CyberHappenings logo
Home Browse About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Brickstorm Malware Used in Long-Term Espionage Against U.S. Organizations

First reported
Last updated
6 unique sources, 10 articles

Summary

Hide ▲

The BRICKSTORM malware, attributed to PRC state-sponsored actors, has been used for long-term espionage against U.S. organizations, particularly in the technology, legal, SaaS, and BPO sectors. The malware, a Go-based backdoor, has been active for over a year, with an average dwell time of 393 days. It targets appliances without EDR support, such as VMware vCenter/ESXi, and uses legitimate traffic to mask its C2 communications. The attackers aim to exfiltrate emails and maintain stealth through various tactics, including removing the malware post-operation to hinder forensic investigations. The malware serves multiple functions, including web server, file manipulation, dropper, SOCKS relay, and shell command execution. The attackers use a malicious Java Servlet Filter (BRICKSTEAL) on vCenter to capture credentials and clone Windows Server VMs to extract secrets. The stolen credentials are used for lateral movement and persistence, including enabling SSH on ESXi and modifying startup scripts. The malware exfiltrates emails via Microsoft Entra ID Enterprise Apps, utilizing its SOCKS proxy to tunnel into internal systems and code repositories. UNC5221 focuses on developers, administrators, and individuals tied to China's economic and security interests. Mandiant has released a free scanner script to help defenders detect BRICKSTORM. CISA, NSA, and Cyber Centre issued a joint report on BRICKSTORM, providing IOCs, detection signatures, and recommended mitigations. The report highlights BRICKSTORM's advanced functionality to conceal communications, move laterally, and tunnel into victim networks. The malware automatically reinstalls or restarts if disrupted, and PRC actors are primarily targeting government and IT sector organizations. CISA analyzed eight BRICKSTORM samples from victim organizations and urges organizations to contact CISA if they detect BRICKSTORM or related activity. CISA warns that Chinese hackers have been backdooring VMware vSphere servers with Brickstorm malware, using multiple layers of encryption and a self-monitoring function to maintain persistence. The attackers compromised a web server in an organization's DMZ in April 2024, moved laterally to an internal VMware vCenter server, and deployed malware. They also hacked two domain controllers and exported cryptographic keys after compromising an ADFS server, maintaining access from at least April 2024 through September 2025. The attackers captured Active Directory database information and performed system backups to steal legitimate credentials and other sensitive data. CrowdStrike linked these attacks to a Chinese hacking group it tracks as Warp Panda, which also deployed previously unknown Junction and GuestConduit malware implants in VMware ESXi environments. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday released details of a backdoor named BRICKSTORM that has been put to use by state-sponsored threat actors from the People's Republic of China (PRC) to maintain long-term persistence on compromised systems. BRICKSTORM is a sophisticated backdoor for VMware vSphere and Windows environments, enabling cyber threat actors to maintain stealthy access and providing capabilities for initiation, persistence, and secure command-and-control. Written in Golang, the custom implant gives bad actors interactive shell access on the system and allows them to browse, upload, download, create, delete, and manipulate files. The malware, mainly used in attacks targeting governments and information technology (IT) sectors, also supports multiple protocols, such as HTTPS, WebSockets, and nested Transport Layer Security (TLS), for command-and-control (C2), DNS-over-HTTPS (DoH) to conceal communications and blend in with normal traffic, and can act as a SOCKS proxy to facilitate lateral movement. The cybersecurity agency did not disclose how many government agencies have been impacted or what type of data was stolen. The activity represents an ongoing tactical evolution of Chinese hacking groups, which have continued to strike edge network devices to breach networks and cloud infrastructures. In a statement shared with Reuters, a spokesperson for the Chinese embassy in Washington rejected the accusations, stating the Chinese government does not "encourage, support or connive at cyber attacks.". BRICKSTORM was first documented by Google Mandiant in 2024 in attacks linked to the zero-day exploitation of Ivanti Connect Secure zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887). The use of the malware has been attributed to two clusters tracked as UNC5221 and a new China-nexus adversary tracked by CrowdStrike as Warp Panda. Earlier this September, Mandiant and Google Threat Intelligence Group (GTIG) said they observed legal services, software-as-a-service (SaaS) providers, Business Process Outsourcers (BPOs), and technology sectors in the U.S. being targeted by UNC5221 and other closely related threat activity clusters to deliver the malware. A key feature of the malware, per CISA, is its ability to automatically reinstall or restart itself by means of a self-monitoring function that allows its continued