CrowdStrike has publicly identified a previously unreported China-nexus cyberespionage group, dubbed WARP PANDA, responsible for a series of sophisticated intrusions targeting U.S. legal, technology and manufacturing organisations throughout 2025.
The threat actor, which CrowdStrike assesses as aligned with Chinese state interests, has been active in recent months and is emblematic of a widening shift in PRC-linked operations toward hybrid-cloud exploitation and long-term covert access.
According to CrowdStrike, WARP PANDA focuses on securing persistent footholds across Microsoft 365, Azure and VMware vCenter environments in order to access high-value data. The activity highlights the increasing strategic importance of cloud platforms to espionage campaigns.
Investigators report that WARP PANDA deploys three custom malware implants — BRICKSTORM, Junction and GuestConduit — and uses sophisticated operational security techniques to remain undetected for extended periods.
The group’s targeting of VMware vCenter is of particular concern, with CrowdStrike noting that control over these environments can provide broad access to critical infrastructure and workloads.
CrowdStrike believes WARP PANDA is likely to continue operations in the near term.