WARP PANDA
Warp Panda is a China-nexus / PRC-aligned cyber espionage threat actor tracked by CrowdStrike, also referred to in the underlying reporting as Clay Typhoon and Storm-2416. CrowdStrike describes it as a newly identified, highly technically sophisticated adversary focused on stealthy, long-term covert access, with activity targeting U.S.-based entities including legal, technology, and manufacturing organizations, and with reporting also linking BRICKSTORM activity against U.S. entities more broadly. The reporting states its operations are likely aligned with the strategic interests of the People’s Republic of China.

Warp Panda is strongly associated with intrusions into VMware vCenter and ESXi environments. Reported tradecraft includes deployment of JSP web shells and the BRICKSTORM Golang backdoor on VMware vCenter servers, as well as use of two additional Golang implants: Junction on ESXi hosts and GuestConduit on guest VMs. BRICKSTORM is described as supporting long-term persistence, tunneling, and file management, and as using TLS over WebSockets, DNS-over-HTTPS, nested TLS channels, and public cloud services to obfuscate command-and-control. The actor has also been reported targeting Azure cloud environments.

According to the reporting, Warp Panda commonly gains initial access by exploiting internet-facing edge devices, then pivots into vCenter using valid credentials or vCenter vulnerability exploitation. It has used SSH, SFTP, and the built-in privileged VMware vpxuser account for persistence, privileged access, and lateral movement. Additional stealth and anti-forensic behavior described in the reporting includes log clearing, file timestomping, creation of malicious unregistered VMs, and tunneling traffic through vCenter servers, ESXi hosts, and guest VMs to blend with legitimate activity. The reporting also attributes data theft and intelligence collection activity to Warp Panda.

Reported objectives and actions include staging data for exfiltration, extracting data from VM snapshots, cloning domain controller VMs to obtain sensitive Active Directory data, and accessing employee email accounts related to topics aligned with Chinese government interests. One report also notes rudimentary reconnaissance against an Asia Pacific government entity from a compromised network. The reporting links Warp Panda to BRICKSTORM malware attacks throughout 2025 and notes that it was one of at least three China-nexus actors reported to have exploited CVE-2023-34048. Some reporting also states CrowdStrike linked Warp Panda to the same activity cluster Google tracks as UNC5221, while other reporting distinguishes Warp Panda as a separate China-aligned adversary also associated with BRICKSTORM. Because the available reporting is not fully consistent on that relationship, only the direct aliases explicitly given for Warp Panda are included here: Clay Typhoon and Storm-2416.
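The profile above singles out interactive use of the vpxuser account over SSH as a persistence and lateral-movement technique. vpxuser is the account vCenter uses to authenticate to an ESXi host's management agent over the vSphere API, so a shell login with that account is not normal behaviour and is a useful thing to alert on. The script below is an added detection example written for this page; it is not CrowdStrike's or Mallory's code and was not taken from any report. The log lines, hostnames, addresses and the set of vCenter addresses are all constructed; the line format is modelled on the OpenSSH sshd entries ESXi writes to its auth log, and real deployments should confirm their own format before using the regular expression.

```python
import re
from dataclasses import dataclass
from typing import Iterable

# Constructed sample lines modelled on OpenSSH sshd syslog entries as they
# appear in an ESXi auth log. Hosts, addresses and timestamps are invented.
SAMPLE_AUTH_LOG = """\
2025-06-01T02:13:44Z esxi01 sshd[2193]: Accepted keyboard-interactive/pam for root from 10.10.5.20 port 51022 ssh2
2025-06-01T02:41:09Z esxi01 sshd[2311]: Accepted password for vpxuser from 10.10.9.77 port 40211 ssh2
2025-06-01T02:41:30Z esxi01 sshd[2311]: Received disconnect from 10.10.9.77 port 40211:11: disconnected by user
2025-06-01T03:05:12Z esxi02 sshd[1877]: Failed password for vpxuser from 10.10.9.77 port 40388 ssh2
2025-06-01T03:05:20Z esxi02 sshd[1879]: Accepted publickey for vpxuser from 10.10.1.5 port 40390 ssh2
"""

# Assumed: addresses of the vCenter Server appliance(s) that legitimately
# manage these hosts. Placeholder value; replace with your own inventory.
VCENTER_ADDRESSES = {"10.10.1.5"}

# Matches both successful and failed sshd authentication events.
SSH_EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    user: str
    src: str
    outcome: str
    severity: str
    reason: str


def parse_ssh_events(lines: Iterable[str]) -> list[dict]:
    """Return the sshd authentication events found in the given log lines."""
    events = []
    for line in lines:
        match = SSH_EVENT_RE.match(line)
        if match:
            events.append(match.groupdict())
    return events


def detect_vpxuser_ssh(lines: Iterable[str],
                       vcenter_addresses: set[str] = VCENTER_ADDRESSES) -> list[Finding]:
    """Flag every SSH authentication attempt made as vpxuser.

    Rationale: vCenter drives hostd through the vSphere API with vpxuser; it
    does not open SSH sessions with it. A successful shell login as vpxuser
    is therefore suspicious, and one from an address that is not a known
    vCenter server is the strongest signal. Failed attempts are kept too,
    because they may show the account being tried before it succeeds.
    """
    findings = []
    for ev in parse_ssh_events(lines):
        if ev["user"] != "vpxuser":
            continue
        if ev["outcome"] == "Failed":
            severity = "medium"
            reason = "failed SSH authentication as vpxuser"
        elif ev["src"] in vcenter_addresses:
            severity = "medium"
            reason = ("interactive SSH as vpxuser from a vCenter address; "
                      "vpxuser is an API account, not a shell account")
        else:
            severity = "high"
            reason = "interactive SSH as vpxuser from a non-vCenter address"
        findings.append(Finding(ev["ts"], ev["host"], ev["user"], ev["src"],
                                ev["outcome"], severity, reason))
    return findings


if __name__ == "__main__":
    for f in detect_vpxuser_ssh(SAMPLE_AUTH_LOG.splitlines()):
        print(f"[{f.severity.upper()}] {f.ts} {f.host} {f.outcome} {f.user} "
              f"from {f.src}: {f.reason}")
```

Run against the constructed sample, the root login is ignored and three vpxuser events are returned: the successful password login from 10.10.9.77 (high), the failed attempt from the same address (medium), and the key-based login from the assumed vCenter address (medium). In production the same logic fits naturally as a Sigma rule or a SIEM correlation search keyed on the sshd user field, with the vCenter address list maintained from the host inventory rather than hard-coded.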
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Where they target
Geographies tied to known operations.
- 🇺🇸 United States
Where they're from
Attributed origin per open-source reporting.
- CN
Tradecraft
21 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
Associated malware families
5 malware families attributed to this actor across reporting.
Associated vulnerabilities
1 CVE this actor has used in observed campaigns, exploited in the wild.
Observables
12 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.
Recent activity
15 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
China-aligned adversary linked to the use of BRICKSTORM in attacks targeting U.S. entities.
China-linked actor attributed by CrowdStrike to Brickstorm backdoor activity targeting VMware vCenter servers in US legal, technology, and manufacturing companies.
Abused default/vendor-configured credentials (VMware vpxuser) to persist on vCenter/ESXi and enable privileged access and lateral movement.
Cited as a China-nexus threat actor that previously exploited a VMware vCenter Server DCERPC vulnerability (CVE-2023-34048).
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.