US Agencies Issue Urgent Warning on Chinese BRICKSTORM Malware Targeting Critical Infrastructure

Joint Warning Issued on BRICKSTORM Malware

The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Canadian Centre for Cyber Security (Cyber Centre) have released a joint warning regarding a sophisticated backdoor malware named BRICKSTORM. This malware is attributed to People's Republic of China (PRC) state-sponsored cyber actors and is actively being used to target critical U.S. infrastructure. The warning, issued on December 4, 2025, highlights the urgent need for organizations to implement defensive measures against this persistent threat.

Sophisticated Backdoor Capabilities

BRICKSTORM is described as a custom Go-based backdoor compiled as a Linux Executable and Linkable Format (ELF) binary; samples for Windows have also been identified, but the malware is primarily deployed on VMware vSphere components, specifically vCenter Server appliances and ESXi hosts. Because these appliances normally run no endpoint detection agent, the malware gives the actors stealthy, long-term access, and it provides initial access, persistence, and encrypted command and control (C2). Its functionality includes:

  • A SOCKS proxy for relaying traffic into the internal network, plus a built-in web server on the compromised system through which the actors browse the file system and execute commands.
  • Layered, encrypted C2 transport: HTTPS and WebSockets carrying a nested TLS session, with DNS-over-HTTPS (DoH) used to resolve C2 domains so the lookups bypass internal DNS logging.
  • A self-monitoring routine that restarts or reinstalls the implant if its process or files are disrupted, so that removing a single component does not end the persistence.
  • Cloning VMs, notably domain controllers, so credentials can be extracted offline from the copied virtual disks without alerting agents inside the running guest, and creating hidden, rogue VMs that do not appear in the normal vCenter inventory.
  • Deploying a malicious Java Servlet filter, tracked as BRICKSTEAL, into the vCenter Server web stack to capture credentials, including high-privilege accounts, as users authenticate.

PRC state-sponsored actors have used BRICKSTORM for persistent access since at least April 2024, with activity confirmed through at least September 3, 2025.

Targeting Critical U.S. Infrastructure

The primary targets of BRICKSTORM are organizations in the Government Services and Facilities Sector and the Information Technology (IT) Sector. Broader targeting has also been observed across legal services, SaaS providers, business process outsourcers, and technology firms. The actors typically gain initial access by compromising perimeter and remote-access infrastructure, exploiting zero-day vulnerabilities, or compromising web servers in a demilitarized zone (DMZ), and then move laterally to internal vCenter servers. This activity fits a broader pattern of Chinese state-sponsored operations aimed at pre-positioning for potential disruption or sabotage of critical services in the event of heightened geopolitical tensions.

Recommendations for Mitigation

CISA, NSA, and the Cyber Centre urge organizations to take immediate action to identify and mitigate the threat posed by BRICKSTORM. Key recommendations include:

  • Utilizing the Indicators of Compromise (IOCs) and detection signatures provided in the joint Malware Analysis Report.
  • Implementing strong cyber hygiene practices and layered defense strategies.
  • Conducting thorough assessments of environments to identify any signs of compromise.
  • Monitoring networks for unusual activity, particularly DoH lookups or any outbound connections originating from vCenter and ESXi appliances, which should not normally communicate with the Internet.
  • Enforcing robust access controls, including Multi-Factor Authentication (MFA) for vCenter, and auditing VM clone, create, and register events, especially clones of domain controllers.
  • Reporting any detected BRICKSTORM activity or similar incidents to CISA's 24/7 Operations Center.
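Two of these recommendations, hunting for DoH or unexpected egress from appliances and auditing VM cloning, translate directly into log triage, and a third check (VMs present on a datastore but missing from the vCenter inventory) covers the hidden rogue VMs described above. The Python below is an added example written for this page; it is not code from CISA, NSA, the Cyber Centre, or the Malware Analysis Report. It runs over constructed sample records: a proxy log in a made-up space-separated format, vCenter events exported as JSON lines (VmClonedEvent, VmCreatedEvent, and VmRegisteredEvent are real vSphere event type names; the export format is assumed), and two lists of .vmx paths. The appliance subnet, allowed egress host, approved service account, and sensitive VM names are placeholders to replace with your own values.

```python
"""Hunting helpers for three BRICKSTORM indicators: DoH or unexpected egress
from VMware appliances, suspicious VM clone/create/register events, and VMs
present on datastores but missing from the vCenter inventory.
Added example with constructed inputs; not code from the advisory."""
import ipaddress
import json
from dataclasses import dataclass

# ASSUMPTION: vCenter and ESXi management interfaces live in this subnet and
# should never initiate outbound Internet connections on their own.
APPLIANCE_NET = ipaddress.ip_network("10.20.0.0/24")
# ASSUMPTION: the only external destination an appliance may legitimately reach.
ALLOWED_EGRESS = {"hostupdate.vmware.com"}
# Well-known public DoH resolvers; extend from your own intelligence feeds.
DOH_HOSTS = {"cloudflare-dns.com", "dns.google", "dns.quad9.net", "one.one.one.one"}
# ASSUMPTION: the change-managed service account that is allowed to clone VMs.
APPROVED_VM_OPERATORS = {"VSPHERE.LOCAL\\backup-svc"}
# ASSUMPTION: VMs whose virtual disks contain credential stores (domain controllers).
SENSITIVE_VMS = {"DC01", "DC02"}


@dataclass(frozen=True)
class Finding:
    rule: str
    subject: str
    detail: str


def hunt_appliance_egress(proxy_lines):
    """Flag DoH use, and any other outbound connection, from appliance IPs.
    Constructed line format: '<ts> <src_ip> <dst_host> <dst_port> <bytes_out>'."""
    findings = []
    for line in proxy_lines:
        ts, src, host, port, bytes_out = line.split()
        if ipaddress.ip_address(src) not in APPLIANCE_NET:
            continue  # only appliance-originated traffic is of interest here
        if host in DOH_HOSTS:
            findings.append(Finding("doh-from-appliance", src, f"{ts} {host}:{port}"))
        elif host not in ALLOWED_EGRESS:
            findings.append(Finding("unexpected-appliance-egress", src,
                                    f"{ts} {host}:{port} out={bytes_out}"))
    return findings


def hunt_vm_events(event_lines):
    """Flag clone/create/register events by unapproved accounts, and any clone
    of a sensitive VM regardless of account (the offline credential-theft pattern).
    Constructed input: one JSON object per line with vCenter event fields."""
    watched = {"VmClonedEvent", "VmCreatedEvent", "VmRegisteredEvent"}
    findings = []
    for line in event_lines:
        ev = json.loads(line)
        if ev["eventType"] not in watched:
            continue
        who = ev["userName"]
        if who not in APPROVED_VM_OPERATORS:
            findings.append(Finding("vm-op-unapproved-user", who,
                                    f"{ev['time']} {ev['eventType']} {ev['vm']}"))
        if ev["eventType"] == "VmClonedEvent" and ev.get("sourceVm") in SENSITIVE_VMS:
            findings.append(Finding("sensitive-vm-cloned", ev["sourceVm"],
                                    f"{ev['time']} -> {ev['vm']} by {who}"))
    return findings


def find_unregistered_vms(datastore_vmx_paths, inventory_vmx_paths):
    """Return .vmx files present on datastores but absent from the vCenter
    inventory: candidates for rogue VMs hidden from inventory-based checks."""
    return sorted(set(datastore_vmx_paths) - set(inventory_vmx_paths))


# Constructed sample data (not real telemetry).
SAMPLE_PROXY_LOG = [
    "2025-09-01T02:14:07Z 10.20.0.15 cloudflare-dns.com 443 812",
    "2025-09-01T02:14:09Z 10.20.0.15 203.0.113.44 443 51233",
    "2025-09-01T03:00:00Z 10.20.0.16 hostupdate.vmware.com 443 2211",
    "2025-09-01T03:05:00Z 10.30.5.7 dns.google 443 600",
]
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"time": "2025-09-01T02:20:11Z", "eventType": "VmClonedEvent",
     "userName": "VSPHERE.LOCAL\\Administrator", "vm": "DC01-clone", "sourceVm": "DC01"},
    {"time": "2025-09-01T02:41:50Z", "eventType": "VmCreatedEvent",
     "userName": "VSPHERE.LOCAL\\Administrator", "vm": "vmware-tools-helper"},
    {"time": "2025-09-01T22:00:03Z", "eventType": "VmClonedEvent",
     "userName": "VSPHERE.LOCAL\\backup-svc", "vm": "app01-bkp", "sourceVm": "app01"},
    {"time": "2025-09-01T22:01:00Z", "eventType": "VmPoweredOnEvent",
     "userName": "VSPHERE.LOCAL\\Administrator", "vm": "app01"},
]]
DATASTORE_VMX = ["[ds1] DC01/DC01.vmx", "[ds1] app01/app01.vmx", "[ds2] .cache/updater.vmx"]
INVENTORY_VMX = ["[ds1] DC01/DC01.vmx", "[ds1] app01/app01.vmx"]

if __name__ == "__main__":
    for f in hunt_appliance_egress(SAMPLE_PROXY_LOG) + hunt_vm_events(SAMPLE_EVENTS):
        print(f"{f.rule:28} {f.subject:30} {f.detail}")
    print("unregistered .vmx:", find_unregistered_vms(DATASTORE_VMX, INVENTORY_VMX))
```

The egress rule is deliberately allowlist-based rather than blocklist-based: an appliance has a tiny set of legitimate destinations, so anything else is worth a ticket, and the DoH match is kept as a separate, higher-severity rule because DoH from a hypervisor or vCenter has no benign explanation. The clone rule flags a clone of a sensitive VM even when an approved service account performed it, since harvested high-privilege credentials are exactly what BRICKSTEAL exists to collect. Feed the datastore check with the .vmx paths found on the ESXi hosts themselves, not with a vCenter query, or a VM registered only at the host level will be missed.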

Officials emphasize that this advisory underscores the significant threats posed by the People's Republic of China, which create ongoing cybersecurity exposures and costs for the United States and its allies.


6 Comments

Donatello

China is a clear threat. This warning is crucial for national security.

Raphael

Every organization needs to heed this warning. Better safe than sorry.

Leonardo

Attributing cyberattacks to specific nations is often complex, yet the technical details provided here about BRICKSTORM do suggest a highly sophisticated, well-resourced adversary, demanding serious attention.

Michelangelo

Good, finally CISA is taking this seriously. Protect our infrastructure!

Leonardo

Focusing on China distracts from our own internal cybersecurity failures.

Habibi

This is a wake-up call! Our digital defenses must be top-notch.