operation in the face of any potential disruption. In one case detected in April 2024, the threat actors are said to have accessed a web server inside an organization's demilitarized zone (DMZ) using a web shell, before moving laterally to an internal VMware vCenter server and implanting BRICKSTORM. However, many details remain unknown, including the initial access vector used in the attack and when the web shell was deployed. The attackers have also been found to leverage the access to obtain service account credentials and laterally move to a domain controller in the DMZ using Remote Desktop Protocol (RDP) so as to capture Active Directory information. Over the course of the intrusion, the threat actors managed to get the credentials for a managed service provider (MSP) account, which was then used to jump from the internal domain controller to the VMware vCenter server. CISA said the actors also moved laterally from the web server using Server Message Block (SMB) to two jump servers and an Active Directory Federation Services (ADFS) server, exfiltrating cryptographic keys from the latter. The access to vCenter ultimately enabled the adversary to deploy BRICKSTORM after elevating their privileges. CrowdStrike, in its analysis of Warp Panda, said it has detected multiple intrusions targeting VMware vCenter environments at U.S.-based legal, technology, and manufacturing entities this year that have led to the deployment of BRICKSTORM. The group is believed to have been active since at least 2022. Warp Panda exhibits a high level of technical sophistication, advanced operations security (OPSEC) skills, and extensive knowledge of cloud and virtual machine (VM) environments. Warp Panda demonstrates a high level of stealth and almost certainly focuses on maintaining persistent, long-term, covert access to compromised networks. Evidence shows the hacking group gained initial access to one entity in late 2023. Also deployed in the attacks alongside BRICKSTORM are two previously undocumented Golang implants, namely Junction and GuestConduit, on ESXi hosts and guest VMs, respectively. Junction acts as an HTTP server to listen for incoming requests and supports a wide range of capabilities to execute commands, proxy network traffic, and interact with guest VMs through VM sockets (VSOCK). GuestConduit, on the other hand, is a network traffic-tunneling implant that resides within a guest VM and establishes a VSOCK listener on port 5555. Its primary responsibility is to facilitate communication between guest VMs and hypervisors. Initial access methods involve the exploitation of internet-facing edge devices to pivot to vCenter environments, either using valid credentials or abusing vCenter vulnerabilities. Lateral movement is achieved by using SSH and the privileged vCenter management account "vpxuser." The hacking crew has also used the Secure File Transfer Protocol (SFTP) to move data between hosts. Some of the exploited vulnerabilities are listed below - CVE-2024-21887 (Ivanti Connect Secure), CVE-2023-46805 (Ivanti Connect Secure), CVE-2024-38812 (VMware vCenter), CVE-2023-34048 (VMware vCenter), CVE-2021-22005 (VMware vCenter), CVE-2023-46747 (F5 BIG-IP). The entire modus operandi revolves around maintaining stealth by clearing logs, timestomping files, and creating rogue VMs that are shut down after use. BRICKSTORM, masquerading as benign vCenter processes, is employed to tunnel traffic through vCenter servers, ESXi hosts, and guest VMs. Similar to details shared by CISA, CrowdStrike noted that the attackers used their access to vCenter servers to clone domain controller VMs, possibly in a bid to harvest the Active Directory Domain Services database. The threat actors have also been spotted accessing the email accounts of employees who work in areas that align with Chinese government interests. Warp Panda likely used their access to one of the compromised networks to engage in rudimentary reconnaissance against an Asia Pacific government entity. They also connected to various cybersecurity blogs and a Mandarin-language GitHub repository. Another significant aspect of Warp Panda's activities is their focus on establishing persistence in cloud environments and accessing sensitive data. Characterizing it as a "cloud-conscious adversary," CrowdStrike said the attackers exploited their access to entities' Microsoft Azure environments to access data stored in OneDrive, SharePoint, and Exchange. In at least one incident, the hackers managed to get hold of user session tokens, likely by exfiltrating user browser files and tunneled traffic through BRICKSTORM implants to access Microsoft 365 services via a session replay attack and download SharePoint files related to the organization's network engineering and incident response teams. The attackers have also engaged in additional ways to set up persistence, such as by registering a new multi-factor authentication (MFA) device through an Authenticator app code after initially logging into a user account. In another intrusion, the Microsoft Graph API was used to enumerate service principals, applications, users, directory roles, and emails. The adversary primarily targets entities in North America and consistently maintains persistent, covert access to compromised networks, likely to support intelligence-collection efforts aligned with PRC strategic interests.

