Three cyber agencies, CISA, NSA, and the Canadian Centre for Cyber Security, have issued a joint advisory about a backdoor called BRICKSTORM. They attribute it to Chinese state-sponsored actors and say it is aimed at government and technology organizations.
BRICKSTORM Targets VMware and Windows
BRICKSTORM is a backdoor built for long-term, low-profile access. It is written in Go and designed to evade detection while giving its operators persistent remote access to the infected host. Once inside a network it keeps that access quietly, often for months, until the operators need it.
The malware focuses mainly on virtualization infrastructure. It is deployed on VMware vCenter and ESXi systems, which lets the operators interact with guest virtual machines from the management layer rather than from inside the guests. BRICKSTORM also has Windows variants, so organizations running a mix of virtual and physical servers are exposed on both sides.
How BRICKSTORM Malware Works
BRICKSTORM hides its activity well. To locate its command-and-control (C2) servers it resolves domains over DNS-over-HTTPS (DoH) through public resolvers such as Cloudflare and Google, so the lookups blend in with ordinary HTTPS traffic and never appear in the organization's own DNS logs.
Once it has resolved a C2 server, the malware connects over plain HTTPS and then upgrades the session to a WebSocket, inside which it runs a further, nested TLS layer. That single channel is multiplexed, so the operators can run several tasks in parallel, such as interactive shells and file transfers, over one connection.
The advisory describes a real intrusion in which the Chinese state-backed actors stayed inside a network from April 2024 to September 2025. They first compromised a web server in the DMZ, then moved laterally to internal domain controllers and an Active Directory Federation Services (ADFS) server.
After gaining that foothold, the attackers installed BRICKSTORM on a VMware vCenter server. From there they could take snapshots of virtual machines and copy them out to extract their contents, recover credentials, and create hidden "rogue" VMs running alongside legitimate systems. They also stole the ADFS signing keys, which let them forge authentication tokens for applications that trust that ADFS instance.
Key Capabilities of BRICKSTORM
- Self-Preservation: Automatically reinstalls itself if its process is stopped.
- Protocol Tunneling: Provides a SOCKS proxy so the operators can reach internal systems through the infected host.
- Virtualization Targeting: Uses VSOCK, the hypervisor-to-guest socket interface, to move data between the hypervisor and VMs over a path that ordinary network monitoring does not see.
CISA and partners urge government and critical infrastructure organizations to look for signs of BRICKSTORM immediately.
Recommended Actions
- Upgrade VMware vSphere (vCenter and ESXi) to the latest supported versions.
- Restrict network access from edge and DMZ devices to internal systems.
- Block DoH traffic that does not come from approved resolvers, so malware cannot reach its command servers through public DoH services.
- Monitor service accounts closely, as attackers routinely abuse them for lateral movement.
- Inspect system initialization files and on-disk contents, not just running processes, because BRICKSTORM persists through startup scripts.
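The DoH contact mechanism described above and the advisory's recommendation to block unauthorized DoH traffic both come down to one question: which hosts are opening TLS sessions to public DoH resolvers? The script below is an added example, not code from the advisory or from any of the agencies, that answers it over a TLS-session log. The log lines, the approved-client list, the asset roles and the IP addresses are all constructed for the demo; the DoH hostnames and resolver IPs are the well-known public Cloudflare and Google endpoints.

```python
"""Hunt for DNS-over-HTTPS sessions from hosts that should never use public resolvers.

Input is a constructed TLS-session log (timestamp, source IP, destination IP,
destination port, TLS SNI), roughly the fields a Zeek ssl.log or a firewall TLS
log gives you. A real deployment would read the actual log file instead.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Public DoH endpoints operated by Cloudflare and Google (well-known values).
DOH_SNI = {"cloudflare-dns.com", "mozilla.cloudflare-dns.com",
           "one.one.one.one", "dns.google"}
DOH_IPS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4"}

# Hypothetical policy: only the enterprise DNS forwarder may talk to public DoH.
APPROVED_DOH_CLIENTS = {"10.0.0.53"}

# Hypothetical asset tags so findings on management hosts can be prioritised.
ASSET_ROLE = {"10.0.1.20": "vcenter", "10.0.1.21": "esxi", "10.0.0.53": "dns-forwarder"}


@dataclass(frozen=True)
class TlsSession:
    ts: str
    src: str
    dst: str
    dst_port: int
    sni: str


def parse_tls_log(text: str) -> list[TlsSession]:
    """Parse tab-separated lines; '#' lines are comments, '-' means no SNI seen."""
    sessions = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, sni = line.split("\t")
        sessions.append(TlsSession(ts, src, dst, int(port), "" if sni == "-" else sni))
    return sessions


def is_doh_endpoint(s: TlsSession) -> bool:
    """DoH rides on 443; match the SNI or the resolver IP, since SNI may be absent."""
    return s.dst_port == 443 and (s.sni in DOH_SNI or s.dst in DOH_IPS)


def find_unauthorized_doh(sessions: list[TlsSession]) -> list[TlsSession]:
    """Return DoH sessions from any host outside the approved-client set."""
    return [s for s in sessions if is_doh_endpoint(s) and s.src not in APPROVED_DOH_CLIENTS]


def summarize(findings: list[TlsSession]) -> dict[str, tuple[str, int]]:
    """Count offending sessions per source host, tagged with its asset role."""
    counts = Counter(s.src for s in findings)
    return {src: (ASSET_ROLE.get(src, "unknown"), n) for src, n in counts.items()}


# Constructed sample log (not real traffic). The vCenter and ESXi hosts should
# never resolve names through public DoH; the forwarder is allowed to.
SAMPLE_LOG = """\
#ts\tsrc\tdst\tdst_port\tsni
2025-06-01T02:14:07Z\t10.0.1.20\t1.1.1.1\t443\tcloudflare-dns.com
2025-06-01T02:14:09Z\t10.0.0.53\t8.8.8.8\t443\tdns.google
2025-06-01T02:15:30Z\t10.0.5.77\t93.184.216.34\t443\texample.com
2025-06-01T02:44:11Z\t10.0.1.20\t8.8.8.8\t443\t-
2025-06-01T03:02:55Z\t10.0.1.21\t1.0.0.1\t443\tone.one.one.one
2025-06-01T03:10:02Z\t10.0.5.77\t1.1.1.1\t53\t-
"""

if __name__ == "__main__":
    hits = find_unauthorized_doh(parse_tls_log(SAMPLE_LOG))
    for s in hits:
        print(f"{s.ts} {s.src} -> {s.dst}:{s.dst_port} sni={s.sni or '(none)'}")
    print(summarize(hits))
```

On the sample data the two virtualization hosts are flagged (three sessions in total) and the forwarder is not. The last line, plain DNS on port 53 to 1.1.1.1, is deliberately not matched: it is a different policy violation and belongs in a separate rule. Matching on destination IP as well as SNI matters because a client can omit SNI, and matching only on 443 keeps DoT on port 853 out of scope.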
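The last recommendation, checking initialization files on disk rather than only the process list, is easiest to act on with a baseline comparison. The script below is an added example, not code from the advisory, that hashes every file under a set of startup directories, diffs the result against a baseline captured when the host was trusted, and then pulls suspicious launch lines out of anything new or changed. The directory names, file contents and implant path in the demo are constructed; the suggestion to point it at locations such as /etc/rc.local.d and /etc/init.d on an ESXi or vCenter appliance is an assumption about where persistence lives, not a list taken from the advisory.

```python
"""Diff a host's startup scripts against a known-good baseline and flag suspicious launches.

A process listing can miss a backdoor that reinstalls itself from an init
script, so this audit looks at the files themselves. Run hash_tree() on a
freshly built or verified host to capture the baseline, store it off-host,
and run audit_init_files() against it later.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict[str, str]:
    """Map each regular file's path (relative to root) to its SHA-256 digest."""
    digests = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digests[str(path.relative_to(root))] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def audit_init_files(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Report files that appeared, disappeared, or changed since the baseline."""
    current = hash_tree(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
    }


# Heuristic markers for a script launching something from a writable scratch
# location or backgrounding a long-lived process. Tune for your environment.
SUSPICIOUS_MARKERS = ("/tmp/", "/var/tmp/", "/dev/shm/", "nohup ")


def suspicious_lines(root: Path, report: dict[str, list[str]]) -> dict[str, list[str]]:
    """For each added or modified script, return the lines that hit a marker."""
    out = {}
    for rel in report["added"] + report["modified"]:
        text = (root / rel).read_text(errors="replace")
        hits = [ln.strip() for ln in text.splitlines()
                if any(m in ln for m in SUSPICIOUS_MARKERS)]
        if hits:
            out[rel] = hits
    return out


def build_demo() -> tuple[dict[str, list[str]], dict[str, list[str]]]:
    """Construct a small init-file tree, baseline it, simulate tampering, re-audit.

    Everything here is made up for the demo: the directory layout mimics
    rc.local.d and init.d, and the implant path /var/tmp/.cache/svc and the
    dropped script name vmtools-helper are hypothetical.
    """
    root = Path(tempfile.mkdtemp(prefix="initaudit-"))
    (root / "rc.local.d").mkdir()
    (root / "init.d").mkdir()
    (root / "rc.local.d" / "local.sh").write_text("#!/bin/sh\n# local configuration\nexit 0\n")
    (root / "init.d" / "sshd").write_text("#!/bin/sh\n# sshd start script\n")
    baseline = hash_tree(root)

    # Simulated tampering: a launcher appended to local.sh and a new init script.
    (root / "rc.local.d" / "local.sh").write_text(
        "#!/bin/sh\n# local configuration\n"
        "nohup /var/tmp/.cache/svc >/dev/null 2>&1 &\nexit 0\n")
    (root / "init.d" / "vmtools-helper").write_text("#!/bin/sh\n/var/tmp/.cache/svc\n")

    report = audit_init_files(root, baseline)
    return report, suspicious_lines(root, report)


if __name__ == "__main__":
    report, hits = build_demo()
    print("audit:", report)
    print("suspicious:", hits)
```

The audit reports one added file and one modified file, and the marker pass isolates the two launch lines so an analyst does not have to read the whole script. Keep the baseline off the host: a backdoor that can rewrite init scripts can rewrite a local baseline file just as easily.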
BRICKSTORM shows how a patient, well-engineered backdoor can quietly take control of an organization's virtualization and identity infrastructure. Prompt hunting and remediation are needed to find it before the access is used.