PRC State-Sponsored Cyber Actors’ Lateral Movement
A new and sophisticated malware threat has emerged from the shadows of state-sponsored cyber espionage. The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the National Security Agency (NSA) and the Canadian Centre for Cyber Security (Cyber Centre), has released a detailed analysis of BRICKSTORM, a custom backdoor used by actors linked to the People’s Republic of China (PRC).
BRICKSTORM is not a run-of-the-mill exploit; it is a tool designed for endurance. According to the report, “PRC state-sponsored cyber actors are using BRICKSTORM malware for long-term persistence on victim systems”.
The malware specifically targets high-value environments: VMware vSphere (including vCenter servers and ESXi) and Windows systems. This focus on virtualization infrastructure is strategic. “Once compromised, the cyber actors can use their access to the vCenter management console to steal cloned virtual machine (VM) snapshots for credential extraction and create hidden, rogue VMs”.
What sets BRICKSTORM apart is its resilience. The malware is built to survive disruptions and evade detection. It employs a “self-watching function” that monitors its own health; if the process is terminated, it “automatically reinstalls or restarts if disrupted”.
To hide its tracks, BRICKSTORM uses advanced communication techniques. It nests its traffic within multiple layers of encryption—HTTPS, WebSockets, and nested TLS—and even mimics legitimate web server traffic. “It also uses DNS-over-HTTPS (DoH) and mimics web server functionality to blend its communications with legitimate traffic”.
The report details a specific incident where BRICKSTORM was deployed. The attack began with a web shell on an external-facing server. From there, the actors moved laterally through the network, eventually compromising a domain controller and an Active Directory Federation Services (ADFS) server.
The result was a total compromise: “They successfully compromised the ADFS server and exported cryptographic keys”. This access allowed the actors to maintain a foothold in the victim’s network for nearly 18 months, from April 2024 through September 2025.
CISA and its partners are urging organizations, particularly in the government and IT sectors, to hunt for this threat immediately. The advisory includes specific Indicators of Compromise (IOCs) and YARA rules to aid in detection.
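The vCenter tradecraft described above (cloning or snapshotting high-value VMs to lift credentials, and registering hidden VMs directly on ESXi) lends itself to two simple hunts. The following is an added example and not code from the advisory; the task-log line format, the VM names and the timestamps are constructed placeholders, while the task names follow vSphere's own API task naming.

```python
"""Defender-side hunting aids for the vCenter/ESXi tradecraft described above.

Two checks:
  1. VMs registered on an ESXi host that vCenter's inventory does not list
     (candidates for hidden, rogue VMs registered outside vCenter).
  2. vCenter tasks that clone or snapshot a sensitive VM, such as a domain
     controller or ADFS server, the step at which credential material
     can be copied out of a VM image.
The log line shape "<ts> <user> <task> vm=<name>" is a constructed
placeholder, not real vCenter output; adapt the regex to your export.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class VmEvent:
    timestamp: str
    user: str
    task: str      # vSphere task name, e.g. CloneVM_Task
    vm_name: str


EVENT_RE = re.compile(r"^(\S+) (\S+) (\S+) vm=(\S+)$")

# Task names that copy a VM's disk or memory state (vSphere API naming).
SUSPECT_TASKS = {"CloneVM_Task", "CreateSnapshot_Task"}


def parse_events(lines):
    """Parse constructed task-log lines; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(VmEvent(*m.groups()))
    return events


def flag_sensitive_copies(events, sensitive_vms):
    """Return clone/snapshot events whose target is on the sensitive list."""
    sensitive = {v.lower() for v in sensitive_vms}
    return [e for e in events
            if e.task in SUSPECT_TASKS and e.vm_name.lower() in sensitive]


def find_rogue_vms(esxi_registered, vcenter_inventory):
    """VMs the host knows about but vCenter does not: review each one."""
    return sorted(set(esxi_registered) - set(vcenter_inventory))


# Constructed sample data (names, user and times are placeholders).
SAMPLE_TASK_LOG = [
    "2024-04-02T03:14:07Z vsphere.local\\svc-backup CloneVM_Task vm=DC01",
    "2024-04-02T03:20:11Z vsphere.local\\svc-backup CreateSnapshot_Task vm=ADFS01",
    "2024-04-02T09:00:00Z corp\\admin PowerOnVM_Task vm=WEB03",
]
SAMPLE_ESXI_VMS = ["DC01", "ADFS01", "WEB03", "vmware-tools-helper"]
SAMPLE_VCENTER_VMS = ["DC01", "ADFS01", "WEB03"]

if __name__ == "__main__":
    for ev in flag_sensitive_copies(parse_events(SAMPLE_TASK_LOG), ["DC01", "ADFS01"]):
        print(f"review: {ev.user} ran {ev.task} against {ev.vm_name} at {ev.timestamp}")
    print("not in vCenter inventory:", find_rogue_vms(SAMPLE_ESXI_VMS, SAMPLE_VCENTER_VMS))
```

Run the inventory comparison against each host's own registered-VM list rather than against vCenter alone, since a VM registered only on the host is exactly what vCenter will not show.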