CISA Unveils BRICKSTORM Malware Report: New YARA Rules for VMware vSphere Protection
The Cybersecurity and Infrastructure Security Agency (CISA) has released a comprehensive analysis of BRICKSTORM, a sophisticated backdoor malware attributed to Chinese state-sponsored cyber actors. This report, initially published in December 2025 and updated through January 2026, highlights the malware’s targeting of VMware vSphere platforms, particularly vCenter servers and ESXi environments. Organizations within the government services and information technology sectors are identified as primary targets, facing significant risks from these advanced cyber threats.
Understanding BRICKSTORM’s Threat Landscape
BRICKSTORM poses a severe risk because it is built for long-term, undetected access. From a foothold on the virtualization layer, the operators can exfiltrate data, clone virtual machines, and pivot across the network. Once embedded, it runs quietly and keeps itself alive: if it finds it is no longer running, it reinstalls and relaunches itself from a staged copy, so a simple process kill or file deletion does not remove it.
Technical Composition and Discovery
CISA’s investigation into BRICKSTORM covered eleven distinct malware samples. Eight were written in Go, while three newer variants were written in Rust, indicating that the tooling is still being developed. The agency identified BRICKSTORM during an incident response engagement in which the adversaries held persistent access to a victim’s network from April 2024 through September 2025. During that period they compromised domain controllers and an Active Directory Federation Services (ADFS) server and extracted cryptographic keys; an ADFS token-signing key is enough to mint valid SAML tokens for any application federated with that server, which is what makes this step so damaging.
Infection Pathways and Persistence Mechanisms
BRICKSTORM’s initial access is typically achieved through compromised web servers situated in demilitarized zones (DMZs). Attackers leverage stolen service account credentials and Remote Desktop Protocol (RDP) connections to move laterally within networks, ultimately deploying the malware onto VMware vCenter servers.
Once installed, BRICKSTORM embeds itself within system directories such as /etc/sysconfig/ and alters initialization scripts to ensure execution during system startup. The malware’s persistence is reinforced by self-monitoring capabilities that continuously verify its operational status. If BRICKSTORM detects that it has ceased running, it autonomously reinstalls and restarts from predefined file paths, effectively countering removal efforts by security teams.
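One way to hunt for the persistence pattern just described (an executable planted under /etc/sysconfig/ plus a boot script edited to launch it), as an added example that is not part of the CISA report or its tooling. The sample tree, the file names in it, and the list of init directories are constructed for the demonstration; on a live appliance you would call `scan("/")` and adjust the directory lists to the real layout.

```python
#!/usr/bin/env python3
"""Hunt for the persistence pattern described above: an executable planted under
/etc/sysconfig/ plus a boot script edited to launch it. Example code added to this
article, not CISA's tooling; the sample tree, file names and directory list are
constructed for the demonstration."""
import os
import re
import tempfile

ELF_MAGIC = b"\x7fELF"

# Configuration directories on a Linux appliance. Files here are expected to be
# text; an ELF binary is out of place.
CONFIG_DIRS = ("etc/sysconfig",)

# Boot-time script and unit locations. Assumption: SysV-style rc scripts and
# systemd units; adjust for the real appliance layout.
INIT_DIRS = ("etc/init.d", "etc/rc.d", "etc/systemd/system")

# A shell line that launches a file from /etc/sysconfig/ (optionally wrapped in
# nohup/exec/setsid). Lines that only source such a file (". /etc/sysconfig/x",
# "source /etc/sysconfig/x") start differently and do not match.
LAUNCH_RE = re.compile(r"^\s*(?:nohup\s+|exec\s+|setsid\s+)*(/etc/sysconfig/\S+)(?:\s.*)?$")
# A systemd unit whose ExecStart= points into /etc/sysconfig/.
EXECSTART_RE = re.compile(r"^\s*ExecStart=[-@+!:]*(/etc/sysconfig/\S+)")


def is_elf(path):
    """True if the file starts with the ELF magic bytes."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:
        return False


def walk_files(root, rel):
    """Yield (absolute path, '/'-rooted display path) for every file under root/rel."""
    for dirpath, _, files in os.walk(os.path.join(root, rel)):
        for name in files:
            full = os.path.join(dirpath, name)
            yield full, "/" + os.path.relpath(full, root)


def scan(root="/"):
    """Return findings for a filesystem rooted at `root` ('/' on a live host)."""
    findings = {"elf_in_config_dirs": [], "init_launchers": [], "correlated": []}

    for rel in CONFIG_DIRS:
        for full, shown in walk_files(root, rel):
            if is_elf(full):
                findings["elf_in_config_dirs"].append(shown)

    for rel in INIT_DIRS:
        for full, shown in walk_files(root, rel):
            try:
                with open(full, "r", errors="replace") as fh:
                    lines = fh.read().splitlines()
            except OSError:
                continue
            for line in lines:
                m = LAUNCH_RE.match(line) or EXECSTART_RE.match(line)
                if m:
                    findings["init_launchers"].append((shown, m.group(1)))

    # Highest confidence: a boot script launches something that is itself an ELF
    # binary sitting in a configuration directory.
    targets = {target for _, target in findings["init_launchers"]}
    findings["correlated"] = sorted(
        t for t in targets if is_elf(os.path.join(root, t.lstrip("/")))
    )
    return findings


def build_sample_tree():
    """Constructed sample: a tiny fake appliance root with one benign rc script,
    one planted launcher and one planted unit. Not a real infection artefact."""
    root = tempfile.mkdtemp(prefix="persistence-demo-")
    files = {
        "etc/sysconfig/network": b"NETWORKING=yes\nHOSTNAME=vcsa.example.test\n",
        # Constructed name: an ELF header where only text configuration belongs.
        "etc/sysconfig/updated": ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 61,
        "etc/init.d/network": b"#!/bin/sh\n. /etc/sysconfig/network\nifup eth0\n",
        "etc/init.d/local": (
            b"#!/bin/sh\n# (constructed) launcher appended to a legitimate rc script\n"
            b"nohup /etc/sysconfig/updated -d >/dev/null 2>&1 &\n"
        ),
        "etc/systemd/system/helper.service": (
            b"[Service]\nExecStart=/etc/sysconfig/updated\nRestart=always\n"
        ),
    }
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for key, items in scan(build_sample_tree()).items():
        print(key)
        for item in items:
            print("   ", item)
```

The benign `. /etc/sysconfig/network` line in the network script is deliberately left unflagged: sourcing a variables file from that directory is normal, launching a binary from it is not. Treat any `correlated` hit as a live finding and image the appliance before touching the files, since the report notes the implant relaunches itself from a staged copy when it is killed.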
Communication and Command-and-Control (C2) Infrastructure
BRICKSTORM resolves its command-and-control infrastructure over DNS-over-HTTPS (DoH), sending the lookups through legitimate public resolvers such as Cloudflare, Google, and Quad9. The C2 domain therefore never appears in the organization’s own DNS logs, and the lookups blend into ordinary HTTPS traffic to widely trusted endpoints. The malware then opens an HTTPS connection to the C2 server and upgrades it to a WebSocket session, wrapping the channel in multiple layers of nested encryption.
Through these secure channels, attackers gain interactive command-line access, enabling them to navigate file systems, upload and download files, and set up SOCKS proxies to facilitate lateral movement within the network.
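The two network behaviours described above can be checked in a web-proxy or TLS-inspection export: DoH to a public resolver from a host that should never use DoH, and an HTTPS connection upgraded to WebSocket toward a peer that is not on an allowlist. The following is an added example, not CISA’s Sigma rule; the log format, the server subnet, the WebSocket allowlist and every sample line are constructed for the demonstration. It assumes the proxy sees request paths and headers (that is, it terminates TLS); with SNI-only visibility, only the resolver-hostname check applies.

```python
#!/usr/bin/env python3
"""Flag the C2 pattern described above in a web-proxy export: DoH to public
resolvers from hosts that should never speak DoH, and HTTPS connections upgraded
to WebSocket toward peers not on an allowlist. Example code added to this
article, not CISA's Sigma rule; the log format, subnets, allowlist and sample
lines are constructed for the demonstration."""
import ipaddress
from collections import defaultdict

# Public resolvers the report names, by hostname and well-known address.
DOH_RESOLVERS = {
    "cloudflare-dns.com", "1.1.1.1", "1.0.0.1",
    "dns.google", "8.8.8.8", "8.8.4.4",
    "dns.quad9.net", "9.9.9.9", "149.112.112.112",
}
DOH_PATHS = {"/dns-query", "/resolve"}        # RFC 8484 path and Google's JSON endpoint
DOH_CONTENT_TYPE = "application/dns-message"  # RFC 8484 media type

# Assumptions for the demo: the server VLAN where nothing should use DoH, and the
# only peers a vCenter host is expected to hold a WebSocket session with.
SERVER_NETS = [ipaddress.ip_network("10.10.5.0/24")]
ALLOWED_WS_PEERS = {"vmware.example.test", "vcsa.example.test"}

# Constructed proxy export, one request per line ('-' means empty):
#   ts src_ip dst_host dst_port method path upgrade_header content_type
SAMPLE_LOG = """\
2025-09-02T10:14:03Z 10.10.5.21 cloudflare-dns.com 443 POST /dns-query - application/dns-message
2025-09-02T10:14:04Z 10.10.5.21 dns.google 443 GET /dns-query?dns=AAABAAABAAAAAAAAA2Nkbg - -
2025-09-02T10:14:09Z 10.10.5.21 203.0.113.17 443 GET / websocket -
2025-09-02T10:15:00Z 10.20.1.55 dns.quad9.net 443 POST /dns-query - application/dns-message
2025-09-02T10:15:30Z 10.10.5.21 vmware.example.test 443 GET /sdk websocket -
2025-09-02T10:16:00Z 10.10.5.22 updates.example.test 443 GET /index.html - text/html
"""


def parse(line):
    """Split one constructed log line into a record."""
    ts, src, host, port, method, path, upgrade, ctype = line.split()
    return {
        "ts": ts, "src": src, "host": host, "port": int(port), "method": method,
        "path": path.split("?", 1)[0],
        "upgrade": "" if upgrade == "-" else upgrade.lower(),
        "ctype": "" if ctype == "-" else ctype.lower(),
    }


def in_server_net(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SERVER_NETS)


def classify(rec):
    """Return an alert kind for one request from the server VLAN, or None.
    Workstations are ignored here: browsers legitimately use DoH."""
    if not in_server_net(rec["src"]):
        return None
    looks_like_doh = (
        rec["host"] in DOH_RESOLVERS
        or rec["path"] in DOH_PATHS
        or rec["ctype"] == DOH_CONTENT_TYPE
    )
    if looks_like_doh:
        return "doh"
    if rec["upgrade"] == "websocket" and rec["host"] not in ALLOWED_WS_PEERS:
        return "websocket"
    return None


def analyze(text):
    """Return (alerts, escalated): one alert per flagged request, plus the sources
    that showed both behaviours, which is the combination the report describes."""
    alerts = []
    kinds_by_src = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse(line)
        kind = classify(rec)
        if kind:
            alerts.append({"kind": kind, "ts": rec["ts"], "src": rec["src"], "dst": rec["host"]})
            kinds_by_src[rec["src"]].add(kind)
    escalated = sorted(src for src, kinds in kinds_by_src.items()
                       if {"doh", "websocket"} <= kinds)
    return alerts, escalated


if __name__ == "__main__":
    found, hosts = analyze(SAMPLE_LOG)
    for a in found:
        print(f"{a['ts']} {a['kind']:9} {a['src']} -> {a['dst']}")
    print("DoH followed by WebSocket from:", ", ".join(hosts) or "none")
```

In the sample, the workstation at 10.20.1.55 using Quad9 and the vCenter host holding a WebSocket session to its allowed peer produce nothing; the host that resolves through two public DoH providers and then upgrades a connection to an unlisted address is escalated. A resolver list maintained by hand will go stale, so in production source it from a curated feed and pair it with the content-type and path checks, which catch resolvers the list does not know.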
Detection and Mitigation Strategies
To aid in the identification and eradication of BRICKSTORM, CISA has released six YARA rules and one Sigma rule tailored to detect the malware’s unique code patterns and behavioral traits. Organizations are urged to implement these detection signatures promptly and to report any BRICKSTORM activity to CISA.
Recommended mitigation measures include:
– Upgrading VMware vSphere Servers: Keep vCenter and ESXi on supported, fully patched versions. Note that the access path described in the report is stolen service account credentials and RDP rather than a vSphere exploit, so patching narrows the attack surface but does not by itself evict an attacker who already holds valid accounts; rotate those credentials as part of any remediation.
– Implementing Network Segmentation: Divide networks into segments to limit the spread of malware and restrict unauthorized lateral movement.
– Blocking Unauthorized DoH Providers: Allow DoH only to the organization’s own resolver and block the public DoH endpoints at the network edge, by hostname and by the resolvers’ well-known IP addresses, since the client can reach them over HTTPS without a prior DNS lookup. Servers, and vCenter appliances in particular, have no reason to use DoH at all, so any such traffic from the server network should alert rather than merely be dropped.
Conclusion
The emergence of BRICKSTORM underscores the escalating sophistication of state-sponsored cyber threats targeting critical infrastructure. Organizations, especially those within government services and information technology sectors, must remain vigilant and proactive in their cybersecurity practices. By adopting the detection rules and mitigation strategies provided by CISA, entities can enhance their defenses against such persistent and evolving threats.