WASHINGTON – Today, the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA) and Canadian Centre for Cyber Security (Cyber Centre) unveiled a malware analysis report on BRICKSTORM, a sophisticated backdoor for VMware vSphere (specifically VMware vCenter servers) and Windows environments used by People’s Republic of China (PRC) state-sponsored actors. The report provides indicators of compromise (IOCs) and detection signatures to assist critical infrastructure owners and operators in identifying whether they have been compromised and gives recommended mitigation actions to protect against this pervasive PRC activity.
CISA analyzed eight BRICKSTORM samples obtained from victim organizations, including an organization where CISA did an incident response engagement. BRICKSTORM has advanced functionality to conceal communications, move laterally and tunnel into victim networks, and automatically reinstall or restart the malware if disrupted. PRC actors are using BRICKSTORM for persistent access and are primarily targeting Government and Information Technology (IT) Sector organizations.
“This advisory underscores the grave threats posed by the People’s Republic of China that create ongoing cybersecurity exposures and costs to the United States, our allies and the critical infrastructure we all depend on,” said CISA Acting Director Madhu Gottumukkala. “These state-sponsored actors are not just infiltrating networks — they are embedding themselves to enable long-term access, disruption, and potential sabotage. CISA, in close coordination with our domestic and international partners, urges every organization to treat this threat with the seriousness it demands: review the report, implement the recommended mitigations without delay, and report any suspicious activity. Cyber defense is national defense — and it starts with action.”
Critical infrastructure organizations, especially federal government and IT sector organizations, are urged to use the IOCs, detection signatures, and other resources in the report, such as the CISA-developed YARA and SIGMA rules (both open-source, standardized detection formats used by security analysts). Organizations detecting BRICKSTORM, similar malware, or potentially related activity are urged to contact CISA’s 24/7 Operations Center at [email protected] or (888) 282-0870.
“BRICKSTORM is a sophisticated and stealthy backdoor malware linked to PRC state-sponsored cyber actors,” said CISA Executive Assistant Director for Cybersecurity Nick Andersen. “As this cyber threat persists, we strongly encourage organizations to assess their environments, identify any signs of compromise, and apply the recommended mitigations to strengthen their defenses.”
Recommended actions in this report include scanning systems for BRICKSTORM using the detection signatures and rules; inventorying all network edge devices; monitoring edge devices for suspicious network connectivity; ensuring proper network segmentation; and implementing the Cross-Sector Cybersecurity Performance Goals.
For more information, visit People’s Republic of China Threat Overview and Advisories.
###
About CISA
As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.
Visit CISA.gov for more information and follow us on X, Facebook, LinkedIn, Instagram.