CISA Releases BRICKSTORM Malware Report with New YARA Rules for VMware vSphere

Jennifer Sherman
January 21, 2026

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a malware analysis report on BRICKSTORM, a sophisticated backdoor linked to Chinese state-sponsored cyber operations.

Released in December 2025 and updated through January 2026, the report identifies this threat targeting VMware vSphere platforms, specifically vCenter servers and ESXi environments.

Organizations in government services and information technology sectors face the highest risk from these attacks.

BRICKSTORM represents a serious threat because it enables attackers to maintain long-term access to compromised systems without detection.

The malware primarily affects virtualized environments, where it can remain hidden while threat actors steal sensitive data, clone virtual machines, and move laterally through networks.

Once installed, BRICKSTORM operates silently in the background, automatically reinstalling itself if removed.

The report examines eleven malware samples discovered across victim organizations. Eight samples were built using the Go programming language, while three newer variants use Rust.

CISA analysts identified BRICKSTORM during an incident response investigation where threat actors maintained persistent access to a victim organization from April 2024 through September 2025.

During this compromise, attackers accessed domain controllers and compromised an Active Directory Federation Services server to export cryptographic keys.

Infection and Persistence Mechanisms

The actors gain initial access through compromised web servers in demilitarized zones (DMZs).

They then move laterally through the network using stolen service-account credentials and Remote Desktop Protocol (RDP) connections, and finally upload BRICKSTORM to VMware vCenter servers.

PRC State-Sponsored Cyber Actors' Lateral Movement (Source: CISA)

The malware installs itself in system directories such as /etc/sysconfig/ and modifies initialization scripts so that it is executed at system startup.

It maintains persistence through a built-in watchdog that continuously checks whether the BRICKSTORM process is still running.

If the process has stopped, the watchdog reinstalls and restarts it from predefined file paths.

This self-healing mechanism lets attackers keep their access after a security team attempts removal. Deleting only the running binary is therefore not enough; the startup hooks and the staged copies the watchdog reinstalls from must be removed at the same time.
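The two persistence traits described above, a binary dropped into a configuration directory and a startup script that relaunches it, can be hunted for on a vCenter Server Appliance filesystem. The following script is an added example and is not CISA's tooling or code from the report; the startup-script directories it inspects are an assumption about the appliance's layout, and the planted filename and init-script line in build_demo_root() are constructed for the self-test, not indicators from the report.

```python
"""Hunt for BRICKSTORM-style persistence on a vCenter appliance filesystem.

Added example, not CISA's tooling or the article's own code. It applies two
checks suggested by the report's description: (1) ELF executables under a
configuration directory such as /etc/sysconfig, where no executable belongs,
and (2) startup scripts that reference those executables. The root is a
parameter so the hunt can run against an offline copy of the appliance.
The planted filename and init-script content in build_demo_root() are
constructed for the self-test and are NOT indicators from the report.
"""
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"

# Startup-script locations to inspect, relative to the appliance root
# (assumption: typical SysV/rc layout of a Photon OS based vCenter appliance).
INIT_DIRS = ("etc/rc.d", "etc/init.d", "etc/rc.local.d")


def find_elf_in_config_dir(config_dir):
    """Return paths of ELF files found (recursively) under config_dir."""
    hits = []
    root = Path(config_dir)
    if not root.is_dir():
        return hits
    for p in root.rglob("*"):
        if p.is_symlink() or not p.is_file():
            continue
        try:
            with open(p, "rb") as f:
                if f.read(4) == ELF_MAGIC:
                    hits.append(p)
        except OSError:
            continue
    return sorted(hits)


def find_startup_refs(init_dirs, targets):
    """Return (script, target) pairs for startup scripts mentioning a target path."""
    refs = []
    for d in init_dirs:
        root = Path(d)
        if not root.is_dir():
            continue
        for script in sorted(root.rglob("*")):
            if not script.is_file():
                continue
            try:
                text = script.read_text(errors="replace")
            except OSError:
                continue
            refs.extend((script, t) for t in targets if t in text)
    return refs


def hunt(root="/"):
    """Run both checks; paths are reported as they appear inside the appliance."""
    root_path = Path(root)

    def inside(p):
        return "/" + str(Path(p).relative_to(root_path))

    binaries = [inside(b) for b in find_elf_in_config_dir(root_path / "etc" / "sysconfig")]
    refs = find_startup_refs([root_path / d for d in INIT_DIRS], binaries)
    return {
        "elf_in_sysconfig": binaries,
        "startup_refs": [(inside(s), t) for s, t in refs],
    }


def build_demo_root():
    """Construct a throwaway fake appliance root with one planted binary (demo only)."""
    root = Path(tempfile.mkdtemp(prefix="vcsa_demo_"))
    (root / "etc/sysconfig").mkdir(parents=True)
    (root / "etc/rc.d").mkdir(parents=True)
    (root / "etc/sysconfig/network").write_text("HOSTNAME=vcsa\n")  # benign config file
    # Minimal ELF header bytes so the magic check fires; not a real or malicious binary.
    (root / "etc/sysconfig/.vmw_helper").write_bytes(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 61)
    (root / "etc/rc.d/rc.local").write_text("#!/bin/sh\n/etc/sysconfig/.vmw_helper &\n")
    return root


if __name__ == "__main__":
    findings = hunt(str(build_demo_root()))
    for b in findings["elf_in_sysconfig"]:
        print(f"ELF binary in config dir: {b}")
    for script, target in findings["startup_refs"]:
        print(f"Startup script {script} references {target}")
```

On a real appliance, run hunt("/") (or point it at a mounted forensic image) and triage each hit with the package manager, for example rpm -Vf on the file to see whether any installed package claims it, before applying CISA's YARA rules to the binaries it finds. A watchdog that respawns the backdoor will also show up as a second process holding the same path open, so pair the filesystem hunt with a process listing.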

BRICKSTORM resolves its command-and-control (C2) servers using DNS-over-HTTPS (DoH) through legitimate public resolvers operated by Cloudflare, Google and Quad9, so the lookups bypass the organization's own DNS servers and do not appear in conventional DNS logs.

The C2 traffic itself blends in with ordinary encrypted web traffic. The malware upgrades an initial HTTPS connection to a secure WebSocket session and layers further encryption inside it.
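Because the resolution step goes to a handful of well-known public DoH endpoints, a vSphere management host talking to any of them is itself a usable signal. The following detection logic is an added example, not one of CISA's published YARA or Sigma rules; it assumes a Zeek-style connection log flattened to JSON lines (the sample records are constructed) and a hypothetical inventory of vCenter and ESXi management addresses.

```python
"""Flag TLS connections from vSphere management hosts to public DoH resolvers.

Added example, not from CISA's report or the original article. Assumes a
Zeek-style conn/ssl log flattened to JSON lines (constructed sample below)
and a hypothetical inventory of vCenter/ESXi management IPs.
"""
import json

# Well-known public DoH endpoints (Cloudflare, Google, Quad9). IPs are the
# resolvers' published anycast addresses; names are their DoH hostnames.
DOH_RESOLVER_IPS = {
    "1.1.1.1", "1.0.0.1",           # Cloudflare
    "8.8.8.8", "8.8.4.4",           # Google
    "9.9.9.9", "149.112.112.112",   # Quad9
}
DOH_SNI = {"cloudflare-dns.com", "dns.google", "dns.quad9.net"}

# Hypothetical inventory: hosts that should never talk to a public resolver.
VSPHERE_MGMT = {"10.10.5.10", "10.10.5.11"}

# Constructed sample log lines (Zeek conn/ssl fields, one JSON object per line).
SAMPLE_LOG = """\
{"ts":"2025-09-01T10:00:01Z","id.orig_h":"10.10.5.10","id.resp_h":"1.1.1.1","id.resp_p":443,"proto":"tcp","server_name":"cloudflare-dns.com"}
{"ts":"2025-09-01T10:00:02Z","id.orig_h":"10.10.5.10","id.resp_h":"10.10.1.53","id.resp_p":53,"proto":"udp","server_name":""}
{"ts":"2025-09-01T10:00:03Z","id.orig_h":"10.10.7.22","id.resp_h":"8.8.8.8","id.resp_p":443,"proto":"tcp","server_name":"dns.google"}
{"ts":"2025-09-01T10:00:04Z","id.orig_h":"10.10.5.11","id.resp_h":"203.0.113.45","id.resp_p":443,"proto":"tcp","server_name":"dns.quad9.net"}
{"ts":"2025-09-01T10:00:05Z","id.orig_h":"10.10.5.11","id.resp_h":"198.51.100.9","id.resp_p":443,"proto":"tcp","server_name":"updates.example.com"}
"""


def is_doh_endpoint(resp_ip: str, resp_port: int, sni: str) -> bool:
    """True if the destination looks like a public DoH resolver.

    Matches port 443 to a known resolver IP, or any port-443 connection whose
    TLS SNI is a resolver's DoH hostname even when the IP is unfamiliar
    (anycast or CDN fronting), so an IP-only blocklist is not relied on.
    """
    if resp_port != 443:
        return False
    return resp_ip in DOH_RESOLVER_IPS or sni.lower().rstrip(".") in DOH_SNI


def find_doh_from_vsphere(log_text: str, mgmt_hosts=VSPHERE_MGMT):
    """Return one alert per connection from a management host to a DoH resolver."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        src = rec["id.orig_h"]
        if src not in mgmt_hosts:
            continue  # other hosts may legitimately use DoH; scope to vSphere
        sni = rec.get("server_name", "")
        if is_doh_endpoint(rec["id.resp_h"], int(rec["id.resp_p"]), sni):
            alerts.append({"ts": rec["ts"], "src": src, "dst": rec["id.resp_h"], "sni": sni})
    return alerts


if __name__ == "__main__":
    for a in find_doh_from_vsphere(SAMPLE_LOG):
        print(f"{a['ts']} vSphere host {a['src']} -> DoH resolver {a['dst']} (SNI {a['sni']!r})")
```

The SNI match matters more than the IP list: the sample's fourth record reaches an address not on the list but announces dns.quad9.net in the TLS handshake, and it is still flagged. The same two lists are what an egress firewall rule would block under the "unauthorized DoH providers" mitigation.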

BRICKSTORM Operational Flow, Malware Initiation (Source: CISA)

Through these connections, attackers gain interactive command-line access, browse file systems, upload and download files, and establish SOCKS proxies for lateral movement.

To support detection and removal efforts, CISA released six YARA rules and one Sigma rule specifically designed to identify BRICKSTORM samples.

These detection signatures target unique code patterns and behavioral characteristics found across different malware variants.

CISA urges organizations to report any BRICKSTORM detections to the agency immediately and to apply the recommended mitigations, including upgrading VMware vSphere to a supported, patched version, implementing network segmentation (in particular isolating vCenter and ESXi management interfaces from DMZ and general-purpose user networks), and blocking DNS-over-HTTPS to resolvers the organization has not sanctioned.

CISA's lateral-movement diagram summarizes the intrusion path: the PRC state-sponsored actors progressed from a DMZ web server through the domain controllers to the VMware vCenter server.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
