CISA, NSA, and the Canadian Centre for Cyber Security released a joint Malware Analysis Report on December 4, 2025, warning of BRICKSTORM, a sophisticated Go-based ELF backdoor used by PRC state-sponsored actors for long-term persistence on VMware vSphere systems, such as vCenter and ESXi, as well as Windows environments.
This malware targets government services and the IT sector, enabling stealthy access via encrypted C2 channels, file manipulation, and SOCKS proxies.
Organizations must hunt for the eight analyzed samples using the provided IOCs and rules to detect and report infections immediately.
BRICKSTORM Technical Capabilities
BRICKSTORM ensures persistence by performing startup checks against environment variables and file paths, copying itself to VMware directories such as /opt/vmware/sbin/ or /usr/java/jre-vmware/bin/, and modifying the PATH variable (T1574.007).
A self-watching function monitors its process; if disrupted, it reinstalls from /etc/sysconfig/ and restarts.

For C2, it resolves redacted domains via DNS-over-HTTPS (DoH) to public resolvers like Cloudflare (1.1.1.1) and Google (8.8.8.8), then upgrades HTTPS to nested TLS-encrypted WebSockets using smux/yamux multiplexing.
Handlers provide complete control: SOCKS proxying (T1090.001), mimicking a web server to generate legitimate traffic for file ops (list-dir, get-file, put-file, MD5 checks), and shell execution via pseudo-terminals.
Samples 7-8 use VSOCK for inter-VM communication in virtualized setups, generating in-memory self-signed RSA certs for encryption.
Delivery involves lateral movement via RDP/SMB with service accounts, web shells (T1505.003), NTDS.dit dumping (T1003.003), and sudo privilege escalation (T1548.003).
Key sample hashes include:
| Sample | SHA256 | Filename Example |
|---|---|---|
| 1 | aaf5569c8e349c15028bc3fac09eb982efb06eabac955b705a6d447263658e38 | vmsrc |
| 2 | 013211c56caaa697914b5b5871e4998d0298902e336e373ebb27b7db30917eaf | vnetd |
| 3 | 57bd98dbb5a00e54f07ffacda1fea91451a0c0b532cd7d570e98ce2ff741c21d | if-up |
| 7 | 39b3d8a8aedffc1b40820f205f6a4dc041cd37262880e5030b008175c45b0c46 | N/A |
Detection and Response Guidance
Deploy YARA rules detecting strings like “main.startNew” and DoH endpoints, plus Sigma rules for vCenter logs scanning “clone”, “vami-lighttp”, and API calls.
Use tools like Google Mandiant’s BRICKSTORM Scanner or CrowdStrike’s VirtualGHOST for hidden VMs.
Mitigate by updating VMware vSphere, segmenting DMZ/internal networks, disabling RDP/SMB externally, blocking DoH, and monitoring service accounts per CPGs.
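As an added example (not code from the report or from CISA, NSA or the Cyber Centre), the following Python script turns the persistence paths named earlier (/opt/vmware/sbin/, /usr/java/jre-vmware/bin/, /etc/sysconfig/) and the detection guidance above into a small offline hunt: it hashes files under those directories against the published sample hashes, looks for the "main.startNew" string and DoH endpoint strings, flags PATH entries that point into the watched directories, and runs the vCenter log keyword check over sample lines. The two DoH endpoint URLs, the PATH heuristic and the demo log lines are assumptions constructed for illustration, not indicators from the MAR.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA256 values of the analyzed samples, copied from the report table above.
KNOWN_HASHES = {
    "aaf5569c8e349c15028bc3fac09eb982efb06eabac955b705a6d447263658e38": "sample 1 (vmsrc)",
    "013211c56caaa697914b5b5871e4998d0298902e336e373ebb27b7db30917eaf": "sample 2 (vnetd)",
    "57bd98dbb5a00e54f07ffacda1fea91451a0c0b532cd7d570e98ce2ff741c21d": "sample 3 (if-up)",
    "39b3d8a8aedffc1b40820f205f6a4dc041cd37262880e5030b008175c45b0c46": "sample 7",
}

# Strings the report's YARA guidance points at. "main.startNew" is from the page;
# the two DoH endpoint paths are generic public-resolver URLs used here as
# assumed examples, not IOCs taken from the MAR.
SUSPICIOUS_STRINGS = [b"main.startNew", b"cloudflare-dns.com/dns-query", b"dns.google/dns-query"]

# Directories the report says the backdoor copies itself into or reinstalls from.
WATCHED_DIRS = ("/opt/vmware/sbin", "/usr/java/jre-vmware/bin", "/etc/sysconfig")

# Keywords the report's Sigma guidance says to look for in vCenter logs.
VCENTER_KEYWORDS = ("clone", "vami-lighttp")


def scan_bytes(data: bytes) -> dict:
    """Classify one file's contents: known-hash match, string hits, ELF magic."""
    digest = hashlib.sha256(data).hexdigest()
    return {
        "sha256": digest,
        "hash_match": KNOWN_HASHES.get(digest),
        "string_hits": [s.decode() for s in SUSPICIOUS_STRINGS if s in data],
        "is_elf": data[:4] == b"\x7fELF",
    }


def is_suspicious(finding: dict) -> bool:
    """A file is worth escalating if its hash is known or it carries an indicator string."""
    return bool(finding["hash_match"] or finding["string_hits"])


def scan_dirs(dirs=WATCHED_DIRS) -> list:
    """Walk the watched directories and return a finding for every regular file."""
    findings = []
    for d in dirs:
        for root, _, names in os.walk(d):
            for name in names:
                p = Path(root) / name
                if p.is_symlink() or not p.is_file():
                    continue
                try:
                    finding = scan_bytes(p.read_bytes())
                except OSError:
                    continue  # unreadable file: skip rather than abort the hunt
                findings.append({"path": str(p), **finding})
    return findings


def path_env_anomalies(path_env: str) -> list:
    """Heuristic (assumed, not from the MAR): PATH entries pointing at the watched
    directories deserve a look, since the backdoor edits PATH (T1574.007)."""
    watched = {d.rstrip("/") for d in WATCHED_DIRS}
    return [e for e in path_env.split(":") if e.rstrip("/") in watched]


def vcenter_log_hits(lines) -> list:
    """Return the log lines containing any keyword the Sigma guidance names."""
    return [ln for ln in lines if any(k in ln.lower() for k in VCENTER_KEYWORDS)]


if __name__ == "__main__":
    # Constructed demo input: a fake ELF header plus one indicator string, written
    # to a temp dir so the scan runs without touching a real vSphere host.
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "vnetd").write_bytes(b"\x7fELF" + b"\0" * 60 + b"main.startNew")
        (Path(tmp) / "notes.txt").write_bytes(b"nothing to see here")
        for f in scan_dirs([tmp]):
            print("SUSPICIOUS" if is_suspicious(f) else "clean", f["path"], f["string_hits"])
    print(path_env_anomalies(os.environ.get("PATH", "")))
    # Constructed vCenter-style log lines for the keyword check.
    demo_logs = ["2025-12-04 vpxd: CloneVM_Task started by svc-backup",
                 "2025-12-04 vami-lighttp restarted",
                 "2025-12-04 vpxd: login ok"]
    print(vcenter_log_hits(demo_logs))
```

On a real host, run `scan_dirs()` with its default directory list as root and treat any `is_suspicious` finding as a trigger for the reporting step below; hash matches are definitive, string hits are leads that still need the binary examined.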
Report detections to CISA (1-844-Say-CISA) or Cyber Centre; full IOCs in MAR-251165.c1.v1.CLEAR.