The United States Cybersecurity and Infrastructure Security Agency (CISA) has released an alert detailing a sophisticated backdoor named BRICKSTORM, used by state-sponsored threat actors linked to the People’s Republic of China to maintain long-term access on compromised systems. According to CISA, BRICKSTORM targets VMware vSphere and Windows environments and allows attackers to perform a wide range of actions, including browsing, uploading, downloading, creating, deleting, and manipulating files. Written in Golang, the malware provides interactive shell access and stealthy command-and-control capabilities over protocols such as HTTPS, WebSockets, nested TLS, and DNS-over-HTTPS, while also functioning as a SOCKS proxy for lateral movement.
The malware has primarily been used against government and IT sector targets and represents a continuing evolution of Chinese cyber operations targeting edge devices and cloud infrastructure. CISA noted that BRICKSTORM can automatically reinstall or restart itself through self-monitoring, enabling persistent operation despite disruption attempts. The malware first appeared in 2024 through attacks exploiting Ivanti Connect Secure zero-day vulnerabilities, tracked as CVE-2023-46805 and CVE-2024-21887. Researchers attribute its use to UNC5221 and a China-linked threat cluster identified by CrowdStrike as Warp Panda.
Analyses by CrowdStrike and Google Mandiant indicate BRICKSTORM has been deployed in intrusions targeting U.S.-based legal, technology, and manufacturing entities. Attackers often gain initial access via internet-facing edge devices, using valid credentials or exploiting vCenter vulnerabilities, then move laterally with SSH, RDP, and SFTP to compromise VMware vCenter servers, Active Directory environments, and cloud systems. In several incidents, threat actors obtained managed service provider credentials to pivot between internal systems, exfiltrating cryptographic keys and deploying BRICKSTORM implants on ESXi hosts and guest VMs. Additional Golang implants, Junction and GuestConduit, were also used to facilitate inter-VM communication, command execution, and data tunneling.
The attackers are described as highly sophisticated, maintaining long-term, covert access while targeting sensitive data in cloud environments such as Microsoft Azure, OneDrive, SharePoint, and Exchange. CrowdStrike reports that they have leveraged session replay attacks, MFA device registration, and Microsoft Graph API enumeration to sustain persistence and access privileged accounts. CISA emphasized that the malware’s artifacts are designed to operate in virtualized environments, masquerading as legitimate vCenter processes while clearing logs, timestomping files, and creating temporary rogue VMs to hide activity.
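One of the evasion techniques mentioned above, timestomping, leaves a trace that defenders can hunt for on POSIX hosts such as ESXi or Linux guests: a process can rewrite a file's mtime and atime with utime(), but the kernel sets ctime to the current time on that same call and ctime cannot be set from userspace, so a file whose mtime is far older than its ctime has either been backdated or restored with preserved timestamps. The script below is an added example written for this article; it is not from CISA's alert, CrowdStrike or Mandiant, and it assumes POSIX ctime semantics (on Windows st_ctime is creation time, so the check does not apply there). The 24-hour gap threshold and the sample tree it builds are constructed for illustration.

```python
import os
import stat
import tempfile
import time

# Hypothetical default threshold: flag files whose mtime is more than this
# many seconds older than their ctime. Tune per environment.
DEFAULT_GAP_SECONDS = 24 * 60 * 60


def find_timestomped(root, gap_seconds=DEFAULT_GAP_SECONDS):
    """Walk `root` and return regular files whose mtime predates ctime by more than gap_seconds.

    On POSIX, utime()/touch can backdate mtime and atime, but the kernel updates
    ctime to 'now' on that call and ctime is not settable from userspace. A large
    ctime - mtime gap is therefore a timestomping indicator. Legitimate causes
    exist (tar -p extraction, rsync -t, package managers), so findings are triage
    leads, not verdicts.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):  # does not follow symlinks
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished; skip rather than abort the sweep
            if not stat.S_ISREG(st.st_mode):
                continue
            gap = st.st_ctime - st.st_mtime
            if gap > gap_seconds:
                findings.append({
                    "path": path,
                    "mtime": st.st_mtime,
                    "ctime": st.st_ctime,
                    "gap_seconds": gap,
                })
    # Largest discrepancies first: those are the most anomalous.
    findings.sort(key=lambda f: f["gap_seconds"], reverse=True)
    return findings


def build_demo_tree(days_back=30):
    """Build a constructed sample tree: one file with a backdated mtime, one untouched.

    Returns (root, backdated_path, normal_path). Names are placeholders, not indicators.
    """
    root = tempfile.mkdtemp(prefix="timestomp_demo_")
    backdated = os.path.join(root, "service.log")
    normal = os.path.join(root, "notes.txt")
    for path in (backdated, normal):
        with open(path, "w") as fh:
            fh.write("sample\n")
    past = time.time() - days_back * 86400
    os.utime(backdated, (past, past))  # atime/mtime go back 30 days; ctime stays 'now'
    return root, backdated, normal


if __name__ == "__main__":
    root, backdated, normal = build_demo_tree()
    for hit in find_timestomped(root):
        print("%s  mtime=%s  ctime=%s  gap=%.0fs" % (
            hit["path"],
            time.strftime("%Y-%m-%d", time.localtime(hit["mtime"])),
            time.strftime("%Y-%m-%d", time.localtime(hit["ctime"])),
            hit["gap_seconds"],
        ))
```

Run it against a suspect directory (for example a vCenter or ESXi host's service directories during an investigation) rather than the demo tree; pair the output with any log gaps or unexpected processes, since a single backdated file on its own is weak evidence.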
A spokesperson for the Chinese embassy in Washington denied involvement, stating that China does not encourage or support cyber attacks. Meanwhile, cybersecurity researchers continue to monitor BRICKSTORM and associated activity clusters, warning organizations to strengthen defenses against advanced persistent threats targeting both on-premises and cloud infrastructures. The malware highlights ongoing risks posed by sophisticated, state-linked threat actors leveraging virtualized environments to maintain covert access over extended periods.