
Cybersecurity Briefing — CISA NSA Joint Advisory on BRICKSTORM Malware Campaign

CISA, NSA, and the Canadian Centre for Cyber Security issued a joint advisory on BRICKSTORM malware used by Chinese state-sponsored actors targeting VMware vSphere and Windows systems. Attackers maintained undetected access for up to 17 months using encrypted DNS-over-HTTPS communications. Organizations should implement the advisory's detection rules and review critical infrastructure for compromise indicators.


Executive briefing: The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Canadian Centre for Cyber Security released a joint advisory in December 2025 detailing the BRICKSTORM malware campaign attributed to Chinese state-sponsored threat actors. The campaign targeted government agencies, critical infrastructure operators, and technology organizations across North America and Europe, with attackers maintaining persistent undetected access for periods extending up to 17 months. Organizations operating VMware vSphere environments and Windows-based critical systems should immediately implement the advisory's detection rules and conduct forensic analysis for potential compromise.

Campaign overview and attribution

BRICKSTORM represents a sophisticated multi-stage malware framework designed for long-term persistent access and data exfiltration from high-value targets. Security researchers and government intelligence agencies attribute the campaign to threat actors associated with the People's Republic of China, specifically groups linked to the Ministry of State Security. The campaign demonstrates advanced tradecraft including zero-day exploitation, living-off-the-land techniques, and sophisticated evasion capabilities that enabled prolonged dwell times.

Initial access vectors identified in the campaign include exploitation of vulnerabilities in internet-facing VMware vCenter Server instances and targeted spear-phishing campaigns delivering weaponized documents. Attackers demonstrated ability to chain multiple vulnerabilities for privilege escalation and lateral movement within compromised networks. The extended undetected presence across multiple victim organizations indicates sophisticated operational security and defensive evasion capabilities that challenge conventional detection approaches.

The advisory notes that victim organizations include government agencies responsible for national security functions, defense contractors, telecommunications providers, and energy sector entities. The targeting pattern suggests strategic intelligence collection objectives rather than financially motivated cybercrime. Organizations in these sectors should treat this advisory as directly relevant to their security posture.

Technical analysis of BRICKSTORM capabilities

BRICKSTORM malware architecture consists of multiple modular components enabling comprehensive system compromise and persistent access. The primary implant establishes encrypted command and control communications using DNS-over-HTTPS (DoH) protocols, tunneling malicious traffic through legitimate encrypted DNS services to evade network monitoring and detection. This technique makes network-based detection particularly challenging as malicious traffic appears indistinguishable from normal encrypted DNS queries.

The malware framework includes capabilities for credential harvesting, local and domain privilege escalation, lateral movement through compromised networks, data collection and staging, and secure exfiltration. Memory-resident components minimize forensic artifacts on disk, complicating incident response and attribution efforts. The modular architecture allows threat actors to deploy additional capabilities as operational requirements evolve.

VMware vSphere-specific components target the hypervisor layer, enabling attackers to access virtual machine disk files, capture memory contents, and intercept network traffic without visibility to guest operating systems. This hypervisor-level access provides attackers comprehensive visibility into virtualized infrastructure while remaining largely invisible to conventional endpoint detection solutions deployed within virtual machines.

Windows-specific implants leverage legitimate system utilities and signed drivers for persistence and privilege escalation. Living-off-the-land techniques abuse PowerShell and Windows Management Instrumentation (WMI) for command execution, reducing reliance on custom malware that might trigger detection. Registry modifications and scheduled tasks provide persistence mechanisms that survive system reboots.

Detection and hunting guidance

The joint advisory provides detailed indicators of compromise (IOCs) and detection signatures organizations should deploy across their security monitoring infrastructure. Network detection opportunities include monitoring for anomalous DNS-over-HTTPS traffic patterns, particularly to DoH providers not normally used by the organization. While encrypted DNS traffic cannot be inspected for content, volume patterns, timing, and destination analysis can identify suspicious activity.

Endpoint detection signatures target specific file hashes, registry modifications, scheduled task configurations, and process execution patterns associated with BRICKSTORM components. Organizations should update endpoint detection and response (EDR) solutions with the advisory's detection rules and configure alerting for identified indicators. Security information and event management (SIEM) correlation rules should aggregate endpoint and network indicators for comprehensive campaign detection.

VMware vSphere environments require specialized monitoring approaches. Administrators should review hypervisor logs for unauthorized access to virtual machine files, unusual API calls to vCenter Server, and modifications to virtual switch configurations. vSphere Audit and Compliance Automation logging should capture administrative actions for retrospective analysis. Consider deploying hypervisor-aware security solutions that can detect threats at the virtualization layer.
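A review pass over exported vCenter administrative records, as an added illustration (not code from the joint advisory, VMware, or Zeph Tech), showing the three checks the paragraph above calls for: administrative sessions from outside the management network, access to virtual machine disk and memory files, and virtual switch changes that enable traffic capture. The normalized schema (ts, user, source_ip, event, target, detail), the event names, the management subnet 10.50.1.0/24 and the sample records are all constructed for this example; map them to the event types and fields your vCenter version actually emits.

```python
"""Review normalized vCenter audit records for BRICKSTORM-relevant activity.

Added example, not from the advisory, VMware or Zeph Tech. Event names,
field names, the management subnet and the sample records are constructed.
"""
import ipaddress
import json

# Assumed: the only network from which vCenter administration is permitted.
MANAGEMENT_NETWORKS = [ipaddress.ip_network("10.50.1.0/24")]
# VM disk, memory-snapshot and firmware files; reading these from a datastore
# browser session is how guest data leaves without the guest OS seeing it.
SENSITIVE_SUFFIXES = (".vmdk", ".vmem", ".vmsn", ".nvram")

# Constructed sample export: one legitimate admin, one user acting from a
# workstation subnet and pulling VM files, and a vSwitch change.
SAMPLE_VSPHERE_EVENTS = r"""
{"ts": "2025-12-01T07:55:00Z", "user": "vsphere.local\\admin", "source_ip": "10.50.1.10", "event": "user.login", "target": "vcenter01", "detail": ""}
{"ts": "2025-12-01T08:10:00Z", "user": "corp\\jdoe", "source_ip": "10.20.9.44", "event": "user.login", "target": "vcenter01", "detail": ""}
{"ts": "2025-12-01T08:12:30Z", "user": "corp\\jdoe", "source_ip": "10.20.9.44", "event": "datastore.file.download", "target": "[ds01] dc01/dc01.vmdk", "detail": ""}
{"ts": "2025-12-01T08:14:02Z", "user": "corp\\jdoe", "source_ip": "10.20.9.44", "event": "datastore.file.download", "target": "[ds01] dc01/dc01-Snapshot1.vmem", "detail": ""}
{"ts": "2025-12-01T09:30:00Z", "user": "vsphere.local\\admin", "source_ip": "10.50.1.10", "event": "vswitch.reconfigure", "target": "vSwitch0", "detail": "promiscuous=true"}
{"ts": "2025-12-01T09:45:00Z", "user": "vsphere.local\\admin", "source_ip": "10.50.1.10", "event": "datastore.file.download", "target": "[ds01] iso/installer.iso", "detail": ""}
"""


def _outside_management(ip_text):
    """True when the source address is not inside any management network."""
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in MANAGEMENT_NETWORKS)


def review_vsphere_events(text):
    """Return the records that trip at least one check, with their reasons.

    Each record is evaluated against every check independently, so a single
    download of a .vmdk from a workstation subnet carries two reasons.
    """
    flagged = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        reasons = []
        if _outside_management(rec["source_ip"]):
            reasons.append("source_outside_management_network")
        target = rec.get("target", "").lower()
        if rec["event"].startswith("datastore.file") and target.endswith(SENSITIVE_SUFFIXES):
            reasons.append("sensitive_vm_file")
        if rec["event"] == "vswitch.reconfigure" and "promiscuous=true" in rec.get("detail", ""):
            reasons.append("promiscuous_mode_enabled")
        if reasons:
            flagged.append({"ts": rec["ts"], "user": rec["user"], "event": rec["event"],
                            "target": rec.get("target", ""), "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in review_vsphere_events(SAMPLE_VSPHERE_EVENTS):
        print(f"{hit['ts']} {hit['user']} {hit['event']} {hit['target']}: {', '.join(hit['reasons'])}")
```

The management-network check is deliberately applied to every record rather than only to logins, because a session that started from an allowed address can still be abused; the interesting finding is any administrative action whose source address cannot be accounted for. Promiscuous mode on a virtual switch is flagged on its own because it is the setting that lets a VM on that switch observe other VMs' traffic.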

Behavioral detection approaches complement signature-based detection for identifying BRICKSTORM variants or related campaigns. Monitor for lateral movement patterns including remote service creation, WMI remote execution, and anomalous network connections from compromised systems. Credential access detection should identify LSASS memory access, credential dumping tools, and Kerberos ticket manipulation.
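The behavioral detections listed above, and the SIEM-side correlation of endpoint events mentioned earlier in this section, as an added example that is not code from the advisory or from Zeph Tech. It assumes Windows Security, System and Sysmon events have been forwarded (for example through Windows Event Forwarding) and normalized to one JSON object per line with the field names shown; the sample records, host names, addresses and the encoded-command placeholder are constructed. The three rules cover remote service creation (a network logon followed shortly by a service install on the same host, or a service image path that looks like a one-liner), WMI remote execution (a process whose parent is WmiPrvSE.exe), and LSASS memory access (a Sysmon process-access event granting PROCESS_VM_READ to an unexpected image).

```python
"""Behavioral detections for lateral movement and credential access.

Added example, not from the advisory or Zeph Tech. Assumes events forwarded
as one JSON object per line with the field names below; records are constructed.
"""
import json
from datetime import datetime, timedelta

SAMPLE_EVENTS = r"""
{"ts": "2025-12-01T10:00:00Z", "host": "FS01", "channel": "Security", "event_id": 4624, "LogonType": 3, "TargetUserName": "svc_backup", "IpAddress": "10.20.9.44"}
{"ts": "2025-12-01T10:00:07Z", "host": "FS01", "channel": "System", "event_id": 7045, "ServiceName": "svchelper", "ImagePath": "%COMSPEC% /c powershell -nop -w hidden -enc <base64-placeholder>"}
{"ts": "2025-12-01T10:02:30Z", "host": "WS07", "channel": "Security", "event_id": 4688, "SubjectUserName": "jdoe", "NewProcessName": "C:\\Windows\\System32\\cmd.exe", "ParentProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"}
{"ts": "2025-12-01T10:03:05Z", "host": "WS07", "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 10, "SourceImage": "C:\\Users\\Public\\tool.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"}
{"ts": "2025-12-01T10:04:00Z", "host": "WS07", "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 10, "SourceImage": "C:\\Windows\\System32\\svchost.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000"}
{"ts": "2025-12-01T10:05:00Z", "host": "WS02", "channel": "System", "event_id": 7045, "ServiceName": "VendorAgent", "ImagePath": "C:\\Program Files\\Vendor\\agent.exe"}
"""

# Tokens that rarely appear in a legitimately installed service's image path.
SUSPICIOUS_SERVICE_TOKENS = ("powershell", "-enc", "%comspec%", "cmd.exe /c", "\\admin$", "\\temp\\")
# Images expected to open LSASS on a normal system (assumed baseline; tune per estate).
LSASS_ACCESS_ALLOWLIST = {
    "c:\\windows\\system32\\svchost.exe",
    "c:\\windows\\system32\\csrss.exe",
    "c:\\windows\\system32\\wininit.exe",
}
PROCESS_VM_READ = 0x0010  # access right needed to read another process's memory


def load_events(text):
    """Parse JSON lines and return events sorted by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])


def detect(events, logon_window=timedelta(seconds=120)):
    """Run the three behavioral rules and return alerts in chronological order."""
    alerts = []
    for i, e in enumerate(events):
        if e["event_id"] == 7045:
            path = e.get("ImagePath", "").lower()
            suspicious = any(tok in path for tok in SUSPICIOUS_SERVICE_TOKENS)
            # Network logons (type 3) to the same host shortly before the install.
            remote = [p for p in events[:i]
                      if p["host"] == e["host"] and p["event_id"] == 4624
                      and p.get("LogonType") == 3 and e["ts"] - p["ts"] <= logon_window]
            if suspicious or remote:
                src = remote[-1]["IpAddress"] if remote else "n/a"
                alerts.append({"rule": "remote_service_creation", "host": e["host"],
                               "ts": e["ts"].isoformat(),
                               "severity": "high" if (suspicious and remote) else "medium",
                               "detail": f"service {e.get('ServiceName')} from {src}: {e.get('ImagePath')}"})
        elif e["event_id"] == 4688 and e.get("ParentProcessName", "").lower().endswith("\\wmiprvse.exe"):
            alerts.append({"rule": "wmi_remote_execution", "host": e["host"],
                           "ts": e["ts"].isoformat(), "severity": "medium",
                           "detail": f"{e.get('NewProcessName')} spawned by WmiPrvSE as {e.get('SubjectUserName')}"})
        elif (e["event_id"] == 10 and e.get("channel", "").startswith("Microsoft-Windows-Sysmon")
              and e.get("TargetImage", "").lower().endswith("\\lsass.exe")):
            source = e.get("SourceImage", "").lower()
            granted = int(e.get("GrantedAccess", "0x0"), 16)
            if source not in LSASS_ACCESS_ALLOWLIST and granted & PROCESS_VM_READ:
                alerts.append({"rule": "lsass_memory_access", "host": e["host"],
                               "ts": e["ts"].isoformat(), "severity": "high",
                               "detail": f"{e.get('SourceImage')} opened lsass with {e.get('GrantedAccess')}"})
    return alerts


if __name__ == "__main__":
    for a in detect(load_events(SAMPLE_EVENTS)):
        print(f"[{a['severity']}] {a['ts']} {a['host']} {a['rule']}: {a['detail']}")
```

Two prerequisites are worth checking before relying on this: the WMI rule needs process creation auditing (event 4688) with parent process information, and the LSASS rule needs Sysmon's ProcessAccess event configured to log lsass.exe as a target. The benign svchost.exe record in the sample is there to show why the allowlist and the access-mask check are both needed: system components open LSASS constantly, but without PROCESS_VM_READ.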

Incident response and forensic guidance

Organizations that identify BRICKSTORM indicators or related suspicious activity should initiate incident response procedures with appropriate urgency. Given the campaign's state-sponsored attribution and targeting of critical infrastructure, incident response should involve relevant government authorities including CISA, sector-specific agencies, and law enforcement as appropriate.

Forensic analysis should prioritize volatile evidence collection before remediation actions that might destroy indicators. Memory acquisition from potentially compromised systems can reveal memory-resident malware components and active network connections. Disk forensics should examine persistence mechanisms, staging directories, and exfiltration artifacts even though BRICKSTORM minimizes disk-resident components.

Network traffic analysis should examine historical traffic logs for command and control communications, lateral movement patterns, and data exfiltration. DNS query logs are particularly valuable given the campaign's use of DNS-over-HTTPS for C2. Organizations should coordinate with network service providers to obtain historical traffic data that may no longer be available from internal logging.

Scope assessment must determine the full extent of compromise before remediation. BRICKSTORM's long dwell times and sophisticated lateral movement capabilities mean initial access vectors may be far removed from currently active compromised systems. Complete domain controller and Active Directory analysis is essential to identify potential persistence through privileged accounts or authentication infrastructure compromise.

Remediation and hardening recommendations

Remediation of BRICKSTORM compromise requires a comprehensive approach addressing all identified attacker footholds. Simple reimaging of identified compromised systems is insufficient if attackers have established persistence through domain administrator accounts, Group Policy, or authentication infrastructure. Remediation planning should anticipate that sophisticated attackers may have capabilities for re-establishing access if containment is incomplete.

VMware vSphere environments require particular attention during remediation. Consider whether hypervisor-level compromise might have enabled access to sensitive data across multiple virtual machines. Validate integrity of hypervisor configurations, virtual switch settings, and storage access controls. Review whether attackers could have captured virtual machine disk files or memory snapshots containing sensitive data.

Credential rotation should encompass all potentially compromised accounts including service accounts, administrative accounts, and accounts with elevated privileges. Domain-wide password resets may be necessary for organizations with evidence of Active Directory compromise. Consider krbtgt account password rotation following Microsoft guidance if Kerberos ticket forgery is suspected.

Long-term hardening should address the attack vectors and weaknesses BRICKSTORM exploited. Patch VMware vCenter Server and ESXi hosts with latest security updates. Implement network segmentation limiting administrative access to virtualization infrastructure. Deploy application allowlisting on critical systems to prevent unauthorized code execution. Enhance monitoring for the specific techniques employed by this campaign.

Protective measures for uncompromised organizations

Organizations without current evidence of BRICKSTORM compromise should implement protective measures to reduce exploitation risk:

VMware infrastructure protection: Ensure vCenter Server and ESXi hosts are patched against known vulnerabilities. Restrict vCenter management access to dedicated management networks. Implement strong authentication including multi-factor authentication for administrative access. Enable comprehensive audit logging and forward logs to security monitoring platforms.

Network architecture review: Evaluate network segmentation to limit lateral movement opportunities. Implement zero trust network access principles that require continuous verification rather than implicit trust based on network location. Deploy internal network monitoring capable of detecting lateral movement patterns.

DNS security: Consider organizational policy on DNS-over-HTTPS usage. If DoH is permitted, implement monitoring for connections to unauthorized DoH providers. DNS query logging provides valuable visibility for threat hunting even when encrypted protocols limit content inspection.
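The DoH monitoring described here and in the detection section above (destination, volume and timing analysis of encrypted DNS traffic to providers the organization does not sanction), as an added example that is not code from the advisory or from Zeph Tech. It assumes flow or proxy logs that record the TLS server name, in a pipe-delimited layout of timestamp, source IP, SNI host, destination port and bytes sent; the layout, the sanctioned resolver name doh.corp.example and the sample lines are constructed. The public resolver hostnames are real services and are used only to recognize DoH destinations. A client that contacts an unsanctioned resolver at nearly constant intervals is reported as beacon-like, which is the timing signature of a polling implant rather than of a browser resolving names as a user browses.

```python
"""Hunt for unsanctioned and beacon-like DNS-over-HTTPS traffic in flow logs.

Added example, not from the advisory or Zeph Tech. Assumes the log layout
timestamp|src_ip|sni_host|dst_port|bytes_out; sample lines are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Public DoH resolver hostnames (real services); extend from threat intel.
KNOWN_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}
# DoH endpoints the organization sanctions; "doh.corp.example" is a placeholder.
SANCTIONED_DOH_HOSTS = {"doh.corp.example"}

# Constructed sample: one host using the sanctioned resolver, one host contacting
# dns.google every ~300 s, one host with two ad hoc connections to Cloudflare.
SAMPLE_FLOWS = """\
2025-12-01T08:00:00Z|10.20.5.17|doh.corp.example|443|640
2025-12-01T08:00:01Z|10.20.5.17|doh.corp.example|443|512
2025-12-01T08:00:00Z|10.20.9.44|dns.google|443|1984
2025-12-01T08:05:00Z|10.20.9.44|dns.google|443|2011
2025-12-01T08:10:01Z|10.20.9.44|dns.google|443|1990
2025-12-01T08:15:00Z|10.20.9.44|dns.google|443|2005
2025-12-01T08:20:00Z|10.20.9.44|dns.google|443|1998
2025-12-01T08:03:12Z|10.20.7.3|cloudflare-dns.com|443|702
2025-12-01T09:41:55Z|10.20.7.3|cloudflare-dns.com|443|688
"""


def parse_flows(text):
    """Parse log lines into dicts, skipping blank or malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 5:
            continue
        ts, src, host, port, nbytes = parts
        flows.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                      "src": src, "host": host.lower(), "port": int(port), "bytes": int(nbytes)})
    return flows


def analyze_doh_flows(text, min_hits=5, max_cv=0.1):
    """Return findings keyed by (src_ip, doh_host) for unsanctioned DoH use.

    A pair with at least `min_hits` connections whose inter-arrival times have a
    coefficient of variation (stdev / mean) at or below `max_cv` is also marked
    beacon-like; regular spacing is the mark of a scheduled poll loop.
    """
    groups = defaultdict(list)
    for f in parse_flows(text):
        if f["host"] in KNOWN_DOH_HOSTS and f["host"] not in SANCTIONED_DOH_HOSTS:
            groups[(f["src"], f["host"])].append(f)

    findings = {}
    for key, flows in groups.items():
        times = sorted(f["ts"] for f in flows)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        beacon, mean_gap = False, None
        if len(flows) >= min_hits and gaps:
            mean_gap = mean(gaps)
            cv = pstdev(gaps) / mean_gap if mean_gap > 0 else float("inf")
            beacon = cv <= max_cv
        findings[key] = {"count": len(flows),
                         "bytes_out": sum(f["bytes"] for f in flows),
                         "first_seen": times[0].isoformat(),
                         "last_seen": times[-1].isoformat(),
                         "mean_interval_s": mean_gap,
                         "beacon_like": beacon}
    return findings


if __name__ == "__main__":
    for (src, host), f in analyze_doh_flows(SAMPLE_FLOWS).items():
        label = "BEACON-LIKE" if f["beacon_like"] else "unsanctioned"
        print(f"{src} -> {host}: {f['count']} conns, {f['bytes_out']} B, {label}")
```

This relies on the SNI being visible in the log, which is the case for TLS 1.3 without Encrypted Client Hello; where SNI is unavailable, the same grouping can be keyed on destination IP ranges published by the resolver operators. The thresholds are starting points: lower `max_cv` to tolerate jitter-free beacons only, or raise `min_hits` to suppress short bursts from software updaters that happen to use a public resolver.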

Endpoint hardening: Deploy application allowlisting on critical systems. Enable PowerShell script block logging and module logging. Configure Windows Event Forwarding to centralize security-relevant logs. Ensure EDR solutions cover all critical systems and are configured with current detection content.

Intelligence sharing and coordination

The joint advisory emphasizes the importance of information sharing between government agencies, critical infrastructure operators, and the private sector. Organizations that identify BRICKSTORM activity or related indicators should report findings to CISA through established reporting channels. Timely sharing of new indicators enables rapid deployment of detection capabilities across the defender community.

Sector-specific Information Sharing and Analysis Centers (ISACs) provide forums for sharing threat intelligence with peer organizations in similar industries. Organizations in targeted sectors should ensure active ISAC participation and monitor shared intelligence for relevant indicators and TTPs. Cross-sector coordination through CISA enables broader visibility into campaigns targeting multiple industry verticals.

International coordination between US, Canadian, and other allied cyber agencies demonstrates the global scope of the threat and the importance of coordinated defensive response. Organizations with international operations should engage with relevant national cyber authorities in each jurisdiction and implement detection guidance consistently across global infrastructure.

Recommended actions for the next 30 days

  • Deploy BRICKSTORM detection signatures across endpoint detection, network monitoring, and SIEM platforms using IOCs from the joint advisory.
  • Conduct threat hunting activities targeting BRICKSTORM behavioral indicators including DNS-over-HTTPS anomalies and VMware infrastructure access patterns.
  • Review VMware vCenter Server and ESXi hosts for evidence of unauthorized access, configuration changes, or suspicious administrative activity.
  • Validate patch status of internet-facing VMware infrastructure and prioritize remediation of any unpatched vulnerabilities.
  • Implement enhanced monitoring for lateral movement techniques including remote service creation, WMI remote execution, and credential access patterns.
  • Review network segmentation for virtualization management infrastructure and implement additional restrictions where gaps exist.
  • Establish or verify incident reporting channels to CISA and relevant sector-specific agencies for expedited reporting if indicators are identified.
  • Brief executive leadership and board risk committees on the threat and organizational exposure assessment.

Zeph Tech analysis

The BRICKSTORM campaign exemplifies the sophisticated persistent threat landscape facing critical infrastructure and government organizations. The 17-month undetected dwell times reported across multiple victim organizations underscore the challenge of detecting well-resourced adversaries employing advanced tradecraft. Organizations should not assume that lack of prior detection indicates lack of compromise; the advisory's hunting guidance should be applied retrospectively to identify potential historical activity.

The campaign's targeting of VMware virtualization infrastructure reflects adversary recognition that hypervisor compromise provides exceptional access while evading conventional endpoint detection. Organizations heavily reliant on virtualized infrastructure should evaluate whether their security monitoring adequately covers the hypervisor layer or focuses exclusively on guest operating systems. Security architecture reviews should assess whether virtualization concentrates risk in ways that warrant additional protective measures.

DNS-over-HTTPS abuse for command and control communications presents detection challenges that organizations should address through architectural and monitoring approaches. While DoH provides legitimate privacy benefits, unmanaged DoH usage creates blind spots for network security monitoring. Organizations should establish clear policy on DoH usage and implement technical controls that provide visibility without compromising legitimate privacy objectives.

The joint agency response demonstrates effective coordination between US and Canadian cyber authorities in addressing transnational threats. Organizations should leverage government resources including CISA's free vulnerability scanning, protective DNS services, and incident response assistance. Engaging with government partners strengthens both organizational and collective defense capabilities.

Zeph Tech will continue monitoring developments related to BRICKSTORM and related campaigns, providing updated guidance as new detection capabilities and remediation approaches become available.
