According to Infosecurity Magazine, cybersecurity firm CrowdStrike has identified a new, sophisticated threat actor called Warp Panda, linked to Chinese government priorities, targeting North American legal, technology, and manufacturing firms. The group, active since at least 2022, has been conducting long-term, persistent intrusions, with one initial access point dating back to 2023. During the summer of 2025, CrowdStrike observed multiple attacks targeting VMware vCenter environments, where the hackers deployed a backdoor called BRICKSTORM malware, which masquerades as legitimate processes. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed in a December 4 advisory that a PRC state-sponsored actor used BRICKSTORM for persistent access from at least April 2024 through September 3, 2025. The adversary also uses two previously unseen Golang implants, Junction and GuestConduit, and has accessed email accounts of employees working on topics aligned with Chinese interests.
The Long Game in the Cloud
Here’s the thing that really stands out: this isn’t a smash-and-grab operation. Warp Panda is playing the long game, and they’ve built their entire toolkit for stealth and persistence in the exact environments where modern businesses live—their cloud and virtual infrastructure. By focusing on VMware vCenter and ESXi hosts, they’re hiding in the plumbing of the network, the management layer that admins trust. Creating malicious VMs that aren’t even registered in vCenter? That’s next-level tradecraft. It shows they’re not just exploiting software; they’re exploiting the inherent trust and complexity of these systems. For sectors like manufacturing and technology, where industrial control and proprietary R&D data are gold, this is a nightmare scenario. It means the crown jewels aren’t just in a file server; they’re in the very fabric of the digital factory or lab. And this threat is targeting the servers, not the workstations.
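One way to turn that “unregistered VM” point into a check defenders can run, as an added example and not code from CrowdStrike, CISA or VMware: it assumes you have already pulled `esxcli vm process list` output from each ESXi host and the `[datastore] path.vmx` inventory paths from vCenter (for instance via pyvmomi), and it reconciles the two so that any VM a host is running without a matching vCenter record is flagged.

```python
"""Reconcile what each ESXi host is actually running against the vCenter
inventory, flagging VMs a host runs that vCenter has never registered.
All sample data is constructed; the host text assumes the layout of
`esxcli vm process list` output and the inventory uses the '[datastore] path.vmx'
form of a VM's vmPathName."""
import re

def normalize_vmx_path(path: str) -> str:
    """Map '[ds1] dir/vm.vmx' to '/vmfs/volumes/ds1/dir/vm.vmx'.
    Assumes datastore names (not volume UUIDs) appear in the ESXi paths."""
    m = re.fullmatch(r"\[(.+?)\]\s*(.+)", path.strip())
    return f"/vmfs/volumes/{m.group(1)}/{m.group(2)}" if m else path.strip()

def parse_process_list(host: str, text: str) -> list[tuple[str, str, str]]:
    """Return (host, display name, config file) for each VM in esxcli-style text."""
    found, name = [], None
    for line in text.splitlines():
        if (m := re.match(r"\s*Display Name:\s*(.+)", line)):
            name = m.group(1).strip()
        elif (m := re.match(r"\s*Config File:\s*(.+)", line)) and name:
            found.append((host, name, m.group(1).strip()))
            name = None
    return found

def find_unregistered(host_outputs: dict[str, str], inventory: list[str]) -> list[tuple[str, str, str]]:
    """VMs running on a host whose .vmx path is absent from vCenter's inventory."""
    known = {normalize_vmx_path(p) for p in inventory}
    return [vm for host, text in host_outputs.items()
            for vm in parse_process_list(host, text) if vm[2] not in known]

# Constructed sample: vCenter knows two VMs; esx02 is also running a third.
VCENTER_INVENTORY = ["[ds1] app01/app01.vmx", "[ds1] db01/db01.vmx"]
HOST_OUTPUTS = {
    "esx01": "app01\n   World ID: 2101\n   Display Name: app01\n"
             "   Config File: /vmfs/volumes/ds1/app01/app01.vmx\n",
    "esx02": "db01\n   World ID: 2102\n   Display Name: db01\n"
             "   Config File: /vmfs/volumes/ds1/db01/db01.vmx\n"
             "svc-update\n   World ID: 2177\n   Display Name: svc-update\n"
             "   Config File: /vmfs/volumes/ds1/.svc/svc-update.vmx\n",
}

if __name__ == "__main__":
    for host, name, vmx in find_unregistered(HOST_OUTPUTS, VCENTER_INVENTORY):
        print(f"UNREGISTERED on {host}: {name} ({vmx})")
```

A hit is a lead, not a verdict: a VM mid-vMotion or a host temporarily out of inventory can produce the same mismatch, so confirm against recent tasks and events before treating it as an implant.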
Why This Is a Watershed
So why is this a big deal? First, the technical sophistication is notable. Golang-based malware is harder to analyze and is becoming a favorite among advanced actors. Second, the CISA joint advisory directly linking the activity to a PRC state-sponsored actor adds significant weight to CrowdStrike’s findings—this isn’t just a private security firm’s report anymore. It’s a confirmed nation-state campaign. And the targeting is brutally logical: legal firms (for merger/acquisition intel or litigation strategy), tech firms (for IP theft), and manufacturing (for supply chain and process secrets). These are all pillars of economic and strategic advantage. The fact that they also did “rudimentary reconnaissance” against an Asia Pacific government entity from a compromised corporate network is chilling. It turns a corporate network into a launchpad for broader geopolitical espionage.
What Comes Next
Look, CrowdStrike assesses with “moderate confidence” that this will continue in the near to long term. I’d say that’s probably an understatement. The playbook is working. They’ve established a persistent foothold in a critical, ubiquitous piece of enterprise infrastructure. The immediate trajectory is clear: more of the same, but likely expanding to other cloud management platforms. The emerging trend here is the full weaponization of the cloud management plane. It’s not about stealing passwords anymore; it’s about becoming a ghost in the machine, using the machine’s own trusted channels to tunnel traffic. For defenders, the old perimeter model is utterly dead. The advisory from CISA and the detailed CrowdStrike blog are essentially a warning siren. The question isn’t if other groups will copy these techniques, but when. Basically, if your incident response plan doesn’t assume an adversary is already living in your virtualized environment, it’s time for a new plan.
