AT2k Design BBS Message Area
Networked Database: Computer Support/Help/Discussion...   [1389 / 2005]

From: digimaus
To: All
Subject: BRICKSTORM Malware advisory
Date/Time: December 4, 2025 11:51 AM

(A CISA advisory.)

From: https://shorturl.at/JjuIa (cisa.gov)

PRC State-Sponsored Actors Use BRICKSTORM Malware Across Public Sector
and Information Technology Systems

12/04/2025 11:00 AM EST

The Cybersecurity and Infrastructure Security Agency (CISA) is aware
of ongoing intrusions by People's Republic of China (PRC)
state-sponsored cyber actors using BRICKSTORM malware for long-term
persistence on victim systems. BRICKSTORM is a sophisticated backdoor
for VMware vSphere[1][2] and Windows environments.[3] Victim organizations
are primarily in the Government Services and Facilities and
Information Technology Sectors. BRICKSTORM enables cyber threat actors
to maintain stealthy access and provides capabilities for initiation,
persistence, and secure command and control. The malware employs
advanced functionality, including multiple layers of encryption (e.g.,
HTTPS, WebSockets, and nested TLS), DNS-over-HTTPS (DoH) to conceal
communications, and a SOCKS proxy to facilitate lateral movement and
tunneling within victim networks. BRICKSTORM also incorporates
long-term persistence mechanisms, such as a self-monitoring function
that automatically reinstalls or restarts the malware if disrupted,
ensuring its continued operation.

The initial access vector varies. In one confirmed compromise, PRC
state-sponsored cyber actors accessed a web server inside the
organization's demilitarized zone (DMZ), moved laterally to an
internal VMware vCenter server, then implanted BRICKSTORM malware. See
CISA, the National Security Agency, and Canadian Cyber Security
Centre's (Cyber Centre's) joint Malware Analysis Report (MAR)
BRICKSTORM Backdoor for analysis of the BRICKSTORM sample CISA
obtained during an incident response engagement for this victim. The
MAR also discusses seven additional BRICKSTORM samples, which exhibit
variations in functionality and capabilities, further highlighting the
complexity and adaptability of this malware.

After obtaining access to victim systems, PRC state-sponsored cyber
actors obtain and use legitimate credentials by performing system
backups or capturing Active Directory database information to
exfiltrate sensitive information. Cyber actors then target VMware
vSphere platforms to steal cloned virtual machine (VM) snapshots for
credential extraction and create hidden rogue VMs to evade detection.

CISA recommends that network defenders hunt for existing intrusions
and mitigate further compromise by taking the following actions:

  - Scan for BRICKSTORM using CISA-created YARA and Sigma rules; see
joint MAR BRICKSTORM Backdoor.
  - Block unauthorized DNS-over-HTTPS (DoH) providers and external DoH
network traffic to reduce unmonitored communications.
  - Take inventory of all network edge devices and monitor for any
suspicious network connectivity originating from these devices.
  - Ensure proper network segmentation that restricts network traffic
from the DMZ to the internal network.

See joint MAR BRICKSTORM Backdoor for additional detection resources.
If BRICKSTORM, similar malware, or potentially related activity is
detected, report the incident to CISA's 24/7 Operations Center
at contact@cisa.dhs.gov or (888) 282-0870.

Disclaimer: The information in this report is being provided “as is”
for informational purposes only. CISA does not endorse any commercial
entity, product, company, or service, including any entities,
products, or services linked within this document. Any reference to
specific commercial entities, products, processes, or services by
service mark, trademark, manufacturer, or otherwise, does not
constitute or imply endorsement, recommendation, or favoring by CISA.

Notes

[1] Matt Lin et al., "Cutting Edge, Part 4: Ivanti Connect Secure VPN
Post-Exploitation Lateral Movement Case Studies," Google Cloud Blog,
April 4, 2024,
https://cloud.google.com/blog/topics/threat-i...
on-lateral-movement.

[2] Maxime, "NVISO analyzes BRICKSTORM espionage backdoor," NVISO, April
15, 2025,
https://www.nviso.eu/blog/nviso-analyzes-bric...

[3] Sarah Yoder et al., "Another BRICKSTORM: Stealthy Backdoor Enabling
Espionage into Tech and Legal Sectors," Google Cloud Blog, September
24, 2025,
https://cloud.google.com/blog/topics/threat-i...
ampaign.
... When all else fails, read the instructions.
--- MultiMail/Win
 * Origin: Outpost BBS * Johnson City, TN (618:618/1)
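Added example, not part of the advisory or of the post above: the second hunt action, blocking unauthorized DoH, is easiest to turn into a detection where the egress proxy or firewall logs the destination hostname (Host header or TLS SNI), the URL path and the content type. The Python below scans constructed proxy log lines for three DoH tells: a well-known public DoH resolver, the RFC 8484 /dns-query path, and the application/dns-message or application/dns-json content types. It raises severity when the source sits in a server subnet that should never resolve names directly, which is where a vCenter implant would show up. The log field layout, the 10.10.20.0/24 server range, the doh.corp.example allowlist entry and the sample lines are assumptions made for illustration.

```python
"""Hunt for unauthorized DNS-over-HTTPS (DoH) egress in proxy logs.

Added example, not CISA's code. Assumed, for illustration only:
  - one log line per request: ts,src_ip,dst_host,dst_port,path,content_type
  - SERVER_NETS, AUTHORIZED_DOH and the SAMPLE_LOG lines are constructed
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Well-known public DoH resolvers (real endpoints). Any of these that is not
# on AUTHORIZED_DOH counts as an unauthorized provider per the advisory.
KNOWN_DOH_HOSTS = {
    "dns.google", "8.8.8.8", "8.8.4.4",
    "cloudflare-dns.com", "1.1.1.1", "1.0.0.1",
    "dns.quad9.net", "9.9.9.9",
    "doh.opendns.com",
}
# RFC 8484 wire format, plus the JSON dialect served by Google and Cloudflare
DOH_CONTENT_TYPES = {"application/dns-message", "application/dns-json"}
DOH_PATH = "/dns-query"  # path most DoH clients and servers default to

# Assumption: server VLAN (e.g. vCenter/ESXi management) that must resolve
# only through the corporate resolver, never directly via DoH.
SERVER_NETS = [ipaddress.ip_network("10.10.20.0/24")]
AUTHORIZED_DOH = {"doh.corp.example"}  # hypothetical internal DoH resolver


@dataclass
class Finding:
    ts: str
    src_ip: str
    dst_host: str
    reasons: Tuple[str, ...]
    severity: str


def classify(line: str) -> Optional[Finding]:
    """Return a Finding if the log line looks like DoH, else None."""
    fields = line.strip().split(",")
    if len(fields) != 6:
        return None  # malformed line: skip rather than crash the hunt
    ts, src_ip, dst_host, _dst_port, path, ctype = fields
    host = dst_host.lower()
    if host in AUTHORIZED_DOH:
        return None

    reasons = []
    if host in KNOWN_DOH_HOSTS:
        reasons.append("known public DoH resolver")
    if path == DOH_PATH or path.startswith(DOH_PATH + "?"):
        reasons.append("/dns-query path")
    if ctype.lower() in DOH_CONTENT_TYPES:
        reasons.append("DoH content-type " + ctype)
    if not reasons:
        return None

    try:
        src = ipaddress.ip_address(src_ip)
    except ValueError:
        return None  # unparsable source address
    from_server = any(src in net for net in SERVER_NETS)
    return Finding(ts, src_ip, host, tuple(reasons),
                   "high" if from_server else "medium")


def hunt(lines: Iterable[str]) -> List[Finding]:
    """Run classify() over a log and keep the hits, in log order."""
    return [f for f in (classify(l) for l in lines) if f is not None]


# Constructed sample log (not real traffic). 203.0.113.0/24 is a documentation
# range standing in for attacker-controlled infrastructure.
SAMPLE_LOG = [
    "2025-12-04T11:00:01Z,10.10.20.15,dns.google,443,"
    "/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB,application/dns-message",
    "2025-12-04T11:00:02Z,10.10.50.7,www.example.com,443,/index.html,text/html",
    "2025-12-04T11:00:03Z,10.10.50.7,cloudflare-dns.com,443,/dns-query,application/dns-json",
    "2025-12-04T11:00:04Z,10.10.20.15,doh.corp.example,443,/dns-query,application/dns-message",
    "2025-12-04T11:00:05Z,10.10.20.22,203.0.113.9,443,/dns-query,application/dns-message",
    "not,a,valid,line",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f.severity:6} {f.ts} {f.src_ip} -> {f.dst_host}: "
              + ", ".join(f.reasons))
```

A DoH server the actor runs on their own infrastructure (the fifth sample line, a documentation-range address) is still caught by the path and content-type checks even though the host is unknown. On a TLS flow log without decryption only the hostname check can fire, so treat that mode as a hunt lead rather than a block rule, and back it with a firewall policy that permits outbound port 53 and HTTPS to resolver endpoints only from the resolvers you operate.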