
CISA Warns of ‘Ongoing’ Brickstorm Backdoor Attacks

by David Walker

The US Cybersecurity and Infrastructure Security Agency (CISA) warned of “ongoing intrusions” from Chinese nation-state actors deploying the Brickstorm backdoor in organizations’ VMware vSphere environments.

In an alert published Thursday, CISA said threat actors tied to the People’s Republic of China (PRC) are primarily targeting organizations in the government and information technology sectors. The attackers use Brickstorm, a “sophisticated backdoor,” to maintain long-term stealth access to targeted networks, according to the CISA alert.

The agency also issued a joint malware analysis report with the US National Security Agency (NSA) and the Canadian Centre for Cyber Security. Brickstorm was first documented by Google's Mandiant last year, following investigations into attacks that exploited critical Ivanti zero-day vulnerabilities.

The report, based on eight samples collected by authorities, sheds additional light on the backdoor, as well as on the tactics of PRC-linked threat actors. While Brickstorm can be deployed in Windows environments, the recent attacks appear to be focused solely on VMware instances.

“The cyber actors have been observed targeting VMware vSphere platforms,” the malware analysis report stated. “Once compromised, the cyber actors can use their access to the vCenter management console to steal cloned virtual machine (VM) snapshots for credential extraction and create hidden, rogue VMs.”


Brickstorm’s Multifaceted Capabilities

Brickstorm, a Go-based backdoor, has self-monitoring functions that let the malware automatically reinstall or restart itself if it is disrupted, according to the malware analysis report. To keep its command-and-control (C2) traffic covert, Brickstorm wraps the channel in several layers: HTTPS, WebSockets, and a further, nested TLS session inside the outer one, so that inspecting the outer connection exposes only another encrypted stream.

The agencies also noted that Brickstorm resolves its C2 infrastructure over DNS-over-HTTPS (DoH), so the lookups bypass the organization's own resolvers and DNS logs and blend in with ordinary HTTPS traffic. Once connected, the backdoor gives the operators interactive shell access on the infected host.

According to the report, CISA assisted with incident response in one of the recent attacks. In that engagement, PRC-linked threat actors first gained access to the victim’s network on April 11, 2024, via a Web server in the organization’s demilitarized zone (DMZ), though it’s unclear how the attackers achieved initial access.

The threat actors found service account credentials and used them to move laterally via Remote Desktop Protocol (RDP) to a domain controller in the DMZ. From there, they obtained credentials to a second service account and jumped to a domain controller in the internal network, where they accessed an Active Directory (AD) database.


“Subsequently, they copied the AD database, obtaining credentials for a managed service provider (MSP) account,” the agencies said in the report. “Using the MSP credentials, the cyber actors proceeded to move from the internal domain controller to the VMware vCenter server.”

The threat actors also pivoted to an Active Directory Federation Services (AD FS) server over Server Message Block (SMB) and extracted the cryptographic keys stored on the server. That matters because an AD FS token-signing key lets an attacker mint valid authentication tokens for any application federated with that server, without touching the victim's passwords again. The attackers maintained access to the victim's network until Sept. 2, 2025.

Brickstorm Defenses

The agencies did not attribute the recent attacks to a specific PRC-backed threat group. However, CrowdStrike on Thursday published a blog post on a newly identified China-nexus threat group it calls Warped Panda, which the company said is behind several intrusions it identified this year that used Brickstorm. According to the CrowdStrike blog, Warped Panda actors targeted VMware vCenter environments at US-based organizations.

To mitigate the threat of Brickstorm attacks, the agencies urged organizations to keep their VMware vSphere servers up to date and to build an inventory of all network edge devices, monitoring those devices for suspicious activity. The agencies also recommended disabling all RDP and SMB access from the DMZ into the internal network; restricting the permissions of, and increasing monitoring on, service accounts; and blocking unauthorized DoH providers and external DoH traffic.


Additionally, CrowdStrike encouraged organizations to monitor for the creation of unsanctioned VMs, restrict outbound Internet access from VMware ESXi and vCenter instances, and consider disabling SSH access to ESXi hosts, among other hardening steps for VMware environments.
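The mitigations above amount to three network-level checks a defender can run over existing firewall or proxy logs: HTTPS sessions to public DoH resolvers that are not the sanctioned one, RDP or SMB connections from the DMZ into the internal network, and outbound Internet connections originating from vCenter or ESXi management addresses. The script below is an added example written for this page, not code from CISA, NSA, or CrowdStrike. The network ranges, management addresses, the sanctioned resolver, and the key=value log format are all assumptions, and the log lines are constructed, not captured traffic; the DoH host list is an illustrative starting set, not a complete one.

```python
"""Added example: flag the three behaviours the Brickstorm mitigations target,
over constructed key=value firewall log lines. Not the advisory's own tooling."""
import ipaddress
from typing import Dict, List, Tuple

# Network layout and allowlists are assumptions for this example, not values from the advisory.
DMZ_NET = ipaddress.ip_network("172.16.5.0/24")      # hypothetical DMZ segment
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")    # hypothetical internal range
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
VSPHERE_MGMT = {"10.20.0.10", "10.20.0.11"}          # hypothetical vCenter and ESXi management IPs
LATERAL_PORTS = {3389: "RDP", 445: "SMB"}
# Public DoH endpoints to watch for: an illustrative starting set, deliberately incomplete.
DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net", "doh.opendns.com"}
SANCTIONED_DOH = {"dns.quad9.net"}                   # assumed corporate-approved resolver

# Constructed log lines in a simple key=value format (not real traffic). "sni=-" means no SNI seen.
SAMPLE_LOG = """\
ts=2025-09-01T10:00:01Z src=10.10.50.12 dst=8.8.8.8 dport=443 proto=tcp sni=dns.google action=allow
ts=2025-09-01T10:00:02Z src=10.10.50.12 dst=9.9.9.9 dport=443 proto=tcp sni=dns.quad9.net action=allow
ts=2025-09-01T10:00:03Z src=172.16.5.15 dst=10.0.1.5 dport=3389 proto=tcp sni=- action=allow
ts=2025-09-01T10:00:04Z src=172.16.5.15 dst=10.0.1.5 dport=445 proto=tcp sni=- action=allow
ts=2025-09-01T10:00:05Z src=10.0.1.5 dst=10.20.0.10 dport=443 proto=tcp sni=vcenter.corp.example action=allow
ts=2025-09-01T10:00:06Z src=10.20.0.11 dst=203.0.113.7 dport=443 proto=tcp sni=updates.example.net action=allow
ts=2025-09-01T10:00:07Z src=10.20.0.10 dst=10.20.0.11 dport=443 proto=tcp sni=- action=allow
"""

Finding = Tuple[str, str]  # (rule name, human-readable detail)


def parse_line(line: str) -> Dict[str, str]:
    """Parse one key=value log line into a dict (values contain no spaces in this format)."""
    return dict(field.split("=", 1) for field in line.split())


def is_rfc1918(addr: ipaddress.IPv4Address) -> bool:
    """True if the address is in one of the RFC 1918 private ranges."""
    return any(addr in net for net in RFC1918)


def classify(ev: Dict[str, str]) -> List[Finding]:
    """Apply the three mitigation-derived rules to a parsed event. A line can match several."""
    src = ipaddress.ip_address(ev["src"])
    dst = ipaddress.ip_address(ev["dst"])
    dport = int(ev["dport"])
    sni = ev.get("sni", "-")
    findings: List[Finding] = []
    # 1. External DoH that is not the sanctioned resolver (C2 name resolution bypassing local DNS).
    if dport == 443 and sni in DOH_HOSTS and sni not in SANCTIONED_DOH:
        findings.append(("unsanctioned_doh", f"{src} -> {sni}"))
    # 2. RDP/SMB from the DMZ into the internal network (the lateral path seen in the IR case).
    if src in DMZ_NET and dst in INTERNAL_NET and dport in LATERAL_PORTS:
        findings.append(("dmz_lateral", f"{src} -> {dst} over {LATERAL_PORTS[dport]}"))
    # 3. vCenter/ESXi management hosts talking to non-private destinations (should be blocked).
    if str(src) in VSPHERE_MGMT and not is_rfc1918(dst):
        findings.append(("vsphere_egress", f"{src} -> {dst} (sni={sni})"))
    return findings


def scan(log_text: str) -> List[Finding]:
    """Run every non-empty line through classify() and collect the findings in log order."""
    out: List[Finding] = []
    for line in log_text.splitlines():
        if line.strip():
            out.extend(classify(parse_line(line)))
    return out


if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_LOG):
        print(f"{rule:17} {detail}")
```

Two caveats apply in practice. Matching DoH on the TLS SNI misses resolvers reached by bare IP or with Encrypted Client Hello, so the production version should also match on the resolvers' known IP addresses and, per the advisory, the egress firewall should block them outright rather than only alert. The rules deliberately ignore the `action` field: a denied RDP attempt from the DMZ toward a domain controller is still the kind of event worth an alert, because it shows someone on the DMZ host trying the path.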
