TL;DR: CrowdStrike reports that WARP PANDA used internet-facing edge devices, valid credentials, and cloud session tokens to persist in VMware and Microsoft 365 environments, while staging data and registering MFA devices to retain access. That pattern reinforces that identity and session control, not perimeter assumptions, is now the decisive control plane.
At a glance
What this is: This is an analysis of WARP PANDA's intrusion tradecraft, showing how compromised credentials, vCenter access, and cloud session replay enabled persistent access across virtualised and SaaS environments.
Why it matters: For IAM and NHI practitioners, it shows that privileged service accounts, user sessions, and MFA enrolment paths can all become persistence mechanisms when identity controls are not tightly scoped.
By the numbers:
- In one intrusion, initial access was gained in late 2023 and persisted into summer 2025.
- CVE-2024-21887
- CrowdStrike said WARP PANDA has been active since at least 2022 and targeted entities across North America.
👉 Read CrowdStrike's analysis of WARP PANDA and identity abuse in cloud environments
Context
WARP PANDA is a useful case study because the core problem is not just intrusion, it is identity misuse across infrastructure and cloud layers. When valid credentials, session tokens, and privileged management accounts are available, attackers can blend into normal administration and keep access long after the initial compromise. For NHI governance, the lesson is that machine and human identities can be abused in the same operational path.
The article focuses on a threat actor that moved from internet-facing edge devices into virtualisation and cloud services, then used those footholds to stage data, maintain persistence, and widen access. That is not an isolated pattern; it is increasingly typical of modern intrusion chains where identity, not malware alone, determines how far the attacker can go.
Key questions
Q: How should security teams govern privileged non-human identities in virtualisation environments?
A: Security teams should treat virtualisation management accounts as high-risk non-human identities with separate ownership, scoped permissions, and continuous review. Access should be limited to the smallest set of hosts and workflows, with alerting on SSH, snapshot access, and any action that bypasses the normal management path. The goal is to reduce the blast radius of one compromised admin credential.
Q: Why do session tokens create risk even when passwords are unchanged?
A: Session tokens can preserve authenticated access after the original password is changed, which means the attacker may remain active until the token expires or is revoked. This is why token lifetime, revocation, and anomaly detection matter. Organisations should treat token theft as a persistence event, not a low-grade authentication issue.
Q: What is the difference between least privilege for users and least privilege for NHIs?
A: User least privilege focuses on human tasks and interactive workflows, while NHI least privilege must account for automation, APIs, and machine-to-machine reach. Non-human identities often have broader and longer-lived access, so the control objective is not just fewer permissions. It is tighter scope, shorter duration, and stronger monitoring of what each identity can actually do.
Q: When should organisations treat MFA enrolment as a security incident?
A: Organisations should treat unexpected MFA enrolment, device registration, or authenticator changes as a security incident when the event is not part of a planned access change. Those actions can be used to establish persistence after initial compromise. The response should include revocation, session review, and confirmation that no recovery path was abused.
Technical breakdown
How valid credentials become a control-plane foothold
In this intrusion pattern, the attacker does not need to break every layer. Once an edge device, vCenter account, or cloud token is available, the adversary can use legitimate authentication to operate inside trusted workflows. That matters because vCenter, Azure, and Microsoft 365 all expose administrative APIs and session-based access paths that can look normal unless defenders correlate identity, device, and action context. The risk is compounded when privileged accounts such as management service identities are reusable across environments or are not tightly monitored for unusual transport methods like SSH or session replay.
Practical implication: Monitor privileged identity use for context mismatch, not just failed logins.
Why session tokens and MFA enrolment are persistence mechanisms
Session tokens can survive password resets and let an attacker act as an already authenticated user until the token expires or is revoked. In the case described, the adversary also registered a new MFA device, which is a form of account manipulation that can outlast the initial access vector if governance is weak. For IAM teams, this means authentication state, device registration, and recovery workflows are part of the attack surface. If those paths are not protected by step-up checks and alerting, the attacker can rebuild access after disruption.
Practical implication: Treat token theft and MFA enrolment as high-risk identity events, not routine user activity.
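The session-survives-reset problem described above, as an added example that is not code from the CrowdStrike report or from NHIMG: a toy session store where a password change leaves a stolen token valid, and a revocation cut-off (all sessions issued before a given instant are rejected) ends it. Identity names, token values and times are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Added example, not code from the CrowdStrike report or NHIMG: a toy session
# store showing why a password change alone leaves a stolen session usable and
# what a revocation event has to change. All names and times are constructed.

@dataclass
class Session:
    subject: str
    issued_at: datetime
    lifetime: timedelta = timedelta(hours=24)

class SessionStore:
    def __init__(self):
        self.sessions: dict[str, Session] = {}
        self.password_changed_at: dict[str, datetime] = {}
        # Per identity: sessions issued before this instant are rejected.
        self.sessions_invalid_before: dict[str, datetime] = {}

    def issue(self, token, subject, now):
        self.sessions[token] = Session(subject, now)

    def change_password(self, name, now):
        # Weak response on its own: the credential changes, but every
        # already-issued session keeps working until it expires.
        self.password_changed_at[name] = now

    def revoke_all_sessions(self, name, now):
        # Strong response: anything issued before 'now' is rejected, whatever
        # lifetime it has left. Pair with MFA/device review on risk events.
        self.sessions_invalid_before[name] = now

    def validate(self, token, now):
        s = self.sessions.get(token)
        if s is None or now >= s.issued_at + s.lifetime:
            return False  # unknown or naturally expired
        cutoff = self.sessions_invalid_before.get(s.subject)
        return cutoff is None or s.issued_at >= cutoff

def scenario():
    # Stolen token checked after a password reset, then after revocation.
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    h = lambda n: t0 + timedelta(hours=n)
    store = SessionStore()
    store.issue("tok-stolen", "svc-vcenter-backup", h(1))
    store.change_password("svc-vcenter-backup", h(2))
    after_reset = store.validate("tok-stolen", h(3))   # True: reset did nothing
    store.revoke_all_sessions("svc-vcenter-backup", h(4))
    after_revoke = store.validate("tok-stolen", h(5))  # False
    return after_reset, after_revoke
```

In a real identity provider the cut-off is the per-account "sign-in sessions revoked" timestamp; the point is that a password reset and a session revocation are separate events and the response must trigger both.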
How virtualisation layers amplify identity blast radius
Virtualisation management planes are powerful because they sit above many workloads and can expose snapshots, guest VMs, and host-level control. The article shows how access to vCenter enabled actions such as lateral movement, file staging, and interaction with guest environments. In practice, this turns one management identity into a multiplier for access scope. NHI governance has to account for the blast radius of management accounts, service credentials, and automation identities that can reach both infrastructure and data planes.
Practical implication: Scope virtualisation and cloud admin identities separately and review their downstream reach regularly.
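The downstream-reach idea in the two paragraphs above, as an added example (not code from the CrowdStrike report or NHIMG): a constructed reach graph over vCenter, hosts, guests, snapshots and M365, with a breadth-first walk that measures each identity's blast radius and a helper that shows what cutting one edge buys. Node and identity names are assumptions.

```python
from collections import deque

# Added example, not code from the CrowdStrike report or NHIMG. The reach graph
# is constructed: an edge A -> B means A can administer, read or move into B.
# It measures the downstream reach (blast radius) of each identity.
REACH = {
    "vcenter-admin":     ["vcenter"],
    "backup-svc":        ["vcenter:snapshots"],
    "m365-mail-reader":  ["m365:mailboxes"],
    "vcenter":           ["esxi-01", "esxi-02", "vcenter:snapshots", "vcenter:ssh"],
    "esxi-01":           ["vm-dc01", "vm-fileserver"],
    "esxi-02":           ["vm-app01"],
    "vcenter:snapshots": ["vm-dc01:disk", "vm-fileserver:disk"],
    "vm-dc01":           ["ad-domain"],
    "vm-dc01:disk":      ["ad-domain"],      # a DC disk image carries directory secrets
    "ad-domain":         ["m365:mailboxes"], # directory identities are synced to M365
}

def blast_radius(identity, graph=REACH):
    """Every node reachable from one identity, mapped to its hop distance."""
    seen = {identity: 0}
    queue = deque([identity])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in seen:
                seen[nxt] = seen[node] + 1
                queue.append(nxt)
    seen.pop(identity)
    return seen

def rank_identities(identities, graph=REACH):
    """Identities ordered by reach size, largest first, to prioritise review."""
    sizes = [(i, len(blast_radius(i, graph))) for i in identities]
    return sorted(sizes, key=lambda x: -x[1])

def scoped_reach(identity, removed_edges, graph=REACH):
    """Reach after cutting edges: tests what narrowing a role actually buys."""
    pruned = {k: [v for v in vs if (k, v) not in removed_edges]
              for k, vs in graph.items()}
    return blast_radius(identity, pruned)
```

Note that the narrowly named backup-svc still reaches the directory and mailboxes through snapshot disks, which is the "larger than its label suggests" effect in practice.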
Threat narrative
Attacker objective: The objective was durable, covert access for intelligence collection across virtualised infrastructure and cloud data stores.
- Entry occurred through internet-facing edge devices and vCenter environments, where the attacker used exploit chains or valid credentials to gain trusted access.
- Escalation followed through privileged management accounts, session tokens, SSH movement, and MFA device registration that extended persistence across cloud and virtualisation layers.
- Impact came from covert access to VMware and Microsoft 365 data, including staging files, accessing mailboxes, and maintaining long-term intelligence collection access.
Breaches seen in the wild
- Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity blast radius is the real unit of risk in modern intrusion chains. WARP PANDA did not need to own every system equally. It needed enough identity leverage to move from edge exposure into vCenter, then into cloud collaboration data and mailboxes. That is the governance problem practitioners should recognise: a single management identity can create a much larger operational footprint than its label suggests. The practical conclusion is to measure and limit downstream reach, not just assign ownership.
Session security now sits inside NHI governance, not beside it. When attackers use session replay, stolen tokens, or MFA enrolment to sustain access, the boundary between human identity control and non-human access control disappears. This is especially relevant where automation, admin consoles, and cloud services reuse session-based trust. Organisations that treat token lifetimes, device registration, and recovery flows as secondary controls are leaving the persistence layer open. The practitioner takeaway is to govern sessions as first-class identities.
Virtualisation management accounts should be treated as high-value non-human identities. vCenter and ESXi management identities can touch hosts, guests, snapshots, and data movement paths. That makes them structurally more sensitive than ordinary service accounts, even when their purpose is narrow. The case shows that attackers seek these accounts because they multiply access without immediately triggering standard endpoint signals. The implication for defenders is to bring management-plane identities into the same least-privilege and review discipline applied to other privileged NHIs.
Persistent access is now built from legitimate workflows, not just malware. The intrusion chain combined exploitation, valid credentials, administrative tools, and cloud APIs. That combination matters because modern detection cannot depend on malware signatures alone. Identity governance, API monitoring, and admin workflow baselining must work together. Practitioners should assume the adversary will prefer the cleanest path through approved mechanisms and design controls that detect misuse within those mechanisms.
From our research:
- Organisations that describe themselves as confident in their AI deployment actually experience a 72% security incident rate, compared to 33% for those who remain cautious, according to The 2026 Infrastructure Identity Survey.
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
- For a practical control baseline, compare that readiness gap with the NHI Lifecycle Management Guide and tighten lifecycle controls before autonomy expands further.
What this signals
Identity-led threat detection needs to move closer to the management plane. WARP PANDA's tradecraft shows that persistence often rides on legitimate admin paths, token use, and device registration rather than obvious malware execution. For most programmes, that means cloud audit logs, MFA enrolment events, and privileged session telemetry need to be correlated as a single identity story, not separate alerts.
Ephemeral access only helps when revocation is real. If sessions, tokens, and recovery pathways remain active after a compromise is suspected, the attacker can outlive the initial response. Organisations should align identity governance with Zero Standing Privilege and session-control practices so that each access grant is short, observable, and removable without relying on password changes alone.
The governance gap widens as infrastructure becomes more autonomous. With 70% of organisations granting AI systems more access than human employees in the 2026 Infrastructure Identity Survey, the same over-permissioning pattern that helps attackers survive in cloud and virtualisation environments will also weaken agentic AI controls unless teams separate human, service, and agent authority more aggressively.
For practitioners
- Inventory management-plane identities: Map every account that can administer vCenter, ESXi, cloud tenants, and collaboration platforms. Separate human admin identities from service and automation identities, and record which systems each one can reach.
- Harden session and token controls: Shorten token lifetimes where business use allows it, revoke sessions on risk events, and alert on replay-like behaviour such as access from new locations or unusual user agents.
- Protect MFA enrolment paths: Require step-up verification for new device registration, recovery changes, and authenticator code-based enrolment. Treat those events as persistence attempts until proven otherwise.
- Review privileged cloud API access: Audit Graph, Azure, and other administrative API use for enumeration, mailbox access, and directory role discovery. Restrict who can query high-value metadata and log every administrative action.
- Add identity-led detection to virtualisation monitoring: Correlate SSH to vCenter accounts, unexpected use of vpxuser, snapshot access, and guest VM movement with identity context so analysts can distinguish normal administration from covert access.
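The correlation the practitioner list above calls for (new-location sign-ins, unusual user agents, unplanned MFA enrolment, and interactive SSH by a vCenter-internal account), as an added example that is not code from the CrowdStrike report or NHIMG. The events, the 90-day country baseline, the planned-change list and the log field names are all constructed assumptions about a normalised identity log.

```python
from datetime import datetime, timedelta

# Added example, not code from the CrowdStrike report or NHIMG. Events, baseline
# and planned-change list are constructed; field names are assumptions about a
# normalised identity log. It builds one "identity story" per account.
EVENTS = [
    {"ts": "2025-06-01T08:00:00", "user": "alice",   "type": "signin",       "country": "GB", "ua": "Edge/124"},
    {"ts": "2025-06-01T21:10:00", "user": "alice",   "type": "signin",       "country": "NL", "ua": "python-requests/2.31"},
    {"ts": "2025-06-01T21:14:00", "user": "alice",   "type": "mfa_register", "country": "NL", "ua": "python-requests/2.31"},
    {"ts": "2025-06-02T02:00:00", "user": "vpxuser", "type": "ssh_login",    "host": "esxi-07"},
    {"ts": "2025-06-02T09:00:00", "user": "bob",     "type": "signin",       "country": "GB", "ua": "Edge/124"},
    {"ts": "2025-06-02T09:05:00", "user": "bob",     "type": "mfa_register", "country": "GB", "ua": "Edge/124"},
]
BASELINE = {"alice": {"GB"}, "bob": {"GB"}}   # countries seen per user in the last 90 days
PLANNED_MFA_CHANGES = {"bob"}                  # enrolments covered by a change ticket
SERVICE_ACCOUNTS_NO_SSH = {"vpxuser"}          # vCenter-internal identities, never interactive
BROWSER_UA_PREFIXES = ("Edge/", "Chrome/", "Firefox/", "Safari/")
WINDOW = timedelta(hours=24)                   # how long a risky sign-in taints later events

def correlate(events, baseline=BASELINE, planned=PLANNED_MFA_CHANGES):
    """Return {user: [(severity, finding), ...]} for accounts with any finding."""
    findings, last_risky_signin = {}, {}
    for e in sorted(events, key=lambda e: e["ts"]):
        ts, user = datetime.fromisoformat(e["ts"]), e["user"]
        hits = findings.setdefault(user, [])
        if e["type"] == "signin":
            if e["country"] not in baseline.get(user, set()):
                hits.append(("medium", "signin_from_new_country"))
                last_risky_signin[user] = ts
            if not e["ua"].startswith(BROWSER_UA_PREFIXES):
                hits.append(("medium", "non_browser_user_agent"))
        elif e["type"] == "mfa_register" and user not in planned:
            # Enrolment shortly after a risky sign-in is the persistence pattern;
            # an unplanned enrolment on its own still warrants review.
            recent = last_risky_signin.get(user)
            if recent is not None and ts - recent <= WINDOW:
                hits.append(("high", "mfa_enrolment_after_new_country_signin"))
            else:
                hits.append(("medium", "unplanned_mfa_enrolment"))
        elif e["type"] == "ssh_login" and user in SERVICE_ACCOUNTS_NO_SSH:
            hits.append(("high", "interactive_ssh_by_service_account"))
    return {u: h for u, h in findings.items() if h}
```

Bob's planned enrolment produces nothing, while Alice's story escalates from two medium signals to a high one only because the events are read together rather than as separate alerts.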
Key takeaways
- WARP PANDA illustrates that modern intrusions often pivot through valid identities, not just exploit payloads.
- Session tokens, MFA enrolment, and privileged management accounts can each become persistence mechanisms when governance is weak.
- Practitioners should focus on identity blast radius, revocation speed, and management-plane monitoring rather than perimeter-only detection.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Persistent access and privilege scope map directly to NHI credential lifecycle risk. |
| NIST CSF 2.0 | PR.AC-4 | Least privilege and access enforcement apply to admin accounts and cloud sessions. |
| NIST Zero Trust (SP 800-207) | AC-4 | Zero Trust requires continuous verification for sessions, tokens, and admin paths. |
Review NHI-03 controls and shorten credential exposure windows for privileged management identities.
Key terms
- Identity Blast Radius: The extent of systems, data, and administrative reach that one identity can affect if it is compromised. For non-human identities, blast radius is often larger than the account label suggests because automation, APIs, and management planes can cascade access across environments.
- Session Replay: A technique where an attacker reuses a captured authenticated session token to act as the victim without knowing the password. In modern cloud environments, replay can bypass traditional login controls and persist until the token is revoked or naturally expires.
- Management-Plane Identity: An identity used to control infrastructure, virtualisation, or cloud administration tasks rather than a business application. These identities are highly sensitive because they can change configurations, access snapshots, and move laterally across workloads with a single authenticated action.
- MFA Enrolment Abuse: The misuse of device registration or authenticator setup flows to create attacker-controlled persistence. If these workflows are weakly protected, an intruder can add a new second factor and maintain access even after the original compromise is discovered.
Deepen your knowledge
Identity blast radius, privileged sessions, and lifecycle governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are tightening controls around virtualisation and cloud administration, it is worth exploring.
This post draws on content published by CrowdStrike: WARP PANDA intrusion analysis and cloud identity abuse tradecraft. Read the original.
Published by the NHIMG editorial team on 2026-05-22.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org