---
title: "BRICKSTORM Malware: PRC Hackers Target Government & IT Sectors"
short_title: "PRC hackers deploy BRICKSTORM malware in IT sectors"
description: "CISA warns of BRICKSTORM malware used by PRC state-sponsored actors to infiltrate government and IT systems. Learn how to detect and mitigate this stealthy backdoor."
author: "Vitus"
date: 2025-01-24
categories: [Cybersecurity, Malware]
tags: [brickstorm, malware, prc cyber threats, vmware vulnerabilities, cisa alerts]
score: 0.87
cve_ids: []
---
### TL;DR

CISA has uncovered a sustained campaign by People’s Republic of China (PRC) state-sponsored cyber actors using the BRICKSTORM malware to infiltrate government and IT sectors. This advanced backdoor enables long-term persistence, stealthy command-and-control (C2) communications, and lateral movement within victim networks. Organizations are urged to scan for BRICKSTORM using CISA’s detection rules and implement mitigations to prevent compromise.

---
### PRC State-Sponsored Actors Exploit BRICKSTORM Malware for Espionage

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical alert about ongoing cyber intrusions by PRC state-sponsored actors leveraging the BRICKSTORM malware. This sophisticated backdoor targets VMware vSphere and Windows environments, primarily affecting government services, facilities, and IT sectors. BRICKSTORM’s advanced capabilities allow threat actors to maintain long-term persistence, evade detection, and exfiltrate sensitive data.

#### Key Points

- Targeted Sectors: Government services, facilities, and IT sectors are the primary victims.
- Malware Capabilities: BRICKSTORM enables stealthy access, persistence, and encrypted C2 communications layered over HTTPS, WebSockets, and nested TLS, with DNS-over-HTTPS (DoH) used for name resolution.
- Initial Access: Attackers compromise web servers in DMZs, move laterally to VMware vCenter servers, and deploy BRICKSTORM.
- Post-Compromise Activity: Threat actors steal legitimate credentials, clone VM snapshots, and create hidden rogue VMs to evade detection.
- Detection and Mitigation: CISA provides YARA and Sigma rules to scan for BRICKSTORM and recommends blocking unauthorized DoH traffic.

---
### Technical Details

#### Malware Functionality
BRICKSTORM is a highly adaptive backdoor designed for long-term espionage. Its key features include:
- Multi-Layered Encryption: Uses HTTPS, WebSockets, and nested TLS to conceal C2 communications.
- DNS-over-HTTPS (DoH): Masks malicious traffic by encrypting DNS queries.
- SOCKS Proxy: Facilitates lateral movement and tunneling within victim networks.
- Self-Monitoring Persistence: Automatically reinstalls or restarts if disrupted, ensuring continuous operation.
#### Attack Vector
In a confirmed compromise, PRC actors:
1. Gained access to a web server in the victim’s DMZ.
2. Moved laterally to an internal VMware vCenter server.
3. Deployed BRICKSTORM to establish persistence and exfiltrate data.
#### Post-Exploitation Techniques
After gaining access, threat actors:
- Extracted credentials by performing system backups or capturing Active Directory database information.
- Stole cloned VM snapshots for credential extraction.
- Created hidden rogue VMs to evade detection.
---
### Impact Assessment

The BRICKSTORM malware poses a severe threat to organizations due to its:
- Stealthy Persistence: Self-monitoring mechanisms ensure long-term access.
- Evasion Techniques: Encrypted communications and DoH make detection challenging.
- Targeted Sectors: Government and IT sectors face heightened risk of espionage and data theft.
- Adaptability: Multiple variants of BRICKSTORM have been identified, demonstrating its evolving nature.
---
### Mitigation Steps

CISA recommends the following actions to detect and mitigate BRICKSTORM infections:
1. Scan for BRICKSTORM:
   - Use CISA’s YARA and Sigma rules provided in the [Malware Analysis Report (MAR)](https://www.cisa.gov/news-events/analysis-reports/ar25-338a).
2. Block Unauthorized DoH Traffic:
   - Restrict DNS-over-HTTPS (DoH) providers and monitor external DoH communications.
3. Monitor Network Edge Devices:
   - Inventory all network edge devices and investigate suspicious connectivity.
4. Implement Network Segmentation:
   - Enforce strict segmentation between DMZ and internal networks to limit lateral movement.
5. Report Suspicious Activity:
   - If BRICKSTORM or related malware is detected, report to CISA’s 24/7 Operations Center at contact@cisa.dhs.gov or (888) 282-0870.

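Step 2 turned into a concrete hunt, as an added example that is not CISA's code and not part of the MAR: it scans web-proxy log lines for requests that look like DoH (the RFC 8484 `application/dns-message` media type, the conventional `/dns-query` path, or a known public resolver host) and reports every one whose destination is not on the organization's allowlist. The log lines, the allowlist entry `doh.corp.example`, and the non-resolver host names are all constructed for the example.

```python
"""Hunt for DNS-over-HTTPS (DoH) sessions that bypass the sanctioned resolver.
Illustrative detector, not CISA's or any vendor's code; the log is constructed."""
from dataclasses import dataclass
from typing import Optional

ALLOWED_DOH_HOSTS = {"doh.corp.example"}  # hypothetical: the one sanctioned DoH endpoint
# Well-known public DoH resolvers a "no unsanctioned DoH" policy would watch for.
KNOWN_PUBLIC_DOH = {"dns.google", "cloudflare-dns.com", "dns.quad9.net", "doh.opendns.com"}
DOH_MEDIA_TYPE = "application/dns-message"  # RFC 8484 body type for DoH requests

# Constructed proxy log: timestamp, src_ip, method, host, path, content_type (tab-separated).
SAMPLE_LOG = """\
2025-01-24T10:01:02Z\t10.0.5.12\tGET\tintranet.corp.example\t/\ttext/html
2025-01-24T10:01:05Z\t10.0.5.12\tPOST\tdoh.corp.example\t/dns-query\tapplication/dns-message
2025-01-24T10:02:11Z\t10.0.7.44\tGET\tdns.google\t/dns-query?dns=AAABAAABAAAAAAAA\tapplication/dns-message
2025-01-24T10:03:30Z\t10.0.9.3\tPOST\tupdates.vendor.example\t/dns-query\tapplication/dns-message
2025-01-24T10:04:00Z\t10.0.9.3\tGET\tcloudflare-dns.com\t/\ttext/html
"""

@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    host: str
    reason: str

def doh_indicator(host: str, path: str, ctype: str) -> Optional[str]:
    """Why a request looks like DoH, or None. Strongest signal first: the RFC 8484
    media type (catches DoH to *any* host, not just public resolvers), then the
    conventional /dns-query path, then a known public resolver host."""
    if ctype.split(";")[0].strip().lower() == DOH_MEDIA_TYPE:
        return "dns-message body"
    if path.split("?", 1)[0] == "/dns-query":
        return "/dns-query path"
    if host.lower() in KNOWN_PUBLIC_DOH:
        return "known public DoH resolver"
    return None

def find_unauthorised_doh(log_text: str) -> list[Finding]:
    """Flag DoH-looking requests whose destination is not an allowlisted resolver."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 6:
            continue  # skip malformed lines instead of aborting the hunt
        ts, src, _method, host, path, ctype = fields
        reason = doh_indicator(host, path, ctype)
        if reason and host.lower() not in ALLOWED_DOH_HOSTS:
            findings.append(Finding(ts, src, host, reason))
    return findings
```

The third sample line is the case worth pausing on: a `dns-message` body sent to a host that is not a public resolver at all, which a provider-only blocklist would miss but the media-type check catches.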
---
### Conclusion

The BRICKSTORM malware represents a significant escalation in cyber threats posed by PRC state-sponsored actors. Its advanced evasion techniques, persistence mechanisms, and targeting of critical sectors make it a top priority for cybersecurity teams. Organizations must proactively hunt for intrusions, implement CISA’s mitigation strategies, and stay vigilant against evolving threats.

For further details, refer to CISA’s [Malware Analysis Report (MAR) on BRICKSTORM](https://www.cisa.gov/news-events/analysis-reports/ar25-338a).
