
  • [T1530] Data from Cloud Storage – WARP PANDA has accessed cloud environments to collect sensitive information
  • [T1560.001] Archive Collected Data: Archive via Utility – WARP PANDA has used 7-Zip to compress data before exfiltration
  • [T1071.001] Application Layer Protocol: Web Protocols – BRICKSTORM uses WebSockets to communicate with C2 infrastructure over TLS
  • [T1071.004] Application Layer Protocol: DNS – BRICKSTORM uses DNS-over-HTTPS to resolve C2 domains
  • [T1090] Proxy – Junction allows a connected client to start a TCP or UDP proxy; GuestConduit allows traffic proxying from a host hypervisor to a different endpoint address
  • [T1090.003] Proxy: Multi-hop Proxy – WARP PANDA has used commercial VPN services
  • [T1095] Non-Application Layer Protocol – Junction and GuestConduit can both communicate using VSOCK network connections
  • [T1572] Protocol Tunneling – Junction can forward network traffic over a VSOCK connection to a listening virtual machine (VM)
  • [T1573.002] Encrypted Channel: Asymmetric Cryptography – BRICKSTORM can communicate with C2 infrastructure via TLS
  • [T1041] Exfiltration Over C2 Channel – WARP PANDA has exfiltrated archived data to C2 infrastructure

Indicators of Compromise

  • [SHA256 Hash] Malware and implant samples – 40db68331cb52dd3ffa0698144d1e6919779ff432e2e80c058e41f7b93cec042 (GuestConduit), 40992f53effc60f5e7edea632c48736ded9a2ca59fb4924eb6af0a078b74d557 (BRICKSTORM), and 2 more hashes
  • [IP Address] Infrastructure used by actor – 208.83.233.14, 149.28.120.31
  • [Process/Executable Names] Masquerade indicators on vCenter/ESXi – updatemgr, vami-http (BRICKSTORM impersonation of legitimate vCenter processes)
  • [Ports] Service/listener indicators – port 8090 (Junction listening, also used by vvold), port 5555 (GuestConduit VSOCK listener)
  • [Account Names] Credential/use-of-account indicators – vpxuser (privileged vCenter-managed account observed in SSH activity)
  • [File Types / Artifacts] Persistence and web shell indicators – JSP web shells deployed on vCenter servers
Read more: https://www.crowdstrike.com/en-us/blog/warp-panda-cloud-threats/