Junction
Junction is a previously undocumented Golang-based implant used in VMware ESXi environments. CrowdStrike reported it being deployed on ESXi hosts alongside the BRICKSTORM malware family and the related GuestConduit implant, which runs in guest VMs. The malware has been attributed in reporting to the China-nexus threat actor WARP PANDA, and its use has been observed in intrusions targeting VMware vCenter environments at U.S.-based legal, technology, and manufacturing organizations. Reported intrusion chains commonly involved exploitation of internet-facing edge devices, pivoting into vCenter with valid credentials or vCenter vulnerability exploitation, and lateral movement using SSH and the privileged vCenter account vpxuser. High-confidence functionality described for Junction includes acting as an HTTP server, executing commands, proxying traffic, and interacting with guest VMs via VSOCK. It has been reported to masquerade as a legitimate ESXi service by listening on port 8090, a port associated in the reporting with VMware vvold. Junction appears designed to support covert communication within virtualized environments and to facilitate tunneling between ESXi hosts and guest VMs in conjunction with GuestConduit, which establishes a VSOCK listener on port 5555. Its deployment has been reported as part of stealth-focused, long-term persistence operations in VMware ecosystems.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
CrowdStrike observed the same threat group deploying previously unknown Junction and GuestConduit malware implants in VMware ESXi environments.
Techniques & procedures
2 distinct techniques documented for this family, organized by ATT&CK tactic.
Persistence
2 techniques: “deploying JSP web shells and BRICKSTORM on VMware vCenter servers”
Privilege Escalation
1 technique
Recent activity
7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Previously unobserved Golang-based implant deployed in PRC-nexus intrusions, positioned on ESXi hosts for covert, persistent access.
A previously undocumented Golang implant deployed on ESXi hosts that acts as an HTTP server and supports command execution, proxying network traffic, and interacting with guest VMs via VSOCK.
Junction is a newly identified Golang-based implant used by WARP PANDA for persistent access and espionage operations within targeted VMware and cloud environments. It is part of a sophisticated toolkit designed for long-term covert operations.
Junction is a Go-based implant used by Chinese threat actors for persistent access on ESXi hosts as part of multi-stage intrusions targeting VMware environments.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.