The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Canadian Centre for Cyber Security (Cyber Centre) issued a joint advisory today warning of a sophisticated new malware campaign run by People’s Republic of China (PRC) state-sponsored cyber actors.
BRICKSTORM Targets Virtualized Infrastructure
The advisory details BRICKSTORM, a backdoor built to establish long-term persistence in government and information technology networks. It specifically targets VMware vSphere and Windows environments.
BRICKSTORM is described as a custom Go-based backdoor that uses careful tradecraft to evade detection while giving its operators full control over compromised systems. Unlike commodity malware, it is engineered for deep integration into virtualized infrastructure: it targets VMware vCenter servers and ESXi hosts, from which the actors can manipulate virtual machines directly at the management layer.

The malware’s command and control (C2) mechanisms are designed for resilience. BRICKSTORM resolves its C2 domains with DNS over HTTPS (DoH) through legitimate public resolvers such as Cloudflare and Google, so the lookups never touch the organization’s own DNS servers and leave no trace in internal DNS logs; on the wire they look like ordinary HTTPS to well-known destinations. Once a C2 server is located, the malware opens a standard HTTPS connection, upgrades it to a WebSocket, and then runs a further TLS session inside that WebSocket.
This layered tunnel lets the actors multiplex several data streams, such as interactive shells and file transfers, over a single outbound connection. Because the inner TLS session is independent of the outer one, even a TLS-intercepting proxy sees only opaque WebSocket frames; from the network’s perspective the beacon is one long-lived HTTPS session to a single host.
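The defender’s view of the DoH step, as an added example that is not from the advisory and not BRICKSTORM code: a small Python scanner over constructed proxy-log lines that flags requests to the Cloudflare and Google DoH endpoints and, for RFC 8484 GET requests, decodes the base64url `dns=` parameter back into the queried name. The log format, the sample lines and the query names are assumptions; the resolver hostnames and the `/dns-query` path are the resolvers’ documented DoH endpoints.

```python
"""Flag DNS-over-HTTPS (DoH) lookups to public resolvers in proxy logs and
recover the queried name from RFC 8484 GET requests.

Added example, not from the advisory or from the malware. The log format,
sample lines and query names below are constructed assumptions.
"""
import base64
import struct
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Documented public DoH endpoints for the two resolvers the advisory names.
PUBLIC_DOH_HOSTS = {
    "cloudflare-dns.com", "one.one.one.one", "1.1.1.1", "1.0.0.1",
    "dns.google", "8.8.8.8", "8.8.4.4",
}
DOH_PATH = "/dns-query"                     # well-known path used by both resolvers
DOH_CONTENT_TYPE = "application/dns-message"  # RFC 8484 media type for POST bodies


def encode_doh_get(name: str, qtype: int = 1) -> str:
    """Build the base64url 'dns=' value for a DoH GET (RFC 8484 section 4.1).
    Used only to construct a realistic sample log line."""
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    # ID 0 (recommended by RFC 8484 for cacheability), RD=1, QDCOUNT=1
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    msg = header + qname + struct.pack("!HH", qtype, 1)
    return base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")


def decode_doh_get(dns_param: str) -> str:
    """Recover the first question name from a DoH GET 'dns=' value."""
    msg = base64.urlsafe_b64decode(dns_param + "=" * (-len(dns_param) % 4))
    _id, _flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount == 0:
        return ""
    labels, pos = [], 12                    # question section starts after the 12-byte header
    while True:
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:                   # compression pointers never occur in a question name
            raise ValueError("unexpected compression pointer in question")
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def classify(line: str) -> Optional[dict]:
    """Parse one constructed log line '<src_ip> <method> <url> <content-type>' and
    return a finding if it looks like DoH to a public resolver, else None."""
    src, method, url, ctype = line.split()
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not (host in PUBLIC_DOH_HOSTS or parts.path == DOH_PATH or ctype == DOH_CONTENT_TYPE):
        return None
    qname = None
    if method == "GET":
        dns = parse_qs(parts.query).get("dns")
        if dns:
            try:
                qname = decode_doh_get(dns[0])
            except (ValueError, IndexError, UnicodeDecodeError):
                qname = None                # malformed or not DNS; still report the endpoint
    return {"src": src, "resolver": host, "method": method, "qname": qname}


def find_doh(lines) -> list:
    return [f for f in (classify(l) for l in lines) if f]


# Constructed sample traffic from a management server that should only use internal DNS.
SAMPLE_LOGS = [
    "10.20.30.40 GET https://updates.example.internal/manifest.json application/json",
    "10.20.30.40 GET https://cloudflare-dns.com/dns-query?dns="
    + encode_doh_get("update-cdn.example.test") + " -",
    "10.20.30.40 POST https://dns.google/dns-query application/dns-message",
    "10.20.30.41 GET https://www.example.org/ text/html",
]

if __name__ == "__main__":
    for finding in find_doh(SAMPLE_LOGS):
        print(finding)
```

A proxy that terminates TLS sees the path, the content type and (for GET) the queried name; one that does not sees only the SNI or destination IP. That asymmetry is why the realistic control is to deny outbound HTTPS from servers to the resolver hostnames and addresses rather than to inspect for DoH content.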
Observed Attack Flow
The joint advisory highlights a specific incident where PRC actors maintained access to a victim’s network from April 2024 through at least September 2025.
In this case, the actors first compromised a web server in the organization’s demilitarized zone (DMZ), then moved laterally to internal domain controllers and an Active Directory Federation Services (ADFS) server.
Once inside the internal network, the actors deployed BRICKSTORM to a VMware vCenter server. From that vantage point they could take and exfiltrate snapshots of virtual machines, which can be mounted offline to extract credentials (a domain controller’s disk, for example, contains the Active Directory database), and potentially create “rogue” VMs that run alongside legitimate workloads while staying out of normal inventory and monitoring. The report also notes that the actors compromised the ADFS server and exported its cryptographic keys. If the token-signing key is among them, the actor can mint SAML tokens that relying services accept as valid for any federated user without authenticating to the identity provider again; rotating that key, not merely resetting passwords, is what invalidates the access.
Mitigation Recommendations
CISA and its partners are urging organizations, particularly those in government and critical infrastructure sectors, to hunt for BRICKSTORM indicators of compromise (IOCs) immediately.
The advisory recommends prioritizing upgrades of VMware vSphere components to current versions and strictly limiting network connectivity from edge devices, such as DMZ web servers, to internal resources. Network administrators are advised to block DoH traffic that does not go to approved resolvers, denying the malware its C2 resolution path, and to increase monitoring of service accounts, which were heavily abused in the observed intrusion. Because DoH is indistinguishable from other HTTPS without inspection, the practical control is to deny outbound 443 from servers to the public resolvers’ hostnames and addresses and to force resolution through internal DNS, where it is logged.
The agencies also emphasized that because BRICKSTORM modifies system initialization files to survive reboots, triage of running processes alone is not sufficient: disk-based analysis of init scripts and startup files is needed to find these static persistence mechanisms, which remain on disk even after a running implant has been killed.
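One way to do that disk-based pass, as an added example that is not from the advisory: a Python scanner that walks the usual init hooks under a mounted filesystem root (a forensic image or a host mounted read-only), pulls every absolute path each startup file references, flags references into writable, hidden or non-system locations, and hashes any referenced file that exists so the hash can be compared against the advisory’s IOC list. The list of init locations, the trust heuristics and the constructed sample image are assumptions, not indicators from the advisory; in particular the ESXi `local.sh` entry reflects where that platform runs boot-time scripts, not a file the page names.

```python
"""Disk-based hunt for persistence hooks in system initialization files.

Added example, not from the advisory. The init locations, the trusted/suspicious
prefixes and the constructed sample image are all assumptions.
"""
import hashlib
import os
import re
import tempfile
from typing import Iterator, Optional

# Startup files to read, relative to the filesystem root under examination.
# A directory entry means every regular file inside it is read.
INIT_LOCATIONS = [
    "etc/rc.local",
    "etc/rc.local.d/local.sh",   # ESXi boot-time hook (assumption, not from the advisory)
    "etc/init.d",
    "etc/systemd/system",
]
TRUSTED_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/lib/", "/etc/")
SUSPICIOUS_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")
# Absolute paths with at least two components; the lookbehind keeps URLs and
# relative names such as 'local.sh' from matching.
ABS_PATH = re.compile(r"(?<![\w./-])(/[\w.-]+(?:/[\w.-]+)+)")


def _hash_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _reason(path: str) -> Optional[str]:
    """Why a referenced path deserves a look, or None if it is a normal system path."""
    if path.startswith(SUSPICIOUS_PREFIXES):
        return "world-writable or user location"
    if any(part.startswith(".") for part in path.split("/") if part):
        return "hidden path component"
    if not path.startswith(TRUSTED_PREFIXES):
        return "outside trusted system directories"
    return None


def _init_files(root: str) -> Iterator[str]:
    for rel in INIT_LOCATIONS:
        full = os.path.join(root, rel)
        if os.path.isfile(full):
            yield full
        elif os.path.isdir(full):
            for name in sorted(os.listdir(full)):
                p = os.path.join(full, name)
                if os.path.isfile(p):
                    yield p


def scan_init_scripts(root: str) -> list:
    """Return one finding per (startup file, suspicious referenced path)."""
    findings = []
    for script in _init_files(root):
        with open(script, "r", errors="replace") as f:
            text = f.read()
        seen = set()
        for ref in ABS_PATH.findall(text):
            reason = _reason(ref)
            if reason is None or ref in seen:
                continue
            seen.add(ref)
            on_disk = os.path.join(root, ref.lstrip("/"))   # resolve inside the image, not the host
            findings.append({
                "script": "/" + os.path.relpath(script, root),
                "ref": ref,
                "reason": reason,
                "sha256": _hash_file(on_disk) if os.path.isfile(on_disk) else None,
            })
    return findings


def build_sample_image() -> str:
    """Constructed mini filesystem for demonstration; not real evidence."""
    root = tempfile.mkdtemp(prefix="img-")
    files = {
        "etc/rc.local.d/local.sh": "#!/bin/sh\n# local configuration options\n"
                                   "/bin/sh /var/tmp/.cache/svcd &\nexit 0\n",
        "etc/init.d/sshd": "#!/bin/sh\nexec /usr/sbin/sshd -D\n",
        "etc/systemd/system/updater.service": "[Unit]\nDescription=updater\n[Service]\n"
                                              "ExecStart=/opt/updater/run.sh\n",
        "var/tmp/.cache/svcd": "#!/bin/sh\n# constructed stand-in for a dropped binary\n",
    }
    for rel, content in files.items():
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    for finding in scan_init_scripts(build_sample_image()):
        print(finding)
```

Run it against a mount point rather than `/` on a live host so that an implant cannot alter what the scan reads, and treat the `sha256` field as the hand-off to IOC matching: a hash match is conclusive, while a path that merely looks odd is a lead to examine, not a verdict.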