
The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Canadian Centre for Cyber Security (Cyber Centre) issued a joint advisory today, warning of a sophisticated new malware campaign orchestrated by People’s Republic of China (PRC) state-sponsored cyber actors.
The advisory details “BRICKSTORM,” a formidable backdoor designed to establish long-term persistence within critical government and information technology networks, specifically targeting VMware vSphere and Windows environments.
BRICKSTORM is described as a custom Go-based backdoor that employs advanced tradecraft to evade detection while granting attackers total control over compromised systems.
BRICKSTORM Attacking VMware ESXi and Windows
Unlike run-of-the-mill malware, BRICKSTORM is engineered for deep integration into virtualized infrastructure. It targets VMware vCenter servers and ESXi hosts, allowing threat actors to manipulate virtual machines directly.

The malware’s command-and-control (C2) mechanisms are particularly resilient. BRICKSTORM utilizes DNS-over-HTTPS (DoH) to resolve malicious domains through legitimate public resolvers like Cloudflare and Google, effectively blending its traffic with normal network noise.
Once a C2 server is located, the malware establishes a connection using standard HTTPS, which is then upgraded to a WebSocket connection nested with additional layers of Transport Layer Security (TLS) encryption.
This complex tunneling method, often using multiplexing libraries like smux or Yamux, allows the attackers to run multiple data streams, such as interactive shells and file transfers, inside a single encrypted connection.
The joint advisory highlights a specific incident where PRC actors maintained access to a victim’s network from April 2024 through at least September 2025.
In this case, attackers initially compromised a web server in the organization’s Demilitarized Zone (DMZ) before pivoting laterally to internal domain controllers and an Active Directory Federation Services (ADFS) server.
Once inside the internal network, the actors deployed BRICKSTORM to a VMware vCenter server. From this vantage point, they could steal snapshots of virtual machines to extract credentials and potentially create “rogue” VMs that operate invisibly alongside legitimate workloads.
The report notes that the actors successfully compromised the ADFS server to export cryptographic keys, a critical breach that could allow for the forging of authentication tokens.
| Capability | Description |
|---|---|
| Self-Preservation | Includes a “self-watcher” function that automatically reinstalls the malware if the process is terminated or disrupted. |
| Protocol Tunneling | Implements SOCKS proxies to tunnel traffic via TCP, UDP, and ICMP, facilitating stealthy lateral movement across segmented networks. |
| Virtualization Targeting | Specific variants use Virtual Socket (VSOCK) interfaces for inter-VM communication, allowing data exfiltration without standard network monitoring. |
CISA and its partners are urging organizations, particularly those in government and critical infrastructure sectors, to hunt for BRICKSTORM indicators of compromise (IOCs) immediately.
The advisory recommends prioritizing upgrading VMware vSphere servers to the latest versions and strictly limiting network connectivity from edge devices to internal resources.
Network administrators are advised to block unauthorized DoH traffic to prevent the malware from resolving its C2 infrastructure and to increase monitoring on service accounts, which were heavily abused during the observed attacks.
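The two network traits the advisory describes, DoH lookups sent to public resolvers and HTTPS sessions upgraded to WebSocket tunnels, are also the traits the blocking and monitoring advice above relies on. The following Python script is an added example, not code from the advisory or the agencies, that turns them into hunt logic over a few constructed web-proxy log lines. The log format, the list of public DoH endpoints, the WebSocket allowlist and the severity scheme are assumptions made for the example; a real deployment would feed it proxy or Zeek records and its own allowlists.

```python
"""
Hunt for two BRICKSTORM-style C2 traits over constructed proxy log lines:
(1) DNS-over-HTTPS requests to public resolvers from hosts that should use
    the internal DNS, and
(2) HTTPS sessions upgraded to WebSocket (status 101) toward hosts that are
    not known WebSocket services, which is where the malware nests its
    multiplexed tunnel.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumption: the organisation resolves names only through internal DNS, so
# any DoH request to a public endpoint is worth a look. These are well-known
# public DoH hostnames, not indicators taken from the advisory.
PUBLIC_DOH_HOSTS = {"cloudflare-dns.com", "one.one.one.one", "dns.google"}
DOH_PATHS = ("/dns-query", "/resolve")

# Constructed log format: "<ts> <src_ip> <method> <host><path> <status> <upgrade>"
SAMPLE_LOG = """\
2025-09-01T10:00:01Z 10.20.0.15 GET intranet.example.local/ 200 -
2025-09-01T10:00:04Z 10.20.0.15 POST cloudflare-dns.com/dns-query 200 -
2025-09-01T10:00:05Z 10.20.0.15 GET 203.0.113.45/ws 101 websocket
2025-09-01T10:00:09Z 10.20.0.42 GET www.example.com/ 200 -
2025-09-01T10:01:13Z 10.20.0.15 GET dns.google/resolve?name=x 200 -
2025-09-01T10:02:00Z 10.20.0.77 GET chat.example.com/socket 101 websocket
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) ([^/\s]+)(/\S*) (\d{3}) (\S+)$")


@dataclass(frozen=True)
class Event:
    ts: str
    src: str
    method: str
    host: str
    path: str
    status: int
    upgrade: str


def parse_line(line: str):
    """Parse one constructed log line; return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, host, path, status, upgrade = m.groups()
    return Event(ts, src, method, host, path, int(status), upgrade)


def is_public_doh(ev: Event) -> bool:
    """DoH request: public resolver host plus a DoH query path."""
    return ev.host in PUBLIC_DOH_HOSTS and ev.path.startswith(DOH_PATHS)


def is_websocket_upgrade(ev: Event) -> bool:
    """HTTP 101 Switching Protocols with an Upgrade to WebSocket."""
    return ev.status == 101 and ev.upgrade.lower() == "websocket"


def hunt(log_text: str, ws_allowlist=frozenset({"chat.example.com"})) -> dict:
    """Return per-source findings; a host showing both traits is rated high."""
    doh = defaultdict(set)
    ws = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if is_public_doh(ev):
            doh[ev.src].add(ev.host)
        elif is_websocket_upgrade(ev) and ev.host not in ws_allowlist:
            ws[ev.src].add(ev.host)

    findings = {}
    for src in set(doh) | set(ws):
        if src in doh and src in ws:
            severity = "high"      # DoH resolution followed by a tunnel: the full pattern
        elif src in doh:
            severity = "medium"    # policy violation worth checking on its own
        else:
            severity = "low"       # unexpected WebSocket endpoint only
        findings[src] = {
            "doh_hosts": sorted(doh.get(src, set())),
            "websocket_hosts": sorted(ws.get(src, set())),
            "severity": severity,
        }
    return findings


if __name__ == "__main__":
    for src, finding in sorted(hunt(SAMPLE_LOG).items()):
        print(src, finding)
```

In the sample, 10.20.0.15 queries two public DoH resolvers and then upgrades a session to a bare IP address, so it is rated high; the WebSocket session from 10.20.0.77 goes to an allowlisted service and produces no finding. The elif ordering matters: a DoH request can never also count as a tunnel, which keeps the two signals independent when scoring.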
The agencies emphasized that because BRICKSTORM modifies system initialization files (such as /etc/sysconfig/init) to survive reboots, standard forensic scans of running processes may need to be supplemented with disk-based analysis to detect these static persistence mechanisms.
