Malware BRICKSTORM: Chinese State Hackers Target VMware Systems
- Dec 7, 2025
Key Findings:
- Cybersecurity agencies in the US and Canada have issued an alert about a new malware called BRICKSTORM, believed to be used by state-sponsored hackers from China.
- BRICKSTORM is a backdoor that gives attackers stealthy access to and control over targeted systems, primarily focusing on VMware vSphere platforms.
- The hackers have been observed targeting organizations in the Government Services, Facilities, and Information Technology sectors.
- The malware uses advanced techniques like multi-layer encryption and self-reinstallation to stay undetected for extended periods, sometimes over a year.
Background
BRICKSTORM is a new cybersecurity threat that has been causing concern among major security agencies in the US and Canada. The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Canadian Centre for Cyber Security (Cyber Centre) have issued a joint alert about this malware, which is believed to be used by state-sponsored hackers from the People's Republic of China (PRC).
Targeting the Virtualization Layer
According to the experts' analysis, what makes BRICKSTORM particularly alarming is that it targets the virtualization layer, specifically VMware vSphere, rather than individual operating systems or applications. By compromising the management console (vCenter), the attackers gain broad visibility into and control over the entire virtual infrastructure, bypassing many traditional endpoint defenses, since security agents running inside the guest VMs have no view of the management plane beneath them.
Sophisticated Techniques for Persistence and Stealth
BRICKSTORM employs advanced techniques to ensure its persistence and stealthy operation. The malware wraps its communication with the hackers' command-and-control (C2) servers in multiple layers of encryption, making the traffic extremely difficult to detect. Additionally, it has a built-in function to automatically reinstall itself if it is interrupted, ensuring its continued presence on the compromised systems even after a partial cleanup.
Prolonged Presence and Targeted Sectors
The agencies have observed BRICKSTORM activity lasting from April 2024 to at least September 2025, demonstrating the hackers' ability to maintain persistent access to the targeted systems for well over a year. The primary focus of these attacks has been on organizations in the Government Services, Facilities, and Information Technology sectors, which are considered critical infrastructure.
Call for Vigilance and Immediate Action
The security agencies are urging all potentially affected organizations to use the newly released indicators of compromise (IOCs) and detection signatures to check their systems for any signs of BRICKSTORM activity. They also emphasize the importance of promptly reporting any detected incidents to aid in the ongoing investigation and mitigation efforts.
Sources
https://hackread.com/chinese-state-hackers-brickstorm-vmware-systems/
https://x.com/HackRead/status/1997295589831381069
https://www.govinfosecurity.com/brickstorm-malware-hits-us-critical-systems-cisa-warns-a-30195
https://www.instagram.com/p/DR4FULTD8L8/