Timeline

  1. 24.09.2025 17:00 10 articles · 2mo ago

    Brickstorm Malware Used in Long-Term Espionage Against U.S. Organizations

    CISA, NSA, and Cyber Centre issued a joint report on BRICKSTORM malware, providing IOCs, detection signatures, and recommended mitigations. The report highlights BRICKSTORM's advanced functionality to conceal communications, move laterally, and tunnel into victim networks. The malware automatically reinstalls or restarts if disrupted, and PRC actors are primarily targeting government and IT sector organizations. CISA analyzed eight BRICKSTORM samples from victim organizations and urges organizations to contact CISA if they detect BRICKSTORM or related activity. CISA warns that Chinese hackers have been backdooring VMware vSphere servers with Brickstorm malware, using multiple layers of encryption and a self-monitoring function to maintain persistence. The attackers compromised a web server in an organization's DMZ in April 2024, moved laterally to an internal VMware vCenter server, and deployed malware. They also hacked two domain controllers and exported cryptographic keys, maintaining access from at least April 2024 through September 2025. The attackers captured Active Directory database information and performed system backups to steal legitimate credentials and other sensitive data. CrowdStrike linked these attacks to a Chinese hacking group it tracks as Warp Panda, which also deployed previously unknown Junction and GuestConduit malware implants in VMware ESXi environments. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday released details of a backdoor named BRICKSTORM that has been put to use by state-sponsored threat actors from the People's Republic of China (PRC) to maintain long-term persistence on compromised systems. BRICKSTORM is a sophisticated backdoor for VMware vSphere and Windows environments, enabling cyber threat actors to maintain stealthy access and providing capabilities for initiation, persistence, and secure command-and-control. Written in Golang, the custom implant gives bad actors interactive shell access on the system and allows them to browse, upload, download, create, delete, and manipulate files. The malware, mainly used in attacks targeting governments and information technology (IT) sectors, also supports multiple protocols, such as HTTPS, WebSockets, and nested Transport Layer Security (TLS), for command-and-control (C2), DNS-over-HTTPS (DoH) to conceal communications and blend in with normal traffic, and can act as a SOCKS proxy to facilitate lateral movement. The cybersecurity agency did not disclose how many government agencies have been impacted or what type of data was stolen. The activity represents an ongoing tactical evolution of Chinese hacking groups, which have continued to strike edge network devices to breach networks and cloud infrastructures. In a statement shared with Reuters, a spokesperson for the Chinese embassy in Washington rejected the accusations, stating the Chinese government does not "encourage, support or connive at cyber attacks.". BRICKSTORM was first documented by Google Mandiant in 2024 in attacks linked to the zero-day exploitation of Ivanti Connect Secure zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887). The use of the malware has been attributed to two clusters tracked as UNC5221 and a new China-nexus adversary tracked by CrowdStrike as Warp Panda. Earlier this September, Mandiant and Google Threat Intelligence Group (GTIG) said they observed legal services, software-as-a-service (SaaS) providers, Business Process Outsourcers (BPOs), and technology sectors in the U.S. being targeted by UNC5221 and other closely related threat activity clusters to deliver the malware. A key feature of the malware, per CISA, is its ability to automatically reinstall or restart itself by means of a self-monitoring function that allows its continued operation in the face of any potential disruption. In one case detected in April 2024, the threat actors are said to have accessed a web server inside an organization's demilitarized zone (DMZ) using a web shell, before moving laterally to an internal VMware vCenter server and implanting BRICKSTORM. However, many details remain unknown, including the initial access vector used in the attack and when the web shell was deployed. The attackers have also been found to leverage the access to obtain service account credentials and laterally move to a domain controller in the DMZ using Remote Desktop Protocol (RDP) so as to capture Active Directory information. Over the course of the intrusion, the threat actors managed to get the credentials for a managed service provider (MSP) account, which was then used to jump from the internal domain controller to the VMware vCenter server. CISA said the actors also moved laterally from the web server using Server Message Block (SMB) to two jump servers and an Active Directory Federation Services (ADFS) server, exfiltrating cryptographic keys from the latter. The access to vCenter ultimately enabled the adversary to deploy BRICKSTORM after elevating their privileges. CrowdStrike, in its analysis of Warp Panda, said it has detected multiple intrusions targeting VMware vCenter environments at U.S.