CISA Alerts: Chinese “BrickStorm” Malware Targets VMware Servers

Summary
– CISA, the NSA, and Canada’s Cyber Security Centre warn that Chinese hackers are using Brickstorm malware to backdoor VMware vSphere servers.
– The malware creates hidden virtual machines to evade detection and uses encrypted channels and DNS-over-HTTPS for stealthy communication and movement.
– In one incident, attackers breached a DMZ web server in April 2024, moved to a vCenter server, and maintained access through at least September 2025.
– The advisory provides detection rules and urges network segmentation and monitoring to defend against this threat.
– Cybersecurity firms CrowdStrike and Google have linked these attacks to Chinese groups Warp Panda and UNC5221, targeting U.S. sectors like technology and legal.

A critical cybersecurity alert has been issued concerning a sophisticated Chinese-linked malware campaign targeting essential virtualization infrastructure. The U.S. Cybersecurity and Infrastructure Security Agency (CISA), alongside the National Security Agency (NSA) and Canada’s Cyber Security Centre, has detailed a threat known as “Brickstorm.” This malicious software is designed to infiltrate and backdoor VMware vSphere servers, creating hidden virtual machines to operate undetected. The primary goal is to steal cloned virtual machine snapshots, which attackers then use to harvest credentials and facilitate further network compromise.
The malware employs advanced techniques to avoid discovery. It uses multiple layers of encryption for its communications, including HTTPS, WebSockets, and nested TLS. For movement within a compromised network, it leverages a SOCKS proxy, and it uses DNS-over-HTTPS (DoH) to conceal its command-and-control traffic. Brickstorm also features a self-monitoring function that automatically reinstalls or restarts the malware if its operation is interrupted, ensuring persistent access for the threat actors.
In one documented incident from April 2024, attackers initially breached a web server located in an organization’s demilitarized zone (DMZ). From there, they moved laterally to an internal VMware vCenter server to deploy the Brickstorm implant. The hackers’ access was maintained from at least April 2024 through September 2025. During this prolonged period, they compromised two domain controllers and an Active Directory Federation Services (ADFS) server, exporting cryptographic keys. They were also observed capturing Active Directory database information and performing system backups to exfiltrate legitimate credentials and other sensitive data.
To defend against this threat, CISA provides specific guidance. Network defenders, particularly those in critical infrastructure and government sectors, are advised to scan for Brickstorm activity using agency-provided YARA and Sigma detection rules. Organizations should also block unauthorized DNS-over-HTTPS providers and external traffic, take a full inventory of network edge devices, and implement network segmentation to restrict traffic flow from DMZs to internal networks. The agencies strongly urge using the published indicators of compromise and reporting any detected activity as required.
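As an added illustration of two of those recommendations (block unauthorized DNS-over-HTTPS, and restrict DMZ-to-internal traffic), the script below runs a simple policy check over constructed proxy and firewall records. It is example code written for this page, not CISA's YARA or Sigma rules; the approved resolver name, address ranges, allowed flows and log format are all assumptions.

```python
import ipaddress

# Constructed policy values (assumptions, not from the advisory): the one
# DoH resolver the organization sanctions, the DMZ and internal ranges,
# and the DMZ -> internal flows that are expected to exist.
APPROVED_DOH = {"doh.corp.example"}
DMZ = ipaddress.ip_network("192.0.2.0/24")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
ALLOWED_DMZ_TO_INTERNAL = {("192.0.2.10", "10.0.5.20", 443)}

def parse(line):
    # Constructed log format: src dst port host path content-type
    src, dst, port, host, path, ctype = line.split()
    return {"src": src, "dst": dst, "port": int(port),
            "host": host, "path": path, "ctype": ctype}

def is_doh(rec):
    # RFC 8484 DoH runs over HTTPS, conventionally on the /dns-query path,
    # with the application/dns-message media type; either marker is enough.
    return rec["port"] == 443 and (rec["path"].startswith("/dns-query")
                                   or rec["ctype"] == "application/dns-message")

def findings(lines):
    """Return (rule, src, target) tuples for each policy violation."""
    out = []
    for line in lines:
        rec = parse(line)
        if is_doh(rec) and rec["host"] not in APPROVED_DOH:
            out.append(("unapproved_doh", rec["src"], rec["host"]))
        src, dst = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
        flow = (rec["src"], rec["dst"], rec["port"])
        if src in DMZ and dst in INTERNAL and flow not in ALLOWED_DMZ_TO_INTERNAL:
            out.append(("dmz_to_internal", rec["src"], rec["dst"]))
    return out

# Constructed sample records: DoH to an unsanctioned and to the sanctioned
# resolver, an expected DMZ flow, a DMZ host reaching an internal vCenter-like
# server, and ordinary web browsing.
SAMPLE_LOG = [
    "10.0.7.14 203.0.113.5 443 resolver.example.net /dns-query application/dns-message",
    "10.0.7.14 10.0.9.9 443 doh.corp.example /dns-query application/dns-message",
    "192.0.2.10 10.0.5.20 443 app.corp.example /api/orders application/json",
    "192.0.2.10 10.0.3.30 443 vcenter.corp.example /ui text/html",
    "10.0.7.14 198.51.100.8 443 www.example.com / text/html",
]

if __name__ == "__main__":
    for rule, src, target in findings(SAMPLE_LOG):
        print(f"{rule}: {src} -> {target}")
```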
This advisory aligns with findings from private cybersecurity firms. CrowdStrike has linked these Brickstorm attacks targeting U.S. legal, technology, and manufacturing firms throughout 2025 to a Chinese hacking group it tracks as Warp Panda. The group was also seen deploying other novel malware, named Junction and GuestConduit, within VMware ESXi environments. Furthermore, Google’s Threat Intelligence Group previously documented how suspected Chinese hackers used Brickstorm, first identified by Mandiant in April 2024, to achieve long-term persistence on U.S. technology and legal sector networks, attributing the activity to a cluster known as UNC5221.
(Source: Bleeping Computer)