The Cybersecurity and Infrastructure Security Agency (CISA), along with the National Security Agency (NSA) and Canadian Centre for Cyber Security (Cyber Centre), has released updated indicators of compromise (IOCs) and detection signatures for BRICKSTORM malware.
The latest update, published on December 19, 2025, includes an analysis of three additional malware samples, bringing the total to 11 analyzed variants.
BRICKSTORM is a sophisticated backdoor malware attributed to People’s Republic of China (PRC) state-sponsored cyber actors, who have been using it to maintain long-term persistence on compromised systems.

The malware primarily targets organizations in the Government Services and Facilities and Information Technology sectors, with particular focus on VMware vSphere environments, including VMware vCenter servers and VMware ESXi platforms.
The malware represents a significant threat due to its advanced capabilities. BRICKSTORM is custom-built in Go or Rust and operates as an Executable and Linkable Format (ELF) backdoor.
The eight samples initially analyzed were Go-based, while two of the three newly added samples in the December 19 update are Rust-based, demonstrating the threat actors’ evolving techniques.
According to the CISA joint advisory, BRICKSTORM provides cyber actors with comprehensive system control.
The malware wraps its command-and-control traffic in multiple layers, including HTTPS, WebSockets, and nested Transport Layer Security (TLS), to conceal communications with its servers.

It also employs DNS-over-HTTPS (DoH) and mimics legitimate web server functionality to blend malicious traffic with regular network activity.
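As an added illustration (not code from the advisory or its published Sigma rules), the following script applies the behaviours described above as a detection on constructed proxy-log lines: it flags vSphere management hosts that contact a public DoH resolver or open an outbound WebSocket. The host inventory, resolver list, and log format are assumptions for the example.

```python
# Added example (not from the CISA advisory): flag proxy-log entries where a
# vSphere management host reaches a public DoH resolver or opens an outbound
# WebSocket, two of the C2 transports described for BRICKSTORM.
from urllib.parse import urlsplit

# Assumed inventory of vCenter/ESXi management hosts; a real deployment pulls
# this from a CMDB. Such hosts should not resolve names over DoH or open
# WebSockets to arbitrary external addresses.
MANAGEMENT_HOSTS = {"vcenter01.corp.example", "esxi-07.corp.example"}
# Well-known public DoH resolver hostnames (illustrative, not an advisory IOC list).
DOH_RESOLVERS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

# Constructed sample proxy log: time, source host, method, URL, content-type, upgrade header.
PROXY_LOG = """\
2025-12-19T10:01:02Z vcenter01.corp.example POST https://dns.google/dns-query application/dns-message -
2025-12-19T10:01:05Z ws01.corp.example GET https://intranet.corp.example/ text/html -
2025-12-19T10:02:11Z esxi-07.corp.example GET https://203.0.113.10/updates - websocket
2025-12-19T10:03:40Z laptop-12.corp.example POST https://cloudflare-dns.com/dns-query application/dns-message -
2025-12-19T10:04:02Z vcenter01.corp.example GET https://vcsa-updates.example.com/manifest application/json -
"""

def parse_line(line):
    ts, src, method, url, ctype, upgrade = line.split()
    return {"ts": ts, "src": src, "method": method, "url": url,
            "dst": urlsplit(url).hostname, "ctype": ctype, "upgrade": upgrade.lower()}

def classify(rec):
    """Return why an event is suspicious for a management host, else None."""
    if rec["src"] not in MANAGEMENT_HOSTS:
        return None  # browsers on workstations legitimately use DoH; scope to vSphere hosts
    if rec["dst"] in DOH_RESOLVERS or rec["ctype"] == "application/dns-message":
        return "doh-from-management-host"
    if rec["upgrade"] == "websocket":
        return "outbound-websocket-from-management-host"
    return None

def find_suspicious(log_text):
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reason = classify(rec)
        if reason:
            alerts.append((rec["ts"], rec["src"], rec["dst"], reason))
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious(PROXY_LOG):
        print(*alert)
```

The nested TLS and web-server mimicry the advisory describes are not visible in URL-level proxy logs, so this check complements rather than replaces the released YARA and Sigma rules.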
CISA conducted an incident response engagement for one victim organization in which PRC actors gained persistent access to the internal network in April 2024. The attackers uploaded BRICKSTORM to an internal VMware vCenter server.
They compromised two domain controllers and an Active Directory Federation Services (ADFS) server, successfully exporting cryptographic keys. The malware provided persistent access from at least April 2024 through September 2025.
Once deployed, BRICKSTORM grants threat actors interactive shell access, allowing them to browse, upload, download, create, delete, and manipulate files on compromised systems.
Some variants also function as SOCKS proxies, facilitating lateral movement across networks and enabling compromise of additional systems.
CISA, NSA, and Cyber Centre strongly urge organizations to utilize the released IOCs and detection signatures, including YARA and Sigma rules, to identify BRICKSTORM samples within their environments.
If BRICKSTORM or related activity is detected, organizations should immediately report incidents to CISA, Cyber Centre, or appropriate authorities.
The agencies have made downloadable copies of IOCs available in STIX format, along with Sigma detection rules in YAML format. Organizations can access these resources through CISA’s official website to enhance their defensive capabilities against this persistent threat.
This advisory underscores the ongoing sophistication of state-sponsored cyber operations and the critical need for organizations, particularly those in government and critical infrastructure sectors, to implement robust detection and response capabilities.
