
CISA and NSA Warn of BRICKSTORM Malware Targeting VMware ESXi and Windows Systems
A sophisticated malware known as BRICKSTORM, which has drawn significant attention from the international cybersecurity community, has been highlighted in a joint advisory issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Canadian Centre for Cyber Security (Cyber Centre). According to the advisory, the operation is being conducted by experienced threat groups supported by the People’s Republic of China.
BRICKSTORM — a malicious module deeply embedded into virtual infrastructure
Cybersecurity experts describe BRICKSTORM as a “backdoor designed to ensure long-term covert persistence.” Developed in the Go programming language, it employs advanced evasion techniques to avoid detection. The malware’s primary targets include:
- VMware vSphere infrastructure
- Windows server environments
- VMware ESXi and vCenter servers
BRICKSTORM integrates deeply into the virtualization layer, allowing attackers to control not only the systems but also the virtual machines running on them. Most concerning, the malware enables threat actors to steal virtual machine snapshots, potentially exposing sensitive information such as passwords and cryptographic keys.
Attack chain: stealthy access, lateral movement, and persistent control
Experts report that BRICKSTORM uses DNS-over-HTTPS (DoH) to establish communication with its command-and-control (C2) servers. This enables the malware to blend malicious traffic into regular DNS requests, significantly reducing the likelihood of detection.
Once connected to a C2 server, the malware continues communication over HTTPS, encapsulating it within an additional WebSocket + TLS layer. Inside this encrypted tunnel, it can run multiple data streams — including shell access, file transfers, and commands — using multiplexing libraries such as smux or Yamux.
Real-world example
According to the joint report, from April 2024 to September 2025, several government institutions were subjected to an extended targeted attack. The attack unfolded in the following stages:
- A vulnerable web server in the DMZ was initially compromised.
- Attackers then moved laterally, gaining access to the domain controller and ADFS server.
- Once the internal network was controlled, BRICKSTORM was deployed on the VMware vCenter server.
- Cryptographic keys were stolen from the ADFS server, enabling the creation of forged authentication tokens.
- With full access to the virtualization layer, attackers were even able to deploy invisible “rogue” virtual machines running alongside legitimate workloads.
Capabilities of BRICKSTORM
| Capability | Description |
|---|---|
| Self-recovery mechanism | A “self-watcher” feature reinstalls the malware if its process is terminated. |
| Protocol tunneling | Creates covert traffic tunnels over TCP, UDP, and even ICMP. |
| Virtual environment targeting | Certain variants use VSOCK for VM-to-VM communication without standard networking. |
| Persistent stealth | Modifies files such as /etc/sysconfig/init to survive system reboots. |
Cybersecurity recommendations
CISA, NSA, and the Canadian Cyber Centre urge all organizations to immediately check for BRICKSTORM indicators of compromise. Experts highlight the following priority actions:
1. Urgently update VMware vSphere versions
Outdated versions are highly vulnerable to deeply embedded threats like BRICKSTORM.
2. Strictly monitor or block DoH traffic
The malware uses DoH to discover its C2 infrastructure.
3. Minimize connectivity between edge devices and internal resources
Many attacks begin through vulnerabilities in DMZ environments.
4. Increase monitoring of service accounts
BRICKSTORM heavily exploited such accounts in observed incidents.
5. Conduct disk-level forensic analysis
The malware persists not only as a process but also within initialization configuration files.
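As an added illustration of recommendation 2 and of the DoH-based C2 discovery described earlier, the following Python check is not part of the advisory or this article: it flags DoH requests in a constructed set of proxy log lines and reports which clients made them. The log format, the allow list of sanctioned internal resolvers and the sample entries are assumptions; the /dns-query path and the application/dns-message media type are the RFC 8484 DoH conventions.

```python
import re
from collections import Counter

# Constructed sample proxy log lines (not from the advisory).
# Fields: client, destination host, method, path, content type.
SAMPLE_PROXY_LOG = """\
10.0.5.21 dns.google POST /dns-query application/dns-message
10.0.5.21 updates.example.com GET /patch/esxi.vib application/octet-stream
10.0.5.44 cloudflare-dns.com GET /dns-query?dns=AAABAAABAAAAAAAAA2ZvbwA application/dns-message
10.0.5.44 www.example.com GET / text/html
10.0.5.21 resolver.internal.example GET /dns-query application/dns-message
"""

# Well-known public DoH resolver hostnames; a partial list chosen for this
# example, not an indicator list from the advisory.
KNOWN_DOH_RESOLVERS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

# Resolvers the organization sanctions for DoH (assumed; adjust per environment).
ALLOWED_DOH_HOSTS = {"resolver.internal.example"}

LOG_RE = re.compile(
    r"^(?P<client>\S+) (?P<host>\S+) (?P<method>\S+) (?P<path>\S+) (?P<ctype>\S+)$"
)


def is_doh_request(host, path, ctype):
    """RFC 8484 DoH uses a /dns-query path and the application/dns-message media type."""
    return (
        ctype == "application/dns-message"
        or path.split("?", 1)[0].endswith("/dns-query")
        or host in KNOWN_DOH_RESOLVERS
    )


def find_unsanctioned_doh(log_text):
    """Return (client, host) pairs for DoH requests to hosts not on the allow list."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        if is_doh_request(m["host"], m["path"], m["ctype"]) and m["host"] not in ALLOWED_DOH_HOSTS:
            findings.append((m["client"], m["host"]))
    return findings


def clients_by_doh_count(findings):
    """Count unsanctioned DoH requests per client to prioritise triage."""
    return Counter(client for client, _ in findings)
```

Headers and paths are only visible where the proxy terminates TLS; elsewhere, matching on resolver hostnames from SNI or DNS logs is the fallback.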
BRICKSTORM exemplifies how advanced modern cyber warfare tools have become. It is capable of penetrating virtual ecosystems deeply and maintaining long-term control over targeted environments.
Government agencies, large corporations, and organizations heavily reliant on virtualization must urgently strengthen backup strategies, monitoring mechanisms, and vulnerability remediation processes.
As cyber threats continue to evolve in complexity, defensive strategies must also advance and adapt.