-based legal, technology, and manufacturing entities this year that have led to the deployment of BRICKSTORM. The group is believed to have been active since at least 2022. Warp Panda exhibits a high level of technical sophistication, advanced operations security (OPSEC) skills, and extensive knowledge of cloud and virtual machine (VM) environments. Warp Panda demonstrates a high level of stealth and almost certainly focuses on maintaining persistent, long-term, covert access to compromised networks. Evidence shows the hacking group gained initial access to one entity in late 2023. Also deployed in the attacks alongside BRICKSTORM are two previously undocumented Golang implants, namely Junction and GuestConduit, on ESXi hosts and guest VMs, respectively. Junction acts as an HTTP server to listen for incoming requests and supports a wide range of capabilities to execute commands, proxy network traffic, and interact with guest VMs through VM sockets (VSOCK). GuestConduit, on the other hand, is a network traffic-tunneling implant that resides within a guest VM and establishes a VSOCK listener on port 5555. Its primary responsibility is to facilitate communication between guest VMs and hypervisors. Initial access methods involve the exploitation of internet-facing edge devices to pivot to vCenter environments, either using valid credentials or abusing vCenter vulnerabilities. Lateral movement is achieved by using SSH and the privileged vCenter management account "vpxuser." The hacking crew has also used the Secure File Transfer Protocol (SFTP) to move data between hosts. Some of the exploited vulnerabilities are listed below - CVE-2024-21887 (Ivanti Connect Secure), CVE-2023-46805 (Ivanti Connect Secure), CVE-2024-38812 (VMware vCenter), CVE-2023-34048 (VMware vCenter), CVE-2021-22005 (VMware vCenter), CVE-2023-46747 (F5 BIG-IP). The entire modus operandi revolves around maintaining stealth by clearing logs, timestomping files, and creating rogue VMs that are shut down after use. BRICKSTORM, masquerading as benign vCenter processes, is employed to tunnel traffic through vCenter servers, ESXi hosts, and guest VMs. Similar to details shared by CISA, CrowdStrike noted that the attackers used their access to vCenter servers to clone domain controller VMs, possibly in a bid to harvest the Active Directory Domain Services database. The threat actors have also been spotted accessing the email accounts of employees who work in areas that align with Chinese government interests. Warp Panda likely used their access to one of the compromised networks to engage in rudimentary reconnaissance against an Asia Pacific government entity. They also connected to various cybersecurity blogs and a Mandarin-language GitHub repository. Another significant aspect of Warp Panda's activities is their focus on establishing persistence in cloud environments and accessing sensitive data. Characterizing it as a "cloud-conscious adversary," CrowdStrike said the attackers exploited their access to entities' Microsoft Azure environments to access data stored in OneDrive, SharePoint, and Exchange. In at least one incident, the hackers managed to get hold of user session tokens, likely by exfiltrating user browser files and tunneled traffic through BRICKSTORM implants to access Microsoft 365 services via a session replay attack and download SharePoint files related to the organization's network engineering and incident response teams. The attackers have also engaged in additional ways to set up persistence, such as by registering a new multi-factor authentication (MFA) device through an Authenticator app code after initially logging into a user account. In another intrusion, the Microsoft Graph API was used to enumerate service principals, applications, users, directory roles, and emails. The adversary primarily targets entities in North America and consistently maintains persistent, covert access to compromised networks, likely to support intelligence-collection efforts aligned with PRC strategic interests.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

