PRC State-Sponsored BRICKSTORM Malware Targets Critical Infrastructure

Divyansh Ingle, Head of Engineering

December 9, 2025

TL;DR

  • PRC state-sponsored actors are deploying BRICKSTORM malware for long-term persistence, primarily targeting VMware vSphere and Windows environments. This sophisticated backdoor uses advanced encryption (HTTPS, WebSockets, DoH) and techniques like SOCKS proxy for stealthy command and control and lateral movement. CISA recommends scanning for indicators, blocking unauthorized DoH, and improving network segmentation to mitigate this threat.

PRC State-Sponsored Actors Employ BRICKSTORM Malware

CISA has released an alert regarding ongoing intrusions by People’s Republic of China (PRC) state-sponsored cyber actors using BRICKSTORM malware for long-term persistence on victim systems. The intrusions have primarily affected the Government Services and Facilities and Information Technology sectors.

BRICKSTORM Malware Overview

BRICKSTORM is a sophisticated backdoor targeting VMware vSphere and Windows environments. According to NVISO, it's designed for stealthy access, initiation, persistence, and secure command and control. It uses multiple layers of encryption, including HTTPS, WebSockets, and nested TLS, along with DNS-over-HTTPS (DoH) to conceal communications. The malware also features a SOCKS proxy for lateral movement.

Initial Access and Lateral Movement

The initial access vector varies, but one confirmed compromise involved PRC state-sponsored cyber actors accessing a web server inside the organization’s demilitarized zone (DMZ). They then moved laterally to an internal VMware vCenter server and implanted BRICKSTORM malware.

After gaining access, the actors obtain and use legitimate credentials, often by performing system backups or capturing Active Directory database information. They target VMware vSphere platforms to steal cloned virtual machine (VM) snapshots for credential extraction and create hidden rogue VMs to evade detection.

Technical Details of BRICKSTORM

BRICKSTORM is a custom Executable and Linkable Format (ELF) Go-based backdoor. The samples analyzed vary in function but share the capabilities to maintain stealthy access and provide secure command and control (C2). While the analyzed samples targeted VMware vSphere environments, there are reports of Windows versions as well.

The malware maintains persistence using a self-monitoring function, automatically reinstalling or restarting if disrupted. CISA's report details that for C2, BRICKSTORM uses multiple encryption layers (HTTPS, WebSockets, nested TLS) to hide communications with the C2 server. It also uses DNS-over-HTTPS (DoH) and mimics web server functionality to blend its communications with legitimate traffic. For remote system control, BRICKSTORM provides interactive shell access and allows file manipulation. Some samples act as a SOCKS proxy, facilitating lateral movement.

Detection and Mitigation Recommendations

CISA recommends several actions for network defenders to hunt for existing intrusions and mitigate further compromise:

  • Scan for BRICKSTORM using CISA-created YARA and Sigma rules.
  • Block unauthorized DNS-over-HTTPS (DoH) providers and external DoH network traffic.
  • Inventory all network edge devices and monitor for suspicious network connectivity.
  • Ensure proper network segmentation.

Additional detection resources are available in the joint Malware Analysis Report (MAR), BRICKSTORM Backdoor.
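The alert's C2 description (DoH and web-server mimicry used to blend in with legitimate traffic) and its recommendation to block unauthorized DoH providers both come down to the same hunt: find DoH requests that do not go to the resolver you sanctioned. The script below is an added example, not code from CISA or from Gopher Security. It assumes web-proxy logs in a constructed five-field format (timestamp, client, method, URL, request Content-Type), a hypothetical allowlist of one corporate resolver, and the RFC 8484 conventions that DoH requests carry the `application/dns-message` media type and, by convention, a `/dns-query` path. The public resolver hostnames are real; the sample log lines are constructed.

```python
"""Flag DNS-over-HTTPS (DoH) requests to resolvers outside an allowlist.

Added example for this article; not from the CISA alert or the original post.
Log format (constructed): "<timestamp> <client-ip> <method> <url> <content-type>".
"""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Hypothetical allowlist: only the organisation's sanctioned DoH resolver.
ALLOWED_DOH_HOSTS = {"doh.corp.example"}

# Well-known public DoH endpoints (real hostnames; the list is illustrative, not exhaustive).
KNOWN_PUBLIC_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}


@dataclass
class Finding:
    client: str
    host: str
    reason: str


def parse_line(line):
    """Split one constructed proxy log line into its fields; None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    timestamp, client, method, url, content_type = parts
    return {"ts": timestamp, "client": client, "method": method,
            "url": url, "ctype": content_type}


def doh_reason(host, path, query, content_type):
    """Return why a request looks like DoH, or None if it does not."""
    if content_type.lower() == "application/dns-message":
        return "DoH media type (RFC 8484)"          # catches DoH on non-standard paths
    if path == "/dns-query" or "dns" in parse_qs(query):
        return "DoH path or dns= query parameter"  # GET form carries base64url DNS message
    if host in KNOWN_PUBLIC_DOH_HOSTS:
        return "known public DoH provider"
    return None


def detect_unauthorized_doh(lines, allowed=ALLOWED_DOH_HOSTS):
    """Return one Finding per DoH-looking request whose host is not allowlisted."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        u = urlparse(rec["url"])
        host = (u.hostname or "").lower()
        reason = doh_reason(host, u.path, u.query, rec["ctype"])
        if reason is None or host in allowed:
            continue
        findings.append(Finding(rec["client"], host, reason))
    return findings


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    "2025-12-09T10:00:01Z 10.1.2.3 POST https://doh.corp.example/dns-query application/dns-message",
    "2025-12-09T10:00:02Z 10.1.2.3 POST https://dns.google/dns-query application/dns-message",
    "2025-12-09T10:00:03Z 10.1.2.4 GET https://203.0.113.10/dns-query?dns=AAABAAABAAAAAAAAA2NpYQ -",
    "2025-12-09T10:00:04Z 10.1.2.5 GET https://www.example.com/index.html text/html",
    "2025-12-09T10:00:05Z 10.1.2.6 POST https://cdn.example.net/api application/dns-message",
]

if __name__ == "__main__":
    for f in detect_unauthorized_doh(SAMPLE_LOG):
        print(f"{f.client} -> {f.host}: {f.reason}")
```

The first line is the sanctioned resolver and is skipped; the second is a public provider; the third is DoH to a bare IP on the standard path; the fifth is DoH hidden behind an unremarkable path and only the media type gives it away, which is why a provider blocklist alone is not enough and the content type should be inspected where TLS interception makes it visible.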

Indicators of Compromise (IOCs)

CISA has provided a downloadable copy of IOCs associated with this malware: MAR-251165.c1.v1.CLEAR. This includes file names, sizes, MD5, SHA1, SHA256, SHA512, ssdeep, and entropy values for multiple BRICKSTORM samples.

YARA and Sigma Rules

The malware analysis report includes YARA and Sigma rules to aid in detection.

Incident Response

If BRICKSTORM or similar malware is detected, report the incident to CISA’s 24/7 Operations Center at contact@cisa.dhs.gov or (888) 282-0870.

Gopher Security's AI-Powered Zero-Trust Architecture

In light of these threats, consider adopting a Zero-Trust cybersecurity architecture. Gopher Security specializes in AI-powered, post-quantum Zero-Trust solutions, converging networking and security across devices, apps, and environments using peer-to-peer encrypted tunnels and quantum-resistant cryptography. This approach enhances your defense against sophisticated malware like BRICKSTORM.

Malware Metadata Examples

The following tables provide metadata for some of the analyzed BRICKSTORM samples:

Table 1. BRICKSTORM Sample 1

File Name: vmsrc
MD5:       8e4c88d00b6eb46229a1ed7001451320
SHA256:    aaf5569c8e349c15028bc3fac09eb982efb06eabac955b705a6d447263658e38

Table 2. BRICKSTORM Sample 2

File Name: vnetd
MD5:       39111508bfde89ce6e0fe6abe0365552
SHA256:    013211c56caaa697914b5b5871e4998d0298902e336e373ebb27b7db30917eaf

Table 3. BRICKSTORM Sample 3

File Name: if-up
MD5:       dbca28ad420408850a94d5c325183b28
SHA256:    57bd98dbb5a00e54f07ffacda1fea91451a0c0b532cd7d570e98ce2ff741c21d

(See the original CISA report for the complete list.)
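A minimal way to act on the IOC section and the three tables above is a read-only hash sweep of the hosts you care about (vCenter appliances and other Linux systems in this case). The script below is an added example, not CISA's or Gopher Security's tooling. The MD5 and SHA256 values are the three sample hashes quoted in this article; the directory walk, the weak filename heuristic and the reporting are this example's own. Real hunting should use the full MAR hash list and the YARA/Sigma rules, since hash matching misses any recompiled sample.

```python
"""Match files on disk against the BRICKSTORM sample hashes quoted in the article.

Added example; not from the CISA MAR or the original post. Read-only: it never
modifies or quarantines anything.
"""
import hashlib
import os
from pathlib import Path

# Hashes of the three samples listed in the article's tables.
BRICKSTORM_IOCS = {
    "md5": {
        "8e4c88d00b6eb46229a1ed7001451320",  # vmsrc
        "39111508bfde89ce6e0fe6abe0365552",  # vnetd
        "dbca28ad420408850a94d5c325183b28",  # if-up
    },
    "sha256": {
        "aaf5569c8e349c15028bc3fac09eb982efb06eabac955b705a6d447263658e38",  # vmsrc
        "013211c56caaa697914b5b5871e4998d0298902e336e373ebb27b7db30917eaf",  # vnetd
        "57bd98dbb5a00e54f07ffacda1fea91451a0c0b532cd7d570e98ce2ff741c21d",  # if-up
    },
}
# File names the samples were observed under; a name match alone is only a weak hint.
BRICKSTORM_NAMES = {"vmsrc", "vnetd", "if-up"}


def hash_file(path, chunk_size=1 << 20):
    """Return (md5, sha256) hex digests, streaming so large files don't load into memory."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def classify(path, iocs=BRICKSTORM_IOCS, names=BRICKSTORM_NAMES):
    """Return the list of reasons this file matched; an empty list means no match."""
    reasons = []
    md5, sha256 = hash_file(path)
    if sha256 in iocs["sha256"]:
        reasons.append("sha256 match")
    if md5 in iocs["md5"]:
        reasons.append("md5 match")
    if Path(path).name in names:
        reasons.append("filename match (weak)")
    return reasons


def scan_tree(root, iocs=BRICKSTORM_IOCS, names=BRICKSTORM_NAMES):
    """Walk root without following symlinks; return {path: reasons} for every hit."""
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            p = os.path.join(dirpath, name)
            if os.path.islink(p) or not os.path.isfile(p):
                continue  # skip symlinks, sockets, device nodes
            try:
                reasons = classify(p, iocs, names)
            except OSError:
                continue  # unreadable file; in real use, log it rather than drop it silently
            if reasons:
                hits[p] = reasons
    return hits


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, reasons in scan_tree(root).items():
        print(f"{path}: {', '.join(reasons)}")
```

Run it with the directory to sweep as the only argument. Any "sha256 match" is a confirmed sample and should be handled as an incident (see the reporting contact above); a "filename match (weak)" on its own only says the file deserves a look with the YARA rules from the MAR.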

Call to Action

Protect your organization from advanced threats like BRICKSTORM with a robust, Zero-Trust cybersecurity architecture. Visit Gopher Security to explore our AI-powered solutions and discover how we can help you secure your network against evolving cyber threats. Contact us today for a consultation.

Divyansh Ingle, Head of Engineering

AI and cybersecurity expert with 15 years of large-scale system engineering experience. Hands-on engineering director.
