CISA, NSA warn of China’s BRICKSTORM malware after incident response efforts

Summary

U.S. and Canadian cyber authorities — CISA, the NSA and the Canadian Centre for Cyber Security — released an advisory on BRICKSTORM, a stealthy backdoor tied to PRC state-sponsored actors. The guidance draws on analysis of multiple samples and an incident response engagement where attackers established long-term access by abusing VMware vSphere/vCenter and Windows infrastructure.

BRICKSTORM is used to steal credentials, create hidden virtual machines, persist on systems (it will reinstall or restart itself if disrupted) and enable lateral movement. CrowdStrike and Mandiant have separately tracked intrusions tied to the same campaign, noting targeting of government and IT sectors, and repeated efforts to stage data for exfiltration and access senior leaders’ mailboxes.

Author take

Punchy and direct: this isn’t opportunistic malware — it’s tailored for persistence and intelligence collection. If you run VMware vCenter, ADFS or Active Directory in your environment, drop what you’re doing and check the advisory’s IoCs.

Key Points

  • BRICKSTORM is a sophisticated, stealthy backdoor linked to PRC state-sponsored cyber actors.
  • Attackers primarily target VMware vSphere/vCenter and Windows environments, abusing ADFS and domain controllers.
  • The malware enables credential theft, creation of hidden virtual machines, file manipulation and lateral movement.
  • It includes a “self-watching” capability that reinstalls or restarts the malware if disrupted, supporting long-term persistence.
  • CrowdStrike and Mandiant have observed multiple intrusions dating back to 2023–2025, affecting governments, legal firms, SaaS providers and tech companies.
  • The campaign focuses on intelligence collection and stealing sensitive IP and senior leaders’ emails; data-staging for exfiltration has been observed.
  • CISA, NSA and partners published indicators of compromise and detections organisations should use to check for infection and respond.

Context and relevance

This advisory sits within an ongoing trend of state-sponsored campaigns targeting infrastructure components that grant broad access (VMware, domain controllers, ADFS). The level of persistence and the use of hidden VMs increase the difficulty of detection and remediation — making BRICKSTORM a high-risk threat for public-sector networks and critical infrastructure, and for private organisations holding valuable IP or sensitive communications.

Organisations should assume long dwell times are possible and follow the advisory: review VMware vCenter and ADFS logs, hunt for the provided IoCs, rotate and protect cryptographic keys if ADFS or domain controllers were touched, and plan for incident response that includes rebuilding compromised hosts where necessary.

Why should I read this?

Look — if you care about keeping your network and data safe, this is important. BRICKSTORM is built to stick around and hide. If you run VMware or Windows AD/ADFS, the advisory gives concrete IoCs and steps you can use right now to check for compromise and stop the attackers from digging deeper into your systems.

Source

Source: https://therecord.media/cisa-nsa-warn-brickstorm-china