Warp Panda Brickstorm VMware vCenter targeting campaign
Campaign
Summary
A Warp Panda targeting campaign using Brickstorm reached VMware vCenter servers on the networks of U.S. legal, technology, and manufacturing companies throughout 2025, showing sustained pressure on virtualization infrastructure. The activity was tied to a Chinese hacking group and involved repeated attacks against enterprise VMware environments. The operation matters because access to vCenter can enable stealthy persistence, credential theft, and deeper compromise across affected networks.
Related Happenings
BRICKSTORM backdoor activity and GRIMBOLT replacement on appliances
Malware Activity
First: 18.02.2026 12:32
Last: 18.02.2026 12:32
Sources 1
About this happening:
**BRICKSTORM** is a **Golang backdoor** used by **PRC state-sponsored actors** to keep **long-term persistence** on **VMware vSphere**, **Windows**, and appliance environments. **...
UNC6201 Dell RecoverPoint for Virtual Machines zero-day campaign
Campaign
First: 17.02.2026 22:15
Last: 17.02.2026 22:15
Sources 1
About this happening:
The **UNC6201** campaign has been exploiting a **Dell zero-day** since **mid-2024**, creating a sustained risk of unauthorized access and stealthy movement across victims' virtual...
Latest development: 19.02.2026 17:30
CISA added CVE-2026-22769 to its Known Exploited Vulnerabilities catalog and ordered Federal Civilian Executive Branch agencies to secure affected Dell RecoverPoint systems by Saturday, February 21, after Mandiant and Google Threat Intelligence Group (GTIG) said UNC6201 had exploited the flaw since at least mid-2024.
VMware ESXi arbitrary-write sandbox escape (CVE-2025-22225)
Vulnerability
First: 04.02.2026 19:38
Last: 04.02.2026 19:38
Sources 1
About this happening:
**CVE-2025-22225** is now confirmed in **ransomware campaigns**, making the **VMware ESXi** sandbox-escape flaw an active risk for exposed virtualization hosts. **Broadcom** patch...
BeaverTail and InvisibleFerret backdoor delivery via malicious VS Code task abuse
Malware Activity
First: 20.01.2026 20:41
Last: 20.01.2026 20:41
Sources 1
About this happening:
**North Korean** threat actors tied to **Contagious Interview** are using **malicious Visual Studio Code (VS Code) tasks** and injected code in **compromised developer repositorie...
Latest development: 22.04.2026 17:48
North Korean actor Void Dokkaebi, aka Famous Chollima, is turning the Contagious Interview fake-job lure into a self-propagating software supply-chain infection that abuses compromised developer repositories, malicious VS Code tasks, and injected code to spread malware and steal credentials. The campaign targets developers seeking work, can hide a poisoned .vscode folder in committed code, and Trend Micro said it found more than 750 infected code repositories, more than 500 malicious VS Code task configurations, and 101 commit-tampering instances in March.
VMware ESXi exploit toolkit analysis with YARA/Sigma detections
Technical Analysis
First: 08.01.2026 23:27
Last: 08.01.2026 23:27
Sources 1
About this happening:
Huntress analyzed a **December 2025** **VMware ESXi exploit toolkit** that likely enabled **guest-to-hypervisor escape** and **post-exploitation** on **ESXi hosts**. The chain was...
Timeline
04.12.2025 20:19 · 2 articles
Warp Panda Brickstorm VMware vCenter targeting campaign
Initial Disclosure
The operation first centered on **Brickstorm** access to **VMware vCenter** and **vSphere** environments inside victim networks. Attackers then used those footholds to support stealthy persistence and credential theft before the 2025 targeting thread was linked to **Warp Panda**.
Sources
- CISA warns of Chinese "BrickStorm" malware attacks on VMware servers — www.bleepingcomputer.com — 04.12.2025 20:19