
Warp Panda North American legal, technology and manufacturing espionage campaign

Campaign
First reported
Last updated
Happening score
H score 40
1 unique source, 1 article

Summary


Warp Panda is running a sophisticated cyber-espionage campaign against North American legal, technology and manufacturing firms, maintaining persistent covert access that supports intelligence collection tied to PRC interests. The operation has been active since at least 2022 and was observed again in summer 2025 targeting VMware vCenter environments. The group’s tooling and access patterns indicate a long-term espionage program rather than isolated intrusion activity.

Related Happenings

BRICKSTORM backdoor activity and GRIMBOLT replacement on appliances

Malware Activity
First: 18.02.2026 12:32 Last: 18.02.2026 12:32 Sources 1

About this happening: **BRICKSTORM** is a **Golang backdoor** used by **PRC state-sponsored actors** to keep **long-term persistence** on **VMware vSphere**, **Windows**, and appliance environments. **...

Pro-Russia hacktivist OT intrusion campaign against US critical infrastructure

Campaign
First: 10.12.2025 18:00 Last: 10.12.2025 18:00 Sources 1

About this happening: A coordinated **pro-Russia hacktivist** campaign is exploiting exposed **virtual network computing** connections and weak passwords to breach **operational technology (OT)** syste...

Warp Panda Brickstorm VMware vCenter targeting campaign

Campaign
First: 04.12.2025 20:19 Last: 04.12.2025 20:19 Sources 1

About this happening: A **Warp Panda** targeting campaign using **Brickstorm** reached **VMware vCenter** servers on the networks of **U.S. legal, technology, and manufacturing companies** throughout *...

BRICKSTORM backdoor persistent-access activity against VMware vCenter and Windows environments

Malware Activity
First: 04.12.2025 14:00 Last: 04.12.2025 14:00 Sources 1

About this happening: **BRICKSTORM** is being used by **PRC state-sponsored actors** for **persistent access** in **Government** and **Information Technology** organizations, increasing the risk of ste...

TWOSTROKE and DEEPROOT backdoor deployment in Middle East attacks

Malware Activity
First: 18.11.2025 14:54 Last: 18.11.2025 14:54 Sources 1

About this happening: The deployment of **TWOSTROKE** and **DEEPROOT** gave attackers persistent backdoor access for **reconnaissance**, **command execution**, and **data theft** against targeted organ...

Timeline

  1. 05.12.2025 02:00 2 articles · 5mo ago

    CrowdStrike discloses Warp Panda espionage campaign

    Initial Disclosure

    CrowdStrike identifies Warp Panda as a sophisticated cyber-espionage campaign targeting North American legal, technology and manufacturing firms, says the group has been active since at least 2022, and links summer 2025 activity to multiple VMware vCenter intrusions, BRICKSTORM, Junction and GuestConduit.

  2. 04.12.2025 02:00 1 article · 5mo ago

    BRICKSTORM persistence window extends through September 3, 2025

    Campaign Scope Update

    CISA analysis shows BRICKSTORM provided persistent access on victim systems from at least April 2024 through at least September 3, 2025, marking the end of a long-running persistence window tied to the campaign.

  3. 04.12.2025 02:00 1 article · 5mo ago

    CISA advisory confirms BRICKSTORM long-term persistence

    Detection IOC Update

    CISA publishes a joint advisory confirming a PRC state-sponsored cyber actor is using BRICKSTORM for long-term persistence on victim systems and noting that VMware vSphere platforms have been targeted.
