
The Cybersecurity and Infrastructure Security Agency has issued a malware analysis report on BRICKSTORM, a sophisticated backdoor linked to Chinese state-sponsored cyber operations.
Released in December 2025 and updated through January 2026, the report identifies this threat targeting VMware vSphere platforms, specifically vCenter servers and ESXi environments.
Organizations in government services and information technology sectors face the highest risk from these attacks.
BRICKSTORM represents a serious threat because it enables attackers to maintain long-term access to compromised systems without detection.
The malware primarily affects virtualized environments, where it can remain hidden while threat actors steal sensitive data, clone virtual machines, and move laterally through networks.
Once installed, BRICKSTORM operates silently in the background, automatically reinstalling itself if removed.
The report examines eleven malware samples discovered across victim organizations. Eight samples were built using the Go programming language, while three newer variants use Rust.
CISA analysts identified BRICKSTORM during an incident response investigation where threat actors maintained persistent access to a victim organization from April 2024 through September 2025.
During this compromise, attackers accessed domain controllers and compromised an Active Directory Federation Services server to export cryptographic keys.
Infection and Persistence Mechanisms
BRICKSTORM gains initial access through compromised web servers located in demilitarized zones.
Attackers upload the malware to VMware vCenter servers after moving laterally through networks using stolen service account credentials and Remote Desktop Protocol connections.
The malware installs itself in system directories like /etc/sysconfig/ and modifies initialization scripts to execute during system startup.
The backdoor maintains persistence through built-in self-monitoring capabilities that continuously verify whether BRICKSTORM remains active.
If the malware detects it has stopped running, it automatically reinstalls and restarts itself from predefined file paths.
This self-healing mechanism ensures attackers maintain access even if security teams attempt removal.
BRICKSTORM establishes encrypted connections to command-and-control servers using DNS-over-HTTPS through legitimate public resolvers from Cloudflare, Google, and Quad9.
This technique conceals malicious traffic within normal encrypted communications. The malware upgrades initial HTTPS connections to secure WebSocket sessions with multiple nested encryption layers.
Through these connections, attackers gain interactive command-line access, browse file systems, upload and download files, and establish SOCKS proxies for lateral movement.
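The DNS-over-HTTPS channel described above is also a detection opportunity: a vCenter or ESXi host has no business opening TLS sessions to public DoH resolvers when it should be using the enterprise resolver over port 53. The following script is an added example written for this article, not code from CISA's report. It runs a simple policy over constructed firewall log lines; the management-host inventory, the log format, and the resolver address list are assumptions for illustration, with the resolver IPs being the providers' well-known public addresses.

```python
"""Flag vSphere management hosts that contact public DNS-over-HTTPS resolvers.

The log format, host inventory, and sample lines below are constructed for
this example; the three resolver operators are those named in the report.
"""
from dataclasses import dataclass
import ipaddress

# Well-known public resolver addresses for the providers named in the report.
DOH_RESOLVERS = {
    "cloudflare": {"1.1.1.1", "1.0.0.1"},
    "google": {"8.8.8.8", "8.8.4.4"},
    "quad9": {"9.9.9.9", "149.112.112.112"},
}

# Hypothetical inventory of vSphere management nodes (assumed values).
MANAGEMENT_HOSTS = {
    "10.0.1.10": "vcenter",
    "10.0.1.21": "esxi",
    "10.0.1.22": "esxi",
}


@dataclass
class Finding:
    src: str
    role: str
    dst: str
    provider: str
    raw: str


def resolver_provider(ip: str):
    """Return the DoH provider name for a resolver IP, or None."""
    for provider, addrs in DOH_RESOLVERS.items():
        if ip in addrs:
            return provider
    return None


def parse_line(line: str):
    """Parse the constructed format: '<timestamp> <src> <dst> <dport> <proto>'."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, dport, proto = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        dport = int(dport)
    except ValueError:
        return None
    return ts, src, dst, dport, proto.lower()


def find_doh_from_management(lines):
    """Return findings for management hosts talking TLS/443 to a public DoH resolver."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line; skip rather than crash the sweep
        _ts, src, dst, dport, proto = rec
        role = MANAGEMENT_HOSTS.get(src)
        provider = resolver_provider(dst)
        # DoH rides on TCP 443. Plain DNS to the same IP on UDP/53 is a
        # different (misconfiguration) problem and is not flagged here.
        if role and provider and dport == 443 and proto == "tcp":
            findings.append(Finding(src, role, dst, provider, line))
    return findings


# Constructed sample log lines.
SAMPLE_LOG = [
    "2025-09-01T10:00:00Z 10.0.1.10 1.1.1.1 443 tcp",      # vCenter -> Cloudflare DoH
    "2025-09-01T10:00:05Z 10.0.1.10 10.0.0.53 53 udp",     # vCenter -> internal resolver (normal)
    "2025-09-01T10:01:00Z 10.0.5.44 8.8.8.8 443 tcp",      # workstation, not in scope here
    "2025-09-01T10:02:00Z 10.0.1.21 9.9.9.9 443 tcp",      # ESXi -> Quad9 DoH
    "2025-09-01T10:03:00Z 10.0.1.22 8.8.8.8 53 udp",       # ESXi -> plain DNS, not DoH
    "not a log line",                                      # malformed, skipped
]

if __name__ == "__main__":
    for f in find_doh_from_management(SAMPLE_LOG):
        print(f"{f.role} {f.src} -> {f.provider} {f.dst}: {f.raw}")
```

The two flagged lines are the vCenter and ESXi sessions to port 443 on a public resolver. The same resolver list doubles as an egress block list for the management segment, with the internal resolver as the only permitted DNS destination; that is the practical shape of the report's advice to block unauthorized DNS-over-HTTPS providers.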
To support detection and removal efforts, CISA released six YARA rules and one Sigma rule specifically designed to identify BRICKSTORM samples.
These detection signatures target unique code patterns and behavioral characteristics found across different malware variants.
CISA urges organizations to immediately report any BRICKSTORM detections and apply recommended mitigations including upgrading VMware vSphere servers, implementing network segmentation, and blocking unauthorized DNS-over-HTTPS providers.
The lateral movement observed in that incident also traces the PRC state-sponsored cyber actors' progression from the web server, through the domain controllers, to the VMware vCenter server.
