A China-nexus threat actor hacked into VMware vCenter environments at U.S.-based companies before deploying Brickstorm malware, security firm CrowdStrike warned in a blog post published Thursday.
The threat actor, tracked under the name Warp Panda, targeted multiple industries during the summer of 2025, including legal, technology and manufacturing firms.
Warp Panda has targeted entities mainly in North America and Asia Pacific in an effort to support strategic objectives of the Chinese Communist Party, according to CrowdStrike. These include economic competition, advancing their technology and growing regional influence.
“We’ve observed them access information related to topics aligned with Chinese government interests, sensitive data related to network-engineering and incident-response teams,” Adam Meyers, head of counter adversary operations at CrowdStrike, told Cybersecurity Dive. “The data they have accessed provides insight into proprietary technology, sensitive negotiation information, operations, and potentially how companies work with government partners.”
In addition to the Brickstorm malware deployment, the hackers also deployed JSP web shells and two Golang-based implants, tracked as Junction and Guest Conduit, targeting VMware ESXi hypervisor environments.
The hackers exploited internet-facing edge devices for initial access, before pivoting to vCenter environments using valid credentials or exploiting vulnerabilities in vCenter.
Officials at Broadcom acknowledged the threat warnings.
“We are aware of reports that cyber threat actors have used the Brickstorm malware within VMware installations after obtaining access to customer environments,” a spokesperson told Cybersecurity Dive via email.
Officials at Broadcom said customers should apply patches across all infrastructure, including VMware software, and take the recommended steps to secure vSphere environments.
Warp Panda has focused on maintaining long-term, persistent access during these attacks. In one incident, hackers gained initial access in 2023.
The alert coincided with an advisory from the Cybersecurity and Infrastructure Security Agency and the National Security Agency on Wednesday, warning about state-supported hackers using Brickstorm malware to target VMware vSphere platforms at government services and information technology providers.
CISA, the NSA and the Canadian Cyber Security Centre warned that hackers are stealing cloned virtual machine snapshots to extract credentials and create hidden, rogue virtual machines.
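The two behaviours named in that warning, cloning or snapshotting credential-bearing VMs and running VMs that vCenter does not know about, are both visible to a defender who reconciles host-level VM lists against the vCenter inventory and watches clone and snapshot events. The script below is an added illustration of those checks; it is not code from the article, CISA, NSA or CrowdStrike. All inputs are constructed sample data, the event type names follow vSphere's naming style but are assumed rather than taken from a live system, and the change window and approved account are placeholders.

```python
"""Constructed example: two checks against the snapshot-theft / rogue-VM
tradecraft described in the CISA/NSA advisory (not the agencies' own tooling)."""
from dataclasses import dataclass
from datetime import datetime, time

# Constructed: VMs as listed by the vCenter inventory.
VCENTER_INVENTORY = {"dc01", "fileserver01", "vcenter-backup", "app01"}

# Constructed: VMs as reported directly by each ESXi host (e.g. from a
# host-level listing gathered out of band). A VM present here but missing
# from vCenter is a candidate rogue VM.
HOST_VM_LISTS = {
    "esxi-host-01": {"dc01", "fileserver01", "maint-tmp"},
    "esxi-host-02": {"vcenter-backup", "app01"},
}

# Assumption: the defender has tagged which VMs hold credentials worth stealing.
CREDENTIAL_BEARING = {"dc01", "vcenter-backup"}
# Placeholder: the only account expected to clone/snapshot those VMs.
APPROVED_CLONE_ACCOUNTS = {"VSPHERE.LOCAL\\backup-svc"}
# Placeholder: 01:00-04:00 maintenance window.
CHANGE_WINDOW = (time(1, 0), time(4, 0))

# Assumed event type names, modelled on vSphere's naming style.
CLONE_LIKE_EVENTS = {"VmBeingClonedEvent", "VmClonedEvent", "VmSnapshotCreatedEvent"}


@dataclass(frozen=True)
class VcEvent:
    timestamp: datetime
    event_type: str
    vm: str
    user: str


# Constructed sample vCenter events: a legitimate backup job in the window,
# then clone/snapshot activity on credential-bearing VMs in the afternoon.
SAMPLE_EVENTS = [
    VcEvent(datetime(2025, 8, 14, 2, 10), "VmClonedEvent", "fileserver01", "VSPHERE.LOCAL\\backup-svc"),
    VcEvent(datetime(2025, 8, 14, 2, 12), "VmSnapshotCreatedEvent", "dc01", "VSPHERE.LOCAL\\backup-svc"),
    VcEvent(datetime(2025, 8, 15, 13, 47), "VmClonedEvent", "dc01", "VSPHERE.LOCAL\\administrator"),
    VcEvent(datetime(2025, 8, 15, 13, 52), "VmSnapshotCreatedEvent", "vcenter-backup", "VSPHERE.LOCAL\\administrator"),
    VcEvent(datetime(2025, 8, 15, 14, 0), "VmPoweredOnEvent", "app01", "VSPHERE.LOCAL\\administrator"),
]


def find_rogue_vms(host_vm_lists, vcenter_inventory):
    """Return sorted (host, vm) pairs for VMs a host runs but vCenter does not list."""
    rogue = []
    for host, vms in host_vm_lists.items():
        for vm in sorted(vms - vcenter_inventory):
            rogue.append((host, vm))
    return sorted(rogue)


def in_change_window(ts, window):
    start, end = window
    return start <= ts.time() < end


def suspicious_clone_events(events, credential_bearing, approved_accounts, window):
    """Flag clone/snapshot events on credential-bearing VMs that were run by an
    unapproved account or outside the change window; returns
    (timestamp, vm, user, reasons) tuples in event order."""
    hits = []
    for ev in events:
        if ev.event_type not in CLONE_LIKE_EVENTS or ev.vm not in credential_bearing:
            continue
        reasons = []
        if ev.user not in approved_accounts:
            reasons.append("unapproved account")
        if not in_change_window(ev.timestamp, window):
            reasons.append("outside change window")
        if reasons:
            hits.append((ev.timestamp.isoformat(), ev.vm, ev.user, ", ".join(reasons)))
    return hits


if __name__ == "__main__":
    for host, vm in find_rogue_vms(HOST_VM_LISTS, VCENTER_INVENTORY):
        print(f"ROGUE VM: {vm} running on {host} but absent from vCenter inventory")
    for hit in suspicious_clone_events(SAMPLE_EVENTS, CREDENTIAL_BEARING, APPROVED_CLONE_ACCOUNTS, CHANGE_WINDOW):
        print("SUSPICIOUS CLONE/SNAPSHOT:", hit)
```

The rogue-VM check only works if the host-level VM list is collected independently of vCenter, since a VM deliberately hidden from the inventory will not appear in vCenter's own view; the event check is only as good as the tagging of credential-bearing VMs and the accuracy of the approved-account list.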
CISA has collected eight malware samples from targeted organizations. In one case, the organization learned that hackers had remained inside its network from April 2024 through September 2025.
In September, researchers at Google Threat Intelligence Group warned of state-linked hackers deploying Brickstorm malware in supply chain attacks against technology firms and SaaS providers.
GTIG said state-linked actors are evolving their use of Brickstorm in continued attacks targeting U.S. organizations.
“This campaign highlights a broader trend of China-nexus actors targeting devices like network appliances, which often lack sufficient security monitoring,” Austin Larsen, principal threat analyst at GTIG, told Cybersecurity Dive via email. “The goal of this long-running campaign is to steal sensitive data from U.S.-based organizations for strategic advantage.”
Editor’s note: Updates story with comment from CrowdStrike and Broadcom.