Key Takeaways
- BRICKSTORM is a sophisticated backdoor malware linked to Chinese state-sponsored cyber operations that targets VMware vSphere platforms, specifically vCenter servers and ESXi environments.
- The malware enables attackers to maintain long-term access to compromised systems without detection, allowing them to steal sensitive data, clone virtual machines, and move laterally through networks.
- Organizations in government services and information technology sectors face the highest risk from these attacks.
- BRICKSTORM operates silently in the background, automatically reinstalling itself if removed, and establishes encrypted connections to command-and-control servers using DNS-over-HTTPS.
- CISA has released detection signatures, including six YARA rules and one Sigma rule, to help organizations identify and remove BRICKSTORM samples.
Introduction to BRICKSTORM
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a malware analysis report on BRICKSTORM, a sophisticated backdoor linked to Chinese state-sponsored cyber operations. The report, released in December 2025 and updated through January 2026, identifies this threat as targeting VMware vSphere platforms, specifically vCenter servers and ESXi environments. Organizations in government services and information technology sectors face the highest risk from these attacks, as BRICKSTORM enables attackers to maintain long-term access to compromised systems without detection.
The Threat Posed by BRICKSTORM
BRICKSTORM is a serious threat because it allows attackers to remain hidden in virtualized environments, where they can steal sensitive data, clone virtual machines, and move laterally through networks. Once installed, it operates silently in the background and automatically reinstalls itself if removed. This self-healing mechanism ensures that attackers retain access even after security teams attempt removal.
Infection and Persistence Mechanisms
BRICKSTORM gains initial access through compromised web servers located in demilitarized zones. Attackers upload the malware to VMware vCenter servers after moving laterally through networks using stolen service account credentials and Remote Desktop Protocol connections. The malware installs itself in system directories like /etc/sysconfig/ and modifies initialization scripts to execute during system startup. The backdoor maintains persistence through built-in self-monitoring capabilities that continuously verify whether BRICKSTORM remains active. If the malware detects it has stopped running, it automatically reinstalls and restarts itself from predefined file paths.
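The persistence described above lives in ordinary files: an install location under /etc/sysconfig/ and modified initialization scripts. Those can be baselined and diffed. The script below is an added example, not code from the CISA report or from VMware: it hashes a set of startup directories, compares the result with a saved known-good snapshot, and flags any startup script that launches a program from /etc/sysconfig/, on the assumption that a configuration directory should never be a launch location. The directory list, that no-execute assumption, and the temporary tree built in the demo are assumptions for illustration, not indicators from the report.

```python
"""Baseline-and-diff check for the startup locations the CISA report says BRICKSTORM uses."""
import hashlib
import os
import re
import tempfile

# Directories to baseline: the /etc/sysconfig/ location named in the report plus the
# init-script directories of a typical Linux-based appliance (assumed; adjust per host).
WATCH_DIRS = ["/etc/sysconfig", "/etc/init.d", "/etc/rc.d"]
# /etc/sysconfig conventionally holds configuration, not programs, so a startup script
# that launches something from there deserves review (an assumption, not a report IoC).
NO_EXEC_DIRS = ["/etc/sysconfig"]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(dirs):
    """Map every regular (non-symlink) file under dirs to its SHA-256 digest."""
    result = {}
    for d in dirs:
        for root, _, files in os.walk(d):
            for name in files:
                path = os.path.join(root, name)
                if os.path.isfile(path) and not os.path.islink(path):
                    result[path] = sha256_file(path)
    return result


def diff_snapshots(baseline, current):
    """Return (added, modified, removed) path lists relative to the known-good baseline."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return added, modified, removed


def suspicious_exec_refs(script_text, no_exec_dirs=NO_EXEC_DIRS):
    """Return paths under no_exec_dirs that a script runs as a command.

    Sourcing a file (". /etc/sysconfig/x") or assigning a path to a variable is normal
    and is not matched; only a line whose command is such a path (optionally behind
    exec/nohup) is reported.
    """
    alternatives = "|".join(re.escape(d) + r"/\S+" for d in no_exec_dirs)
    pattern = re.compile(r"^\s*(?:exec\s+|nohup\s+)?(" + alternatives + ")")
    hits = []
    for line in script_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = pattern.match(line)
        if m:
            hits.append(m.group(1))
    return hits


def review_startup_scripts(snapshot_paths):
    """Scan each file in a snapshot; return {script_path: [suspicious command paths]}."""
    findings = {}
    for path in snapshot_paths:
        try:
            with open(path, "r", errors="replace") as f:
                refs = suspicious_exec_refs(f.read())
        except OSError:
            continue
        if refs:
            findings[path] = refs
    return findings


if __name__ == "__main__":
    # Constructed demo tree in a temporary directory instead of the live WATCH_DIRS.
    with tempfile.TemporaryDirectory() as tmp:
        init_d = os.path.join(tmp, "init.d")
        os.makedirs(init_d)
        script = os.path.join(init_d, "example-service")
        with open(script, "w") as f:
            f.write("#!/bin/sh\n. /etc/sysconfig/network\n/usr/sbin/example-daemon start\n")
        baseline = snapshot([tmp])
        with open(script, "a") as f:  # simulated tampering with the init script
            f.write("/etc/sysconfig/.cache/helper &\n")
        current = snapshot([tmp])
        print("added/modified/removed:", diff_snapshots(baseline, current))
        print("scripts launching from no-exec dirs:", review_startup_scripts(current))
```

In practice the baseline snapshot is taken from a freshly patched appliance and stored off-host, so that a backdoor which rewrites the scripts cannot also rewrite the reference it is compared against.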
Command-and-Control Communications
BRICKSTORM establishes encrypted connections to command-and-control servers using DNS-over-HTTPS through legitimate public resolvers from Cloudflare, Google, and Quad9. This technique conceals malicious traffic within normal encrypted communications. The malware upgrades initial HTTPS connections to secure WebSocket sessions with multiple nested encryption layers. Through these connections, attackers gain interactive command-line access, browse file systems, upload and download files, and establish SOCKS proxies for lateral movement. This allows them to further compromise the network and steal sensitive data.
Detection and Removal
To support detection and removal efforts, CISA released six YARA rules and one Sigma rule specifically designed to identify BRICKSTORM samples. These detection signatures target unique code patterns and behavioral characteristics found across different malware variants. CISA urges organizations to immediately report any BRICKSTORM detections and apply recommended mitigations, including upgrading VMware vSphere servers, implementing network segmentation, and blocking unauthorized DNS-over-HTTPS providers. By taking these steps, organizations can reduce the risk of compromise and prevent attackers from maintaining long-term access to their systems.
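The command-and-control section above describes DNS-over-HTTPS to the public resolvers of Cloudflare, Google and Quad9, and the mitigations include blocking unauthorized DoH providers; the two combine naturally into a log check. The script below is an added example and is not one of CISA's YARA or Sigma rules: it parses constructed proxy log lines, matches requests to the resolvers' documented public DoH endpoints (cloudflare-dns.com, dns.google, dns.quad9.net and their well-known addresses), and reports any source that is not on an allow list of hosts permitted to use DoH. The log format, the allow list and the sample addresses are assumptions.

```python
"""Flag DNS-over-HTTPS requests to public resolvers from hosts not approved to use DoH."""
import re
from urllib.parse import urlsplit

# Documented public DoH endpoints of the three resolver operators named in the report.
DOH_HOSTS = {
    "cloudflare-dns.com", "1.1.1.1", "1.0.0.1",        # Cloudflare
    "dns.google", "8.8.8.8", "8.8.4.4",                # Google
    "dns.quad9.net", "9.9.9.9", "149.112.112.112",     # Quad9
}
# Hypothetical allow list: only the enterprise resolver may speak DoH to the Internet.
APPROVED_DOH_CLIENTS = {"10.0.0.53"}

# Constructed proxy log format; adapt LOG_RE to the real proxy or firewall schema.
LOG_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+method=(\S+)\s+url=(\S+)\s+status=(\d+)")


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the format."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src, dst, method, url, status = m.groups()
    return {"src": src, "dst": dst.lower().rstrip("."), "method": method.upper(),
            "url": url, "status": int(status)}


def is_doh_request(ev):
    """True if the event is a DoH exchange with one of the public resolvers.

    RFC 8484 clients use the /dns-query path. A CONNECT tunnel to a resolver host is
    treated the same way because the proxy cannot see the request inside it.
    """
    if ev["dst"] not in DOH_HOSTS:
        return False
    if ev["method"] == "CONNECT":
        return True
    return urlsplit(ev["url"]).path.startswith("/dns-query")


def find_unauthorized_doh(lines):
    """Return (src, resolver) pairs for DoH traffic from non-approved hosts, in log order."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev and is_doh_request(ev) and ev["src"] not in APPROVED_DOH_CLIENTS:
            hits.append((ev["src"], ev["dst"]))
    return hits


# Constructed sample: 10.10.5.20 stands in for a vCenter appliance that should never
# resolve names through public DoH; 10.0.0.53 is the approved enterprise resolver.
SAMPLE_LOG = [
    "2026-01-10T03:12:44Z src=10.10.5.20 dst=updates.example.internal method=GET url=https://updates.example.internal/manifest status=200",
    "2026-01-10T03:12:51Z src=10.10.5.20 dst=cloudflare-dns.com method=POST url=https://cloudflare-dns.com/dns-query status=200",
    "2026-01-10T03:13:02Z src=10.0.0.53 dst=dns.google method=GET url=https://dns.google/dns-query?dns=AAABAAABAAAAAAAA status=200",
    "2026-01-10T03:13:09Z src=10.10.5.20 dst=dns.quad9.net method=CONNECT url=dns.quad9.net:443 status=200",
    "2026-01-10T03:13:15Z src=10.10.5.21 dst=www.google.com method=GET url=https://www.google.com/ status=200",
]

if __name__ == "__main__":
    for src, resolver in find_unauthorized_doh(SAMPLE_LOG):
        print(f"ALERT unauthorized DoH: {src} -> {resolver}")
```

The same host set doubles as the deny list for the egress proxy or firewall: once approved DoH clients are enumerated, every other connection to these endpoints can be blocked outright, and the alert above then catches only attempts rather than successful beacons.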
Conclusion and Recommendations
BRICKSTORM is a sophisticated backdoor that poses a significant threat to organizations in the government services and information technology sectors; its ability to maintain long-term, undetected access to compromised systems makes it a serious concern. To mitigate this threat, organizations should implement the recommended mitigations, including upgrading VMware vSphere servers and implementing network segmentation. They should also be aware of the lateral movement path used by PRC state-sponsored cyber actors, which progresses from web servers through domain controllers to VMware vCenter servers. By staying informed and taking proactive steps, organizations can reduce the risk of compromise and protect their sensitive data.