PRC State-Sponsored BRICKSTORM Malware Targets Critical Infrastructure

Divyansh Ingle

Head of Engineering

 
December 9, 2025 3 min read

TL;DR

PRC state-sponsored actors are deploying the BRICKSTORM backdoor for long-term persistence, primarily in VMware vSphere environments, with Windows variants also reported. It hides its command and control (C2) inside layered HTTPS, WebSocket and nested TLS channels, resolves its C2 infrastructure over DNS-over-HTTPS (DoH) so that the lookups never reach the enterprise resolver, and some samples act as a SOCKS proxy for lateral movement. CISA recommends hunting with its YARA and Sigma rules and published IOCs, blocking unauthorized DoH, and tightening network segmentation.

PRC State-Sponsored Actors Employ BRICKSTORM Malware

CISA has released an alert on ongoing intrusions by People's Republic of China (PRC) state-sponsored cyber actors who use BRICKSTORM malware for long-term persistence on victim systems. The activity primarily affects the Government Services and Facilities and Information Technology sectors.

BRICKSTORM Malware Overview

BRICKSTORM is a backdoor targeting VMware vSphere and Windows environments. According to NVISO, it is built for stealthy access, persistence, and secure command and control. It layers HTTPS, WebSockets and nested TLS to encrypt its traffic, and it uses DNS-over-HTTPS (DoH) to resolve its C2 infrastructure, bypassing the organization's own DNS servers and the logging attached to them. Some samples also provide a SOCKS proxy that the actors use for lateral movement.

Initial Access and Lateral Movement

The initial access vector varies, but one confirmed compromise involved PRC state-sponsored cyber actors accessing a web server inside the organization’s demilitarized zone (DMZ). They then moved laterally to an internal VMware vCenter server and implanted BRICKSTORM malware.

After gaining access, the actors obtain and use legitimate credentials, often by taking system backups or capturing the Active Directory database. On VMware vSphere they clone virtual machines and steal the copies so that credentials can be extracted offline; because the cloning happens at the hypervisor layer, it leaves no trace in the guest's own event logs. They also create hidden rogue VMs to evade detection.

Technical Details of BRICKSTORM

BRICKSTORM is a custom Go backdoor delivered as a Linux Executable and Linkable Format (ELF) binary. The analyzed samples vary in function but share the capabilities to maintain stealthy access and provide secure command and control (C2). While the analyzed samples targeted VMware vSphere environments, Windows versions have also been reported.

The malware maintains persistence using a self-monitoring function, automatically reinstalling or restarting if disrupted. CISA's report details that for C2, BRICKSTORM uses multiple encryption layers (HTTPS, WebSockets, nested TLS) to hide communications with the C2 server. It also uses DNS-over-HTTPS (DoH) and mimics web server functionality to blend its communications with legitimate traffic. For remote system control, BRICKSTORM provides interactive shell access and allows file manipulation. Some samples act as a SOCKS proxy, facilitating lateral movement.

Detection and Mitigation Recommendations

CISA recommends several actions for network defenders to hunt for existing intrusions and mitigate further compromise:

  • Scan for BRICKSTORM using CISA-created YARA and Sigma rules.
  • Block unauthorized DNS-over-HTTPS (DoH) providers and external DoH network traffic.
  • Inventory all network edge devices and monitor for suspicious network connectivity.
  • Ensure proper network segmentation.
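The second recommendation is the one most directly tied to how BRICKSTORM resolves its C2: any DoH that does not go to a resolver you operate is suspect. The script below is an added example of that hunt run over web proxy logs; it is not CISA's or NVISO's detection logic. It assumes a proxy that logs one request per line as "timestamp src_ip method url status content_type" and a single approved internal DoH resolver (doh.internal.example); both the log format and that hostname are assumptions, and the log lines are constructed, not real traffic. The known-resolver list, the /dns-query path and the application/dns-message media type are the conventions from RFC 8484 and the major public providers.

```python
"""Flag DNS-over-HTTPS (DoH) requests in web proxy logs and report any that
bypass the organisation's sanctioned resolver.

Added example, not CISA's or NVISO's tooling. Assumed log format:
  <ts> <src_ip> <method> <url> <status> <content_type>
The approved resolver hostname is also an assumption.
"""
import re
from urllib.parse import urlsplit

# Well-known public DoH resolvers. Deliberately incomplete: the path and
# media-type checks below catch resolvers that are not on this list.
KNOWN_DOH_HOSTS = {
    "dns.google", "cloudflare-dns.com", "mozilla.cloudflare-dns.com",
    "dns.quad9.net", "doh.opendns.com",
}
DOH_PATH = "/dns-query"                  # conventional RFC 8484 endpoint path
DOH_MEDIA_TYPE = "application/dns-message"  # RFC 8484 media type

# Assumption: the only host permitted to serve DoH on this network.
APPROVED_DOH_HOST = "doh.internal.example"

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<ctype>\S+)$"
)


def classify(line):
    """Return (src_ip, host, reasons) if the request looks like DoH, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m["url"])
    host = parts.hostname or ""
    reasons = []
    if host in KNOWN_DOH_HOSTS:
        reasons.append("known-doh-provider")
    if parts.path == DOH_PATH:
        reasons.append("dns-query-path")
    if m["ctype"].split(";")[0] == DOH_MEDIA_TYPE:
        reasons.append("dns-message-media-type")
    if not reasons:
        return None
    return m["src"], host, reasons


def find_unauthorized_doh(lines):
    """Return one alert dict per DoH request to any host other than the approved resolver."""
    alerts = []
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        src, host, reasons = hit
        if host != APPROVED_DOH_HOST:
            alerts.append({"src": src, "host": host, "reasons": reasons})
    return alerts


# Constructed sample log lines (not real traffic). The fourth line shows a
# resolver addressed by raw IP: no hostname match, but the path and media
# type still give it away.
SAMPLE_LOG = [
    "2025-12-09T10:00:01Z 10.10.5.23 POST https://dns.google/dns-query 200 application/dns-message",
    "2025-12-09T10:00:02Z 10.10.5.23 GET https://www.example.com/index.html 200 text/html",
    "2025-12-09T10:00:03Z 10.10.7.9 POST https://doh.internal.example/dns-query 200 application/dns-message",
    "2025-12-09T10:00:04Z 10.10.9.41 POST https://203.0.113.50/dns-query 200 application/dns-message",
    "2025-12-09T10:00:05Z 10.10.9.41 GET https://cdn.example.net/app.js 200 application/javascript",
]

if __name__ == "__main__":
    for a in find_unauthorized_doh(SAMPLE_LOG):
        print(f"DoH outside approved resolver: {a['src']} -> {a['host']} ({', '.join(a['reasons'])})")
```

The path and media-type fields are only visible when the proxy terminates TLS. With plain CONNECT tunnels you see just the destination host, so the hostname check is what remains, and a raw-IP resolver like the fourth sample line would slip through; that is why CISA's advice is to block external DoH at the network edge rather than rely on log review alone.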

Additional detection resources are available in the joint Malware Analysis Report (MAR), BRICKSTORM Backdoor.

Indicators of Compromise (IOCs)

CISA has provided a downloadable copy of IOCs associated with this malware: MAR-251165.c1.v1.CLEAR. It includes file names, sizes, MD5, SHA1, SHA256, SHA512, ssdeep, and entropy values for multiple BRICKSTORM samples. Hash matches identify only the analyzed builds; a recompiled sample will not match, so pair hash scans with the YARA and Sigma rules and with the network-level checks above.

YARA and Sigma Rules

The malware analysis report includes YARA and Sigma rules to aid in detection.

Incident Response

If BRICKSTORM or similar malware is detected, report the incident to CISA’s 24/7 Operations Center at contact@cisa.dhs.gov or (888) 282-0870.

Gopher Security's AI-Powered Zero-Trust Architecture

In light of these threats, consider adopting a Zero-Trust cybersecurity architecture. Gopher Security specializes in AI-powered, post-quantum Zero-Trust solutions, converging networking and security across devices, apps, and environments using peer-to-peer encrypted tunnels and quantum-resistant cryptography. This approach enhances your defense against sophisticated malware like BRICKSTORM.

Malware Metadata Examples

The following tables provide metadata for some of the analyzed BRICKSTORM samples:

Table 1. BRICKSTORM Sample 1

File Name: vmsrc
MD5: 8e4c88d00b6eb46229a1ed7001451320
SHA256: aaf5569c8e349c15028bc3fac09eb982efb06eabac955b705a6d447263658e38

Table 2. BRICKSTORM Sample 2

File Name: vnetd
MD5: 39111508bfde89ce6e0fe6abe0365552
SHA256: 013211c56caaa697914b5b5871e4998d0298902e336e373ebb27b7db30917eaf

Table 3. BRICKSTORM Sample 3

File Name: if-up
MD5: dbca28ad420408850a94d5c325183b28
SHA256: 57bd98dbb5a00e54f07ffacda1fea91451a0c0b532cd7d570e98ce2ff741c21d

(See the original CISA report for the complete list.)
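The hashes in Tables 1 to 3 are enough to run a first-pass sweep of a host, so here is an added example of doing that; it is not CISA's tooling. The MD5 and SHA-256 values are copied from the tables above; the function names, the directory you point it at, and the file written in the test are assumptions. It matches on hash only, so a renamed sample still matches and a benign file that happens to be called vmsrc does not.

```python
"""Hash every file under a directory and report any whose MD5 or SHA-256
matches a BRICKSTORM sample from the tables above.

Added example, not CISA's scanner. Hash values are from Tables 1-3;
everything else (names, paths) is an assumption.
"""
import hashlib
import os

# MD5 and SHA-256 from Tables 1-3, labelled with the reported file name.
BRICKSTORM_IOCS = {
    "8e4c88d00b6eb46229a1ed7001451320": "vmsrc (MD5)",
    "aaf5569c8e349c15028bc3fac09eb982efb06eabac955b705a6d447263658e38": "vmsrc (SHA256)",
    "39111508bfde89ce6e0fe6abe0365552": "vnetd (MD5)",
    "013211c56caaa697914b5b5871e4998d0298902e336e373ebb27b7db30917eaf": "vnetd (SHA256)",
    "dbca28ad420408850a94d5c325183b28": "if-up (MD5)",
    "57bd98dbb5a00e54f07ffacda1fea91451a0c0b532cd7d570e98ce2ff741c21d": "if-up (SHA256)",
}


def hash_file(path, chunk_size=1 << 20):
    """Return (md5, sha256) hex digests, streamed so large files are not read into memory at once."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def scan_tree(root, iocs=BRICKSTORM_IOCS):
    """Walk root and return [(path, label)] for every regular file whose hash is in iocs."""
    matches = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            # Skip symlinks and specials; a symlink pointing at a sample is
            # reported via its target when that file is walked.
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                md5, sha256 = hash_file(path)
            except OSError:
                continue  # unreadable file: keep going rather than abort the sweep
            for digest in (md5, sha256):
                if digest in iocs:
                    matches.append((path, iocs[digest]))
                    break  # one report per file even if both digests match
    return matches


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    hits = scan_tree(root)
    for path, label in hits:
        print(f"MATCH {label}: {path}")
    print(f"{len(hits)} match(es) under {root}")
```

Run it against the filesystem of the vCenter appliance or whichever host you are triaging, with the root given as the first argument. Because it hashes everything it walks, point it at a mounted image or a narrowed directory tree rather than an entire datastore unless you have the time.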

Call to Action

Protect your organization from advanced threats like BRICKSTORM with a robust, Zero-Trust cybersecurity architecture. Visit Gopher Security to explore our AI-powered solutions and discover how we can help you secure your network against evolving cyber threats. Contact us today for a consultation.

Divyansh Ingle
Head of Engineering

AI and cybersecurity expert with 15 years of large-scale system engineering experience and a hands-on engineering director.
