State-Backed BRICKSTORM Malware Campaign Escalates Against Virtualized Infrastructure
A China-linked cyber-espionage campaign leveraging the BRICKSTORM malware family has intensified, targeting VMware vSphere and Windows environments used by government agencies and IT service providers. The operation focuses on stealing virtual machine snapshots, maintaining long-term covert access, and abusing encrypted DNS channels for command and control, underscoring the strategic value of virtualized infrastructure to state-backed actors.
Overview of the BRICKSTORM Operation
BRICKSTORM is a modular backdoor platform deployed primarily against virtualized datacenter environments, with a particular focus on VMware vSphere hypervisors and their associated Windows management infrastructure. The campaign has been attributed to Chinese state-sponsored actors and has been active across multiple years, with some intrusions persisting undetected for more than a year. The malware is designed to enable long-term espionage, data theft, and contingency access for potential future disruptive operations.
Victims include public-sector entities, critical infrastructure operators, and IT and cloud service providers whose environments offer high-value access to downstream customers. By targeting infrastructure that hosts many virtual machines and sensitive workloads, the attackers maximize intelligence value while minimizing the number of unique footholds they must maintain.
Initial Access and Lateral Movement
Initial access is typically obtained by exploiting exposed management interfaces or unpatched vulnerabilities on internet-facing systems within the victim environment. This includes remote management portals, VPN gateways, or web applications that provide entry into the management plane of virtual infrastructure. Once the attackers obtain a foothold, they pivot laterally to systems that manage or host virtual machines, including vCenter servers and administrative Windows hosts.
Credential harvesting is a key component of the lateral movement strategy. The operators use a combination of memory scraping, registry inspection, and access to configuration files to obtain domain and service account credentials. These credentials are then used to access vSphere APIs, remote management shares, and administrative consoles. In some cases, the attackers create or abuse service accounts with elevated permissions that blend into existing operational practices, making detection more difficult.
BRICKSTORM Architecture and Persistence Techniques
BRICKSTORM is implemented as a multi-stage backdoor with several layers of encryption and obfuscation between the initial loader and the core payload. The loader often appears as a legitimate or benign process on Windows hosts, using techniques such as DLL side-loading or signed binary proxy execution to reduce suspicion. After execution, the loader decrypts and injects the main backdoor into memory, avoiding straightforward disk-based detection.
Persistence on Windows systems is achieved through a combination of scheduled tasks, services, registry run keys and, in some cases, WMI event subscriptions. On hosts that interact directly with VMware infrastructure, the malware may also embed itself into management scripts, plug-ins, or automation frameworks used by administrators. This approach ensures that normal operational workflows trigger the malware code path, reinforcing its ongoing presence even if traditional persistence mechanisms are removed.
The campaign also leverages rogue or hidden virtual machines created within the virtualized environment itself. These covert VMs serve as stealthy persistence anchors that can host additional tooling, perform internal reconnaissance, or reintroduce malware into the environment if surface-level remediation occurs. Because these rogue VMs can be configured with unusual metadata, isolated networks, or disguised naming conventions, they often evade routine operational reviews.
Abuse of Virtual Machine Snapshots and Rogue VMs
A distinguishing feature of BRICKSTORM is its focused abuse of virtual machine snapshots. The malware, after gaining access to vSphere APIs or management consoles, enumerates virtual machines and accesses their snapshot data. Snapshots can contain disk images, memory states, and configuration information, all of which are valuable for credential theft, application data extraction, and offline analysis of system contents.
By exfiltrating VM snapshot files, the attackers are able to:
- Recover credential material such as password hashes, Kerberos tickets, and API keys from captured memory and disk images.
- Clone critical workloads for offline exploitation, reverse engineering, or preparation of tailored follow-on attacks.
- Study software configurations, security controls, and network topologies without maintaining noisy interactive access.
In addition to snapshot theft, the threat actors create hidden or rogue VMs that do not align with standard naming or tagging conventions. These VMs can be attached to internal networks for stealthy reconnaissance, establish internal pivot points, or host secondary command and control relays. They can be configured with minimal resource footprints and scheduled only to run intermittently, further reducing their operational visibility.
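The rogue-VM pattern described above is most reliably caught by a periodic inventory review against written policy. What follows is an added example, not code from the article or from any vendor tooling: it scores a constructed VM inventory against an assumed naming convention, required ownership tags, approved templates and approved port groups, and reports every VM that deviates.

```python
import re
from dataclasses import dataclass, field

# Policy values below are assumptions for this example; adapt them to your own standards.
NAME_PATTERN = re.compile(r"^(prd|stg|dev)-[a-z0-9]+-[0-9]{2}$")
REQUIRED_TAGS = {"owner", "app"}
APPROVED_TEMPLATES = {"win2022-std", "rhel9-std"}
APPROVED_NETWORKS = {"prd-vlan-100", "mgmt-vlan-10", "dev-vlan-200"}

@dataclass
class VM:
    name: str
    template: str
    networks: list
    tags: dict = field(default_factory=dict)

def review_vm(vm):
    """Return the policy violations for one VM (empty list if compliant)."""
    findings = []
    if not NAME_PATTERN.match(vm.name):
        findings.append("name outside convention")
    missing = sorted(REQUIRED_TAGS - vm.tags.keys())
    if missing:
        findings.append("missing tags: " + ", ".join(missing))
    if vm.template not in APPROVED_TEMPLATES:
        findings.append("non-standard template: " + vm.template)
    for net in vm.networks:
        if net not in APPROVED_NETWORKS:
            findings.append("unapproved network: " + net)
    return findings

def review_inventory(vms):
    """Map each non-compliant VM name to its list of findings."""
    return {vm.name: f for vm in vms if (f := review_vm(vm))}

# Constructed inventory: one compliant VM and one that matches the rogue-VM pattern
# (off-convention name, no ownership metadata, custom image, isolated port group).
INVENTORY = [
    VM("prd-db-01", "rhel9-std", ["prd-vlan-100"], {"owner": "dba-team", "app": "erp"}),
    VM("tmp-maint", "custom-iso", ["isolated-pg-7"]),
]

if __name__ == "__main__":
    for name, findings in review_inventory(INVENTORY).items():
        print(name, "->", "; ".join(findings))
```

In practice the inventory would be pulled from the vSphere API rather than constructed inline; the scoring logic stays the same.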
Command and Control via DNS-over-HTTPS
BRICKSTORM’s command and control layer heavily uses DNS-over-HTTPS (DoH) to disguise outbound communications within encrypted web traffic. By encapsulating DNS queries and responses inside HTTPS sessions, the malware bypasses many legacy DNS monitoring controls and blends into normal TLS traffic destined for popular resolver endpoints or content delivery networks.
The malware constructs custom subdomain queries or payload fragments that encode tasking, beacons, and exfiltrated data. These records are transmitted over HTTPS to attacker-controlled domains or resolvers that interpret and respond with encrypted instructions. Multiple layers of symmetric and sometimes asymmetric encryption wrap the payloads, ensuring that even if the traffic is intercepted and decrypted at the TLS layer by enterprise inspection tools, the inner content remains opaque without the keys embedded in the malware.
To enhance resiliency, BRICKSTORM may maintain multiple fallback C2 endpoints and support patterns resembling domain generation algorithms for resolving the actual command infrastructure. The backdoor can dynamically adjust beacon intervals, message sizes, and communication patterns based on operator control or internal heuristics, making statistical detection more challenging.
Operational Security and Evasion Techniques
The operators behind BRICKSTORM demonstrate disciplined operational security. They often limit interactive activity to specific time windows aligned with target time zones, throttle data exfiltration to match normal network baselines, and reuse existing administrative channels where possible. This reduces behavioral anomalies that could trigger detection by user and entity behavior analytics or anomaly-based network detection and response (NDR) tools.
On the endpoint side, BRICKSTORM components leverage process masquerading, code signing abuse, and memory-only payloads to evade traditional antivirus and endpoint protection systems. Some variants incorporate anti-analysis techniques such as environment checks, delayed execution, or debugger detection to hinder sandbox-based inspection and reverse engineering. Logging and forensic traces are selectively cleared or tampered with to remove evidence of critical steps, such as privilege escalation or account creation.
Indicators of Compromise and Detection Challenges
Detection efforts center on a combination of network-level and host-level indicators. At the network layer, security teams are advised to identify unauthorized or unusual DNS-over-HTTPS traffic, especially to resolvers or domains not approved by organizational policy. Anomalous patterns such as repeated queries to obscure domains, irregular subdomain structures, or atypical HTTPS destinations from infrastructure management hosts warrant investigation.
On hosts, artifacts may include:
- Unrecognized services, scheduled tasks, or WMI subscriptions tied to atypical executables or scripts.
- Unexpected access patterns to vSphere APIs, including snapshot enumeration and export operations from nonstandard accounts or hosts.
- Creation of new virtual machines that do not comply with naming conventions, tagging policies, or resource allocation norms.
- Logs showing repeated access to VM snapshot storage or datastore locations from systems not typically involved in backup or disaster recovery (DR) workflows.
However, many of these signals can be subtle, especially in large, complex environments where virtual infrastructure is heavily automated. Distinguishing malicious snapshot usage from legitimate backup and replication activities requires correlation across identity, time, and operational context.
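One way to perform that identity, time and context correlation, shown here as an added example rather than code from the article or any vendor product: constructed vCenter-style audit lines are checked against an assumed set of backup identities, backup hosts and a nightly backup window, and exports are counted per identity in a sliding window so that bulk pulls stand out from routine single exports.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Operational context assumed for this example: who may touch snapshots, from where, and when.
BACKUP_IDENTITIES = {"svc-backup@vsphere.local"}
BACKUP_HOSTS = {"10.10.5.20"}
BACKUP_WINDOW_UTC = (1, 5)   # exports are expected between 01:00 and 05:00 UTC
BULK_THRESHOLD, BULK_SPAN = 3, timedelta(minutes=10)

def parse_event(line):
    """Parse a constructed 'timestamp key=value ...' audit line into a dict."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev

def correlate(lines):
    """Return (timestamp, user, vm, reasons) for snapshot events that break the baseline."""
    alerts, recent_exports = [], defaultdict(list)
    for ev in map(parse_event, lines):
        if not ev["op"].startswith("snapshot."):
            continue                                   # only snapshot operations matter here
        reasons = []
        if ev["user"] not in BACKUP_IDENTITIES:
            reasons.append("non-backup identity")
        if ev["src"] not in BACKUP_HOSTS:
            reasons.append("non-backup host")
        if not BACKUP_WINDOW_UTC[0] <= ev["ts"].hour < BACKUP_WINDOW_UTC[1]:
            reasons.append("outside backup window")
        if ev["op"] == "snapshot.export":              # sliding window of exports per identity
            window = recent_exports[ev["user"]]
            window.append(ev["ts"])
            window[:] = [t for t in window if ev["ts"] - t <= BULK_SPAN]
            if len(window) >= BULK_THRESHOLD:
                reasons.append("bulk export")
        if reasons:
            alerts.append((ev["ts"].isoformat(), ev["user"], ev["vm"], reasons))
    return alerts

# Constructed sample: a legitimate nightly backup, then daytime snapshot activity from an admin account.
SAMPLE_LOG = [
    "2024-05-02T02:10:00Z user=svc-backup@vsphere.local src=10.10.5.20 op=snapshot.create vm=prd-db-01",
    "2024-05-02T02:11:30Z user=svc-backup@vsphere.local src=10.10.5.20 op=snapshot.export vm=prd-db-01",
    "2024-05-02T14:02:10Z user=jsmith-adm@corp.local src=10.10.40.15 op=vm.poweron vm=prd-app-02",
    "2024-05-02T14:02:40Z user=jsmith-adm@corp.local src=10.10.40.15 op=snapshot.list vm=prd-db-01",
    "2024-05-02T14:03:05Z user=jsmith-adm@corp.local src=10.10.40.15 op=snapshot.export vm=prd-dc-01",
    "2024-05-02T14:04:11Z user=jsmith-adm@corp.local src=10.10.40.15 op=snapshot.export vm=prd-db-01",
    "2024-05-02T14:05:47Z user=jsmith-adm@corp.local src=10.10.40.15 op=snapshot.export vm=prd-app-02",
]
```

Running `correlate(SAMPLE_LOG)` yields no alert for the service account inside its window and four alerts for the admin account, the last of which also carries the bulk-export reason.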
Defensive Recommendations for Virtualized Environments
Defending against BRICKSTORM and similar campaigns requires hardening both the management plane and the virtual infrastructure itself. Organizations should prioritize:
- Strict network segmentation for management interfaces, ensuring that vCenter, ESXi hosts, and backup infrastructure are accessible only from dedicated administrative networks and jump hosts.
- Enforcement of multi-factor authentication and least privilege for all accounts with access to virtualization management, including service accounts and automation tools.
- Baseline and continuous monitoring of snapshot operations, including alerts for bulk snapshot exports, unusual snapshot creation patterns, and access from unexpected identities.
- Inventory and periodic review of all virtual machines, with policies that flag unapproved VMs, missing ownership metadata, or deviations from standardized templates.
- Tight control and inspection of DNS-over-HTTPS usage, allowing only sanctioned resolvers and applying TLS inspection and logging where consistent with policy and legal constraints.
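A concrete form of the DoH control in the last bullet, added here as an example and not taken from the article: it classifies constructed proxy log lines as DoH using the RFC 8484 conventions (the application/dns-message media type, or a /dns-query path with a dns= GET parameter), flags requests to any resolver outside an assumed allow-list, and raises severity when the source is one of the assumed virtualization-management hosts.

```python
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Assumed policy: the only sanctioned DoH resolver, and the hosts that manage vSphere.
SANCTIONED_RESOLVERS = {"doh.corp.example"}
MANAGEMENT_HOSTS = {"10.10.40.15", "10.10.40.16"}

def parse_line(line):
    """Parse a constructed 'timestamp key=value ...' proxy log line into a dict."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = ts
    return rec

def is_doh(rec):
    """RFC 8484 markers: dns-message media type, or /dns-query with a dns= GET parameter."""
    if "application/dns-message" in (rec.get("ctype", ""), rec.get("accept", "")):
        return True
    url = urlsplit(rec["path"])
    return url.path == "/dns-query" or "dns" in parse_qs(url.query)

def flag_doh(lines):
    """Per source host: unsanctioned DoH request count, resolvers contacted, and severity."""
    findings = defaultdict(lambda: {"count": 0, "resolvers": set(), "severity": "low"})
    for rec in map(parse_line, lines):
        if not is_doh(rec) or rec["host"] in SANCTIONED_RESOLVERS:
            continue                       # ordinary HTTPS, or DoH to the approved resolver
        f = findings[rec["src"]]
        f["count"] += 1
        f["resolvers"].add(rec["host"])
        if rec["src"] in MANAGEMENT_HOSTS:
            f["severity"] = "high"         # management-plane hosts should never need other resolvers
    return dict(findings)

# Constructed sample lines: sanctioned DoH, DoH from a management host to an unknown resolver
# (POST and GET forms), DoH from a workstation, and ordinary HTTPS from the management host.
SAMPLE_LOG = [
    "2024-05-02T09:00:01Z src=10.10.70.3 host=doh.corp.example method=POST path=/dns-query ctype=application/dns-message",
    "2024-05-02T09:00:07Z src=10.10.40.15 host=cdn-edge.example.net method=POST path=/dns-query ctype=application/dns-message",
    "2024-05-02T09:00:09Z src=10.10.40.15 host=cdn-edge.example.net method=GET path=/dns-query?dns=AAABAAABAAAA accept=application/dns-message",
    "2024-05-02T09:01:15Z src=10.10.60.7 host=resolver.example.org method=POST path=/dns-query ctype=application/dns-message",
    "2024-05-02T09:02:30Z src=10.10.40.15 host=updates.example.com method=GET path=/api/v1/status ctype=application/json",
]
```

The media-type and path fields are only visible where TLS inspection is in place; without it, the same allow-list logic can still be applied to the SNI or destination host alone.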
In addition, integrating virtualization platform logs with a centralized SIEM and using behavior analytics focused on administrative actions can help identify misuse of legitimate tools. Regular threat hunting campaigns targeting virtualization environments, combined with rehearsed incident response playbooks for hypervisor compromise, significantly improve resilience against state-backed virtual infrastructure attacks.