WARP PANDA targets VMware vCenter and cloud identity for stealthy persistence. Learn how AI-driven detection helps stop tunneling, token replay, and VM-layer attacks.

Stop WARP PANDA: AI Defense for vCenter and Cloud
A lot of security teams still treat VMware and cloud identity as “infrastructure plumbing.” WARP PANDA proves that mindset is expensive.
CrowdStrike’s December 2025 reporting describes a China-nexus adversary targeting VMware vCenter and ESXi at U.S.-based legal, tech, and manufacturing organizations—then extending access into Microsoft 365 and Azure. The common thread isn’t a single exploit. It’s persistence, stealth, and operational maturity: tunneling through trusted management planes, blending into legitimate processes, and abusing session tokens and admin pathways that many defenders don’t watch closely.
This matters because most traditional controls are tuned for endpoints and “normal” malware. WARP PANDA’s playbook is different: it targets the platforms that manage your compute and identity, then uses that position to move quietly. If you’re serious about reducing breach risk in 2026, you need AI-driven threat detection and response that can connect weak signals across virtualization, identity, and network telemetry—fast.
What WARP PANDA tells us about modern cloud intrusions
WARP PANDA’s activity is a clean example of how advanced adversaries win: they don’t need noisy ransomware to cause real damage. They need time and invisibility.
The reporting highlights three themes you should treat as “design requirements” for your defenses.
The management plane is the new crown jewel
The attacker focus on vCenter servers and ESXi hosts is strategic. If an adversary can operate inside your virtualization management layer, they can:
- Touch many workloads without deploying malware to each one
- Create or manipulate VMs to run tools out of sight
- Access snapshots and virtual disks that contain sensitive data
- Use legitimate management accounts (like vpxuser) as cover
A memorable way to frame it: “If endpoints are rooms, vCenter is the master key rack.”
Stealth tactics are now “table stakes”
WARP PANDA demonstrates mature defense evasion, including:
- Masquerading (implants that look like legitimate vCenter/ESXi services)
- Log clearing and timestomping to break timelines
- Malicious, unregistered VMs created for temporary operations and then shut down
- Tunneling through trusted infrastructure so traffic looks routine
These aren’t exotic tricks anymore. They’re what well-resourced actors do when they plan to stay for months.
Identity and session tokens are a primary lateral movement path
The cloud portion of the activity is particularly relevant for organizations that believe “our M365 is safe because we have MFA.” The reporting notes:
- Access into OneDrive, SharePoint, and Exchange
- Use of user session tokens (potentially harvested from browser artifacts) and session replay
- Registering a new MFA device to establish persistence
- Enumeration via the Microsoft Graph API (apps, service principals, roles, users, emails)
The reality: MFA is necessary, not sufficient. If an attacker steals session tokens or manipulates MFA enrollment, they can operate like a valid user.
A quick walkthrough of the WARP PANDA toolchain (and why defenders miss it)
The tooling described isn’t scary because it’s fancy. It’s scary because it fits the environment.
BRICKSTORM: backdoor + tunneling that hides in plain sight
BRICKSTORM is described as a Golang backdoor that masquerades as legitimate vCenter processes (examples include updatemgr and vami-http) and supports tunneling and file management.
Two defensive pain points stand out:
- It blends into expected process names and host roles. Many teams don’t baseline “what should run on vCenter” at the process level.
- Its command-and-control methods are built to survive network scrutiny. The reporting describes WebSockets over TLS, DNS-over-HTTPS resolution, nested TLS channels, and use of public services for infrastructure.
If your detection strategy is “block known bad IPs,” this kind of traffic will slip through.
Junction + GuestConduit: ESXi and guest VM tunneling through VSOCK
The two newer implants are particularly instructive:
- Junction: an ESXi implant that masquerades as a legitimate service by listening on port 8090 (associated with VMware vvold). It can execute commands, proxy traffic, and communicate with guest VMs via VM sockets (VSOCK).
- GuestConduit: a guest-VM implant that sets up a VSOCK listener on port 5555, parsing JSON requests and forwarding traffic—likely to pair with Junction’s tunneling.
Here’s the operational insight: VSOCK traffic is a blind spot in many environments. Security teams often have mature monitoring for east-west network traffic, but far less visibility into hypervisor-to-guest communication paths.
Data theft from snapshots and cloned domain controllers
The reporting includes a practical, defender-relevant detail: the adversary staged data using an ESXi-compatible 7-Zip binary and extracted content from thin-provisioned snapshots of live guest VMs. It also describes cloning domain controller VMs to attempt collection of sensitive Active Directory data.
That’s not just “exfiltration.” It’s surgical acquisition of high-value datasets.
Why AI-driven detection matters for threats like WARP PANDA
The key advantage of AI in cybersecurity isn’t buzzwords. It’s the ability to connect weak signals across systems that humans and rule sets don’t correlate well, especially when the attacker is quiet.
With threats like WARP PANDA, the “tell” is rarely one event. It’s a pattern:
- A vCenter process name that’s “almost right”
- A management account authenticating over SSH at an unusual time
- Nonstandard ports on ESXi hosts that don’t match your baseline
- Outbound traffic from systems that should almost never talk to the internet
- A session replay pattern into Microsoft 365 that doesn’t match device history
- A new MFA device registered shortly after suspicious access
AI-driven threat detection and response excels when you feed it good telemetry and let it score behavior, not just signatures.
What AI can do better than traditional rules
In practice, modern AI detection systems tend to outperform static rules in four areas that matter here:
- Baseline-building at scale: learning what “normal” looks like for vCenter, ESXi, and admin workflows.
- Anomaly correlation: tying together identity events, host telemetry, and network behavior into one incident narrative.
- Prioritization: reducing alert overload by grouping related activity and highlighting the highest-confidence paths.
- Faster response: recommending or triggering containment steps (with human approval) before the attacker finishes staging.
A stance I’ll defend: If your virtualization layer isn’t covered by behavior-based detection and response, you’re operating on hope.
The “management plane attack” detection checklist
If you want to pressure-test your program against WARP PANDA-style activity, start with these questions:
- Do we collect and retain ESXi and vCenter logs centrally (not just locally on the hosts)?
- Can we alert on unsanctioned VM creation, especially unregistered VMs?
- Do we have detections for SSH authentications to ESXi, especially root and vpxuser?
- Is there an enforced baseline for ESXi listening ports, with alerting on deviations (including 8090)?
- Is outbound internet access from vCenter/ESXi restricted and monitored?
- Do we detect token replay or abnormal session patterns into Microsoft 365?
- Can we alert on MFA device enrollment events and tie them to suspicious sign-ins?
If several of these are “no,” AI won’t magically fix it—but it will help you make better use of the data once you collect it.
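As an added illustration of two checklist items (SSH by root/vpxuser and listening-port baseline deviations), here is example detection logic that is not part of the original post. It runs over constructed log lines and a hypothetical per-host baseline; the ESXi log and `esxcli network ip connection list` shapes are approximations, not a vendor schema.

```python
import re

# Constructed sample lines shaped like ESXi sshd syslog entries (not taken from the report).
SSH_LOGS = [
    "2025-12-03T02:14:07Z esx01 sshd[21901]: Accepted publickey for vpxuser from 10.20.30.40 port 51022 ssh2",
    "2025-12-03T02:16:40Z esx01 sshd[21955]: Accepted password for root from 10.20.30.40 port 51101 ssh2",
    "2025-12-03T10:05:12Z esx01 sshd[23011]: Accepted publickey for backupsvc from 10.0.5.9 port 44100 ssh2",
]
# Constructed listener rows for esx01, shaped like `esxcli network ip connection list` output.
LISTENERS = [
    "tcp  0  0  0.0.0.0:22    0.0.0.0:0  LISTEN  2098563  newreno  sshd",
    "tcp  0  0  0.0.0.0:443   0.0.0.0:0  LISTEN  2097683  newreno  rhttpproxy-work",
    "tcp  0  0  0.0.0.0:8090  0.0.0.0:0  LISTEN  2101999  newreno  fakesvc",
]
# Hypothetical per-host baseline: sanctioned listeners (port -> owning world) and an admin change
# window in UTC hours. esx01 does not use vVols, so 8090 is deliberately absent from the baseline.
PORT_BASELINE = {22: "sshd", 443: "rhttpproxy-work", 902: "hostd"}
ADMIN_WINDOW_UTC = (8, 18)
WATCHED_ACCOUNTS = {"root", "vpxuser"}
SSH_RE = re.compile(r"^(\S+) (\S+) sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port \d+")

def ssh_findings(lines):
    """Flag SSH logins by management accounts and any login outside the admin window."""
    findings = []
    for line in lines:
        m = SSH_RE.match(line)
        if not m:
            continue
        ts, host, _method, user, src = m.groups()
        hour = int(ts[11:13])  # fixed-width ISO-8601 UTC timestamp in the constructed lines
        reasons = []
        if user in WATCHED_ACCOUNTS:
            reasons.append(f"SSH login by management account {user}")
        if not ADMIN_WINDOW_UTC[0] <= hour < ADMIN_WINDOW_UTC[1]:
            reasons.append(f"login at {hour:02d}:00 UTC is outside the admin window")
        if reasons:
            findings.append((host, user, src, reasons))
    return findings

def listener_findings(rows, baseline):
    """Flag LISTEN sockets whose port is not baselined or whose owning world is unexpected."""
    findings = []
    for row in rows:
        f = row.split()
        if len(f) < 9 or f[5] != "LISTEN":
            continue
        port, world = int(f[3].rsplit(":", 1)[1]), f[8]
        if port not in baseline:
            findings.append((port, world, "port not in baseline"))
        elif baseline[port] != world:
            findings.append((port, world, f"expected owner {baseline[port]}"))
    return findings
```

The same two functions generalize to any host once you feed them the host's real syslog and listener table together with a baseline you have actually reviewed.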
Practical defenses you can implement in the next 30 days
You don’t need a multi-quarter transformation to raise the bar. You need focused moves that reduce attacker options.
Harden VMware and reduce stealth opportunities
Start with controls that directly break the tradecraft described:
- Restrict and monitor SSH on ESXi (and disable it where feasible)
- Investigate any SSH use of vpxuser as high priority
- Forward vSphere syslog to an external platform and retain it long enough for investigations
- Restrict outbound internet access from ESXi and vCenter (explicit allowlists beat broad egress)
- Enforce least privilege for daily vSphere administration with separate admin accounts
- Turn on ESXi execInstalledOnly where operationally possible
- Apply strict segmentation and firewall rules around ESXi management interfaces
One simple rule I like: management planes shouldn’t browse the internet. If they can, attackers will make them.
Watch for the attacker’s “operational footprints”
WARP PANDA’s methods leave traces you can hunt for:
- Unregistered VMs that appear and disappear
- Staging directories containing large archives (e.g., 7-Zip artifacts) on hypervisors or jump hosts
- Unexpected outbound connections from vCenter/ESXi to unfamiliar destinations
- Long-lived TLS/WebSocket connections originating from infrastructure that normally has short admin sessions
AI-assisted hunting helps here because it can cluster related artifacts across hosts—especially useful when logs are imperfect.
Close the cloud identity persistence gaps
On the Microsoft 365/Azure side, focus on identity hardening that stops token and MFA abuse:
- Alert on new MFA device registration, especially when preceded by risky sign-ins
- Enforce phishing-resistant MFA for admins and high-risk roles where possible
- Tighten controls around browser session artifacts on admin workstations (since token theft often starts there)
- Monitor Graph API usage for unusual enumeration patterns (apps, service principals, directory roles)
- Require conditional access that considers device health and sign-in risk, not just passwords
A strong stance: MFA enrollment is a privileged action. Treat it like one.
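To make the identity-side correlation concrete, here is an added example (not from the original post) that ties an MFA method registration back to a preceding risky sign-in or a replayed session by the same user. The record schema is a constructed simplification, and the audit activity name "User registered security info" is assumed to be how the registration event is labelled.

```python
from datetime import datetime, timedelta

# Constructed sign-in and audit records in a simplified schema; not the Entra ID export format.
SIGNINS = [
    {"ts": "2025-12-04T08:02:00", "user": "jdoe", "ip": "203.0.113.10", "device": "LAPTOP-JD01", "session": "S-1", "risk": "none"},
    {"ts": "2025-12-04T11:40:00", "user": "jdoe", "ip": "198.51.100.77", "device": "", "session": "S-1", "risk": "medium"},
    {"ts": "2025-12-04T09:15:00", "user": "asmith", "ip": "203.0.113.22", "device": "LAPTOP-AS02", "session": "S-2", "risk": "none"},
]
AUDITS = [
    {"ts": "2025-12-04T11:52:00", "user": "jdoe", "activity": "User registered security info", "detail": "Authenticator app"},
    {"ts": "2025-12-04T15:00:00", "user": "asmith", "activity": "User registered security info", "detail": "Phone"},
]
ENROLL_ACTIVITY = "User registered security info"  # assumed audit activity name for MFA method registration
WINDOW = timedelta(hours=2)  # how soon after a suspicious sign-in an enrollment is treated as linked

def replayed_sessions(signins):
    """Same session identifier reused from a different IP or device: candidate token replay."""
    first_seen, hits = {}, []
    for s in sorted(signins, key=lambda r: r["ts"]):
        prior = first_seen.setdefault(s["session"], s)
        if prior is not s and (prior["ip"], prior["device"]) != (s["ip"], s["device"]):
            hits.append((s["user"], s["session"], prior["ip"], s["ip"]))
    return hits

def suspicious_mfa_enrollment(signins, audits, window=WINDOW):
    """MFA method registered within `window` after a risky or replayed sign-in by the same user."""
    replay_users = {h[0] for h in replayed_sessions(signins)}
    hits = []
    for a in audits:
        if a["activity"] != ENROLL_ACTIVITY:
            continue
        for s in signins:
            if s["user"] != a["user"]:
                continue
            delta = datetime.fromisoformat(a["ts"]) - datetime.fromisoformat(s["ts"])
            if timedelta(0) <= delta <= window and (s["risk"] != "none" or s["user"] in replay_users):
                hits.append((a["user"], a["detail"], s["ip"], s["risk"]))
                break
    return hits
```

In the constructed data only jdoe is flagged: the enrollment follows a medium-risk sign-in whose session identifier was first seen from a different IP and device, while asmith's registration sits hours after a clean sign-in.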
How to brief leadership without turning it into a fear pitch
If you need budget or buy-in (and you probably do), skip the doom-and-gloom. Use a simple narrative:
- What changed: adversaries are targeting virtualization and cloud management layers for quiet, long-term access.
- Why it matters: compromise there scales across many systems and can expose sensitive data without noisy malware.
- What we’re doing: improving visibility, restricting management plane behavior, and adopting AI-driven detection to connect signals across VMware and cloud identity.
The executive-friendly line that tends to land: “We’re reducing the probability of a long-dwell breach by shrinking blind spots in the management plane.”
Next steps: build an AI-ready defense for VMware and cloud
WARP PANDA isn’t just another threat actor name to file away. It’s a reminder that virtualization and cloud identity are now primary battlegrounds—and they’re full of low-noise signals that humans and static rules struggle to stitch together.
If you take one action this quarter, make it this: treat vCenter/ESXi and cloud identity telemetry as first-class security data, then use AI-driven threat detection and response to correlate behavior across them.
Where do you think your biggest blind spot is right now—the hypervisor layer, the identity layer, or the gap between them?