
Brickstorm - Chinese Hackers Infiltrate VMware vSphere

The U.S. Cybersecurity and Infrastructure Security Agency, working with the NSA and Canadian Cyber Centre, disclosed a state-sponsored malware campaign targeting VMware vSphere infrastructure.

Evan Mael
Dec 08, 2025
5 min read

What Happened: Joint Cybersecurity Agency Advisory

On December 4, 2025, CISA released a comprehensive malware analysis report in coordination with the National Security Agency and Canada's Cyber Security Centre. The agencies detailed Brickstorm, a custom-developed backdoor enabling Chinese state-sponsored threat actors to establish persistent access within government and critical infrastructure networks.

The advisory emerged after investigators analyzed eight distinct Brickstorm samples discovered across victim organizations. In every case, the malware targeted VMware vSphere environments specifically, indicating a deliberate strategic focus on virtualized infrastructure central to enterprise operations.

The Attack Campaign

Evidence indicates the campaign operated successfully for extended periods. In one documented incident, attackers infiltrated a victim organization's web server in the DMZ during April 2024, then progressed laterally toward internal systems. By compromising domain controllers and an Active Directory Federation Services server, the threat actors deployed Brickstorm to a VMware vCenter server where it remained undetected until September 2025—17 months of sustained access.

This extended persistence window demonstrates the backdoor's sophistication and the attackers' ability to operate invisibly within network infrastructure designed to be highly visible to legitimate administrators.

Scope and Impact Assessment

While CISA analyzed eight confirmed samples, threat intelligence researchers estimate the actual victim count extends far higher. Organizations across critical infrastructure sectors, federal government agencies, and large IT service providers have been identified as targets. Security researchers from Google Threat Intelligence first documented the campaign publicly, initiating broader awareness across the cybersecurity community.

The advisory is addressed specifically to critical infrastructure operators and government organizations, which suggests the attacks pursue strategic intelligence objectives rather than financial gain or operational disruption.


Technical Analysis: Architecture and Evasion Capabilities

Encryption and Obfuscation Strategy

Brickstorm employs multiple nested encryption layers to obscure communications between compromised systems and command-and-control infrastructure. The malware tunnels its command channel over HTTPS and WebSocket, wraps a further TLS layer inside that tunnel, and uses DNS-over-HTTPS (DoH) for its lookups so that command-channel activity is hidden from conventional DNS logging.

This encryption strategy defeats traditional network-based threat detection approaches that rely on identifying malicious traffic patterns. Even security teams analyzing network flows in real time encounter only encrypted payloads with no visible command structures or indicators of malicious activity.

Persistence Through Virtualization Manipulation

Unlike traditional malware that persists through system services or scheduled tasks, Brickstorm operates within the virtualization layer itself. The backdoor can create hidden rogue virtual machines operating invisibly alongside legitimate workloads, enabling continued access even if the host system undergoes complete operating system reinstallation.

Additionally, the malware extracts cloned snapshots of existing virtual machines, giving attackers offline access to systems' states and credentials. These snapshots bypass many security controls and enable credential extraction through offline analysis tools.

Self-Monitoring and Resilience Features

The backdoor implements automated self-monitoring logic that detects interruptions or removal attempts. If discovered and terminated, Brickstorm automatically reinstalls itself or restarts, making removal attempts ineffective without comprehensive system remediation.

This persistence mechanism explains how the malware maintained access across 17 months in one documented case despite likely detection and response attempts by the victim organization.

Cross-Platform Capability

Analysis confirms Brickstorm operates across Linux VMware environments, Windows systems, and mixed deployments. This multi-platform architecture enables comprehensive compromise of heterogeneous infrastructure where organizations run both Windows servers and VMware-based virtual machine hosts.

The Go programming language enables this cross-platform functionality with a single codebase, suggesting well-resourced malware development teams with sophisticated engineering practices.


Impact: Why This Matters to Organizations

Strategic Infrastructure Vulnerability

VMware vSphere serves as the central control point for virtualized environments in the vast majority of enterprise data centers. Compromise at this layer grants attackers god-like access to entire infrastructure: they can manipulate running virtual machines, extract sensitive data from snapshots, impersonate legitimate systems, and persist indefinitely.

For critical infrastructure sectors—energy, water, telecommunications, healthcare—vSphere compromise potentially enables both espionage and destructive operations against national security interests.

Intelligence Collection at Scale

The campaign's apparent focus on credential theft and database exfiltration suggests intelligence gathering rather than immediate destructive attacks. By maintaining persistent access and extracting Active Directory information, attackers gain comprehensive maps of organizational networks and user privileges.

This intelligence enables follow-on attacks against higher-value targets within compromised organizations or lateral moves toward connected networks and suppliers.

Extended Detection Gap

The 17-month undetected persistence window in the documented case highlights detection challenges. Many organizations lack sufficient logging, monitoring, and analytics capabilities to detect subtle backdoor activity within virtualization infrastructure.

Even organizations implementing advanced threat detection may overlook suspicious activity in VMware environments if they segregate hypervisor monitoring from broader security operations.


Expert Analysis: Sophisticated State Sponsorship

Brickstorm demonstrates characteristics of a well-resourced, state-sponsored development effort. Custom malware development, multi-layer encryption architecture, cross-platform compatibility, and virtualization-specific capabilities require substantial technical expertise and investment.

The malware's targeting of U.S. government and critical infrastructure sectors, combined with attribution to Chinese state actors, indicates strategic intelligence objectives consistent with known Chinese cyber espionage programs. The campaign appears designed for long-term presence rather than immediate exploitation.

Notably, the malware's sophistication exceeds most privately developed cybercriminal tools. Commercial malware typically prioritizes rapid financial extraction; Brickstorm prioritizes stealth and persistence—hallmarks of state-sponsored espionage operations.

The campaign's duration and scope suggest the threat community has underestimated China-linked capabilities within virtualization infrastructure. Organizations previously complacent about hypervisor security should reassess threat models immediately.


What Organizations Should Do

Immediate Actions

Conduct comprehensive scanning of VMware vCenter and ESXi hosts using CISA-provided YARA and Sigma detection rules. These standardized detection signatures enable security teams to search for Brickstorm indicators across logs, memory dumps, and file systems.

Review VMware system initialization files (including /etc/sysconfig directories on Linux-based systems) for suspicious modifications consistent with the malware's documented persistence mechanisms.

Audit all service accounts with vCenter administrative privileges. The documented attack leveraged service account credentials for lateral movement; privilege audits help identify accounts requiring immediate access revocation or password resets.

Network Segmentation and Access Control

Implement strict network segmentation that prevents DMZ systems from directly accessing internal resources. The documented attack chain began with a DMZ compromise and then pivoted laterally to internal domain controllers; network controls preventing this progression would have blocked that path.

Block unauthorized DNS-over-HTTPS (DoH) traffic at network perimeters. Brickstorm relies on DoH to resolve command-and-control infrastructure while evading traditional DNS logging. Organizations blocking DoH traffic except to approved providers eliminate this evasion technique.
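The DoH allowlisting described above, as an added example that is not part of the advisory or the original article: heuristics run over constructed proxy/TLS log records, flagging DoH sessions (RFC 8484 `/dns-query` path, `application/dns-message` media type, or a well-known public resolver in the TLS SNI) that do not go to the approved resolver. The approved resolver name and the sample records are assumptions.

```python
"""Flag DNS-over-HTTPS (DoH) egress that bypasses the approved resolver.

Added example, not from the CISA report. Indicators: the RFC 8484 path
/dns-query, the application/dns-message media type, and a TLS SNI that
names a well-known public DoH resolver. Allowlist and records are constructed.
"""
from dataclasses import dataclass

# Constructed policy: the only DoH resolver the organisation sanctions.
APPROVED_DOH = {"doh.corp.example"}  # hypothetical internal resolver

# Well-known public DoH resolver hostnames (RFC 8484 deployments).
KNOWN_PUBLIC_DOH = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}


@dataclass
class Conn:
    src: str               # internal source address
    sni: str               # TLS server name (or Host header behind a proxy)
    port: int
    path: str = ""         # only visible where the proxy terminates TLS
    content_type: str = ""  # likewise


def is_doh(c: Conn) -> bool:
    """True if the session looks like DoH by endpoint or by protocol shape."""
    if c.sni in KNOWN_PUBLIC_DOH:
        return True
    if c.port == 443 and c.path.startswith("/dns-query"):
        return True
    return c.content_type == "application/dns-message"


def unauthorized_doh(conns):
    """Return (src, sni) for DoH sessions not headed to the approved resolver."""
    return [(c.src, c.sni) for c in conns if is_doh(c) and c.sni not in APPROVED_DOH]


# Constructed sample records: one sanctioned session, one to a public resolver,
# one DoH-shaped request to an unknown host, one ordinary HTTPS session.
SAMPLE = [
    Conn("10.0.5.21", "doh.corp.example", 443, "/dns-query"),
    Conn("10.0.5.40", "dns.google", 443, "/dns-query"),
    Conn("10.0.9.7", "unknown-host.example", 443, "/dns-query", "application/dns-message"),
    Conn("10.0.5.21", "www.example.com", 443, "/index.html"),
]

if __name__ == "__main__":
    for src, host in unauthorized_doh(SAMPLE):
        print(f"unauthorized DoH: {src} -> {host}")
```

Where TLS is not inspected by a forward proxy, only the SNI and destination checks apply, so the path and media-type rules should be treated as a bonus rather than the primary control.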

VMware Hardening

Apply all available VMware security patches to vSphere, vCenter, and ESXi installations immediately. While the advisory does not attribute the attack to specific VMware vulnerabilities, hardened systems present reduced attack surface.

Implement vCenter role-based access control (RBAC) limiting administrative capabilities to minimum required user sets. Remove default credentials and unnecessary administrative accounts from vCenter.

Enable comprehensive audit logging within VMware infrastructure, ensuring all administrative actions and object access attempts are recorded for post-incident analysis.

Detection and Monitoring

Deploy aggressive monitoring on service account activity, particularly RDP and remote management protocol traffic. Service accounts typically exhibit regular, predictable behavior; anomalies indicate potential attacker misuse.

Monitor for suspicious virtual machine creation activity, particularly VMs with unusual naming conventions, minimal resource allocation, or network configurations suggesting hidden intent.
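The VM-creation monitoring described above, as an added example that is not part of the advisory, the original article, or any VMware tooling: rules run over constructed event records shaped loosely like vSphere `VmCreatedEvent`, `VmRegisteredEvent` and `VmClonedEvent` entries, flagging names outside the organisation's convention, minimal resource allocation, and non-standard or missing network attachment. The naming convention, thresholds, network names and sample events are assumptions.

```python
"""Flag suspicious VM creation, registration or clone events from vCenter.

Added example, not from the CISA report or VMware. Event type names follow
vSphere's event model; the naming convention, thresholds and samples are
constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Constructed org convention: <site>-<role>-<nn>, e.g. "nyc-web-01".
NAME_PATTERN = re.compile(r"^[a-z]{3}-[a-z]+-\d{2}$")
MIN_VCPU, MIN_MEM_MB = 2, 2048          # below either counts as "minimal"
STANDARD_NETWORKS = {"prod-vlan100", "dmz-vlan200"}  # hypothetical port groups
CREATION_EVENTS = {"VmCreatedEvent", "VmRegisteredEvent", "VmClonedEvent"}


@dataclass
class VmEvent:
    event_type: str        # e.g. VmCreatedEvent
    vm_name: str
    user: str              # principal that performed the action
    vcpu: int
    mem_mb: int
    networks: list = field(default_factory=list)


def suspicious_reasons(e: VmEvent) -> list:
    """Return the reasons an event looks suspicious (empty list if none)."""
    reasons = []
    if e.event_type not in CREATION_EVENTS:
        return reasons  # power/config events are out of scope for this rule
    if not NAME_PATTERN.match(e.vm_name):
        reasons.append("name outside convention")
    if e.vcpu < MIN_VCPU or e.mem_mb < MIN_MEM_MB:
        reasons.append("minimal resources")
    if not e.networks or not set(e.networks) <= STANDARD_NETWORKS:
        reasons.append("non-standard network")
    return reasons


def triage(events):
    """Map vm_name -> reasons for every event that trips at least one rule."""
    hits = {}
    for e in events:
        reasons = suspicious_reasons(e)
        if reasons:
            hits[e.vm_name] = reasons
    return hits


SAMPLE = [  # constructed events
    VmEvent("VmCreatedEvent", "nyc-web-07", "svc-deploy@corp", 4, 8192, ["prod-vlan100"]),
    VmEvent("VmRegisteredEvent", "vm1", "svc-backup@corp", 1, 512, []),
    VmEvent("VmClonedEvent", "nyc-db-02-clone", "admin@corp", 4, 8192, ["prod-vlan100"]),
    VmEvent("VmPoweredOnEvent", "x", "admin@corp", 1, 256, []),
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE).items():
        print(f"{name}: {', '.join(reasons)}")
```

A VM that is registered rather than created, with no network attached and minimal resources, is the shape a hidden rogue VM tends to take, so a registration event from a backup or deployment service account deserves the same scrutiny as an interactive one.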


Conclusion

Brickstorm represents an evolution in state-sponsored cyber espionage capabilities, demonstrating sophisticated targeting of virtualized infrastructure central to enterprise operations. The joint CISA, NSA, and Canadian advisory, combined with technical analysis from security vendors, confirms the campaign's continued activity and expanding scope.

Organizations must treat VMware infrastructure with the same security rigor as critical domain controllers and perimeter systems. The malware's multi-year persistence and advanced evasion capabilities mean detection and rapid response become essential rather than aspirational security goals.

The availability of CISA-developed detection tools and detailed technical analysis provides defenders with unprecedented visibility into this threat. Organizations implementing recommended defenses and detection capabilities can significantly reduce compromise likelihood.

Related reading: VMware security hardening best practices, critical infrastructure cybersecurity frameworks, and state-sponsored cyber espionage trends.


Sources

  1. CISA – Brickstorm Backdoor Malware Analysis Report (Joint with NSA and Canadian Cyber Centre) – https://media.defense.gov/2025/Dec/04/2003834878/-1/-1/0/MALWARE-ANALYSIS-REPORT-BRICKSTORM-BACKDOOR.PDF

  2. CRN – 5 Things To Know On VMware Brickstorm Attacks – https://www.crn.com/news/security/2025/5-things-to-know-on-vmware-brickstorm-attacks

  3. WMTech – CISA Warns of Chinese Brickstorm Malware Attacks on VMware Servers – https://wmtech.io/cisa-warns-of-chinese-brickstorm-malware-attacks-on-vmware-servers/

  4. SafeBreach – CISA AR25-338A BrickStorm Backdoor Coverage and Analysis – https://www.safebreach.com/blog/safebreach-coverage-for-updated-cisa-ar25-338a-brickstorm-backdoor/

About the Author
Evan Mael

IT consultant specializing in cloud infrastructure and Microsoft 365 modernization, focusing on Zero Trust architecture, intelligent automation, and enterprise resilience across AI, cybersecurity, and digital transformation.