US Organizations Warned of Chinese Malware Used for Long-Term Persistence
securityweek
A sophisticated China-linked threat actor tracked as Warp Panda has been targeting legal, manufacturing, and technology organizations in the US with BrickStorm and other malware families.
Focusing on maintaining long-term access to the compromised networks, the Warp Panda APT exploits edge devices for initial access and then moves laterally to VMware vCenter servers using valid credentials or known vulnerabilities.
The threat actor has been observed using SSH and the privileged vCenter account vpxuser for lateral movement, relying on Secure File Transfer Protocol (SFTP) for data transfer between hosts, and tunneling traffic through the BrickStorm malware.
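The SSH, vpxuser and SFTP activity described above leaves traces in host authentication logs that defenders can alert on. The following detection sketch is an added example, not code from the article or from any vendor: it scans constructed OpenSSH-style sshd log lines (the format is an assumption about how an ESXi or Linux hypervisor's auth log looks), flags any accepted SSH login or SFTP subsystem request by a vCenter service account such as vpxuser, and summarizes which source hosts the logins came from. The account name list, log lines and `Alert` structure are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines in OpenSSH sshd syslog style (assumed format);
# these are not from any real incident.
SAMPLE_AUTH_LOG = """\
2024-03-01T02:11:03Z sshd[20101]: Accepted password for vpxuser from 10.20.30.40 port 51234 ssh2
2024-03-01T02:11:05Z sshd[20101]: subsystem request for sftp by user vpxuser
2024-03-01T03:40:12Z sshd[20188]: Accepted publickey for root from 10.0.0.5 port 44010 ssh2
2024-03-01T04:02:51Z sshd[20201]: Failed password for vpxuser from 10.20.30.41 port 51990 ssh2
2024-03-01T05:15:00Z sshd[20305]: Accepted password for vpxuser from 10.20.30.40 port 51300 ssh2
"""

# Successful interactive/key-based SSH login.
ACCEPT_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\S+) for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)
# SFTP subsystem request inside an already-accepted session (same sshd pid).
SFTP_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[(?P<pid>\d+)\]: subsystem request for sftp by user (?P<user>\S+)"
)

# Accounts that vCenter uses to manage hosts via its API; a human-style SSH
# session under them is worth reviewing. Hypothetical list for this example.
SERVICE_ACCOUNTS = ("vpxuser",)


@dataclass
class Alert:
    ts: str
    rule: str
    user: str
    src: str


def detect(log_text, service_accounts=SERVICE_ACCOUNTS):
    """Return alerts for SSH logins and SFTP sessions by service accounts."""
    alerts = []
    src_by_pid = {}  # sshd pid -> source address, to attribute SFTP requests
    for line in log_text.splitlines():
        m = ACCEPT_RE.match(line)
        if m:
            src_by_pid[m["pid"]] = m["src"]
            if m["user"] in service_accounts:
                alerts.append(Alert(m["ts"], "service_account_ssh_login", m["user"], m["src"]))
            continue
        m = SFTP_RE.match(line)
        if m and m["user"] in service_accounts:
            src = src_by_pid.get(m["pid"], "unknown")
            alerts.append(Alert(m["ts"], "service_account_sftp_session", m["user"], src))
    return alerts


def sources_by_user(alerts):
    """Map each flagged user to the set of source hosts seen, for pivot triage."""
    out = {}
    for a in alerts:
        out.setdefault(a.user, set()).add(a.src)
    return out


if __name__ == "__main__":
    for a in detect(SAMPLE_AUTH_LOG):
        print(f"{a.ts} {a.rule} user={a.user} src={a.src}")
    print(sources_by_user(detect(SAMPLE_AUTH_LOG)))
```

Because the article also notes that the actor clears logs on the compromised hosts, a rule like this is only useful if auth logs are forwarded off-host (for example to a syslog collector) before they can be wiped; run it over the collected copy, not the local file.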
Active since at least 2022, Warp Panda was also seen hiding its tracks by clearing logs, modifying file timestamps, and shutting down malicious VMs after use.
Additionally, it has used an ESXi-compatible version of 7-Zip to stage data for exfiltration, has relied on 7-Zip for extracting data from a non-ESXi Linux-based hypervisor, and has cloned ...
Copyright of this story solely belongs to securityweek.

