The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has disclosed technical details on BRICKSTORM, a backdoor used by China state-sponsored threat actors to gain and maintain long-term persistence on compromised systems, highlighting ongoing PRC cyber-espionage activity.
“The Cybersecurity and Infrastructure Security Agency (CISA) is aware of ongoing intrusions by People’s Republic of China (PRC) state-sponsored cyber actors using BRICKSTORM malware for long-term persistence on victim systems.” reads the report published by CISA. “BRICKSTORM is a sophisticated backdoor for VMware vSphere and Windows environments. Victim organizations are primarily in the Government Services and Facilities and Information Technology Sectors.”
CISA did not share details about the targeted agencies.
BRICKSTORM gives threat actors stealthy, persistent access and secure C2, using multiple encryption layers (HTTPS, WebSockets, nested TLS), DNS-over-HTTPS, and a SOCKS proxy for lateral movement.
“BRICKSTORM initiates by running checks and maintains persistence by using a self-watching function and automatically reinstalls or restarts if disrupted.” reads CISA’s MAR.
It includes self-monitoring to reinstall or restart if disrupted. Initial access varies. A joint CISA/NSA/Cyber Centre report analyzes this sample and seven others, showing the malware’s evolving features and high adaptability.
According to CISA, PRC state-sponsored actors use legitimate credentials taken from system backups or stolen Active Directory data, then target VMware vSphere to steal VM snapshots for credential harvesting and create hidden rogue VMs to stay undetected.
Google Threat Intelligence Group (GTIG) observed the use of the Go-based backdoor BRICKSTORM to maintain persistence in U.S. organizations since March 2025. Targets include legal, Software as a Service (SaaS) providers, Business Process Outsourcers (BPOs), and Technology firms. Mandiant linked the activity to China-nexus APT UNC5221, a group known for the exploitation of zero-days for espionage and broader access.
Google first detailed the backdoor in April 2024 when it was employed in multiple attacks that remained undetected for more than a year, on average. BRICKSTORM can act as a web server, manipulate the file system, upload/download files, execute shell commands, and perform SOCKS proxy relaying. The malware relies on WebSockets for C2 communications.
Mandiant reports BRICKSTORM intrusions often go undetected for over a year, obscuring the initial attack vector. Evidence suggests focus on exploiting perimeter and remote access systems, sometimes by exploiting zero-day vulnerabilities. The Go-based backdoor, seen on Linux and BSD appliances, enables SOCKS proxy use and lateral movement to VMware vCenter/ESXi with stolen credentials.
BRICKSTORM is actively evolving, using obfuscation, delayed beaconing, process mimicry, and rotating C2 domains via Cloudflare, Heroku, and dynamic DNS to stay hidden.
In one case detected in April 2024, attackers accessed a DMZ web server via a web shell, then moved laterally to VMware vCenter to deploy BRICKSTORM, though the initial entry point remains unclear. They stole service account credentials, used RDP to a DMZ domain controller to capture Active Directory data, and later obtained an MSP account to pivot deeper.
Using SMB, they reached jump servers and an ADFS server, exfiltrating cryptographic keys. With vCenter access, they elevated privileges and installed BRICKSTORM, which sets up a SOCKS proxy, runs a web server, executes commands, and uses VSOCK for inter-VM communication, data exfiltration, and persistence.
“At the victim organization where CISA conducted an incident response engagement, PRC state-sponsored cyber actors gained long-term persistent access to the organization’s internal network in April 2024 and uploaded BRICKSTORM malware to an internal VMware vCenter server.” continues the MAR report. “They also gained access to two domain controllers and an Active Directory Federation Services (ADFS) server. They successfully compromised the ADFS server and exported cryptographic keys. The cyber actors used BRICKSTORM for persistent access from at least April 2024 through at least Sept. 3, 2025.”
Researchers say these intrusions highlight China’s shifting tactics toward exploiting edge devices to penetrate networks and cloud environments.