Chinese State Hackers Use New BRICKSTORM Malware Against VMware Systems – Hackread – Cybersecurity News, Data Breaches, Tech, AI, Crypto and More


Major security agencies from the US and Canada have issued a joint advisory about BRICKSTORM, a backdoor believed to be used by hackers sponsored by the People’s Republic of China (PRC).

The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) from the US, and the Canadian Centre for Cyber Security (Cyber Centre) say these hackers are using the tool to sneak into critical networks and stay hidden for long periods.

What Is BRICKSTORM and Who’s at Risk?

BRICKSTORM is a backdoor that gives attackers a covert, persistent foothold on a compromised system. Written in Go, which lets it be built for both Windows and Linux environments, it primarily targets organisations in the Government Services and Facilities and Information Technology sectors, CISA explained in its press release published on December 4, 2025.

CISA also notes that the hackers are especially focused on VMware vSphere platforms, which manage fleets of virtual machines. Once a hacker gains access, they can copy snapshots of virtual machines and extract usernames and passwords from them offline, and even register their own hidden virtual machines inside the environment.

This persistent access was observed lasting from April 2024 until at least September 3, 2025. Hackread.com previously reported on the activity in September, when the hackers were observed targeting US legal, technology, and business outsourcing firms.

How the Attacks Work

According to CISA’s Malware Analysis Report (PDF), the agency analysed eight BRICKSTORM samples obtained from compromised organisations to help others detect and remove the threat. In one case, the state-sponsored hackers first broke into a web server in the victim’s DMZ, the internet-facing network segment that sits between the perimeter and the internal network.

From there, they used stolen service account credentials, which are typically highly privileged and trusted across many systems, to move laterally into other crucial systems, including domain controllers and an Active Directory Federation Services (ADFS) server. They then deployed BRICKSTORM onto an internal VMware vCenter server.

Once installed, the malware persists by using a built-in routine that reinstalls it if it is stopped or removed. It also wraps its command-and-control traffic in multiple layers of encryption, so communication with the hackers’ infrastructure is hard to spot with network monitoring alone.

While all samples gave the hackers stealthy control, they differed in minor ways, such as how they achieved persistence or whether they included a SOCKS proxy feature that lets the operators tunnel deeper into a victim’s network through the implant.

The agencies are strongly urging all affected organisations to use the newly released indicators of compromise (IOCs) and detection signatures to check their systems and immediately report any sign of BRICKSTORM activity.
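Beyond matching the published IOCs, the vSphere abuses described above (hidden virtual machines and snapshots of credential-bearing VMs) can be hunted for structurally. The script below is an added example, not code from CISA, Hackread or the advisory. It reconciles a vCenter inventory export against the .vmx files found on datastores and flags VMs that exist on disk but not in the inventory, VMs registered outside the folders the organisation uses, and fresh snapshots of VMs whose names suggest domain controllers or ADFS servers. The export shape, the sample data and the “sensitive” name prefixes are assumptions for illustration; in practice the lists would come from PowerCLI or govc output.

```python
# Added hunting example (not code from CISA, Hackread or the BRICKSTORM
# advisory). The inventory shape, sample data and name prefixes below are
# assumptions; feed real values from PowerCLI or govc exports.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class VM:
    name: str
    vmx_path: str                      # e.g. "[ds1] DC01/DC01.vmx"
    folder: str                        # vCenter inventory folder path
    snapshots: list = field(default_factory=list)  # [(snapshot name, created)]


def unregistered_vmx(inventory, datastore_vmx):
    """Return .vmx files on datastores that no inventory VM points to.

    A VM can be registered directly on an ESXi host, or removed from the
    vCenter inventory while its files stay on disk; either way it is
    invisible to anyone who only looks at the vCenter VM list."""
    registered = {vm.vmx_path for vm in inventory}
    return sorted(p for p in datastore_vmx if p not in registered)


def recent_snapshots(inventory, now, window_hours=72,
                     sensitive_prefixes=("dc", "adfs")):
    """Return (vm, snapshot) pairs for snapshots of credential-bearing VMs
    taken inside the window. A snapshot of a domain controller's disk
    carries the directory database that credentials are pulled from."""
    cutoff = now - timedelta(hours=window_hours)
    hits = []
    for vm in inventory:
        if not vm.name.lower().startswith(sensitive_prefixes):
            continue
        for snap_name, created in vm.snapshots:
            if created >= cutoff:
                hits.append((vm.name, snap_name))
    return hits


def misplaced_vms(inventory, expected_folders):
    """Return VMs that sit outside the folders the organisation normally uses."""
    return [vm.name for vm in inventory if vm.folder not in expected_folders]


def hunt(inventory, datastore_vmx, expected_folders, now):
    return {
        "unregistered_vmx": unregistered_vmx(inventory, datastore_vmx),
        "recent_snapshots": recent_snapshots(inventory, now),
        "misplaced_vms": misplaced_vms(inventory, expected_folders),
    }


# Constructed sample data (not real hosts, paths or findings).
SAMPLE_NOW = datetime(2025, 9, 3, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    VM("DC01", "[ds1] DC01/DC01.vmx", "Production/Identity",
       snapshots=[("pre-patch", SAMPLE_NOW - timedelta(days=30)),
                  ("tmp", SAMPLE_NOW - timedelta(hours=5))]),
    VM("ADFS01", "[ds1] ADFS01/ADFS01.vmx", "Production/Identity"),
    VM("web-dmz-01", "[ds2] web-dmz-01/web-dmz-01.vmx", "DMZ"),
    # Registered in a folder outside the ones the organisation uses.
    VM("vcenter-backup", "[ds2] .hidden/vcenter-backup.vmx",
       "Discovered virtual machine"),
]
SAMPLE_DATASTORE_VMX = [
    "[ds1] DC01/DC01.vmx",
    "[ds1] ADFS01/ADFS01.vmx",
    "[ds2] web-dmz-01/web-dmz-01.vmx",
    "[ds2] .hidden/vcenter-backup.vmx",
    "[ds1] DC01-clone/DC01-clone.vmx",   # on disk, never in the inventory
]
SAMPLE_FOLDERS = {"Production/Identity", "DMZ"}


def run_sample():
    return hunt(SAMPLE_INVENTORY, SAMPLE_DATASTORE_VMX, SAMPLE_FOLDERS, SAMPLE_NOW)


if __name__ == "__main__":
    for check, findings in run_sample().items():
        print(f"{check}: {findings}")
```

Each check is deliberately independent of any malware signature: an attacker who rebuilds the implant still has to leave a VM on a datastore or take a snapshot to get at credentials, and those artefacts show up in the inventory and datastore listings regardless of how the backdoor itself is packaged.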

BRICKSTORM Operational Flow and Malware Initiation (Image via CISA)

Expert View: Targeting the Virtualisation Foundation

Commenting exclusively on the advisory, Ensar Seker, CISO at threat intel company SOCRadar, shared with Hackread.com that: “What’s especially alarming about this campaign is that it targets the virtualisation layer itself, not the OS or applications, which historically receives less attention.”

Seker stressed that once the management console (vCenter) is compromised, attackers “gain broad visibility over the virtual infrastructure and can bypass many traditional endpoint defences.”

He concluded that this malware “isn’t just another malware campaign. It’s a wake-up call showing that adversaries are shifting upward in the stack, targeting the foundations of virtualisation rather than individual VMs.”
