Date: 12/08/2025
Severity: High
Summary
WARP PANDA is a newly identified, highly advanced China-nexus threat actor targeting VMware vCenter and ESXi environments across U.S. organizations in 2025. The group demonstrates strong technical skill, exceptional OPSEC, and deep expertise in cloud and virtualized systems. During intrusions, they deployed BRICKSTORM malware, JSP web shells, and two new ESXi implants — Junction and GuestConduit. Their tactics prioritize stealth and long-term persistence, indicating a clear focus on intelligence gathering aligned with PRC strategic objectives.
Indicators of Compromise (IOC) List
Type | Value
IP Address | 208.83.233.14
IP Address | 149.28.120.31
Hash (SHA-256) | 40db68331cb52dd3ffa0698144d1e6919779ff432e2e80c058e41f7b93cec042
Hash (SHA-256) | 88db1d63dbd18469136bf9980858eb5fc0d4e41902bf3e4a8e08d7b6896654ed
Hash (SHA-256) | 9a0e1b7a5f7793a8a5a62748b7aa4786d35fc38de607fb3bb8583ea2f7974806
Hash (SHA-256) | 40992f53effc60f5e7edea632c48736ded9a2ca59fb4924eb6af0a078b74d557
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 (C2 IP addresses, either direction):
dstipaddress IN ("149.28.120.31","208.83.233.14") or srcipaddress IN ("149.28.120.31","208.83.233.14")
Detection Query 2 (known sample hashes):
sha256hash IN ("40db68331cb52dd3ffa0698144d1e6919779ff432e2e80c058e41f7b93cec042","88db1d63dbd18469136bf9980858eb5fc0d4e41902bf3e4a8e08d7b6896654ed","9a0e1b7a5f7793a8a5a62748b7aa4786d35fc38de607fb3bb8583ea2f7974806","40992f53effc60f5e7edea632c48736ded9a2ca59fb4924eb6af0a078b74d557")
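As an added illustration, not part of the advisory or of the Gurucul query language, the same two detections written as a standalone Python matcher run over constructed JSON-lines records; the field names srcipaddress, dstipaddress and sha256hash mirror the queries above, and the sample records are made up for the demonstration.

```python
import json

# IOCs taken from the advisory above.
IOC_IPS = {"208.83.233.14", "149.28.120.31"}
IOC_SHA256 = {
    "40db68331cb52dd3ffa0698144d1e6919779ff432e2e80c058e41f7b93cec042",
    "88db1d63dbd18469136bf9980858eb5fc0d4e41902bf3e4a8e08d7b6896654ed",
    "9a0e1b7a5f7793a8a5a62748b7aa4786d35fc38de607fb3bb8583ea2f7974806",
    "40992f53effc60f5e7edea632c48736ded9a2ca59fb4924eb6af0a078b74d557",
}

def match_record(rec):
    """Return the names of the detections that fire on one normalised record."""
    hits = []
    # Query 1: either endpoint of the connection is a listed C2 address.
    if rec.get("srcipaddress") in IOC_IPS or rec.get("dstipaddress") in IOC_IPS:
        hits.append("Query1-IP")
    # Query 2: file hash matches a listed sample; normalise case before comparing,
    # since EDR/AV sources disagree on hex casing.
    h = rec.get("sha256hash")
    if h and h.lower() in IOC_SHA256:
        hits.append("Query2-SHA256")
    return hits

def scan_jsonl(lines):
    """Scan newline-delimited JSON records; return (line index, hits) per alert."""
    alerts = []
    for i, line in enumerate(lines):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the whole scan
        hits = match_record(rec)
        if hits:
            alerts.append((i, hits))
    return alerts

# Constructed sample records (not real telemetry) exercising both queries,
# an upper-case hash, a benign record and a malformed line.
SAMPLE_LOG = [
    '{"srcipaddress":"10.0.0.5","dstipaddress":"149.28.120.31","proto":"tcp"}',
    '{"srcipaddress":"10.0.0.6","dstipaddress":"10.0.0.7","sha256hash":"40DB68331CB52DD3FFA0698144D1E6919779FF432E2E80C058E41F7B93CEC042"}',
    '{"srcipaddress":"10.0.0.8","dstipaddress":"8.8.8.8"}',
    'not json',
]

if __name__ == "__main__":
    for idx, hits in scan_jsonl(SAMPLE_LOG):
        print(f"record {idx}: {', '.join(hits)}")
```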
Reference:
https://www.crowdstrike.com/en-us/blog/warp-panda-cloud-threats/