SparTech Software CyberPulse – Your quick strike cyber update for December 25, 2025 10:41 AM

State-Backed BRICKSTORM Malware Targets Virtualized Infrastructure At Scale

A coordinated advisory from multiple national cybersecurity agencies has detailed an extended campaign using the BRICKSTORM backdoor to compromise VMware vSphere and Windows environments, with attackers focused on long-term persistence, credential theft, and data exfiltration in government and critical infrastructure networks.

Campaign Overview And Target Profile

BRICKSTORM is attributed to a state-sponsored threat actor with a multi‑year operational window, including documented access in at least one environment from April 2024 through September 2025. The primary targets are public sector entities, IT service providers, and critical infrastructure operators that rely heavily on VMware-based virtualization for both production workloads and management infrastructure.

The campaign leverages compromised vSphere management planes and adjacent Windows systems to gain broad visibility into virtualized data centers. By focusing on hypervisor and management layers instead of individual guest systems, the actor maximizes the impact of each successful intrusion and simplifies lateral movement across segmented networks.

Initial Access And Lateral Movement

Initial access techniques observed in the campaign include exploitation of unpatched internet‑facing services in management networks, abuse of weak or reused administrator credentials, and possible use of previously stolen VPN or SSO tokens. Once inside, the actor pivots systematically toward vCenter servers and Windows-based management hosts that provide control over large virtual estates.

Lateral movement is achieved through a combination of credential harvesting, pass‑the‑hash or token replay against administrative interfaces, and remote management protocols such as SMB and remote service creation. The actor prioritizes accounts with privileges over virtualization clusters, backup systems, and directory services to ensure resilient access and control over both compute and identity planes.

BRICKSTORM Backdoor Architecture And Capabilities

BRICKSTORM is a modular backdoor engineered for persistence and stealth in mixed VMware and Windows environments. The malware incorporates multiple layers of encryption around both payload components and command‑and‑control traffic, complicating static analysis and network‑based detection.

A notable feature is its ability to interact with VMware environments at the management layer. The backdoor can enumerate virtual machines, capture virtual machine snapshots, and exfiltrate these snapshots for offline credential and data extraction. By working with snapshots, the actor can obtain in‑memory secrets, disk images, and application data without continuously interacting with guest operating systems.

In some cases, BRICKSTORM has been observed creating hidden or rogue virtual machines within existing clusters. These rogue VMs can be used as covert footholds, internal pivot points, or staging systems for further tooling, while blending into large virtualization estates where additional VMs are common and may not be closely audited.

Command And Control Using DNS-Over-HTTPS

The malware’s command‑and‑control channel uses DNS‑over‑HTTPS to encapsulate communication within encrypted HTTPS sessions directed at legitimate-looking endpoints. This approach allows BRICKSTORM traffic to blend into typical TLS‑protected web traffic and evade perimeter controls that inspect or block traditional DNS or clear‑text C2 protocols.

Multiple encryption layers are applied to the data carried inside the DNS‑over‑HTTPS transactions, so the confidentiality and integrity of the command channel do not depend on TLS alone: even a TLS‑intercepting proxy sees only another opaque ciphertext where the DNS payload should be. Analysts must peel away each cryptographic layer in turn to reconstruct tasking and beacons, which frustrates both content inspection and reverse engineering.
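To make the channel concrete, the following is an added example (not code from the advisory or from the malware) showing what a DNS‑over‑HTTPS request looks like to a TLS‑inspecting web proxy and how the queried name is recovered from the DNS wire‑format message the request carries. The proxy log entries, the resolver hostname and the queried domains are constructed for the example; the /dns-query path and the application/dns-message media type come from RFC 8484.

```python
"""Added example (not from the advisory): recognising DNS-over-HTTPS requests in
web-proxy logs and recovering the queried name from the DNS wire-format message
each request carries.  Log entries, hostnames and queried domains are constructed;
the default path and media type are taken from RFC 8484."""
import base64
import json
import struct
from urllib.parse import parse_qs, urlsplit

DOH_PATHS = ("/dns-query", "/resolve")   # RFC 8484 well-known path plus a common vendor variant
DOH_MEDIA = "application/dns-message"     # RFC 8484 media type for wire-format DNS


def build_dns_query(name, qtype=1, txid=0):
    """Minimal DNS wire-format query; used here only to construct sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)      # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def parse_qname(msg):
    """Return the QNAME of the first question in a DNS wire-format message."""
    if len(msg) < 12 or struct.unpack("!H", msg[4:6])[0] < 1:
        raise ValueError("not a DNS message with a question section")
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated QNAME")
        length = msg[pos]
        if length == 0:
            return ".".join(labels)
        if length & 0xC0:            # compression pointers never appear in a query's own QNAME
            raise ValueError("unexpected compression pointer")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")  # DoH GET omits '=' padding


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def doh_query_name(entry):
    """Return the queried name if the proxy log entry looks like DoH, else None."""
    url = urlsplit(entry["url"])
    by_path = any(url.path.endswith(p) for p in DOH_PATHS)
    by_media = DOH_MEDIA in (entry.get("accept", ""), entry.get("content_type", ""))
    if not (by_path or by_media):
        return None
    try:
        params = parse_qs(url.query)
        if entry["method"] == "GET" and "dns" in params:
            return parse_qname(b64url_decode(params["dns"][0]))
        if entry["method"] == "POST" and entry.get("body_b64"):
            return parse_qname(base64.b64decode(entry["body_b64"]))
    except ValueError:
        pass
    return "<doh-request, query not decoded>"


def find_doh(log_lines):
    """(client, DoH server, queried name) for every DoH request in JSON-lines proxy output."""
    hits = []
    for line in log_lines:
        entry = json.loads(line)
        name = doh_query_name(entry)
        if name is not None:
            hits.append((entry["src"], urlsplit(entry["url"]).hostname, name))
    return hits


# Constructed proxy log: one DoH GET, one DoH POST (body logged as base64), one ordinary request.
SAMPLE_PROXY_LOG = [
    json.dumps({"src": "10.20.5.17", "method": "GET", "accept": DOH_MEDIA,
                "url": "https://resolver.example.test/dns-query?dns="
                       + b64url_encode(build_dns_query("update.cdn-example.test"))}),
    json.dumps({"src": "10.20.5.17", "method": "POST", "content_type": DOH_MEDIA,
                "url": "https://resolver.example.test/dns-query",
                "body_b64": base64.b64encode(build_dns_query("beacon.cdn-example.test", qtype=16)).decode()}),
    json.dumps({"src": "10.20.5.22", "method": "GET", "url": "https://intranet.example.test/index.html"}),
]

if __name__ == "__main__":
    for src, server, name in find_doh(SAMPLE_PROXY_LOG):
        print(f"{src} -> {server}: {name}")
```

Two caveats apply to using this in practice. Without TLS interception the proxy never sees the path, media type or body, so only the destination host is available and blocking known public DoH resolvers while forcing servers to use internal resolvers is the realistic control. And even with interception, decoding the DoH layer only exposes the queried names and response records; with a backdoor that wraps its tasking in further encryption layers, as described above, the instructions themselves remain opaque, and the detection value lies in the unexpected resolver, the client making the requests, and the query cadence.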

Persistence, Stealth, And Long-Term Access

BRICKSTORM maintains persistence through a combination of scheduled tasks, service registrations, and modifications to management tooling on both Windows and VMware platforms. On Windows, the malware can install itself as a system service or integrate with existing services used by monitoring or backup agents, making malicious activity difficult to distinguish from legitimate operations.

Within VMware ecosystems, persistence is reinforced by embedding components on management hosts and potentially by leveraging scripts or automation workflows used for routine operations. Because virtualization layers are often less frequently rebuilt than individual guest systems, persistence at this level permits multi‑year access even as underlying applications and operating systems are upgraded.
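The lateral movement described earlier (remote service creation following credential reuse) and the Windows persistence described here (new services and scheduled tasks) leave a common trace: a network logon from an unexpected source closely followed by a service or task being installed on the same host. The following is an added example, not from the advisory, that correlates those records. The event IDs are the standard Windows ones (4624 logon, 7045 service installed, 4698 scheduled task created); the flattened record schema, the jump‑host allowlist, the trusted binary paths and every sample event are constructed assumptions.

```python
"""Added example (not from the advisory): correlating Windows events to surface
service or scheduled-task creation that follows a network logon from an unexpected
source.  Event IDs are standard (4624 logon, 7045 service installed, 4698 task
created); the record schema, allowlists and all sample events are constructed."""
from datetime import datetime, timedelta

# Hosts from which administrative network logons to management servers are expected (assumption).
ADMIN_JUMP_HOSTS = {"10.10.0.5", "10.10.0.6"}
# Directories where legitimately installed service/task binaries normally live (assumption).
TRUSTED_IMAGE_PREFIXES = ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\program files (x86)\\")
# How far back from a service/task creation to look for the enabling network logon.
WINDOW = timedelta(minutes=15)


def _ts(value):
    return datetime.fromisoformat(value)


def correlate(events):
    """Return alerts as (host, event_id, name, reasons) for suspicious 7045/4698 events."""
    network_logons = [e for e in events if e["event_id"] == 4624 and e["logon_type"] == 3]
    alerts = []
    for e in events:
        if e["event_id"] not in (7045, 4698):
            continue
        created = _ts(e["ts"])
        reasons = []
        # Network logons to the same host inside the window, from outside the jump-host set.
        sources = sorted({l["src_ip"] for l in network_logons
                          if l["host"] == e["host"]
                          and timedelta(0) <= created - _ts(l["ts"]) <= WINDOW
                          and l["src_ip"] not in ADMIN_JUMP_HOSTS})
        if sources:
            reasons.append("preceded by network logon from " + ", ".join(sources))
        # The binary the new service or task runs: 7045 carries ImagePath, 4698 the task action.
        binary = e.get("image_path") or e.get("task_action") or ""
        if not binary.lower().startswith(TRUSTED_IMAGE_PREFIXES):
            reasons.append("binary outside trusted paths: " + binary)
        if reasons:
            alerts.append((e["host"], e["event_id"], e.get("service_name") or e.get("task_name"), reasons))
    return alerts


# Constructed sample: one management host shows a non-jump-host NTLM network logon followed by a
# new service and a new task in ProgramData; a second host shows a routine, benign install.
SAMPLE_EVENTS = [
    {"ts": "2025-06-02T01:12:03", "host": "MGMT-WIN01", "event_id": 4624, "logon_type": 3,
     "auth_package": "NTLM", "user": "CORP\\svc_vmbackup", "src_ip": "10.20.5.17"},
    {"ts": "2025-06-02T01:13:40", "host": "MGMT-WIN01", "event_id": 7045,
     "service_name": "WinSvcHelper", "image_path": "C:\\ProgramData\\WinSvcHelper\\svchost.exe"},
    {"ts": "2025-06-02T01:15:00", "host": "MGMT-WIN01", "event_id": 4698, "user": "CORP\\svc_vmbackup",
     "task_name": "\\Microsoft\\Windows\\Maintenance\\Sync",
     "task_action": "C:\\ProgramData\\WinSvcHelper\\sync.exe"},
    {"ts": "2025-06-02T09:00:00", "host": "MGMT-WIN02", "event_id": 4624, "logon_type": 3,
     "auth_package": "Kerberos", "user": "CORP\\adm_jdoe", "src_ip": "10.10.0.5"},
    {"ts": "2025-06-02T09:02:10", "host": "MGMT-WIN02", "event_id": 7045,
     "service_name": "BackupAgent", "image_path": "C:\\Program Files\\BackupVendor\\Agent.exe"},
]

if __name__ == "__main__":
    for host, event_id, name, reasons in correlate(SAMPLE_EVENTS):
        print(f"{host} event {event_id} {name}: " + "; ".join(reasons))
```

The jump‑host allowlist is what makes this rule useful rather than noisy: once administrative access to management hosts is confined to a small set of sources, any network logon from elsewhere that precedes a persistence change is worth an analyst's time, and the path check catches the monitoring‑ or backup‑agent impersonation the text describes when the impostor binary lives outside the vendor's install directory.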

Credential Theft And Data Exfiltration Techniques

Credential theft is central to the campaign. Attackers use memory scraping, keylogging, and direct access to security database files or credential stores to collect administrator passwords, API tokens, and service account secrets. The exfiltrated virtual machine snapshots further expand the credential surface, enabling offline extraction of cached credentials and cryptographic material from multiple guest systems.

Data exfiltration leverages the same DNS‑over‑HTTPS channel and, where necessary, additional covert channels built on standard web protocols. Because virtual machine snapshots can be large, the actor segments and compresses data, exfiltrating it gradually to avoid triggering anomaly‑based thresholds for outbound transfer volume or frequency.

Operational Impact On Government And Critical Infrastructure

For government networks and critical infrastructure operators, control of virtualization layers provides the attacker with a strategic vantage point. The actor can observe or manipulate workloads that support core business processes, OT monitoring, or public services, while maintaining options for later disruptive or destructive actions.

The ability to steal snapshots and create rogue VMs increases the risk of both espionage and pre‑positioning for future operations. Even if no immediate disruption is observed, long‑term clandestine access to virtualized infrastructure undermines the integrity of incident response, as defenders may be unaware of hidden footholds or the full scope of compromised workloads.

Detection And Mitigation Considerations

Defenders are advised to focus on telemetry from VMware management components, Windows event logs, and DNS‑over‑HTTPS usage across their environments. Unexplained creation of virtual machines, unusual snapshot activity, or persistent administrative sessions from atypical hosts should be treated as potential indicators of compromise.

Mitigation steps include strict network segmentation between DMZ, management, and production segments; blocking or tightly controlling DNS‑over‑HTTPS traffic; enforcing strong authentication and least privilege on virtualization management systems; and continuously monitoring for anomalous changes in virtual infrastructure inventories and configurations.
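The detection advice above reduces to three checks against vCenter's own event stream: VM creation or cloning that does not match an approved inventory, snapshot activity against identity‑tier VMs, and administrative sessions originating from sources other than the expected jump hosts. The following is an added example, not from the advisory or from VMware, that applies those checks to a batch of vCenter events. The field names follow the vSphere event model (eventTypeId, userName, createdTime, vm.name, and ipAddress on UserLoginSessionEvent), but the snapshot task descriptionId, the inventory and jump‑host lists, and every sample event are assumptions constructed for the example.

```python
"""Added example (not from the advisory): flagging the vSphere management-plane
activity the advisory calls out (unexpected VM creation, snapshots of sensitive VMs,
logins from atypical sources) in a batch of vCenter events.  Field names follow the
vSphere event model; the snapshot descriptionId, allowlists and samples are assumptions."""

APPROVED_INVENTORY = {"dc01", "dc02", "app-web01", "app-db01", "backup01"}  # CMDB baseline (assumption)
TIER0_VMS = {"dc01", "dc02"}                                                # identity-tier VMs (assumption)
ADMIN_SOURCE_IPS = {"10.10.0.5", "10.10.0.6"}                                # jump hosts (assumption)
VM_BIRTH_EVENTS = {"VmCreatedEvent", "VmClonedEvent", "VmRegisteredEvent", "VmBeingDeployedEvent"}
SNAPSHOT_TASK = "VirtualMachine.createSnapshot"   # task descriptionId for snapshot creation (assumption)


def analyze(events):
    """Return (rule, userName, subject) alerts for a batch of vCenter events."""
    alerts = []
    last_login_ip = {}   # userName -> source IP of that user's most recent vCenter session
    for e in sorted(events, key=lambda ev: ev["createdTime"]):
        user, etype = e["userName"], e["eventTypeId"]
        if etype == "UserLoginSessionEvent":
            last_login_ip[user] = e["ipAddress"]
            if e["ipAddress"] not in ADMIN_SOURCE_IPS:
                alerts.append(("login-from-atypical-source", user, e["ipAddress"]))
            continue
        vm = e.get("vm", {}).get("name")
        if etype in VM_BIRTH_EVENTS:
            # A VM appearing outside the approved inventory is the "rogue VM" signal.
            if vm not in APPROVED_INVENTORY:
                alerts.append(("vm-not-in-approved-inventory", user, vm))
            # No recorded session, or one from outside the jump hosts, is equally suspicious.
            if last_login_ip.get(user) not in ADMIN_SOURCE_IPS:
                alerts.append(("vm-created-by-atypical-session", user, vm))
        elif etype == "TaskEvent" and e.get("info", {}).get("descriptionId") == SNAPSHOT_TASK:
            # Snapshots of identity-tier VMs are the offline-credential-extraction signal.
            if vm in TIER0_VMS:
                alerts.append(("snapshot-of-tier0-vm", user, vm))
    return alerts


# Constructed sample: a backup service account logs in from a non-jump host, snapshots a domain
# controller and creates an unlisted VM; a named administrator does routine work from a jump host.
SAMPLE_EVENTS = [
    {"createdTime": "2025-05-10T02:01:00Z", "eventTypeId": "UserLoginSessionEvent",
     "userName": "VSPHERE.LOCAL\\svc-backup", "ipAddress": "10.20.5.17"},
    {"createdTime": "2025-05-10T02:04:30Z", "eventTypeId": "TaskEvent",
     "userName": "VSPHERE.LOCAL\\svc-backup", "vm": {"name": "dc01"},
     "info": {"descriptionId": "VirtualMachine.createSnapshot"}},
    {"createdTime": "2025-05-10T02:20:00Z", "eventTypeId": "VmCreatedEvent",
     "userName": "VSPHERE.LOCAL\\svc-backup", "vm": {"name": "vmware-tools-svc"}},
    {"createdTime": "2025-05-10T09:00:00Z", "eventTypeId": "UserLoginSessionEvent",
     "userName": "CORP\\adm_jdoe", "ipAddress": "10.10.0.5"},
    {"createdTime": "2025-05-10T09:05:00Z", "eventTypeId": "VmClonedEvent",
     "userName": "CORP\\adm_jdoe", "vm": {"name": "app-web01"}},
]

if __name__ == "__main__":
    for rule, user, subject in analyze(SAMPLE_EVENTS):
        print(f"{rule}: {user} -> {subject}")
```

Two points matter when turning this into a production rule. The inventory and jump‑host sets must be maintained from an authoritative source (CMDB, change records), or the "rogue VM" check degrades into an alert for every legitimate deployment; and vCenter and ESXi appliances are frequently left out of SIEM forwarding, so the first step is simply to get these events, together with the appliances' authentication and shell logs, off the management plane and into a store the attacker cannot edit.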