PlushDaemon Hijacks Software Updates in Supply-Chain Attacks

The China-linked threat actor PlushDaemon has been hijacking software update traffic using a new implant called EdgeStepper in cyberespionage operations since 2018. The group targets individuals and organizations in the U.S., China, Taiwan, Hong Kong, South Korea, New Zealand, and Cambodia, deploying custom malware like the SlowStepper backdoor. The attackers compromise routers via known vulnerabilities or weak passwords, install EdgeStepper to redirect update traffic, and deliver the LittleDaemon malware downloader. This leads to the deployment of the SlowStepper backdoor, which enables extensive system control and data theft. EdgeStepper is a Go-based network backdoor that redirects all DNS queries to a malicious hijacking node, facilitating adversary-in-the-middle (AitM) attacks. In May 2024, PlushDaemon targeted a South Korean VPN provider named IPany. The group uses an ELF file named bioset, internally called dns_cheat_v2, to forward DNS traffic to a malicious DNS node. They deploy two downloaders, LittleDaemon and DaemonLogistics, which deliver a backdoor toolkit for cyber espionage operations.

Open in new tab

Curly COMrades Exploits Hyper-V to Hide Malware in Linux VMs

Curly COMrades, a threat actor supporting Russia's geopolitical interests, has been observed abusing Microsoft's Hyper-V hypervisor in compromised Windows machines to create a hidden Alpine Linux-based virtual machine and deploy malicious payloads. This method allows the malware to run outside the host operating system's visibility, bypassing endpoint security tools. The campaign, observed in July 2025, involved the deployment of CurlyShell and CurlyCat. The threat actors configured the virtual machine to use the Default Switch network adaptor in Hyper-V to ensure that the VM's traffic travels through the host's network stack using Hyper-V's internal NAT service, causing all malicious outbound communication to appear to originate from the legitimate host machine's IP address. The attackers first used the Windows Deployment Image Servicing and Management (DISM) command-line tool to enable the Hyper-V hypervisor, while disabling its graphical management interface, Hyper-V Manager. The group then downloaded a RAR archive masquerading as an MP4 video file and extracted its contents. The archive contained two VHDX and VMCX files corresponding to a pre-built Alpine Linux VM. Lastly, the threat actors used the Import-VM and Start-VM PowerShell cmdlets to import the virtual machine into Hyper-V and launch it with the name WSL, a deception tactic meant to give the impression that the Windows Subsystem for Linux was employed. The sophistication demonstrated by Curly COMrades confirms a key trend: as EDR/XDR solutions become commodity tools, threat actors are getting better at bypassing them through tooling or techniques like VM isolation. The findings paint a picture of a threat actor that uses sophisticated methods to maintain long-term access in target networks, while leaving a minimal forensic footprint.

Open in new tab

Chinese State-Sponsored Group Exploits Windows Zero-Day in Espionage Campaign Against European Diplomats

A China-linked hacking group, UNC6384 (Mustang Panda), is exploiting a Windows zero-day vulnerability (CVE-2025-9491) to target European diplomats in Hungary, Belgium, Italy, the Netherlands, and Serbian government agencies. The campaign involves spearphishing emails with malicious LNK files to deploy the PlugX RAT and gain persistence on compromised systems. The attacks have broadened in scope to include diplomatic entities from Italy and the Netherlands. The zero-day vulnerability allows for remote code execution on targeted Windows systems, enabling the group to monitor diplomatic communications and steal sensitive data. Microsoft has not yet released a patch for this vulnerability, which has been heavily exploited by multiple state-sponsored groups and cybercrime gangs since March 2025. Microsoft has silently mitigated the vulnerability by changing LNK files in the November updates to display all characters in the Target field, not just the first 260. ACROS Security has also released an unofficial patch to limit shortcut target strings to 260 characters and warn users about potential dangers.

Open in new tab

Nation-State Actors Compromise Ribbon Communications Network

Ribbon Communications, a provider of backbone technology for communication networks, detected unauthorized access to its IT network in early September 2025. The intrusion, potentially initiated as early as December 2024, is attributed to a nation-state actor. The breach affected several customer files saved on two laptops outside the main network. Ribbon has notified impacted customers and does not expect material financial impact. The attack profile suggests Chinese involvement, consistent with known cyberespionage campaigns targeting telecommunications companies. Ribbon Communications has over 3,100 employees in 68 global offices and is working with third-party cybersecurity experts and federal law enforcement to investigate the breach. The company expects to incur additional costs in the fourth quarter of 2025 related to the breach investigation and network strengthening efforts. Ribbon's solutions are used by major telecommunications providers and critical infrastructure organizations, including the US Department of Defense and the City of Los Angeles. The company is based in Plano, Texas and specializes in communications software and IP optical networking technology for service providers and critical infrastructure organizations. The company was formed in 2017 following the merger of Sonus Networks and Genband. The attack on Ribbon follows several notable breaches of US firms, as well as telecom companies in other countries, in recent years. The most notable of these attacks were committed by Salt Typhoon, a Chinese nation-state threat group focused on cyberespionage.

Open in new tab

Herodotus Android malware evades detection with human-like typing

A new Android malware family, Herodotus, uses random typing delays to mimic human behavior and evade detection by security software. The malware is offered as a service to financially motivated cybercriminals and is currently targeting Italian and Brazilian users through SMS phishing. Herodotus bypasses Accessibility permission restrictions in Android 13 and later, allowing it to interact with the user interface and steal sensitive information. The malware includes a 'humanizer' mechanism that introduces random delays in text input to avoid detection by behavioral anti-fraud solutions. It also features a control panel for custom SMS texts, overlay pages for credential theft, and SMS stealing for two-factor authentication interception. Herodotus is spread by multiple threat actors, with seven distinct subdomains detected. The malware is under active development and targets financial organizations in the U.S., Turkey, the U.K., and Poland, along with cryptocurrency wallets and exchanges. It is designed to perform device takeover (DTO) attacks and can steal two-factor authentication (2FA) codes sent via SMS, intercept screen content, grab the lockscreen PIN or pattern, and install remote APK files.

Open in new tab