The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned network defenders of Chinese hackers backdooring VMware vSphere servers with Brickstorm malware.

In a joint malware analysis report with the National Security Agency (NSA) and Canada’s Cyber Security Centre, CISA says it analyzed eight Brickstorm malware samples.

These samples were discovered on networks belonging to victim organizations, where the attackers specifically targeted VMware vSphere servers to create hidden rogue virtual machines to evade detection and steal cloned virtual machine snapshots for further credential theft.

As noted in the advisory, Brickstorm uses multiple layers of encryption, including HTTPS, WebSockets, and nested TLS to secure communication channels, a SOCKS proxy for tunneling and lateral movement within compromised networks, and DNS-over-HTTPS (DoH) for added concealment. To maintain persistence, Brickstorm also includes a self-monitoring function that automatically reinstalls or restarts the malware if interrupted.

While investigating one of the incidents, CISA found that Chinese hackers compromised a web server in an organization’s demilitarized zone (DMZ) in April 2024, then moved laterally to an internal VMware vCenter server and deployed malware.

The attackers also hacked two domain controllers on the victim’s network and exported cryptographic keys after compromising an Active Directory Federation Services (ADFS) server. The Brickstorm implant allowed them to maintain access to the breached systems from at least April 2024 through September 2025.

After obtaining system access, they’ve also been observed capturing Active Directory database information and performing system backups to steal legitimate credentials and other sensitive data.

​To detect the attackers’ presence on their networks and block potential attacks, CISA advises defenders (especially those working for critical infrastructure and government organizations) to scan for Brickstorm backdoor activity using agency-created YARA and Sigma rules, and block unauthorized DNS-over-HTTPS providers and external traffic.

They should also take inventory of all network edge devices to monitor for suspicious activity and segment the network to restrict traffic from demilitarized zones to internal networks.

“CISA, NSA, and Cyber Centre urge organizations to use the indicators of compromise (IOCs) and detection signatures in this Malware Analysis Report to identify BRICKSTORM malware samples,” the joint advisory urges. “If BRICKSTORM, similar malware, or potentially related activity is detected, CISA and NSA urge organizations to report the activity as required by law and applicable policies.”

Today, cybersecurity firm CrowdStrike also linked Brickstorm malware attacks targeting VMware vCenter servers on the networks of U.S. legal, technology, and manufacturing companies throughout 2025 to a Chinese hacking group it tracks as Warp Panda. CrowdStrike observed the same threat group deploying previously unknown Junction and GuestConduit malware implants in VMware ESXi environments.

The joint advisory comes on the heels of a Google Threat Intelligence Group (GTIG) report published in September that described how suspected Chinese hackers used the Brickstorm malware (first documented by Google subsidiary Mandiant in April 2024) to gain long-term persistence on the networks of multiple U.S. organizations in the technology and legal sectors.

Google security researchers linked these attacks to the UNC5221 malicious activity cluster, known for exploiting Ivanti zero-days to target government agencies with custom Spawnant and Zipline malware.