SparTech Software CyberPulse – Your quick strike cyber update for December 25, 2025 4:05 PM

State-Backed BRICKSTORM Malware Targets Virtualized Infrastructure At Scale

A coordinated advisory from multiple national cybersecurity agencies has detailed extensive use of the BRICKSTORM backdoor by state-sponsored actors against VMware vSphere and Windows environments, with evidence of long-term persistence and covert data theft. This update also covers the rapid mass exploitation by follow-on actors that began once a critical vulnerability affecting the same environments was publicly disclosed.

Campaign Overview And Strategic Objectives

The BRICKSTORM campaign is attributed to Chinese state-backed threat actors focusing on public sector organizations, critical infrastructure operators, and IT service providers. The strategic objective appears to be the establishment of durable, low-noise access to virtualized infrastructure for espionage, preparation of the battlespace, and potential disruptive operations.

Unlike opportunistic ransomware groups, the operators have shown patience and discipline, maintaining covert access for over a year in some environments before discovery. This long dwell time allows for methodical credential harvesting, network mapping, and selective data exfiltration without triggering volumetric detection thresholds.

Technical Architecture Of The BRICKSTORM Backdoor

BRICKSTORM is implemented as a modular backdoor: an initial loader delivers the core implant, which can load auxiliary plugins for credential theft, lateral movement, and manipulation of VM snapshots and clones. Variants exist for the VMware vCenter Server and ESXi appliances and for Windows hosts, so the operators can straddle the hypervisor management plane and the guest workloads it hosts.

Command-and-control traffic is wrapped in nested layers of TLS, and the implant resolves its C2 domains through DNS-over-HTTPS (DoH) rather than through the organization's own resolvers, so the lookups never appear in internal DNS logs and the sessions blend in with legitimate encrypted web traffic. This gives operators a covert, resilient channel that traditional DNS monitoring and content inspection do not see, and it complicates network-level containment.

Abuse Of Virtualization Features For Stealth And Persistence

One of the most damaging techniques is the operators' abuse of VM snapshots and clones. Rather than dumping credentials on a live system, they snapshot or clone high-value guests such as domain controllers and copy the resulting disk images out, then extract credential material (for example the Active Directory database), configuration data, and sensitive application content offline, without maintaining noisy, continuous access to production systems.

The operators also provision hidden rogue virtual machines on compromised vSphere clusters. These rogue VMs serve as pivot points and staging environments and can operate outside normal administrative awareness wherever inventory, logging, and configuration management are weak. Because they live at the hypervisor layer they survive guest-level remediation, and a VM that has been unregistered from inventory while its files remain on a datastore can be re-registered later unless the datastores themselves are audited.

Initial Access Vectors And Post-Exploitation Tactics

Initial access appears to rely on a mix of exposed management interfaces, compromised administrator credentials, and exploitation of vulnerabilities in virtualization management components and related infrastructure. Once a foothold is established, BRICKSTORM operators prioritize access to vCenter and Windows domain controllers, enabling rapid privilege escalation across both the virtual infrastructure and identity plane.

Post-exploitation, the operators deploy plugins for credential dumping, Kerberos abuse, and discovery of interconnects between on-premises environments and cloud workloads. Lateral movement paths then extend from management networks to production workloads, often taking advantage of insufficient network segmentation between DMZ, management, and internal segments.

Command And Control Using DNS-Over-HTTPS

The campaign makes extensive use of DNS-over-HTTPS (DoH) in its command-and-control. By resolving C2 domains through HTTPS requests to public DoH resolvers instead of the organization's DNS servers, BRICKSTORM sidesteps controls that rely on traditional DNS logging, sinkholing, and filtering.

The backdoor rotates its C2 domains and infrastructure and layers additional encryption inside the outer TLS session, which defeats pattern-based detection of the channel itself. This also complicates incident response, as analysts must distinguish malicious DoH use from legitimate browser and application traffic that increasingly adopts the same protocol.
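The practical consequence of the two preceding sections is that the evidence lives in TLS metadata, not in DNS logs. The script below is an added example, not code from the advisory or from any vendor: it reads constructed Zeek-style ssl.log records, flags TLS sessions from the virtualization management subnet to well-known public DoH resolvers (an ESXi host or vCenter appliance has no business contacting them), checks whether those sessions recur at a fixed interval, and separately lists every management-host egress destination that is not on an expected allowlist. The management subnet, the allowlist, the log field layout and all log lines are assumptions constructed for the example.

```python
"""Spot DoH use and unexpected egress from a vSphere management subnet.

Added example; the inputs are constructed and the field layout is a
subset of Zeek's ssl.log (ts, uid, src, sport, dst, dport, server_name).
"""
import ipaddress
from collections import defaultdict

MGMT_NET = ipaddress.ip_network("10.20.0.0/24")          # assumed vSphere management subnet
EXPECTED_EGRESS_SNI = {"updates.example.net"}            # assumed allowlist of vendor endpoints

# Public DoH resolvers by SNI and by IP (IP-based DoH carries no SNI at all).
DOH_SNI = {"dns.google", "cloudflare-dns.com", "mozilla.cloudflare-dns.com", "dns.quad9.net"}
DOH_IPS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9", "149.112.112.112"}

# Constructed sample log. 10.20.0.15 is an ESXi host, 10.20.0.30 the vCenter
# appliance, 192.168.5.77 a user workstation whose browser legitimately uses DoH.
SSL_LOG = """\
1733400001.10\tC1\t10.20.0.15\t51822\t8.8.8.8\t443\tdns.google
1733400031.12\tC2\t10.20.0.15\t51901\t8.8.8.8\t443\tdns.google
1733400061.09\tC3\t10.20.0.15\t52010\t8.8.8.8\t443\tdns.google
1733400091.11\tC4\t10.20.0.15\t52155\t8.8.8.8\t443\tdns.google
1733400100.50\tC5\t10.20.0.15\t52201\t203.0.113.44\t443\t-
1733400120.00\tC6\t10.20.0.30\t60112\t198.51.100.7\t443\tupdates.example.net
1733400130.00\tC7\t192.168.5.77\t40001\t1.1.1.1\t443\tcloudflare-dns.com
1733400180.00\tC8\t10.20.0.15\t52300\t1.1.1.1\t443\t-
"""


def parse_ssl_log(text):
    """Parse tab-separated ssl.log lines into dicts; '-' means no SNI was sent."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, uid, src, sport, dst, dport, sni = line.split("\t")
        records.append({"ts": float(ts), "uid": uid, "src": src, "dst": dst,
                        "dport": int(dport), "sni": None if sni == "-" else sni})
    return records


def is_doh_destination(rec):
    """True when the TLS session terminates at a known public DoH resolver."""
    return rec["dport"] == 443 and (rec["sni"] in DOH_SNI or rec["dst"] in DOH_IPS)


def find_doh_from_mgmt(records, max_jitter=5.0):
    """DoH sessions sourced from MGMT_NET, grouped per (src, dst) with a beacon check.

    A pair is 'beacon_like' when it has at least three sessions whose gaps vary
    by no more than max_jitter seconds, i.e. a timer rather than a human.
    """
    sessions = defaultdict(list)
    for rec in records:
        if ipaddress.ip_address(rec["src"]) in MGMT_NET and is_doh_destination(rec):
            sessions[(rec["src"], rec["dst"])].append(rec["ts"])
    findings = []
    for (src, dst), stamps in sorted(sessions.items()):
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        beacon = len(gaps) >= 2 and (max(gaps) - min(gaps)) <= max_jitter
        findings.append({"src": src, "dst": dst, "sessions": len(stamps),
                         "beacon_like": beacon,
                         "mean_gap_s": round(sum(gaps) / len(gaps), 1) if gaps else None})
    return findings


def find_unexpected_egress(records):
    """Every (src, dst, sni) from MGMT_NET that is not on the egress allowlist."""
    seen = set()
    for rec in records:
        if ipaddress.ip_address(rec["src"]) not in MGMT_NET:
            continue
        if rec["sni"] in EXPECTED_EGRESS_SNI:
            continue
        seen.add((rec["src"], rec["dst"], rec["sni"] or "-"))
    return sorted(seen)


if __name__ == "__main__":
    recs = parse_ssl_log(SSL_LOG)
    for f in find_doh_from_mgmt(recs):
        print("DoH from management host:", f)
    for hit in find_unexpected_egress(recs):
        print("Unexpected egress:", hit)
```

The workstation's DoH session is deliberately not reported: blocking DoH wholesale breaks browsers, whereas a management-subnet source is the discriminating signal. The no-SNI session to 203.0.113.44 is not a DoH hit but still surfaces in the egress list, which is where a nested-TLS C2 session would land.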

Evidence Of Long-Term Embedded Access

Forensic investigations have revealed cases in which operators maintained access from early 2024 through late 2025, indicating that defensive visibility into virtualization control planes remains substantially weaker than in traditional server environments. During this period, attackers periodically refreshed implants, rotated infrastructure, and updated payloads to align with their evolving objectives.

The quiet nature of the operations suggests heavy reliance on abusing existing administrative tools and APIs rather than dropping noisy binaries. Activity such as snapshot creation, VM cloning, and configuration changes was blended with normal operations, exploiting organizations’ lack of granular baselining of administrative behavior on virtualization platforms.

Rapid Mass Exploitation After Public Disclosure

Within hours of public disclosure of a critical vulnerability associated with the environments targeted by BRICKSTORM operators, additional China-linked groups began wide-scale exploitation attempts. These follow-on actors, including criminal or semi-independent clusters, quickly deployed cryptocurrency miners, secondary backdoors, and credential harvesters into newly compromised cloud and virtualized environments.

The speed of this exploitation cycle illustrates how quickly proof-of-concept code and technical advisories can be operationalized across diverse threat groups. It further underscores that patch management windows measured in days are insufficient once a high-impact vulnerability affecting internet-exposed management or control surfaces becomes public.

Cloud Environment Exposure And Lateral Risk

Analysis of affected organizations indicates that a large fraction of cloud environments contained instances vulnerable to the same flaws targeted by BRICKSTORM and its follow-on exploiters. This created a pathway for threat actors to traverse from on-premises VMware and Windows infrastructures into cloud control planes and workload instances.

In cloud contexts, attackers focused on harvesting secrets from environment variables, instance metadata services, and orchestration manifests. These artifacts often contained credentials for databases, APIs, and other cloud-native services, allowing cascading compromise far beyond the initially affected virtual machines.

Detection Engineering And Defensive Priorities

Defenders are prioritizing the deployment of updated indicators of compromise, YARA signatures, and behavioral analytics targeting BRICKSTORM’s specific techniques, including anomalous use of DoH, suspicious snapshot operations, and creation of untracked virtual machines. Emphasis is also being placed on monitoring administrative actions on vCenter, ESXi hosts, and associated management networks with the same rigor traditionally applied to domain controllers and critical application servers.

Network defenders are being advised to block or tightly control unauthorized DoH endpoints, enforce least-privilege administration for virtualization platforms, and segment virtualization management networks away from user, server, and DMZ segments. Comprehensive audits of VM inventory, snapshots, templates, and the datastores behind them are becoming a core step in incident response to uncover hidden rogue resources created by BRICKSTORM or copycat campaigns.
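The snapshot and rogue-VM tradecraft described earlier, and the audit and baselining that these two sections call for, come down to reconciling four sources that most organizations never compare: the CMDB, the vCenter inventory, what is actually sitting on the datastores, and the vCenter event history. The script below is an added example, not from the advisory or any vendor tool. All four inputs are constructed for the example; the event export format is JSON lines with a small assumed field set, and the vSphere event and task identifiers it matches on (VmCreatedEvent, VmClonedEvent, VmRegisteredEvent, VmRemovedEvent, TaskEvent with VirtualMachine.createSnapshot) must be mapped onto your real export, as must the approved administrator accounts and the change window.

```python
"""Reconcile vSphere inventory, datastores and events to find rogue VMs and
off-baseline administrative actions.  Added example with constructed inputs.
"""
import json
from datetime import datetime, timezone

# --- constructed inputs (assumptions for the example) ------------------------
CMDB_VMS = {"dc01", "dc02", "app-web01", "app-db01", "vcsa-backup"}
SENSITIVE_VMS = {"dc01", "dc02"}                      # domain controllers: a clone yields the AD database
APPROVED_VM_ADMINS = {"CORP\\vadmin01", "CORP\\vadmin02"}
CHANGE_WINDOW_UTC = (8, 18)                           # VM lifecycle changes expected 08:00-18:00 UTC

INVENTORY = {                                         # vm name -> vmx path as vCenter reports it
    "dc01": "[ds01] dc01/dc01.vmx",
    "dc02": "[ds01] dc02/dc02.vmx",
    "app-web01": "[ds02] app-web01/app-web01.vmx",
    "app-db01": "[ds02] app-db01/app-db01.vmx",
    "vcsa-backup": "[ds01] vcsa-backup/vcsa-backup.vmx",
    "vmware-tools-update": "[ds02] .vmware-tools-update/vmware-tools-update.vmx",
}
DATASTORE_VMX = list(INVENTORY.values()) + ["[ds02] dc01-clone/dc01-clone.vmx"]

# Raw string so the JSON keeps its "\\" escapes for the DOMAIN\user form.
EVENTS_JSONL = r"""
{"ts": "2025-11-02T03:14:00Z", "user": "VSPHERE.LOCAL\\svc-backup", "type": "VmClonedEvent", "vm": "dc01", "target": "dc01-clone"}
{"ts": "2025-11-02T03:40:00Z", "user": "VSPHERE.LOCAL\\svc-backup", "type": "VmRemovedEvent", "vm": "dc01-clone"}
{"ts": "2025-11-02T03:52:00Z", "user": "VSPHERE.LOCAL\\svc-backup", "type": "VmCreatedEvent", "vm": "vmware-tools-update"}
{"ts": "2025-11-03T10:05:00Z", "user": "CORP\\vadmin01", "type": "TaskEvent", "task": "VirtualMachine.createSnapshot", "vm": "app-web01"}
"""

LIFECYCLE_TYPES = {"VmCreatedEvent", "VmClonedEvent", "VmRegisteredEvent", "VmRemovedEvent", "TaskEvent"}


def load_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def untracked_vms(inventory, cmdb):
    """VMs registered in vCenter that the CMDB has never heard of."""
    return sorted(set(inventory) - cmdb)


def unregistered_vmx(datastore_vmx, inventory):
    """VM files on disk with no registered VM: unregistered clones or parked rogue VMs."""
    registered = set(inventory.values())
    return sorted(path for path in datastore_vmx if path not in registered)


def is_copy_event(event):
    return event["type"] == "VmClonedEvent" or (
        event["type"] == "TaskEvent" and event.get("task") == "VirtualMachine.createSnapshot")


def sensitive_vm_copies(events, sensitive):
    """Clones or snapshots of sensitive guests, who did them, and when."""
    return [(e["ts"], e["user"], e["vm"], e["type"])
            for e in events if is_copy_event(e) and e["vm"] in sensitive]


def off_baseline_actions(events, approved, window):
    """Lifecycle changes by unapproved accounts or outside the change window."""
    hits = []
    for e in events:
        if e["type"] not in LIFECYCLE_TYPES:
            continue
        when = datetime.fromisoformat(e["ts"].replace("Z", "+00:00")).astimezone(timezone.utc)
        reasons = []
        if e["user"] not in approved:
            reasons.append("unapproved-account")
        if not (window[0] <= when.hour < window[1]):
            reasons.append("outside-change-window")
        if reasons:
            hits.append((e["ts"], e["user"], e["type"], e["vm"], reasons))
    return hits


def audit(inventory, cmdb, datastore_vmx, events):
    return {
        "untracked_vms": untracked_vms(inventory, cmdb),
        "unregistered_vmx": unregistered_vmx(datastore_vmx, inventory),
        "sensitive_vm_copies": sensitive_vm_copies(events, SENSITIVE_VMS),
        "off_baseline_actions": off_baseline_actions(events, APPROVED_VM_ADMINS, CHANGE_WINDOW_UTC),
    }


if __name__ == "__main__":
    for key, value in audit(INVENTORY, CMDB_VMS, DATASTORE_VMX, load_events(EVENTS_JSONL)).items():
        print(f"{key}:")
        for item in value:
            print("  ", item)
```

Note the sequence the constructed events tell: a service account clones a domain controller at 03:14, unregisters the clone 26 minutes later so it vanishes from inventory, then creates a VM with a name designed to look like housekeeping. Only the datastore scan still shows the clone's files, which is why the audit must go below the inventory view that vCenter presents.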
