CISA Alerts on Persistent Brickstorm Backdoor Attacks Targeting VMware Environments

The United States Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about ongoing cyber intrusions involving the sophisticated Brickstorm backdoor, with state-sponsored actors linked to China targeting VMware vSphere environments across government and technology sectors. These attacks demonstrate advanced tactics aimed at long-term stealth access, exploiting vulnerabilities in enterprise virtualization platforms to gain deep network footholds and harvest critical credentials.

Persistent Threats in VMware Environments

CISA’s recent alert highlights a sustained campaign by PRC-affiliated threat actors focusing on VMware vSphere deployments. The attacks leverage the Brickstorm backdoor, a Go-based malware capable of self-monitoring and automatic recovery if disrupted. Once inside, attackers exploit vCenter management consoles to steal cloned virtual machine snapshots and create hidden rogue VMs, granting full control over the virtual environment.

The alert was issued alongside a joint malware analysis report by CISA, the US National Security Agency (NSA), and the Canadian Cyber Security Centre, which examined eight collected Brickstorm samples. Originally identified by Google’s Mandiant in 2024 after exploiting Ivanti zero-day vulnerabilities, Brickstorm demonstrates multiple stealth and communication mechanisms, including nested TLS, WebSockets, HTTPS, and DNS-over-HTTPS (DoH), blending malicious traffic with legitimate network operations.

Attack Techniques and Lateral Movement

The report details a recent attack incident in which PRC-linked actors initially accessed a victim network via a web server in the demilitarized zone (DMZ) on April 11, 2024. Using discovered service account credentials, the attackers moved laterally through Remote Desktop Protocol (RDP) to domain controllers, accessed Active Directory (AD) databases, and obtained managed service provider (MSP) account credentials.

From the compromised MSP account, attackers reached VMware vCenter servers and pivoted further to an Active Directory Federation Services server. Through Server Message Block (SMB) exploitation, they exfiltrated cryptographic keys, maintaining network access for nearly 17 months until September 2, 2025. The attackers’ use of stealthy lateral movement, credential harvesting, and VM snapshot theft underscores their high level of sophistication and persistence.

Brickstorm’s Advanced Capabilities

Brickstorm’s architecture allows it to maintain persistent access while evading detection. Its self-monitoring and auto-reinstallation features make removal challenging, while its use of encrypted communication channels masks command-and-control traffic. The malware also provides interactive shell access, enabling threat actors to execute arbitrary commands, manipulate VMs, and escalate privileges throughout the network.

Defensive Measures and Mitigation

CISA and other agencies recommend robust defenses against Brickstorm attacks. Key measures include:

Keeping VMware vSphere servers up to date and maintaining comprehensive inventories of edge devices.

Disabling RDP and SMB access from the DMZ to internal networks.

Restricting service account permissions and monitoring their use closely.

Blocking unauthorized DoH traffic and providers.

CrowdStrike additionally advises monitoring for unsanctioned VM creation, limiting outbound Internet access from VMware instances, and disabling SSH access to ESXi hosts when possible. Organizations should view these measures as essential components of a layered cybersecurity strategy to prevent long-term network compromise.
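As an added illustration of the "monitor for unsanctioned VM creation" advice above (example code written for this page, not from CISA, CrowdStrike or the malware analysis report), the following Python checks vCenter-style VM lifecycle events against a change-ticket allowlist; the log format, the VM names, accounts and the allowlist are all constructed.

```python
"""Flag vCenter VM lifecycle events that no approved change covers.

Constructed example: the lines below mimic an exported vCenter event stream
(fields separated by '|'); the APPROVED set stands in for a change-ticket
system. The event type names are the ones vSphere uses for create, clone,
deploy-from-template and register operations.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Registration matters too: a VM built out-of-band appears via VmRegisteredEvent
# without any VmCreatedEvent, which is how a hidden rogue VM can slip past a
# check that only looks for creation.
WATCHED_EVENTS = {"VmCreatedEvent", "VmClonedEvent",
                  "VmDeployedEvent", "VmRegisteredEvent"}

# Hypothetical approved changes: (vm name, acting account, valid-until UTC).
APPROVED = {
    ("web-prod-07", "VSPHERE.LOCAL\\ops-build",
     datetime(2025, 9, 5, tzinfo=timezone.utc)),
}

SAMPLE_LOG = """\
2025-09-01T02:14:09Z|VmCreatedEvent|web-prod-07|VSPHERE.LOCAL\\ops-build|esx-01
2025-09-01T03:40:55Z|VmClonedEvent|dc-01-clone|CORP\\svc-msp-backup|esx-03
2025-09-01T03:52:12Z|VmRegisteredEvent|.tmp-vm|CORP\\svc-msp-backup|esx-03
2025-09-01T09:00:00Z|VmPoweredOnEvent|web-prod-07|VSPHERE.LOCAL\\ops-build|esx-01
"""

@dataclass(frozen=True)
class Finding:
    when: datetime
    event: str
    vm: str
    user: str
    host: str

def parse_line(line: str):
    ts, event, vm, user, host = line.strip().split("|")
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, event, vm, user, host

def is_approved(when: datetime, vm: str, user: str) -> bool:
    return any(vm == a_vm and user == a_user and when <= until
               for a_vm, a_user, until in APPROVED)

def find_unsanctioned(log_text: str) -> list:
    """Return watched VM events with no matching approved change."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, event, vm, user, host = parse_line(line)
        if event in WATCHED_EVENTS and not is_approved(when, vm, user):
            findings.append(Finding(when, event, vm, user, host))
    return findings
```

In a real deployment the event stream would come from the vCenter events API or syslog export and the allowlist from the change-management system; the point is that clones and registrations performed under a service account outside an approved window are the signal worth alerting on.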

What Undercode Say:

The Brickstorm attacks illustrate a convergence of several sophisticated cyber techniques designed to maximize persistence and stealth. Unlike opportunistic malware, these state-sponsored intrusions reflect careful planning, targeting the core virtualization infrastructure that underpins enterprise IT operations. VMware vSphere, widely deployed in government and technology organizations, provides a high-value attack surface because compromise allows attackers to manipulate multiple virtual machines, extract credentials, and access sensitive organizational data without immediate detection.

The multi-step intrusion chain observed—from initial web server access to Active Directory and vCenter compromise—reveals the attackers’ operational patience and their deep understanding of enterprise environments. Each stage of lateral movement leverages legitimate administrative tools and protocols, blurring the line between normal activity and malicious behavior. Brickstorm’s use of DoH and encrypted channels further complicates detection by traditional network monitoring solutions, highlighting the need for specialized traffic analysis and anomaly detection tools.

The advisory also signals a broader trend: nation-state actors are increasingly focusing on supply chain and virtualization platforms, recognizing that controlling virtualized environments can yield broader strategic leverage. The absence of a specific threat group attribution underscores the difficulty in tying advanced persistent threats (APTs) to individual actors, as multiple PRC-linked groups could exploit similar tactics, techniques, and procedures (TTPs).

Organizations must adopt a proactive security posture. Beyond patching and access controls, network segmentation, continuous monitoring, and rapid incident response capabilities are critical. Incident investigations should include forensic analysis of VM snapshots and audit logs to detect unauthorized access early. The fact that attackers maintained access for over a year underscores the importance of resilience planning and the ability to remediate stealthy compromises before significant damage occurs.

The Brickstorm case also exemplifies how advanced malware can evolve in real-time. Its self-healing mechanisms and multi-layered encryption suggest that conventional signature-based detection is insufficient. Organizations need adaptive, behavior-based defenses, including endpoint detection and response (EDR), anomaly detection, and threat-hunting teams capable of correlating subtle indicators of compromise across complex environments.

Ultimately, these attacks serve as a cautionary tale: enterprise virtualized environments are not inherently secure. They require constant vigilance, disciplined account management, and rigorous monitoring. As cyber threats grow more sophisticated, organizations must anticipate state-sponsored tactics that exploit both software vulnerabilities and human error, making comprehensive cybersecurity strategy indispensable.

Fact Checker Results

✅ Brickstorm is confirmed as a Go-based backdoor with advanced persistence and communication features.
✅ PRC-linked actors have targeted VMware vSphere environments, particularly in US government and technology sectors.
❌ The alert does not attribute attacks to a specific named group, although CrowdStrike links some intrusions to the Warped Panda group.

Prediction

📊 The threat landscape for virtualization platforms will continue to escalate, with state-sponsored actors increasingly targeting VMware and other hypervisors. Organizations not adopting proactive monitoring and segmentation may face prolonged breaches, while those implementing comprehensive hardening and behavior-based detection could significantly reduce risk exposure. Future attacks may combine zero-day exploits, AI-driven lateral movement, and deeper integration with cloud-based virtual environments, making continuous adaptation essential.


References:

Reported By: www.darkreading.com