U.S. and Canadian cybersecurity agencies have issued a critical alert regarding a sophisticated malware known as BRICKSTORM. Linked to China-sponsored threat actors, this malware poses a significant risk to VMware vSphere environments, a popular platform for managing virtualized data centers. According to advisories from CISA, NSA, and the Canadian Centre for Cyber Security, once a system is compromised, the actors gain access to the vCenter management console, allowing them to extract cloned virtual machine (VM) snapshots and create undetectable rogue VMs.
Understanding BRICKSTORM Malware
The threat landscape presented by BRICKSTORM is alarming. CISA conducted a thorough analysis of several samples from affected organizations, uncovering a persistent and complex attack strategy. Although the analyzed instances were specific to VMware vSphere environments, the existence of Windows versions of BRICKSTORM has also been confirmed.
Year-Long Infiltration
One notable case revealed by CISA involved a prolonged attack that lasted over a year. The threat actors, identified as being backed by the People’s Republic of China (PRC), gained sustained access to a network beginning in April 2024. They introduced BRICKSTORM malware into a VMware vCenter server and successfully infiltrated two domain controllers, including an Active Directory Federation Services (ADFS) server, where they managed to extract cryptographic keys.
The reports indicate that the attackers maintained their access until at least September 3, 2025. The malware is characterized as an Executable and Linkable Format (ELF) Go-based backdoor. While functionalities may vary among different samples, all versions enable the cyber actors to retain stealthy access, facilitating commands, persistence, and secure communication.
Stealthy Operations
One of the concerning features of BRICKSTORM is its ability to auto-reinstall or restart if disrupted. It employs DNS-over-HTTPS (DoH) to hide its communications among legitimate traffic. This sophistication allows threat actors to gain interactive shell access, enabling them to manipulate files, browse the system, and create additional unauthorized versions of the malware as needed.
Entry Points for Attackers
CISA detailed the entry point exploited by the PRC hackers during their attacks. On April 11, 2024, they accessed a web server located in the organization’s demilitarized zone (DMZ) through a compromised web shell. The initial method of gaining access to this web server remains unclear, as does the timeline for the implantation of the web shell.
Lateral Movement Inside the Network
Utilizing service account credentials, the hackers quickly executed lateral movements via Remote Desktop Protocol (RDP) to gain entry into a domain controller within the DMZ, where they extracted the Active Directory (AD) database. The next day, they continued to move laterally, employing credentials from a second service account to access an internal domain controller. CISA noted that the process of credential acquisition is still under investigation.
Meanwhile, the hackers displayed their resourcefulness by pivoting to two intermediary servers and the ADFS server, successfully stealing cryptographic keys in the process. After breaching the vCenter, they escalated their privileges using the sudo command, placing the BRICKSTORM malware into the server’s /etc/sysconfig/ directory and modifying the init file to ensure that the malware ran during the system’s startup.
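The persistence pattern described above (a binary dropped into /etc/sysconfig/ and an init file edited to launch it) can be audited on a host. The script below is an added example written for this article; it is not code from the advisory, and it contains no real BRICKSTORM indicators. It scans a sysconfig directory for files that look executable (ELF magic bytes or an execute bit, neither of which belongs in a directory of plain-text configuration) and then reads init scripts for lines that launch, rather than source, a file under that directory. The directory tree, file names and init script it runs against are constructed in a temporary directory so it runs offline; point `find_executables` and `find_init_launches` at `/etc/sysconfig` and the real init files to use it on a system.

```python
"""Audit a sysconfig directory and init scripts for executable payloads.

Added example, not from the advisory. /etc/sysconfig normally holds plain-text
configuration, so an ELF binary or executable file there, combined with an init
script that launches it at boot, is the kind of persistence worth reviewing.
The tree scanned below is constructed in a temp directory for the demo.
"""
import os
import re
import stat
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def find_executables(sysconfig_dir):
    """Return {path: [reasons]} for files under sysconfig_dir that look executable."""
    findings = {}
    for path in Path(sysconfig_dir).rglob("*"):
        if not path.is_file():
            continue
        reasons = []
        with open(path, "rb") as fh:
            if fh.read(4) == ELF_MAGIC:
                reasons.append("elf-magic")
        if path.stat().st_mode & EXEC_BITS:
            reasons.append("exec-bit")
        if reasons:
            findings[str(path)] = reasons
    return findings


def find_init_launches(init_files, sysconfig_dir, executables):
    """Return init-script lines that launch (not merely source) a file under sysconfig_dir.

    Sourcing a config file ('. /etc/sysconfig/network' or 'source ...') is normal
    and skipped. Severity is 'high' when the referenced file is also in `executables`.
    """
    prefix = str(sysconfig_dir).rstrip("/") + "/"
    path_re = re.compile(re.escape(prefix) + r"[^\s;&|'\"]*")
    hits = []
    for init_file in init_files:
        try:
            lines = Path(init_file).read_text(errors="replace").splitlines()
        except FileNotFoundError:
            continue
        for no, raw in enumerate(lines, 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if line.startswith((". ", "source ")):
                continue  # sourcing a configuration file is expected behaviour
            for ref in path_re.findall(line):
                severity = "high" if ref in executables else "medium"
                hits.append({"file": str(init_file), "line": no, "ref": ref, "severity": severity})
    return hits


def build_demo_tree(root):
    """Constructed sample tree: a benign config, an ELF-looking payload, and an init script."""
    sysconfig = Path(root, "etc", "sysconfig")
    sysconfig.mkdir(parents=True)
    (sysconfig / "network").write_text("NETWORKING=yes\n")   # legitimate text config
    payload = sysconfig / "placeholder-payload"               # constructed name, not a real IoC
    payload.write_bytes(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9)
    payload.chmod(0o755)
    init_dir = Path(root, "etc", "init.d")
    init_dir.mkdir(parents=True)
    rc = init_dir / "rc.local"
    rc.write_text(
        "#!/bin/sh\n"
        f". {sysconfig}/network\n"           # sourcing: should not be flagged
        f"{payload} >/dev/null 2>&1 &\n"    # launching the payload at boot: flagged
    )
    return sysconfig, [rc]


def run_demo():
    """Build the constructed tree, run both checks, and return a compact summary."""
    with tempfile.TemporaryDirectory() as root:
        sysconfig, init_files = build_demo_tree(root)
        executables = find_executables(sysconfig)
        launches = find_init_launches(init_files, sysconfig, executables)
        return {
            "executables": sorted(os.path.basename(p) for p in executables),
            "launches": [(os.path.basename(h["ref"]), h["severity"]) for h in launches],
        }


if __name__ == "__main__":
    print(run_demo())
```

The sourcing exemption matters: many distribution init scripts legitimately read `/etc/sysconfig/*` for variables, so only lines that execute a file from that directory are reported, and the report is escalated when the same file also carries ELF magic or an execute bit.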
Recommendations for Organizations
In light of these findings, CISA, NSA, and the Canadian Cyber Centre have urged organizations to adopt preventive measures. They recommend utilizing indicators of compromise (IOCs) and detection signatures included in their detailed reports to identify instances of BRICKSTORM. Furthermore, organizations are encouraged to block unauthorized DNS-over-HTTPS (DoH) traffic, maintain an inventory of network edge devices, and exercise vigilance over network connectivity.
Additionally, implementing network segmentation may help restrict traffic from the DMZ to the internal network, adding another layer of protection against potential breaches.
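The malware's use of DNS-over-HTTPS to blend into ordinary HTTPS traffic, and the agencies' recommendation to block DoH that has not been authorized, both come down to one question: which hosts are talking to which resolvers. The script below is an added example, not code from the advisory, and it contains no indicators from the agencies' reports. It reads egress-proxy records in a simple key=value format (a constructed format, with made-up hosts, addresses and timestamps), recognizes the RFC 8484 markers of a DoH exchange (a `/dns-query` path, the `application/dns-message` content type, or a base64url `dns=` query parameter), and reports any such exchange whose destination is not on an allowlist of approved enterprise resolvers. The allowlist entry `doh.corp.example` is an assumption for the demo.

```python
"""Flag DNS-over-HTTPS (RFC 8484) exchanges to resolvers outside an approved list.

Added example, not from the advisory. Input is a constructed egress-proxy log in
'key=value key=value' form; host names, addresses and the allowlist are made up.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist: resolvers the enterprise has sanctioned for DoH.
APPROVED_DOH_RESOLVERS = {"doh.corp.example"}

# Constructed proxy records. Line 1 is sanctioned DoH, line 2 is ordinary web
# traffic, lines 3-4 are DoH to unapproved hosts, line 5 is a near miss.
SAMPLE_LOG = """\
ts=2025-09-03T10:15:02Z src=10.20.0.15 method=POST url=https://doh.corp.example/dns-query ctype=application/dns-message status=200
ts=2025-09-03T10:15:09Z src=10.20.0.15 method=GET url=https://www.example.net/index.html ctype=text/html status=200
ts=2025-09-03T10:16:44Z src=10.20.0.41 method=POST url=https://resolver.invalid/dns-query ctype=application/dns-message status=200
ts=2025-09-03T10:17:01Z src=10.20.0.41 method=GET url=https://cdn.invalid/api/v1?dns=AAABAAABAAAAAAAAA2Z0cANhYmMAAAEAAQ ctype=application/octet-stream status=200
ts=2025-09-03T10:18:30Z src=10.20.0.77 method=GET url=https://updates.invalid/dns-query/about ctype=text/html status=200
"""

# RFC 8484 GET requests carry the DNS message base64url-encoded in ?dns=...
BASE64URL = re.compile(r"^[A-Za-z0-9_-]{16,}$")


@dataclass
class Finding:
    ts: str
    src: str
    host: str
    indicators: tuple


def parse_record(line):
    """Split 'k=v k=v ...' into a dict; values carry no spaces in this format."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def doh_indicators(record):
    """Return (destination host, tuple of RFC 8484 markers present in the record)."""
    url = urlsplit(record.get("url", ""))
    indicators = []
    if url.path.rstrip("/") == "/dns-query":
        indicators.append("doh-path")
    if record.get("ctype", "").split(";")[0].strip() == "application/dns-message":
        indicators.append("dns-message-type")
    if any(BASE64URL.match(v) for v in parse_qs(url.query).get("dns", [])):
        indicators.append("dns-query-param")
    return url.hostname or "", tuple(indicators)


def detect_unauthorized_doh(log_text, approved=APPROVED_DOH_RESOLVERS):
    """Return a Finding for every DoH exchange whose destination is not approved."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = parse_record(line)
        host, indicators = doh_indicators(record)
        if indicators and host.lower() not in approved:
            findings.append(Finding(record.get("ts", ""), record.get("src", ""), host, indicators))
    return findings


if __name__ == "__main__":
    for f in detect_unauthorized_doh(SAMPLE_LOG):
        print(f"{f.ts} {f.src} -> {f.host}: {', '.join(f.indicators)}")
```

Two design points carry over to a real deployment. First, the path check is exact, so `/dns-query/about` on a web site is not reported while a bare `/dns-query` is; false positives here cost analyst time. Second, for the management segment that hosts vCenter and ESXi there is normally no reason for any DoH at all, so the allowlist for those source addresses can be empty and the same function then reports every DoH exchange they make.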


