The Cybersecurity and Infrastructure Security Agency (CISA) has released a comprehensive malware analysis report detailing BRICKSTORM, a sophisticated backdoor associated with Chinese state-sponsored cyber operations. This cybersecurity threat specifically targets VMware vSphere platforms, including vCenter servers and ESXi environments, posing a significant risk to organizations in government services and the information technology sectors. The report, initially issued in December 2025 and updated through January 2026, highlights BRICKSTORM’s ability to provide attackers with persistent, undetected access to compromised systems.
BRICKSTORM operates within virtualized environments, allowing threat actors to steal sensitive data, clone virtual machines, and move laterally across networks discreetly. Once established, the malware is designed to reinstall and relaunch itself if detected and removed, making it exceptionally difficult to eradicate. CISA identified BRICKSTORM during an incident response investigation where attackers maintained access to a victim organization for over a year, from April 2024 to September 2025. During this period, the actors compromised domain controllers and an Active Directory Federation Services server, successfully exporting cryptographic keys.
BRICKSTORM Malware Details and Threat Vector
The analysis of BRICKSTORM examined eleven malware samples recovered from victim organizations. Eight of the samples were written in the Go programming language, while the three most recent variants were built with Rust. This change in implementation language reflects ongoing development by the threat actors behind the malware. CISA’s findings indicate a progression in the attackers’ methods, moving from initial compromise of web servers to lateral movement through domain controllers and ultimately targeting VMware vCenter servers.
Initial access for BRICKSTORM is typically gained through compromised web servers situated in demilitarized zones (DMZs). From these initial footholds, the attackers leverage stolen service account credentials and Remote Desktop Protocol (RDP) connections to move laterally within the network. Their ultimate objective is to upload the BRICKSTORM malware to VMware vCenter servers. The malware then establishes itself in system directories, such as /etc/sysconfig/, and modifies system initialization scripts to ensure its automatic execution upon system startup.
Infection and Persistence Mechanisms
BRICKSTORM’s persistence mechanisms are particularly robust. The backdoor possesses built-in self-monitoring capabilities that continuously check its operational status. If the malware detects that it is no longer running, it automatically reinstalls and restarts itself from predefined file locations. This automated self-healing feature makes manual removal by security teams significantly more challenging, as the malware can quickly re-establish its presence.
The malware establishes encrypted communication channels with its command-and-control (C2) servers. It initially uses DNS-over-HTTPS (DoH) to mask its traffic, routing it through legitimate public DNS resolvers from major providers like Cloudflare, Google, and Quad9. This technique helps to obscure malicious network activity within otherwise normal encrypted web traffic. Once an initial connection is made, BRICKSTORM upgrades the communication to secure WebSocket sessions, which are further protected by multiple nested encryption layers. These encrypted tunnels allow attackers to execute interactive commands, browse file systems, upload and download files, and set up SOCKS proxies for further lateral movement within the compromised network.
CISA’s Mitigation and Detection Guidance
To aid in the detection and removal of BRICKSTORM, CISA has released six YARA rules and one Sigma rule. These detection signatures are meticulously crafted to identify specific code patterns and behavioral indicators unique to the various BRICKSTORM malware variants. The agency strongly advises organizations to report any confirmed detections of BRICKSTORM immediately.
CISA recommends several mitigation strategies to protect against BRICKSTORM infections. These include ensuring VMware vSphere servers are up to date with the latest security patches, implementing robust network segmentation to limit lateral movement, and actively blocking unauthorized DNS-over-HTTPS providers. Implementing these measures can significantly reduce the attack surface and deter successful exploitation by sophisticated threats like BRICKSTORM. The ongoing development and sophistication of state-sponsored malware necessitate continuous vigilance and proactive security practices.
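As an added illustration of the two network behaviours described above (DoH to public resolvers, then a WebSocket upgrade to the C2 server) and of CISA's advice to block unauthorized DoH providers, the following Python is example detection logic written for this article, not code from CISA's report or its YARA/Sigma rules. The log columns, the asset role labels and the sample flow records are constructed assumptions; the three resolver hostnames are the well-known public DoH endpoints of the providers the report names.

```python
import csv
import io

# Well-known public DoH endpoints of the three providers named in the report
# (Cloudflare, Google, Quad9).
PUBLIC_DOH_HOSTS = {"cloudflare-dns.com", "dns.google", "dns.quad9.net"}

# Asset roles that have no business originating DoH or outbound WebSocket
# sessions themselves (assumed role labels taken from an asset inventory).
SENSITIVE_ROLES = {"vcenter", "esxi", "domain-controller", "adfs"}

# Constructed proxy/flow log; the column layout is an assumption, not a real product format.
SAMPLE_FLOW_LOG = """\
ts,src_host,src_role,dst_host,dst_port,path,upgrade,dst_internal
2025-09-01T10:00:00Z,vcsa01,vcenter,dns.google,443,/dns-query,,no
2025-09-01T10:00:05Z,vcsa01,vcenter,203.0.113.10,443,/ws,websocket,no
2025-09-01T10:01:00Z,resolver01,dns-resolver,dns.quad9.net,443,/dns-query,,no
2025-09-01T10:02:00Z,wks17,workstation,intranet.example.internal,443,/api,websocket,yes
2025-09-01T10:03:00Z,wks17,workstation,cloudflare-dns.com,443,/dns-query,,no
"""


def detect_c2_patterns(flow_log: str, approved_doh_hosts: set) -> list:
    """Return one finding dict per log line that matches either C2 pattern.

    Pattern 1: DoH to a provider outside the approved list, or DoH originating from a
               sensitive host at all (vCenter/ESXi should use the enterprise resolver).
    Pattern 2: WebSocket upgrade from a sensitive host to an external destination,
               the channel the report describes the backdoor upgrading to after DoH.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(flow_log)):
        dst, role = row["dst_host"].lower(), row["src_role"].lower()
        is_doh = dst in PUBLIC_DOH_HOSTS or row["path"].startswith("/dns-query")
        if is_doh and (dst not in approved_doh_hosts or role in SENSITIVE_ROLES):
            findings.append({"rule": "unauthorized_doh", "src": row["src_host"], "dst": dst})
        if (row["upgrade"].lower() == "websocket" and role in SENSITIVE_ROLES
                and row["dst_internal"] == "no"):
            findings.append({"rule": "external_websocket_from_sensitive_host",
                             "src": row["src_host"], "dst": dst})
    return findings


if __name__ == "__main__":
    # Only the enterprise resolver's upstream (Quad9 here) is an approved DoH provider.
    for f in detect_c2_patterns(SAMPLE_FLOW_LOG, approved_doh_hosts={"dns.quad9.net"}):
        print(f"{f['rule']}: {f['src']} -> {f['dst']}")
```

Run against the sample log, the vCenter host is flagged twice (DoH to an unapproved resolver, then an external WebSocket upgrade) and the workstation once, while the enterprise resolver's own DoH to the approved provider is left alone.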