Chinese Hackers Exploit BRICKSTORM Backdoor to Infiltrate U.S. Systems, CISA Warns

Chinese State-Sponsored Hackers Exploit BRICKSTORM Backdoor to Infiltrate U.S. Systems

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently unveiled details about a sophisticated backdoor named BRICKSTORM, utilized by state-sponsored threat actors from the People’s Republic of China (PRC) to establish long-term access within compromised systems.

BRICKSTORM is a custom implant written in Golang, designed to target VMware vSphere and Windows environments. This malware provides attackers with interactive shell access, enabling them to browse, upload, download, create, delete, and manipulate files on the infected systems. Its versatility is further demonstrated by its support for multiple protocols, including HTTPS, WebSockets, and nested Transport Layer Security (TLS), facilitating secure command-and-control (C2) communications. Additionally, BRICKSTORM employs DNS-over-HTTPS (DoH) to conceal its communications, blending seamlessly with regular network traffic, and can function as a SOCKS proxy to aid in lateral movement across networks.

The primary targets of BRICKSTORM have been identified within government and information technology (IT) sectors. The exact number of affected government agencies and the specific data compromised remain undisclosed. This activity underscores the evolving tactics of Chinese hacking groups, which continue to exploit edge network devices to breach networks and cloud infrastructures.

In response to these allegations, a spokesperson for the Chinese embassy in Washington stated that the Chinese government does not encourage, support, or connive at cyber attacks.

BRICKSTORM was first documented by Google Mandiant in 2024, linked to the exploitation of zero-day vulnerabilities in Ivanti Connect Secure (CVE-2023-46805 and CVE-2024-21887). The malware has been associated with two threat clusters: UNC5221 and a China-nexus adversary tracked by CrowdStrike as Warp Panda.

In September 2025, Mandiant and Google Threat Intelligence Group (GTIG) observed that legal services, software-as-a-service (SaaS) providers, Business Process Outsourcers (BPOs), and technology sectors in the U.S. were targeted by UNC5221 and related threat activity clusters deploying BRICKSTORM.

A notable feature of BRICKSTORM is its self-monitoring function, which allows it to automatically reinstall or restart itself, ensuring continued operation despite potential disruptions.

In an incident detected in April 2024, attackers accessed a web server within an organization’s demilitarized zone (DMZ) using a web shell. They then moved laterally to an internal VMware vCenter server, implanting BRICKSTORM. The initial access vector and the timing of the web shell deployment remain unclear.

The attackers leveraged their access to obtain service account credentials, moving laterally to a domain controller in the DMZ via Remote Desktop Protocol (RDP) to capture Active Directory information. They also acquired credentials for a managed service provider (MSP) account, which facilitated further movement from the internal domain controller to the VMware vCenter server.

CISA reported that the actors moved laterally from the web server using Server Message Block (SMB) to two jump servers and an Active Directory Federation Services (ADFS) server, exfiltrating cryptographic keys from the latter. Access to vCenter enabled the adversary to deploy BRICKSTORM after elevating their privileges.

BRICKSTORM utilizes custom handlers to set up a SOCKS proxy, create a web server on the compromised system, and execute commands. Some artifacts are designed to function in virtualized environments, using a virtual socket (VSOCK) interface to enable inter-VM communication, facilitate data exfiltration, and maintain persistence.

Warp Panda’s Use of BRICKSTORM Against U.S. Entities

CrowdStrike’s analysis of Warp Panda revealed multiple intrusions targeting VMware vCenter environments at U.S.-based legal, technology, and manufacturing entities in 2025, leading to the deployment of BRICKSTORM. Warp Panda has been active since at least 2022, exhibiting technical sophistication, advanced operational security (OPSEC) skills, and extensive knowledge of cloud and virtual machine (VM) environments.

The group demonstrates a high level of stealth, focusing on maintaining persistent, long-term, covert access to compromised networks. Evidence indicates that Warp Panda gained initial access to one entity in late 2023. Alongside BRICKSTORM, they deployed two previously undocumented Golang implants, Junction and GuestConduit, on ESXi hosts and guest VMs, respectively.

Junction acts as an HTTP server, listening for incoming requests and supporting a range of capabilities to execute commands, proxy network traffic, and interact with guest VMs through VM sockets (VSOCK). GuestConduit is a network traffic–tunneling implant residing within a guest VM, establishing a VSOCK listener on port 5555 to facilitate communication between guest VMs and hypervisors.

Initial access methods involve exploiting internet-facing edge devices to pivot to vCenter environments, using valid credentials or abusing vCenter vulnerabilities. Lateral movement is achieved via SSH and the privileged vCenter management account vpxuser. The group also uses the Secure File Transfer Protocol (SFTP) to move data between hosts.

Exploited vulnerabilities include:

– CVE-2024-21887 (Ivanti Connect Secure)

– CVE-2023-46805 (Ivanti Connect Secure)

– CVE-2024-38812 (VMware vCenter)

– CVE-2023-34048 (VMware vCenter)

– CVE-2021-22005 (VMware vCenter)

– CVE-2023-46747 (F5 BIG-IP)

Warp Panda’s operations emphasize stealth: the group clears logs, timestomps files, and creates rogue VMs that are shut down once they have served their purpose. BRICKSTORM, masquerading as benign vCenter processes, is employed to tunnel traffic through vCenter servers, ESXi hosts, and guest VMs.
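The "create a VM, use it, power it off" pattern described above leaves a trace in vCenter's event log. The hunt below is an added example for this article, not tooling from CISA, Mandiant or CrowdStrike; the event type names are real vSphere event types, while the records and the `max_age_hours` threshold are constructed for illustration.

```python
"""Hunt for short-lived VMs in a flattened vCenter event export.

Added example for this article. The event type names are real vSphere
event types; the records are constructed and already reduced to dicts."""
from datetime import datetime, timedelta

CREATE_EVENTS = {"VmCreatedEvent", "VmRegisteredEvent", "VmClonedEvent"}
END_EVENTS = {"VmPoweredOffEvent", "VmRemovedEvent"}

SAMPLE_EVENTS = [  # constructed sample data
    {"type": "VmCreatedEvent",    "vm": "backup-tmp01", "user": "svc-backup", "time": "2025-03-02T01:12:04Z"},
    {"type": "VmPoweredOnEvent",  "vm": "backup-tmp01", "user": "svc-backup", "time": "2025-03-02T01:12:40Z"},
    {"type": "VmPoweredOffEvent", "vm": "backup-tmp01", "user": "svc-backup", "time": "2025-03-02T03:45:10Z"},
    {"type": "VmCreatedEvent",    "vm": "db-test02",    "user": "admin",      "time": "2025-03-02T08:00:00Z"},
    {"type": "VmPoweredOnEvent",  "vm": "db-test02",    "user": "admin",      "time": "2025-03-02T08:01:00Z"},
    {"type": "VmPoweredOffEvent", "vm": "db-test02",    "user": "admin",      "time": "2025-03-02T08:30:00Z"},
    {"type": "VmPoweredOnEvent",  "vm": "db-test02",    "user": "admin",      "time": "2025-03-02T08:35:00Z"},
    {"type": "VmCreatedEvent",    "vm": "web-prod-07",  "user": "admin",      "time": "2025-03-02T09:00:00Z"},
    {"type": "VmPoweredOnEvent",  "vm": "web-prod-07",  "user": "admin",      "time": "2025-03-02T09:01:00Z"},
]

def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def short_lived_vms(events, max_age_hours=12):
    """Return VMs that were created and then powered off or removed within
    max_age_hours and never powered on again afterwards."""
    max_age = timedelta(hours=max_age_hours)
    created = {}     # vm -> (creation time, creating user)
    last_state = {}  # vm -> ("on" | "off", time of that transition)
    for ev in sorted(events, key=lambda e: e["time"]):
        vm, t = ev["vm"], parse_time(ev["time"])
        if ev["type"] in CREATE_EVENTS:
            created[vm] = (t, ev["user"])
        elif ev["type"] == "VmPoweredOnEvent":
            last_state[vm] = ("on", t)
        elif ev["type"] in END_EVENTS:
            last_state[vm] = ("off", t)
    hits = []
    for vm, (t0, user) in created.items():
        state = last_state.get(vm)
        if state and state[0] == "off" and state[1] - t0 <= max_age:
            hits.append({"vm": vm, "created_by": user,
                         "lifetime_min": int((state[1] - t0).total_seconds() // 60)})
    return hits

if __name__ == "__main__":
    for hit in short_lived_vms(SAMPLE_EVENTS):
        print(f"review {hit['vm']}: created by {hit['created_by']}, "
              f"powered off after {hit['lifetime_min']} min")
```

Only `backup-tmp01` is reported: `db-test02` was powered back on, and `web-prod-07` is still running. Pair a hit with the creating account's other activity (SSH as `vpxuser`, SFTP transfers) before treating it as benign.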

The attackers have been observed accessing email accounts of employees working in areas aligning with Chinese government interests. They also connected to various cybersecurity blogs and a Mandarin-language GitHub repository.

A significant aspect of Warp Panda’s activities is their focus on establishing persistence in cloud environments and reaching sensitive data. Using their access to the entities’ Microsoft Azure environments, they retrieved data stored in OneDrive, SharePoint, and Exchange.

In at least one incident, the hackers obtained user session tokens, likely by exfiltrating user browser files, and tunneled traffic through BRICKSTORM implants to access Microsoft 365 services via a session replay attack, downloading SharePoint files related to the organization’s network engineering and incident response teams.

The attackers also established persistence by registering a new multi-factor authentication (MFA) device through an Authenticator app code after initially logging into a user account. In another intrusion, the Microsoft Graph API was used to enumerate service principals, applications, users, directory roles, and emails.
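A registration of a new MFA method shortly after a sign-in from an address the user has never used is a useful hunt for the persistence step described above. This is an added example for this article, not code from Microsoft, CISA or CrowdStrike; the records are constructed and simplified, and the 30-minute window is an assumption. In real Entra ID exports the activity "User registered security info" is in the audit log and the client IP is in the sign-in log.

```python
"""Flag MFA (security-info) registrations that follow a sign-in from an IP
the user has not used before.

Added example for this article; records are constructed and simplified."""
from datetime import datetime, timedelta

SIGN_INS = [  # constructed: two baseline sign-ins, then one from a new IP
    {"user": "j.doe@example.com", "ip": "203.0.113.10", "time": "2025-03-01T08:02:11Z"},
    {"user": "j.doe@example.com", "ip": "203.0.113.10", "time": "2025-03-02T08:05:40Z"},
    {"user": "j.doe@example.com", "ip": "198.51.100.77", "time": "2025-03-03T02:14:09Z"},
    {"user": "a.lee@example.com", "ip": "203.0.113.22", "time": "2025-03-03T09:00:00Z"},
]
AUDIT_EVENTS = [  # constructed
    {"user": "j.doe@example.com", "activity": "User registered security info", "time": "2025-03-03T02:21:30Z"},
    {"user": "j.doe@example.com", "activity": "Update user", "time": "2025-03-03T02:22:00Z"},
    {"user": "a.lee@example.com", "activity": "User registered security info", "time": "2025-03-03T09:40:00Z"},
]
MFA_REGISTRATION = "User registered security info"  # real Entra ID audit activity name

def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def new_ip_sign_ins(sign_ins):
    """Sign-ins from an IP not seen in that user's earlier sign-ins.
    A user's very first sign-in only seeds the baseline."""
    seen, result = {}, []
    for s in sorted(sign_ins, key=lambda e: e["time"]):
        ips = seen.setdefault(s["user"], set())
        if ips and s["ip"] not in ips:
            result.append((s["user"], s["ip"], parse_time(s["time"])))
        ips.add(s["ip"])
    return result

def suspicious_mfa_registrations(sign_ins, audit_events, window_min=30):
    """Pair each MFA registration with a new-IP sign-in by the same user
    that happened up to window_min minutes earlier (assumed threshold)."""
    window = timedelta(minutes=window_min)
    candidates = new_ip_sign_ins(sign_ins)
    hits = []
    for a in audit_events:
        if a["activity"] != MFA_REGISTRATION:
            continue
        t = parse_time(a["time"])
        for user, ip, t0 in candidates:
            if user == a["user"] and t0 <= t <= t0 + window:
                hits.append({"user": user, "ip": ip,
                             "minutes_after_sign_in": int((t - t0).total_seconds() // 60)})
    return hits

if __name__ == "__main__":
    for h in suspicious_mfa_registrations(SIGN_INS, AUDIT_EVENTS):
        print(f"review {h['user']}: MFA registered {h['minutes_after_sign_in']} min "
              f"after first sign-in from {h['ip']}")
```

`j.doe` is flagged (new IP, registration seven minutes later); `a.lee` is not, because her only sign-in is the baseline itself. A session-replay login may not show as a fresh interactive sign-in, so run this alongside the sign-in log's non-interactive and token-refresh records as well.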

Warp Panda primarily targets entities in North America, consistently maintaining persistent, covert access to compromised networks, likely to support intelligence-collection efforts aligned with PRC strategic interests.