LmCast :: Stay tuned in

CISA warns of Chinese "BrickStorm" malware attacks on VMware servers

Recorded: Dec. 4, 2025, 8:02 p.m.

Original

By Sergiu Gatlan

December 4, 2025
01:19 PM

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned network defenders of Chinese hackers backdooring VMware vSphere servers with Brickstorm malware.
In a joint malware analysis report with the National Security Agency (NSA) and Canada's Cyber Security Centre, CISA says it analyzed eight Brickstorm malware samples.
These samples were discovered on networks belonging to victim organizations, where the attackers specifically targeted VMware vSphere servers to create hidden rogue virtual machines to evade detection and steal cloned virtual machine snapshots for further credential theft.
As noted in the advisory, Brickstorm uses multiple layers of encryption, including HTTPS, WebSockets, and nested TLS to secure communication channels, a SOCKS proxy for tunneling and lateral movement within compromised networks, and DNS-over-HTTPS (DoH) for added concealment. To maintain persistence, Brickstorm also includes a self-monitoring function that automatically reinstalls or restarts the malware if interrupted.
While investigating one of the incidents, CISA found that Chinese hackers compromised a web server in an organization's demilitarized zone (DMZ) in April 2024, then moved laterally to an internal VMware vCenter server and deployed malware.
The attackers also hacked two domain controllers on the victim's network and exported cryptographic keys after compromising an Active Directory Federation Services (ADFS) server. The Brickstorm implant allowed them to maintain access to the breached systems from at least April 2024 through September 2025.
After obtaining system access, the attackers were also observed capturing Active Directory database information and performing system backups to steal legitimate credentials and other sensitive data.

Hackers' lateral movement in the victim's network (CISA)
To detect the attackers' presence on their networks and block potential attacks, CISA advises defenders (especially those working for critical infrastructure and government organizations) to scan for Brickstorm backdoor activity using agency-created YARA and Sigma rules, and to block unauthorized DNS-over-HTTPS providers and external traffic.
They should also take inventory of all network edge devices to monitor for suspicious activity and segment the network to restrict traffic from demilitarized zones to internal networks.
"CISA, NSA, and Cyber Centre urge organizations to use the indicators of compromise (IOCs) and detection signatures in this Malware Analysis Report to identify BRICKSTORM malware samples," the joint advisory urges. "If BRICKSTORM, similar malware, or potentially related activity is detected, CISA and NSA urge organizations to report the activity as required by law and applicable policies."
Today, cybersecurity firm CrowdStrike also linked Brickstorm malware attacks targeting VMware vCenter servers on the networks of U.S. legal, technology, and manufacturing companies throughout 2025 to a Chinese hacking group it tracks as Warp Panda. CrowdStrike observed the same threat group deploying previously unknown Junction and GuestConduit malware implants in VMware ESXi environments.
The joint advisory comes on the heels of a Google Threat Intelligence Group (GTIG) report published in September that described how suspected Chinese hackers used the Brickstorm malware (first documented by Google subsidiary Mandiant in April 2024) to gain long-term persistence on the networks of multiple U.S. organizations in the technology and legal sectors.
Google security researchers linked these attacks to the UNC5221 malicious activity cluster, known for exploiting Ivanti zero-days to target government agencies with custom Spawnant and Zipline malware.


Sergiu Gatlan
Sergiu is a news reporter who has covered the latest cybersecurity and technology developments for over a decade. Email or Twitter DMs for tips.

Summarized

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), together with the National Security Agency (NSA) and Canada's Cyber Security Centre, has issued a joint malware analysis report on a Chinese hacking campaign that backdoored VMware vSphere servers with a malware strain known as Brickstorm; CrowdStrike separately attributes related attacks to a group it tracks as Warp Panda. The objective of the operation was long-term persistence inside victim organizations. The attackers specifically targeted VMware vSphere servers to create hidden rogue virtual machines that evade detection and, crucially, to steal cloned virtual machine snapshots, which they then mined for credentials.

Brickstorm layers its communications to resist inspection: HTTPS, WebSockets, and nested TLS protect the command-and-control channel, a SOCKS proxy provides tunneling and lateral movement across compromised networks, and DNS-over-HTTPS (DoH) conceals resolver traffic. A key element of the implant is a self-monitoring function that automatically reinstalls or restarts the malware if it is interrupted, ensuring continued operation.

The intrusion CISA investigated began in April 2024, when the attackers compromised a web server in the victim organization's demilitarized zone (DMZ). From that foothold they moved laterally to an internal VMware vCenter server and deployed the malware. They also breached two domain controllers on the victim's network and compromised an Active Directory Federation Services (ADFS) server, exporting its cryptographic keys. This sustained access, lasting from at least April 2024 through September 2025, allowed the attackers to gather a significant volume of sensitive data, including Active Directory database information captured directly and through system backups.

To mitigate the threat posed by Brickstorm and similar malware, CISA, NSA, and the Cyber Centre issued specific recommendations for defenders, particularly those safeguarding critical infrastructure and government organizations: scan for Brickstorm activity with the agency-developed YARA and Sigma rules, block unauthorized DNS-over-HTTPS (DoH) providers and external traffic, inventory all network edge devices and monitor them for suspicious activity, and segment the network so that traffic from the DMZ cannot reach internal systems freely.
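As an added example (not code from the article, from CISA's report, or from the agencies' YARA/Sigma rules), the following Python checks two of the mitigations recommended in the original article and restated above: DoH requests to providers outside an approved list, and connections crossing from the DMZ into the internal network. The log line format, the IP ranges, and the allowlist are constructed assumptions; a real deployment would read the same fields from its proxy or firewall exports.

```python
"""Detection pass over constructed proxy/firewall log lines for two controls from
the BRICKSTORM advisory: DNS-over-HTTPS to unapproved providers, and DMZ-to-internal
traffic. Log format, network ranges and allowlist are assumptions for this example."""
import ipaddress

# Constructed records: timestamp src_ip dst_ip dst_port host_header url_path content_type
SAMPLE_LOG = """\
2025-09-01T10:00:01Z 10.1.5.20 1.1.1.1 443 cloudflare-dns.com /dns-query application/dns-message
2025-09-01T10:00:07Z 10.1.5.20 203.0.113.9 443 resolver.example.net /dns-query application/dns-message
2025-09-01T10:01:12Z 172.16.0.40 10.0.0.15 443 vcenter.corp.local /ui/ text/html
2025-09-01T10:02:30Z 10.1.5.21 198.51.100.3 443 www.example.org / text/html
"""

APPROVED_DOH = {"cloudflare-dns.com"}                  # assumed policy allowlist
DMZ_NET = ipaddress.ip_network("172.16.0.0/24")        # assumed DMZ range
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed internal ranges


def parse_line(line):
    """Split one whitespace-separated record into typed fields."""
    ts, src, dst, port, host, path, ctype = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "port": int(port), "host": host, "path": path, "ctype": ctype}


def is_doh(rec):
    # RFC 8484 DoH: HTTPS to /dns-query and/or the application/dns-message media type.
    return rec["port"] == 443 and (rec["path"] == "/dns-query"
                                   or rec["ctype"] == "application/dns-message")


def crosses_dmz_to_internal(rec):
    """True when a DMZ source talks to an internal destination (should be segmented)."""
    return rec["src"] in DMZ_NET and any(rec["dst"] in net for net in INTERNAL_NETS)


def find_findings(log_text):
    """Return (rule, timestamp, source, detail) tuples for every record that trips a rule."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_doh(rec) and rec["host"] not in APPROVED_DOH:
            findings.append(("unapproved-doh", rec["ts"], str(rec["src"]), rec["host"]))
        if crosses_dmz_to_internal(rec):
            findings.append(("dmz-to-internal", rec["ts"], str(rec["src"]), str(rec["dst"])))
    return findings


if __name__ == "__main__":
    for finding in find_findings(SAMPLE_LOG):
        print(*finding)
```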

The report's findings were corroborated by CrowdStrike, which linked Brickstorm attacks on VMware vCenter servers at U.S. legal, technology, and manufacturing companies throughout 2025 to Warp Panda and observed the same group deploying previously unknown Junction and GuestConduit implants in VMware ESXi environments, indicating a sustained and adaptable adversary. A September report from Google Threat Intelligence Group (GTIG) had earlier described suspected Chinese hackers using Brickstorm, first documented by Google subsidiary Mandiant in April 2024, to maintain long-term persistence on the networks of U.S. technology and legal organizations. Google tied that activity to the UNC5221 cluster, known for exploiting Ivanti zero-days to target government agencies with custom Spawnant and Zipline malware.

The Brickstorm campaign underscores the growing sophistication of intrusions into virtualized environments and the need for controls that reach the hypervisor management layer. The multi-layered design of the malware, combining encrypted channels, proxy tunneling, and self-monitoring persistence, reflects a deliberate strategy to evade traditional security controls and retain access to compromised systems for long periods. The analysis highlights the importance of continuous monitoring, proactive threat hunting, and adaptation of security practices to emerging threats, particularly from China-linked groups such as the one CrowdStrike tracks as Warp Panda.