GuestConduit
GuestConduit is a previously unobserved Golang-based network traffic–tunneling implant used in VMware virtualized environments. According to CrowdStrike reporting cited in the content, it runs inside a guest VM and establishes a VSOCK listener on port 5555 to facilitate guest-to-hypervisor communication and traffic tunneling. The content further states that it parses JSON-formatted requests to mirror or forward traffic and likely operates in conjunction with the Junction implant, which resides on ESXi hosts and communicates with guest VMs via VSOCK.
GuestConduit has been associated with the China-nexus threat actor WARP PANDA. CrowdStrike reported the actor deploying JSP web shells, the BRICKSTORM malware family, and the previously unknown Junction and GuestConduit implants during intrusions targeting VMware vCenter, ESXi hosts, and guest VMs. The reported victimology includes U.S.-based legal, technology, and manufacturing organizations, and the operations were assessed as focused on stealthy, long-term persistence and intelligence collection aligned with PRC strategic interests. The content states that WARP PANDA commonly gained initial access by exploiting internet-facing edge devices, then pivoted into vCenter environments using valid credentials or vCenter vulnerability exploitation, with lateral movement via SSH and the privileged vpxuser account.
High-confidence behavioral details in the content are limited but consistent: GuestConduit is Golang-based, resides in guest VMs, listens on VSOCK port 5555, and functions as a tunneling implant for forwarding traffic within VMware ESXi ecosystems. No additional standalone IOCs beyond the VSOCK listener on port 5555 are provided in the content.
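As a hunting aid for the listener described above, the following is an added example (not code from this page or from CrowdStrike's reporting) that flags VSOCK stream listeners bound to port 5555 in `ss -lp --vsock`-style output from a Linux guest VM; the sample output, its column layout, and the process names in it are constructed assumptions.

```python
import re

# Constructed sample in the style of `ss -lp --vsock` output from a Linux guest VM.
# The column layout and the process column are assumptions for this example, not a capture.
SAMPLE_SS_VSOCK = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
v_str LISTEN 0      0      *:5555             *:*               users:(("updater",pid=4242,fd=3))
v_str LISTEN 0      0      *:2223             *:*               users:(("agentd",pid=611,fd=9))
v_str ESTAB  0      0      3:5555             2:49152           users:(("updater",pid=4242,fd=4))
v_dgr UNCONN 0      0      *:1024             *:*
"""

SUSPECT_PORT = 5555  # VSOCK port reported for the GuestConduit listener

_PROC_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')


def parse_vsock_sockets(text):
    """Parse ss-style VSOCK rows into dicts (netid, state, cid, port, process, pid)."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the header
        parts = line.split()
        if len(parts) < 6:
            continue
        netid, state, _recvq, _sendq, local, _peer = parts[:6]
        cid, _, port = local.rpartition(":")  # local address is CID:port, '*' = any CID
        if not port.isdigit():
            continue
        m = _PROC_RE.search(line)
        rows.append({
            "netid": netid, "state": state, "cid": cid, "port": int(port),
            "process": m.group(1) if m else None,
            "pid": int(m.group(2)) if m else None,
        })
    return rows


def find_suspect_listeners(text, port=SUSPECT_PORT):
    """Return VSOCK stream sockets in LISTEN state bound to the suspect port.

    A hit is a lead, not a verdict: confirm by inspecting the owning process
    (binary path, parent, start time) before attributing it to GuestConduit.
    """
    return [r for r in parse_vsock_sockets(text)
            if r["netid"] == "v_str" and r["state"] == "LISTEN" and r["port"] == port]


if __name__ == "__main__":
    for hit in find_suspect_listeners(SAMPLE_SS_VSOCK):
        print(f"VSOCK listener on port {hit['port']}: pid={hit['pid']} process={hit['process']}")
```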
Groups observed using it
1 distinct threat actor attributed by public researchers.
CrowdStrike observed the same threat group deploying previously unknown Junction and GuestConduit malware implants in VMware ESXi environments.
Techniques & procedures
2 distinct techniques documented for this family, organized by ATT&CK tactic.
Persistence
2 techniques: “deploying JSP web shells and BRICKSTORM on VMware vCenter servers”
Privilege Escalation
1 technique
Recent activity
7 sources tracked across advisories, community write-ups, and news.
Previously unobserved Golang-based implant deployed in PRC-nexus intrusions, positioned on guest VMs for covert, persistent access.
A previously undocumented network traffic–tunneling implant deployed inside a guest VM; it establishes a VSOCK listener (port 5555) to facilitate communications between guest VMs and hypervisors.
GuestConduit is a newly identified Golang-based implant used by WARP PANDA to maintain persistent access and facilitate espionage within virtualized and cloud environments. It is deployed alongside other tools to enable stealthy operations and data exfiltration.
GuestConduit is a Go-based implant deployed on guest VMs by Chinese threat actors to maintain persistence and facilitate data exfiltration in targeted VMware environments.