CISA Warns Chinese Hackers Are Using Brickstorm to Stay Hidden in US Networks

The latest CISA alert marks one of the clearest and most urgent warnings issued this year about sustained Chinese cyber operations inside the United States. According to the advisory, state-sponsored operators linked to the People’s Republic of China have been conducting ongoing intrusions using Brickstorm, a highly advanced backdoor designed to infiltrate VMware vSphere environments and Windows systems while remaining almost completely invisible to defenders. The scope of these intrusions, the stealth techniques involved, and the targeting of public sector and information technology infrastructure suggest a long-running espionage campaign focused on credential theft, data access, and operational positioning inside sensitive American networks.

Brickstorm is not a typical backdoor. It is a long-term persistence framework built specifically for environments where traditional endpoint detection and response tools are blind, especially virtualized infrastructure. The malware leverages techniques that allow operators to remain hidden for months or even years, making it extremely difficult for defenders to detect or eradicate. The capability set described by CISA and partner agencies paints a picture of an actor that is not simply trying to achieve access but attempting to secure a durable foothold for prolonged intelligence collection.

CISA’s latest advisory is grounded in real incident response engagements, including at least one confirmed intrusion where Chinese operators accessed a publicly exposed web server in the organization’s demilitarized zone, pivoted deeper into the environment, compromised a VMware vCenter server, and deployed Brickstorm to maintain persistent access. Other samples analyzed by the National Security Agency and the Canadian Cyber Security Centre reveal that Brickstorm continues to evolve, with multiple variants implementing new evasion layers, new command and control mechanisms, and new persistence techniques.

This article provides a full technical and strategic breakdown of the threat, the actors behind it, the implications for US networks, and the defensive actions organizations should be taking immediately.

What Brickstorm Actually Is

Brickstorm is a Go-based modular backdoor designed for environments where stealth is more important than speed. Its architecture allows operators to deploy it on systems that typically fall outside the coverage of standard security monitoring, such as VMware hypervisors, vCenter servers, and other appliance-like platforms that do not run traditional endpoint agents.

The malware includes several capabilities that make it uniquely suited for long-term espionage:

  • Multiple encryption layers for command and control, including HTTPS, WebSockets, and nested TLS.
  • DNS-over-HTTPS communications that blend inbound and outbound traffic with legitimate encrypted DNS traffic.
  • A built-in SOCKS proxy that enables operators to pivot inside internal networks without exposing their true origin.
  • Long-term persistence features, including self-monitoring logic that automatically reinstalls or restarts the malware if administrators attempt to remove it.
  • Cross-platform compatibility, with variants observed for VMware environments, Linux-based appliances, and Windows systems.

In every case studied by CISA, NSA, and Mandiant, the operators deployed Brickstorm only after gaining administrative-level access, indicating that the malware is used to preserve access after successful compromise, not as an initial infection mechanism.

How Chinese Operators Are Gaining Entry

CISA reports that the initial access vector varies between victims but consistently involves exposed or poorly segmented infrastructure, particularly in the DMZ. In one confirmed intrusion, threat actors compromised a web server, used service account credentials to move laterally through the DMZ, then accessed an internal domain controller before finally reaching the VMware environment.

This sequence reflects a broader pattern in Chinese intrusion operations. Rather than attacking the most insulated systems directly, operators focus on edge servers, remote access systems, and virtualization platforms. Once operators reach a vCenter server, they gain access to one of the most powerful and least-monitored control planes in enterprise networks.

From vCenter, they have the ability to:

  • Create cloned virtual machine snapshots containing sensitive credential material.
  • Extract Active Directory databases offline.
  • Create hidden or rogue virtual machines that do not appear in standard management dashboards.
  • Modify startup configurations to launch Brickstorm during system boot.

The use of cloned VM snapshots is one of the most concerning elements highlighted in both the CISA alert and independent research. By cloning domain controllers or identity servers, operators can extract credential stores without ever triggering Windows-based security logging.

Brickstorm’s Stealth Features

Brickstorm’s design reflects a deep understanding of how virtualization infrastructure is monitored, or more accurately, how it is not monitored. Most organizations treat hypervisors and management consoles as infrastructure rather than endpoints, meaning they do not run EDR agents, behavioral detection systems, or fine-grained file integrity tools. This allows Brickstorm to operate in a space often overlooked by blue teams.

Some of Brickstorm’s stealth features include:

  • Masquerading as legitimate system processes or VMware binaries.
  • Using sed modifications to inject malicious startup commands into legitimate init scripts.
  • Deploying web shells on vCenter appliances to enable backup remote access paths.
  • Randomizing or frequently rotating command and control domains, ensuring indicators become obsolete quickly.
  • Relying on encrypted protocols that blend with routine administration traffic.

CISA notes that in several incidents, operators maintained access for extended periods before discovery. In one Mandiant investigation, intruders maintained persistence for more than 390 days.

Why VMware vSphere Is the Prime Target

VMware remains a dominant virtualization platform across federal agencies, state governments, Fortune 500 companies, telecom networks, military contractors, and critical infrastructure. This makes it a high-value target. Compromise of vSphere is roughly equivalent to compromising the physical network itself.

Key reasons Brickstorm targets VMware environments include:

  • vCenter is a central control point, providing broad visibility and access over enterprise workloads.
  • vSphere hosts often run mission-critical systems that cannot be easily updated or rebooted.
  • ESXi hosts do not support traditional antivirus or EDR solutions.
  • Many organizations underestimate the security risk of virtual infrastructure.

A single compromised vCenter instance allows operators to access entire networks with little resistance.

The Threat Actor Behind Brickstorm

CISA does not formally attribute the malware to a specific Chinese threat group, but the operational characteristics are consistent with multiple China-nexus clusters previously identified by Mandiant, CrowdStrike, and other threat intelligence vendors.

Mandiant has attributed Brickstorm activity to UNC5221, a suspected China-aligned cluster involved in operations targeting legal services, cloud providers, technology firms, and organizations aligned with US national security interests. CrowdStrike recently highlighted a similar threat group it calls Warped Panda, which it identified in several intrusions involving Brickstorm and VMware targeting.

China-backed operators frequently mix tactics, sharing tools, infrastructure, and access pathways across clusters. What unifies these operations is strategic intent: long-term espionage, credential theft, and preparation for broader access into downstream networks.

What CISA Says Defenders Must Do Now

CISA’s guidance is unusually direct, signaling the level of concern surrounding Brickstorm. The agency urges organizations to initiate threat hunting immediately rather than wait for indicators to surface. Because Brickstorm is designed to evade traditional detection, defenders must rely on behavioral analysis, asset inventory, and network monitoring.

Key recommendations include:

  • Scan for Brickstorm using CISA’s YARA and Sigma rules.
  • Block all unauthorized DNS-over-HTTPS providers and external DoH traffic.
  • Inventory every device at the network edge, including appliances and virtual infrastructure.
  • Implement strict segmentation to prevent the DMZ from communicating laterally into internal networks.
  • Monitor ESXi and vCenter logs for signs of SSH enablement, cloning activity, or new local account creation.
  • Restrict outbound internet traffic from VMware hosts to the minimum required for operations.
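As an added illustration of the log-monitoring recommendation above (not code from CISA or the advisory), the following Python hunts constructed sample vCenter/ESXi log lines for the three behaviours named: SSH enablement, VM cloning, and new local account creation. The log format, the rule patterns, and the `IDENTITY_VMS` list are assumptions for the example, not real VMware output.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines (hypothetical format, not real vCenter/ESXi output).
SAMPLE_LOGS = """\
2024-05-01T10:00:12Z vcenter vpxd: User admin@vsphere.local logged in
2024-05-01T10:03:44Z esxi01 hostd: Service TSM-SSH started
2024-05-01T10:05:10Z vcenter vpxd: Task CloneVM_Task on vm DC01 initiated by svc-backup
2024-05-01T10:07:02Z esxi01 hostd: Local user account 'vmsupport2' created
2024-05-01T10:09:15Z vcenter vpxd: Task PowerOnVM_Task on vm WEB03 initiated by admin
"""

# One regex per behaviour CISA asks defenders to watch for on ESXi/vCenter.
RULES = {
    "ssh_enabled": re.compile(r"\b(TSM-SSH|sshd?)\b.*\b(started|enabled)\b", re.I),
    "vm_clone": re.compile(r"\bCloneVM_Task\b.*\bon vm (?P<vm>\S+)", re.I),
    "local_account_created": re.compile(r"Local user account '(?P<user>[^']+)' created", re.I),
}

# Hypothetical inventory of identity-bearing VMs; a clone of one of these is the
# offline-credential-theft pattern the article describes, so it is rated high.
IDENTITY_VMS = {"DC01", "ADFS01"}


@dataclass
class Finding:
    rule: str
    severity: str
    line: str


def hunt(log_text: str) -> list:
    """Return one Finding per log line that matches a hunting rule, in log order."""
    findings = []
    for line in log_text.splitlines():
        for name, pattern in RULES.items():
            match = pattern.search(line)
            if not match:
                continue
            severity = "medium"
            if name == "vm_clone" and match.group("vm") in IDENTITY_VMS:
                severity = "high"  # clone of a domain controller / identity server
            findings.append(Finding(name, severity, line))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOGS):
        print(f"[{f.severity:6}] {f.rule:22} {f.line}")
```

In practice the regexes would be tuned to the exact event strings your vCenter and ESXi versions emit, and the findings forwarded to your SIEM rather than printed.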

Notably, CISA emphasizes the need to treat edge devices as equal to endpoints in security posture, something many organizations still overlook.

The Strategic Implications for the United States

Brickstorm represents a broader shift in Chinese cyber operations. Rather than launching overt, disruptive attacks, Chinese state-backed operators increasingly prioritize access operations that enable long-term intelligence collection. The compromise of US public-sector and technology networks provides insights into policy, diplomacy, infrastructure, and software supply chains.

The targeting of virtualization infrastructure is particularly significant. By compromising hypervisors and management consoles, an adversary can undermine the foundational layer of modern computing. This form of access provides:

  • Visibility into sensitive workloads.
  • The ability to extract credentials and secrets without endpoint detection.
  • Opportunities to pivot into third-party environments managed by the victim organization.
  • The potential to influence or manipulate hosted data or system states.

For federal agencies and critical sectors, this is not merely an operational risk. It is a national security issue.

The Reality of Persistent Chinese Cyber Operations

Everything described by CISA aligns with a long-known trend: Chinese operators invest heavily in endurance. Their goal is not quick wins or headline-making disruptions. Instead, they focus on establishing robust, resilient, and unmonitored footholds. Brickstorm is the embodiment of this philosophy.

The deployment of web shells, cloned VMs, credential harvesting, and long-term infrastructure access all point to strategic intelligence objectives rather than financially motivated attacks. These campaigns seek to gather political insights, intellectual property, authentication material, and operational knowledge that can assist China’s geopolitical ambitions.

Why Organizations Must Treat This Alert Seriously

Brickstorm is not a commodity backdoor. It is the product of a well-resourced state actor capable of exploiting complex, high-value systems. Defenders cannot rely on passive detection. They must actively hunt for anomalies in their virtualization ecosystem, examine access logs, and validate the configuration integrity of their hypervisors.

Any organization running VMware vSphere, particularly those in government, defense, technology, telecommunications, cloud hosting, or managed services, should assume they are a potential target.

The Escalating Risk to US Networks

CISA’s warning is unambiguous. Chinese operators are actively deploying Brickstorm across US networks, and the campaign shows no signs of slowing. The malware’s stealth, adaptability, and focus on virtualization infrastructure place it among the most capable espionage tools currently in circulation.

Defenders can no longer rely on traditional perimeter monitoring or assume that core systems are insulated from exposure. The threat actor behind Brickstorm is disciplined, well-resourced, and aligned with long-term strategic objectives. Effective mitigation requires continuous vigilance, strict network segmentation, comprehensive logging, and proactive threat hunting across both appliance-level and virtualization environments.

For more coverage of major cybersecurity threats, national-level intrusion activity, and updates on advanced persistent campaigns, visit Botcrawl’s growing archive of cybersecurity research in the cybersecurity and malware sections.

Sean Doyle

Sean is a tech author and security researcher with more than 20 years of experience in cybersecurity, privacy, malware analysis, analytics, and online marketing. He focuses on clear reporting, deep technical investigation, and practical guidance that helps readers stay safe in a fast-moving digital landscape. His work continues to appear in respected publications, including articles written for Private Internet Access. Through Botcrawl and his ongoing cybersecurity coverage, Sean provides trusted insights on data breaches, malware threats, and online safety for individuals and businesses worldwide.
