BRICKSTORM backdoor targets VMware vSphere for persistent access via DNS-over-HTTPS

What happened

The BRICKSTORM malware report describes a backdoor used in attacks targeting VMware vSphere environments, including vCenter servers and ESXi hosts, to maintain long-term stealthy access. CISA links the activity to Chinese state-sponsored operations and notes the analysis covers eleven samples, including variants built in Go and newer versions in Rust. The report describes initial access via compromised web servers in demilitarized zones, followed by lateral movement using stolen service account credentials and Remote Desktop Protocol to reach VMware vCenter. Persistence is maintained by installing into system directories (such as /etc/sysconfig/) and modifying initialization scripts so the backdoor runs at startup, with self-monitoring that reinstalls the malware if it is removed. For command-and-control, BRICKSTORM uses DNS-over-HTTPS through public resolvers operated by Cloudflare, Google, and Quad9, and can upgrade to encrypted WebSocket sessions to support interactive control and SOCKS proxying.

Who is affected

Organizations running VMware vSphere—especially environments hosting vCenter and ESXi in production—are directly impacted by the described tradecraft. Government services and IT-sector environments are highlighted as higher risk. Exposure is direct for compromised virtualization management layers, with indirect impact to workloads hosted on those platforms.

Why CISOs should care

Compromise of the virtualization control plane can enable broad lateral movement, stealthy persistence, and high-impact actions such as cloning virtual machines or accessing sensitive infrastructure services. DNS-over-HTTPS command channels can blend into normal encrypted traffic, increasing detection difficulty and elevating the likelihood of prolonged, hard-to-eradicate access.

3 practical actions

  • Protect the vCenter control plane: Limit administrative access paths, enforce strong credential hygiene for service accounts, and segment management networks from user and DMZ tiers.

  • Reduce covert C2 pathways: Restrict or monitor DNS-over-HTTPS usage and flag unexpected encrypted resolver traffic to Cloudflare, Google, or Quad9 from sensitive segments.

  • Operationalize signature-based detection: Deploy the published YARA/Sigma detections in your tooling and prioritize triage for any matches in vCenter/ESXi-adjacent systems.
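As an added example of the second action above (this is illustrative code written for this digest, not code from the BRICKSTORM report or from any vendor), the script below screens HTTPS flow records for connections from a management segment to the public DNS-over-HTTPS resolvers the report names. The resolver addresses and hostnames are the providers' published anycast endpoints for Cloudflare, Google and Quad9; the management CIDR, the approved-forwarder address and the flow log itself are constructed for the example. A hit is a triage signal rather than proof of BRICKSTORM, since those addresses also serve ordinary web content, which is why the script reports whether the match came from the destination IP or from the TLS SNI.

```python
import csv
import io
import ipaddress

# Published DoH endpoints of the three resolver operators the report names.
# Confirm against current vendor documentation before deploying.
DOH_RESOLVER_IPS = {
    "cloudflare": {"1.1.1.1", "1.0.0.1"},
    "google": {"8.8.8.8", "8.8.4.4"},
    "quad9": {"9.9.9.9", "149.112.112.112"},
}
DOH_RESOLVER_HOSTS = {
    "cloudflare": {"cloudflare-dns.com", "one.one.one.one"},
    "google": {"dns.google"},
    "quad9": {"dns.quad9.net"},
}

# Assumption for this example: the vCenter/ESXi management VLAN is 10.50.0.0/24.
SENSITIVE_SEGMENTS = [ipaddress.ip_network("10.50.0.0/24")]
# Assumption: one sanctioned DoH forwarder lives in that segment and is allowlisted.
APPROVED_DOH_CLIENTS = {"10.50.0.5"}

# Constructed flow log (Zeek-style fields flattened to CSV). Not real traffic.
SAMPLE_FLOW_LOG = """ts,src_ip,dst_ip,dst_port,sni
1700000001,10.50.0.10,1.1.1.1,443,cloudflare-dns.com
1700000002,10.50.0.10,93.184.216.34,443,example.com
1700000003,10.20.3.7,8.8.8.8,443,dns.google
1700000004,10.50.0.5,9.9.9.9,443,dns.quad9.net
1700000005,10.50.0.11,203.0.113.9,443,dns.quad9.net
1700000006,10.50.0.12,1.0.0.1,443,
"""


def _resolver_match(dst_ip, sni):
    """Return (provider, matched_on) or (None, None).

    The destination IP is checked first; the SNI is checked second so that a
    DoH hostname reached through an address not in our list is still caught.
    """
    for provider, ips in DOH_RESOLVER_IPS.items():
        if dst_ip in ips:
            return provider, "ip"
    name = (sni or "").strip().lower().rstrip(".")
    for provider, hosts in DOH_RESOLVER_HOSTS.items():
        if name in hosts:
            return provider, "sni"
    return None, None


def _in_sensitive_segment(src_ip):
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in SENSITIVE_SEGMENTS)


def detect_doh_from_sensitive_segments(log_text):
    """Flag HTTPS flows from sensitive segments to public DoH resolvers.

    Returns a list of alert dicts in log order. Flows from allowlisted hosts,
    flows that are not on port 443, and flows from other segments are skipped.
    """
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["dst_port"] != "443":
            continue
        provider, matched_on = _resolver_match(row["dst_ip"], row.get("sni"))
        if provider is None:
            continue
        if not _in_sensitive_segment(row["src_ip"]):
            continue
        if row["src_ip"] in APPROVED_DOH_CLIENTS:
            continue
        alerts.append({
            "ts": row["ts"],
            "src_ip": row["src_ip"],
            "dst_ip": row["dst_ip"],
            "sni": row.get("sni") or "",
            "provider": provider,
            "matched_on": matched_on,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_doh_from_sensitive_segments(SAMPLE_FLOW_LOG):
        print(f'{alert["ts"]} {alert["src_ip"]} -> {alert["dst_ip"]} '
              f'({alert["provider"]}, matched on {alert["matched_on"]})')
```

Against the constructed log this raises three alerts: two management hosts reaching Cloudflare addresses directly (one without any SNI, which is itself unusual for a browser-driven request) and one host whose destination address is unknown but whose SNI names the Quad9 DoH service. The approved forwarder and the host outside the management segment are not reported. In production, feed it from the SSL/TLS log of your network sensor and review any match on a vCenter or ESXi host immediately, since those systems have no business resolving names through a public encrypted resolver.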