PRC State-Sponsored BRICKSTORM Malware Targets Critical Infrastructure

Divyansh Ingle

Head of Engineering

December 9, 2025
3 min read

TL;DR

  • PRC state-sponsored actors are deploying the BRICKSTORM backdoor for long-term persistence, primarily in VMware vSphere environments, with Windows variants also reported. It hides its command and control (C2) behind several layers of encrypted transport (HTTPS, WebSockets, nested TLS) and uses DNS-over-HTTPS (DoH) to conceal its DNS lookups, and some samples expose a SOCKS proxy that the actors use for lateral movement. CISA recommends scanning with its published YARA and Sigma rules and indicators, blocking unauthorized DoH, and tightening network segmentation.

PRC State-Sponsored Actors Employ BRICKSTORM Malware

CISA has released an alert on ongoing intrusions by People’s Republic of China (PRC) state-sponsored cyber actors who use BRICKSTORM malware to maintain long-term persistence on victim systems. The activity primarily affects the Government Services and Facilities and Information Technology sectors.

BRICKSTORM Malware Overview

BRICKSTORM is a sophisticated backdoor targeting VMware vSphere and Windows environments. According to NVISO, it is designed for stealthy access, persistence, and secure command and control (C2). It wraps its C2 traffic in multiple layers of encryption (HTTPS, WebSockets, and nested TLS) and uses DNS-over-HTTPS (DoH) to conceal the DNS lookups behind that traffic. Some samples also provide a SOCKS proxy that the actors use for lateral movement.

Initial Access and Lateral Movement

The initial access vector varies, but one confirmed compromise involved PRC state-sponsored cyber actors accessing a web server inside the organization’s demilitarized zone (DMZ). They then moved laterally to an internal VMware vCenter server and implanted BRICKSTORM malware.

After gaining access, the actors obtain and use legitimate credentials, often by taking system backups or capturing the Active Directory database (NTDS.dit). On VMware vSphere platforms they clone virtual machines (VMs) and steal the clones or snapshots for offline credential extraction, and they create hidden rogue VMs to evade detection.
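One practical hunt for the hidden VMs described above is to compare what each ESXi host reports as registered with what vCenter knows about. The script below is an added example, not code from CISA, NVISO, or Gopher Security. It assumes, and the page does not state this, that the rogue VMs were registered directly on ESXi hosts and therefore do not appear in vCenter's inventory; the `vim-cmd vmsvc/getallvms` output and the vCenter export are constructed samples, and the hostnames are hypothetical.

```python
"""Find VMs registered on ESXi hosts that vCenter does not list.
Added example (not from the CISA report). Inputs are constructed: the text of
`vim-cmd vmsvc/getallvms` as run on each host, and a name -> .vmx path mapping
exported from vCenter (e.g. via PowerCLI Get-VM). Assumption: hidden VMs are
registered on the host outside vCenter's inventory."""
import re
from typing import Dict, List, NamedTuple


class HostVM(NamedTuple):
    host: str
    vmid: int
    name: str
    vmx: str
    guest: str


# One data row of `vim-cmd vmsvc/getallvms`: Vmid, Name, "[datastore] path.vmx", guest id, vmx-NN.
# VM names containing spaces are not handled by this simple pattern.
_ROW = re.compile(
    r"^(?P<vmid>\d+)\s+(?P<name>\S+)\s+(?P<vmx>\[[^\]]+\]\s+\S+)\s+(?P<guest>\S+)\s+vmx-\d+"
)


def parse_getallvms(host: str, text: str) -> List[HostVM]:
    """Parse the rows of getallvms output; the header line does not match and is skipped."""
    vms = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            vms.append(HostVM(host, int(m["vmid"]), m["name"], m["vmx"], m["guest"]))
    return vms


def find_unmanaged_vms(host_outputs: Dict[str, str], vcenter_inventory: Dict[str, str]) -> List[HostVM]:
    """Return VMs whose .vmx path is registered on a host but absent from vCenter's inventory.
    Comparing by .vmx path rather than name catches a rogue VM that reuses a legitimate name."""
    known_vmx = {p.strip().lower() for p in vcenter_inventory.values()}
    rogue = []
    for host, text in host_outputs.items():
        for vm in parse_getallvms(host, text):
            if vm.vmx.strip().lower() not in known_vmx:
                rogue.append(vm)
    return rogue


# Constructed sample data (hypothetical hosts and VMs).
ESXI_OUTPUT = {
    "esx01.corp.example": """
Vmid   Name        File                                   Guest OS                 Version   Annotation
1      web01       [datastore1] web01/web01.vmx           ubuntu64Guest            vmx-15
7      dc01        [datastore1] dc01/dc01.vmx             windows2019srv_64Guest   vmx-15
12     dc01-clone  [datastore1] .tmp/dc01-clone.vmx       windows2019srv_64Guest   vmx-15
""",
    "esx02.corp.example": """
Vmid   Name        File                                   Guest OS                 Version   Annotation
3      app02       [datastore2] app02/app02.vmx           ubuntu64Guest            vmx-15
""",
}

VCENTER_INVENTORY = {
    "web01": "[datastore1] web01/web01.vmx",
    "dc01": "[datastore1] dc01/dc01.vmx",
    "app02": "[datastore2] app02/app02.vmx",
}

if __name__ == "__main__":
    for vm in find_unmanaged_vms(ESXI_OUTPUT, VCENTER_INVENTORY):
        print(f"{vm.host}: vmid {vm.vmid} '{vm.name}' at {vm.vmx} is not in vCenter")
```

Run the host-side command over SSH on every ESXi host (or pull the same data through the host's API) and feed the outputs in; any VM that shows up only on a host deserves a look at its creation time, its .vmx location, and whether it is a clone of a domain controller.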

Technical Details of BRICKSTORM

BRICKSTORM is a custom Executable and Linkable Format (ELF) Go-based backdoor. The samples analyzed vary in function but share the capabilities to maintain stealthy access and provide secure command and control (C2). While the analyzed samples targeted VMware vSphere environments, there are reports of Windows versions as well.

The malware maintains persistence with a self-monitoring function that automatically reinstalls or restarts it if it is disrupted. CISA's report details that for C2, BRICKSTORM wraps its traffic in multiple encryption layers (HTTPS, WebSockets, nested TLS) to hide communications with the C2 server. It also uses DNS-over-HTTPS (DoH) and mimics web server behavior so that its traffic blends in with legitimate web activity. For remote control, BRICKSTORM provides an interactive shell and file manipulation. Some samples also act as a SOCKS proxy, which the actors use for lateral movement.

Detection and Mitigation Recommendations

CISA recommends several actions for network defenders to hunt for existing intrusions and mitigate further compromise:

  • Scan for BRICKSTORM using the YARA and Sigma rules CISA published with the malware analysis report.
  • Block unauthorized DNS-over-HTTPS (DoH) providers and external DoH traffic at the network edge.
  • Inventory all network edge devices and monitor them for suspicious connectivity.
  • Ensure proper network segmentation, in particular between the DMZ and management infrastructure such as vCenter.

Additional detection resources are available in the joint Malware Analysis Report (MAR), BRICKSTORM Backdoor.
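Blocking unauthorized DoH is only half of the recommendation above; you also want to know who was already using it. The script below is an added example, not a CISA rule, that hunts for RFC 8484 DoH requests in web-proxy logs and flags any that do not go to an approved resolver. It assumes a simple space-separated proxy log format (the log lines are constructed), a hypothetical sanctioned internal resolver `doh.corp.example`, and the public DoH hostnames listed in the code; for GET-style DoH it also decodes the `dns=` parameter so the hunted query name appears in the finding.

```python
"""Flag DNS-over-HTTPS (RFC 8484) requests to non-approved resolvers in proxy logs.
Added example; not code from CISA, the MAR, or Gopher Security.
Assumptions: log format "ts src method url content-type" (constructed below),
a hypothetical approved resolver doh.corp.example, and the public DoH hosts listed."""
import base64
import binascii
import struct
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

APPROVED_DOH_HOSTS = {"doh.corp.example"}  # hypothetical sanctioned enterprise resolver
KNOWN_PUBLIC_DOH_HOSTS = {  # real public DoH endpoints a server should never talk to directly
    "dns.google", "cloudflare-dns.com", "mozilla.cloudflare-dns.com", "dns.quad9.net",
}


@dataclass
class Finding:
    ts: str
    src: str
    host: str
    reason: str
    qname: str = ""


def _b64url_decode(s: str) -> bytes:
    try:
        return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))  # RFC 8484 omits padding
    except (binascii.Error, ValueError):
        return b""


def decode_dns_qname(wire: bytes) -> Optional[str]:
    """Return the first question name of a wire-format DNS query (RFC 1035), or None
    if the bytes are not a plausible query (too short, QR bit set, no question, bad labels)."""
    if len(wire) < 12:
        return None
    _id, flags, qdcount = struct.unpack("!HHH", wire[:6])
    if flags & 0x8000 or qdcount == 0:  # QR=1 marks a response, not a query
        return None
    labels, pos = [], 12
    while pos < len(wire):
        n = wire[pos]
        pos += 1
        if n == 0:
            return ".".join(labels) if labels else None
        if n & 0xC0 or pos + n > len(wire):  # compression pointers are invalid in a question
            return None
        labels.append(wire[pos:pos + n].decode("ascii", "replace"))
        pos += n
    return None


def classify(ts: str, src: str, method: str, url: str, content_type: str) -> Optional[Finding]:
    """Return a Finding if the request looks like DoH and the destination is not approved."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    if host in APPROVED_DOH_HOSTS:
        return None
    reason, qname = None, ""
    if "application/dns-message" in content_type.lower():
        reason = "DoH media type"
    if u.path.endswith("/dns-query"):
        reason = reason or "DoH path"
        if method == "GET":  # GET carries the base64url wire-format query in dns=
            for param in parse_qs(u.query).get("dns", []):
                qname = decode_dns_qname(_b64url_decode(param)) or ""
    if reason is None and host in KNOWN_PUBLIC_DOH_HOSTS:
        reason = "known public DoH resolver"
    return Finding(ts, src, host, reason, qname) if reason else None


def scan_proxy_log(lines: List[str]) -> List[Finding]:
    findings = []
    for line in lines:
        parts = line.split(maxsplit=4)
        if len(parts) == 5:
            f = classify(*parts)
            if f:
                findings.append(f)
    return findings


def _make_dns_get_param(name: str) -> str:
    """Build a base64url dns= value for an A query; used only to construct the sample log."""
    q = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    wire = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0) + q + struct.pack("!HH", 1, 1)
    return base64.urlsafe_b64encode(wire).rstrip(b"=").decode()


# Constructed sample proxy log: ts src method url content-type ("-" when absent)
SAMPLE_LOG = [
    "2025-12-01T10:00:01Z 10.0.5.20 GET https://www.example.org/index.html text/html",
    "2025-12-01T10:00:02Z 10.0.5.20 POST https://doh.corp.example/dns-query application/dns-message",
    f"2025-12-01T10:00:03Z 10.0.5.44 GET https://dns.google/dns-query?dns={_make_dns_get_param('update.example.net')} -",
    "2025-12-01T10:00:04Z 10.0.5.44 POST https://203.0.113.7/dns-query application/dns-message",
    "2025-12-01T10:00:05Z 10.0.5.44 GET https://cloudflare-dns.com/ text/html",
]

if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG):
        print(f"{f.ts} {f.src} -> {f.host}: {f.reason} {f.qname}".rstrip())
```

The media-type and `/dns-query` checks catch DoH to any host, including a bare IP, while the hostname list only catches the well-known providers; an implant that uses its own resolver on an unlisted host is still caught by the first two. Only TLS-intercepting proxies see the path and content type, so on a non-intercepting egress the hostname (from SNI) is the only usable signal.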

Indicators of Compromise (IOCs)

CISA has provided a downloadable copy of IOCs associated with this malware: MAR-251165.c1.v1.CLEAR. This includes file names, sizes, MD5, SHA1, SHA256, SHA512, ssdeep, and entropy values for multiple BRICKSTORM samples.

YARA and Sigma Rules

The malware analysis report includes YARA and Sigma rules to aid in detection.

Incident Response

If BRICKSTORM or similar malware is detected, report the incident to CISA’s 24/7 Operations Center at contact@cisa.dhs.gov or (888) 282-0870.

Gopher Security's AI-Powered Zero-Trust Architecture

In light of these threats, consider adopting a Zero-Trust cybersecurity architecture. Gopher Security specializes in AI-powered, post-quantum Zero-Trust solutions, converging networking and security across devices, apps, and environments using peer-to-peer encrypted tunnels and quantum-resistant cryptography. This approach enhances your defense against sophisticated malware like BRICKSTORM.

Malware Metadata Examples

The following tables provide metadata for some of the analyzed BRICKSTORM samples:

Table 1. BRICKSTORM Sample 1

File Name: vmsrc
MD5: 8e4c88d00b6eb46229a1ed7001451320
SHA256: aaf5569c8e349c15028bc3fac09eb982efb06eabac955b705a6d447263658e38

Table 2. BRICKSTORM Sample 2

File Name: vnetd
MD5: 39111508bfde89ce6e0fe6abe0365552
SHA256: 013211c56caaa697914b5b5871e4998d0298902e336e373ebb27b7db30917eaf

Table 3. BRICKSTORM Sample 3

File Name: if-up
MD5: dbca28ad420408850a94d5c325183b28
SHA256: 57bd98dbb5a00e54f07ffacda1fea91451a0c0b532cd7d570e98ce2ff741c21d

(See the original CISA report for the complete list.)
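To put the hashes above to use, the script below walks a filesystem, hashes every regular file once, and reports matches against the MD5/SHA256 values from the three tables, plus a weaker "name reused on an ELF binary" signal for files called vmsrc, vnetd or if-up. It is an added example, not the MAR's tooling; the hash values are copied from the tables, while the directory tree it scans in the demo is constructed (an ELF-magic stub named vnetd and a harmless if-up shell script), so in the demo only the name signal fires.

```python
"""Scan a directory tree for the BRICKSTORM sample hashes quoted on this page.
Added example, not CISA tooling. Hash values are from the three tables above;
the demo directory tree is constructed and contains no real malware."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# (MD5, SHA256) per sample file name, copied from Tables 1-3 (MAR-251165.c1.v1.CLEAR).
BRICKSTORM_IOCS: Dict[str, Tuple[str, str]] = {
    "vmsrc": ("8e4c88d00b6eb46229a1ed7001451320",
              "aaf5569c8e349c15028bc3fac09eb982efb06eabac955b705a6d447263658e38"),
    "vnetd": ("39111508bfde89ce6e0fe6abe0365552",
              "013211c56caaa697914b5b5871e4998d0298902e336e373ebb27b7db30917eaf"),
    "if-up": ("dbca28ad420408850a94d5c325183b28",
              "57bd98dbb5a00e54f07ffacda1fea91451a0c0b532cd7d570e98ce2ff741c21d"),
}


def hash_file(path: Path, chunk: int = 1 << 20) -> Tuple[str, str]:
    """Compute MD5 and SHA256 in a single pass so large files are read only once."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()


def is_elf(path: Path) -> bool:
    with path.open("rb") as fh:
        return fh.read(4) == b"\x7fELF"


def scan_tree(root: Path, iocs: Dict[str, Tuple[str, str]] = BRICKSTORM_IOCS) -> List[dict]:
    """Return one record per file that matches a hash IOC, or that reuses a known sample
    name on an ELF binary (a weaker signal: the real if-up is a shell script, not ELF)."""
    md5_set = {m for m, _ in iocs.values()}
    sha_set = {s for _, s in iocs.values()}
    names = set(iocs)
    hits = []
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        md5, sha = hash_file(p)
        reasons = []
        if sha in sha_set:
            reasons.append("sha256")
        if md5 in md5_set:
            reasons.append("md5")
        if p.name in names and is_elf(p):
            reasons.append("name+elf")
        if reasons:
            hits.append({"path": str(p), "sha256": sha, "reasons": reasons})
    return hits


def build_demo_tree(root: Path) -> None:
    """Constructed fixtures: an ELF-magic stub reusing a sample name, and a benign script."""
    (root / "usr" / "lib").mkdir(parents=True)
    (root / "usr" / "lib" / "vnetd").write_bytes(b"\x7fELF\x02\x01\x01" + b"\x00" * 61)
    (root / "etc").mkdir()
    (root / "etc" / "if-up").write_text("#!/bin/sh\nexit 0\n")


def demo_scan(extra_iocs: Optional[Dict[str, Tuple[str, str]]] = None) -> List[dict]:
    """Build the constructed tree in a temp dir and scan it; extra_iocs extends the IOC set."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_demo_tree(root)
        return scan_tree(root, {**BRICKSTORM_IOCS, **(extra_iocs or {})})


if __name__ == "__main__":
    for hit in demo_scan():
        print(hit)
```

Run `scan_tree(Path("/"))` on a vCenter or ESXi-adjacent Linux host (or on a mounted image of one) to check the whole filesystem; a hash match is conclusive, a name-only hit needs triage, and neither replaces the YARA and Sigma rules in the MAR, which catch samples whose hashes differ.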

Call to Action

Protect your organization from advanced threats like BRICKSTORM with a robust, Zero-Trust cybersecurity architecture. Visit Gopher Security to explore our AI-powered solutions and discover how we can help you secure your network against evolving cyber threats. Contact us today for a consultation.

Divyansh Ingle

Head of Engineering

AI and cybersecurity expert with 15 years of large-scale system engineering experience and a hands-on engineering director.
