BRICKSTORM Malware Backdoors VMware vSphere Environments
Category:Threat Alerts
BRICKSTORM malware is being used by People's Republic of China (PRC) state-sponsored actors to maintain long-term persistence and remote control inside VMware vSphere and other virtualized environments; CISA and the NSA have issued a joint advisory based on their incident response engagements. The tradecraft is notable: the actors compromise vCenter servers, extract credentials, create hidden virtual machines for lateral movement, and export ADFS cryptographic keys (the token-signing material), which lets them forge authentication tokens for identities across the entire domain. The malware includes a "self-watching" function that automatically reinstalls or restarts it if it is disrupted. CISA confirmed that one victim organization had been persistently accessed since April 2024. CrowdStrike tracked multiple U.S. intrusions throughout 2025, with one case showing access dating back to 2023. Targets include government and IT-sector organizations in North America and the Asia-Pacific region. Mandiant attributes the campaign to the same threat actors who previously exploited vulnerabilities in Ivanti appliances.
CORTEX Protocol Intelligence Assessment
Business Impact: BRICKSTORM compromises the virtualization layer that underpins entire data centers, enabling PRC state-sponsored actors to surveil, manipulate, or disrupt large numbers of workloads from a single backdoor. This creates outsized risk for governments, critical infrastructure, and major IT providers whose vSphere environments host sensitive data and services for themselves and their customers.
Strategic Intelligence Guidance
- Isolate VMware vCenter and ESXi management interfaces onto dedicated admin networks, enforcing MFA and strict identity controls for all administrative access.
- Apply the latest VMware security patches and hardening guides, and validate that no internet-facing management services remain exposed without compensating controls.
- Ingest virtualization logs into SIEM and hunt for BRICKSTORM indicators, anomalous commands, and unexpected administrative sessions or API calls on management hosts.
- Elevate virtualization platforms into your high-value asset inventory, including them in regular threat-hunting cycles, EDR coverage, and tabletop exercises focused on hypervisor compromise.
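One concrete hunt that follows from the guidance above is to look for the hidden virtual machines the actors create: a VM that is running on an ESXi host, or whose .vmx file sits on a datastore, but which does not appear in the host's inventory. The script below is an added example, not code from the CISA/NSA advisory or from any vendor; it reconciles the text output of three ESXi commands (`vim-cmd vmsvc/getallvms`, `esxcli vm process list`, and `find /vmfs/volumes -name '*.vmx'`). All sample output is constructed, the column layouts of those commands are assumptions, and the VM names are fictitious.

```python
"""Reconcile ESXi inventory against running VMX processes and on-disk .vmx files.

Inputs are the text outputs of three commands run on an ESXi host:
    vim-cmd vmsvc/getallvms            # registered (inventory) VMs
    esxcli vm process list             # running VMX processes
    find /vmfs/volumes -name '*.vmx'   # every .vmx file on every datastore
The samples below are constructed; the column layouts are assumptions.
"""
import re

REGISTERED_SAMPLE = """\
Vmid   Name    File                          Guest OS                Version   Annotation
1      web01   [datastore1] web01/web01.vmx  ubuntu64Guest           vmx-17
2      dc01    [datastore1] dc01/dc01.vmx    windows9Server64Guest   vmx-17
"""

PROCESS_LIST_SAMPLE = """\
web01
   World ID: 2101234
   Process ID: 0
   Display Name: web01
   Config File: /vmfs/volumes/5a1b2c3d-4e5f6a7b/web01/web01.vmx

dc01
   World ID: 2101300
   Process ID: 0
   Display Name: dc01
   Config File: /vmfs/volumes/5a1b2c3d-4e5f6a7b/dc01/dc01.vmx

vmware-support
   World ID: 2109999
   Process ID: 0
   Display Name: vmware-support
   Config File: /vmfs/volumes/5a1b2c3d-4e5f6a7b/.support/vmware-support.vmx
"""

FIND_VMX_SAMPLE = """\
/vmfs/volumes/5a1b2c3d-4e5f6a7b/web01/web01.vmx
/vmfs/volumes/5a1b2c3d-4e5f6a7b/dc01/dc01.vmx
/vmfs/volumes/5a1b2c3d-4e5f6a7b/.support/vmware-support.vmx
/vmfs/volumes/5a1b2c3d-4e5f6a7b/old/jumpbox.vmx
"""

# One inventory row: Vmid, Name, then "[datastore] relative/path.vmx" (assumed layout).
_REGISTERED_ROW = re.compile(r"^(\d+)\s+(\S+)\s+\[([^\]]+)\]\s+(\S+)")


def parse_registered(text):
    """Return {datastore-relative vmx path: vm name} from getallvms output."""
    registered = {}
    for line in text.splitlines():
        m = _REGISTERED_ROW.match(line)
        if m:  # the header line and blank lines do not match
            _vmid, name, _datastore, rel_path = m.groups()
            registered[rel_path] = name
    return registered


def parse_running(text):
    """Return {display name: config file path} from esxcli vm process list."""
    running, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():      # unindented line starts a VM block
            current = line.strip()
        elif current and line.strip().startswith("Config File:"):
            running[current] = line.split(":", 1)[1].strip()
    return running


def is_registered(config_path, registered):
    """An absolute vmx path matches an inventory entry when it ends with the
    datastore-relative path the inventory recorded for that VM."""
    return any(config_path.endswith("/" + rel) for rel in registered)


def running_but_unregistered(registered_text, process_text):
    """VMX processes whose config file is absent from the inventory."""
    registered = parse_registered(registered_text)
    return sorted(
        (name, path)
        for name, path in parse_running(process_text).items()
        if not is_registered(path, registered)
    )


def on_disk_but_unregistered(registered_text, find_text):
    """.vmx files no inventory entry points at (dormant or detached VMs also surface here)."""
    registered = parse_registered(registered_text)
    return sorted(
        p for p in find_text.split()
        if p.endswith(".vmx") and not is_registered(p, registered)
    )


if __name__ == "__main__":
    for name, path in running_but_unregistered(REGISTERED_SAMPLE, PROCESS_LIST_SAMPLE):
        print(f"RUNNING, NOT IN INVENTORY: {name} ({path})")
    for path in on_disk_but_unregistered(REGISTERED_SAMPLE, FIND_VMX_SAMPLE):
        print(f"ON DISK, NOT IN INVENTORY: {path}")
```

Two caveats apply. A .vmx file that is on disk but not running and not registered is often a legitimately detached or forgotten VM, so the on-disk check is a lead to triage rather than a verdict, whereas a running VMX process with no inventory entry is far harder to explain benignly. Second, an actor with shell access to the host can tamper with the very commands this script consumes, so collect the three outputs as early as possible in an engagement and, where feasible, cross-check the datastore listing from a copy taken outside the host.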
Intelligence Source: BRICKSTORM Malware Backdoors VMware vSphere Environments | Dec 5, 2025