Mirror Review
December 05, 2025
CISA, known for tracking nation-state cyber threats across critical infrastructure, has issued an urgent warning after discovering that the BRICKSTORM Malware, used by People’s Republic of China (PRC) state-sponsored actors, can survive cleanup attempts by reinstalling itself.
The agency says attackers quietly lived inside government and IT networks for 17 months, using BRICKSTORM as a self-healing backdoor that keeps coming back even after defenders try to shut it down.
With this disclosure, BRICKSTORM is no longer just another espionage tool. It represents a rare class of malware designed to outlast cyber defenders, not just evade them.
Why BRICKSTORM Malware Matters Right Now
CISA, NSA, and Canada’s Cyber Centre jointly confirmed that BRICKSTORM targets VMware vSphere, vCenter servers, and ESXi hosts, which are platforms organizations use to run and manage virtual machines. These are like digital versions of computers that run inside a physical server. It has also been found inside Windows environments.
Across victims, attackers used the malware to:
- Clone virtual machines (duplicate entire digital systems)
- Steal credentials
- Create hidden rogue VMs (secret virtual computers inside a server)
- Tunnel deeper into internal servers
- Exfiltrate files covertly
- Operate over encrypted channels like DNS-over-HTTPS (DoH), which hides website lookups inside encrypted traffic, and WebSockets, a method that allows continuous, real-time communication
One victim’s environment showed uninterrupted BRICKSTORM activity from April 2024 to September 2025, proving how deeply the malware embeds itself.
How BRICKSTORM Malware Works Behind the Scenes
1. It Installs Once but Acts Like It Never Leaves
At execution, BRICKSTORM checks whether a parent process is running. If not, it:
- Copies itself to new locations
- Alters PATH variables, which are system settings that tell a computer where to look for important files
- Relaunches itself in a child process
- Terminates the original copy
This makes the malware appear “dead” while a new version quietly runs elsewhere.
2. It Watches Itself Like a Cyber Bodyguard
BRICKSTORM contains a built-in self-watcher function. If the malware crashes, is renamed, or is stopped, it automatically:
- Reinstalls itself
- Resets its environment variables
- Restarts its command-and-control routines
This creates persistent, autonomous survival inside VMware environments.
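A host-side hunt for the copy, relaunch and terminate behaviour described in sections 1 and 2, written here as an added example (it is not code from CISA's advisory or from the malware analysis). It runs over a constructed process-table snapshot and flags executables running from configuration directories, PATH entries pointing outside standard locations, and orphaned processes showing either sign; the placeholder path and PIDs are invented, not indicators.

```python
# Added example (not from the advisory): hunt for the copy-relaunch-terminate
# pattern in a process snapshot. The records are constructed to mimic /proc
# data; a real hunt would read /proc/<pid>/{exe,environ,status} or use psutil.
from dataclasses import dataclass

# Where a running executable is expected to live on a Linux host.
STANDARD_BIN_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/local/bin",
                     "/usr/local/sbin", "/usr/lib", "/usr/libexec", "/opt")
# Configuration trees that should never host a running binary (the advisory
# names /etc/sysconfig/ as the install location).
CONFIG_DIRS = ("/etc",)

@dataclass
class Proc:
    pid: int
    ppid: int
    exe: str               # resolved path of the running executable
    path_env: str          # PATH from the process environment
    deleted: bool = False  # True when /proc/<pid>/exe reports "(deleted)"

def _under(path, roots):
    return any(path == r or path.startswith(r + "/") for r in roots)

def hunt(procs):
    """Return {pid: [reasons]} for processes that match the respawn pattern."""
    findings = {}
    for p in procs:
        reasons = []
        if _under(p.exe, CONFIG_DIRS):
            reasons.append("executable running from config directory " + p.exe)
        if p.deleted:
            reasons.append("on-disk executable removed while process still runs")
        odd = [d for d in p.path_env.split(":") if d and not _under(d, STANDARD_BIN_DIRS)]
        if odd:
            reasons.append("PATH altered to include " + ",".join(odd))
        # A child whose parent terminated is re-parented to PID 1. Daemons do
        # this legitimately, so only report it alongside another indicator.
        if p.ppid == 1 and reasons:
            reasons.append("orphaned (ppid 1): original parent exited after relaunch")
        if reasons:
            findings[p.pid] = reasons
    return findings

# Constructed snapshot: pid 4242 mimics the relaunched copy (placeholder path, not a real indicator).
SAMPLE_PROCS = [
    Proc(1, 0, "/usr/lib/systemd/systemd", "/usr/sbin:/usr/bin:/sbin:/bin"),
    Proc(812, 1, "/usr/sbin/sshd", "/usr/sbin:/usr/bin:/sbin:/bin"),
    Proc(4242, 1, "/etc/sysconfig/.cache/svc", "/etc/sysconfig/.cache:/usr/bin:/bin", True),
]
```

Calling hunt(SAMPLE_PROCS) reports only pid 4242, with all four reasons; sshd, which is also re-parented to PID 1, is not flagged on its own.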
3. It Uses Legitimate Cloud Services to Hide
The BRICKSTORM malware hides inside encrypted channels by blending into:
- DNS-over-HTTPS (DoH) using Cloudflare, Google, or Quad9
- Standard HTTPS and WebSockets with layered encryption
- Local web servers it creates to mimic normal network activity
To defenders, this traffic resembles normal cloud operations.
4. It Gives Attackers Full Remote Control
Once active, BRICKSTORM provides:
- Interactive shell access (command-line control over the system)
- File browsing, creation, deletion, and renaming
- SOCKS proxy tunneling, which lets attackers secretly route their traffic through another system for movement inside the network
- VSOCK communication, a channel virtual machines use to talk to each other inside the same server
- API endpoints for remote file operations
In simple terms, attackers can run the system like an invisible administrator.
How the Intrusion Happened
Attackers entered through:
- A web shell, which is a small malicious script placed on a server to control it remotely
- Stolen or misused service account credentials
- Lateral movement via RDP, a remote desktop tool used to access computers, and SMB, a Windows file-sharing protocol
- Access to domain controllers
- Compromise of an ADFS server, a Microsoft authentication system used for login and identity management
- Privilege escalation inside vCenter
- Installation of BRICKSTORM in /etc/sysconfig/
By the time defenders noticed anything unusual, attackers had already exported cryptographic keys, cloned VM snapshots, and built rogue virtual machines for stealth.
What This Means for Governments and IT Providers
1. A Malware Built for Longevity, Not Speed
Most backdoors are built for immediate access. BRICKSTORM Malware, by contrast, was engineered for long-term, low-noise infiltration, pointing to intelligence-gathering objectives rather than ransomware-style monetary gain.
2. A Shift in State-Sponsored Tactics
The use of:
- Reinfection logic
- Multiplexed WebSocket tunnels, which carry multiple hidden data streams through one encrypted connection
- VM-specific VSOCK communication
indicates a pivot toward hypervisor-level espionage, where attackers want control beneath the operating system layer.
3. Why VMware Is the New Battleground
Public-sector and enterprise environments rely heavily on vCenter. CISA warns that a compromise here gives attackers:
- The keys to all virtual machines
- Snapshot access to domain controllers
- Credential extraction across the network
This centralization makes vSphere a high-value target.
Rumors, Industry Reactions, and Security Community Concerns
Some analysts speculate that BRICKSTORM Malware may have been active years before the earliest confirmed date. Others believe there are mobile or Linux variants not yet disclosed.
Critics also raised questions like:
- Why did detection take 17 months?
- Are organizations too reliant on endpoint tools that cannot inspect hypervisors?
- Did cloud providers notice abnormal DNS-over-HTTPS patterns?
Furthermore, CISA Director Jen Easterly previously emphasized the growing complexity of nation-state threats, stating: “We are seeing adversaries operate in places defenders rarely monitor. Virtual infrastructure is now a primary attack surface.”
What Organizations Should Do Now
CISA recommends:
- Upgrade VMware vSphere to the latest builds
- Block unauthorized DoH traffic
- Segregate DMZ from internal networks
- Monitor service account activity
- Disable RDP/SMB from DMZ
- Harden vCenter settings using VMware’s security guide
Google Mandiant, NVISO, and CrowdStrike have released supplemental scanners and detection signatures.
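One way to act on the "block unauthorized DoH traffic" recommendation and on the DNS-over-HTTPS channels described in section 3, as an added example that is not part of CISA's guidance or the vendors' scanners: it runs over constructed proxy log lines and reports DoH sessions to the public resolvers named in the advisory from hosts that are not approved to use them. It assumes a TLS-inspecting proxy (or decrypted logs) that records the request path and content type, a simplified log format, and a constructed approved-client address.

```python
# Added example: flag DNS-over-HTTPS traffic to public resolvers from hosts
# that are not approved to use it. Log lines are constructed in a simplified
# proxy format: "<time> <src_ip> <method> <url> <request_content_type>".
import re
from urllib.parse import urlparse

# Public DoH resolvers named in the advisory (Cloudflare, Google, Quad9),
# listed by their documented endpoint hostnames and well-known addresses.
PUBLIC_DOH_HOSTS = {"cloudflare-dns.com", "1.1.1.1", "dns.google", "8.8.8.8",
                    "dns.quad9.net", "9.9.9.9"}
# Hosts allowed to speak DoH directly, e.g. the enterprise resolver (constructed value).
APPROVED_DOH_CLIENTS = {"10.0.0.53"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<ctype>\S+)$")

def is_doh(method, url, ctype):
    """DoH per RFC 8484: a POST or ?dns= GET to a /dns-query path, or the DNS wire-format media type."""
    u = urlparse(url)
    return (ctype == "application/dns-message"
            or (u.path.endswith("/dns-query") and (method == "POST" or "dns=" in u.query)))

def find_unauthorized_doh(lines):
    """Return (src_ip, resolver_host) pairs for DoH sessions from unapproved hosts."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        host = urlparse(m["url"]).hostname or ""
        if not is_doh(m["method"], m["url"], m["ctype"]):
            continue
        if host in PUBLIC_DOH_HOSTS and m["src"] not in APPROVED_DOH_CLIENTS:
            hits.append((m["src"], host))
    return hits

# Constructed sample: one approved resolver, one ordinary HTTPS fetch, two suspicious DoH flows.
SAMPLE_LOG = """\
2025-12-01T08:00:01Z 10.0.0.53 POST https://dns.quad9.net/dns-query application/dns-message
2025-12-01T08:00:02Z 10.0.5.17 GET https://www.example.com/index.html text/html
2025-12-01T08:00:03Z 10.0.5.17 POST https://cloudflare-dns.com/dns-query application/dns-message
2025-12-01T08:00:04Z 10.0.7.9 GET https://dns.google/dns-query?dns=AAABAAABAAAAAAAAA2NvbQAAAQAB -
""".splitlines()

if __name__ == "__main__":
    for src, host in find_unauthorized_doh(SAMPLE_LOG):
        print(f"unauthorized DoH: {src} -> {host}")
```

Without TLS inspection only the resolver hostname (from SNI or DNS) is visible, so the same check would have to fall back to destination matching alone.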
Conclusion
The rise of BRICKSTORM Malware is a wake-up call for every government agency and enterprise relying on virtual environments.
This is not a typical backdoor but a self-sustaining, self-repairing infiltrator built to survive in high-security networks. The threat goes beyond malware cleanup.
It challenges how defenders monitor hypervisors, encrypted traffic, and service accounts.
As BRICKSTORM continues to outlast defenders' cleanup efforts, the real shift must begin with how organizations secure their virtualization layer.
The sooner they harden this foundation, the harder it becomes for threats like BRICKSTORM to take root again.
Maria Isabel Rodrigues