CISA, NSA, and Canadian Cyber Centre Issue Joint Advisory on 'BRICKSTORM' Malware Used by PRC State-Sponsored Actors

CISA Exposes 'BRICKSTORM' Backdoor Used by Chinese State Actors to Infiltrate US Government

HIGH
December 4, 2025
December 5, 2025
6m read
Threat Actor, Malware, Cyberattack

Related Entities (initial)

Threat Actors

People's Republic of China (PRC) state-sponsored cyber actors

Organizations

CISA, NSA, Canadian Centre for Cyber Security, VMware

Products & Tech

VMware vSphere, Windows, Active Directory Federation Services (ADFS)

Other

BRICKSTORM

Full Report (when first published)

Executive Summary

On December 4, 2025, a coalition of top Western cybersecurity agencies—the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Canadian Centre for Cyber Security—released a joint advisory and detailed malware analysis report on a sophisticated backdoor dubbed BRICKSTORM. The report attributes the malware to People's Republic of China (PRC) state-sponsored threat actors. These actors are leveraging BRICKSTORM to establish long-term, persistent access within compromised networks, with a primary focus on Government Services and Information Technology sectors. The malware is notable for its advanced stealth capabilities, including the use of DNS-over-HTTPS (DoH) for C2 communications and a self-healing mechanism to ensure persistence. The advisory provides indicators of compromise (IOCs) and TTPs to help organizations hunt for and defend against this threat.


Threat Overview

BRICKSTORM is a versatile and stealthy backdoor engineered for both VMware vSphere and Microsoft Windows environments. Its core purpose is to provide the threat actor with persistent, covert access to a target's network. The PRC state-sponsored actors behind this campaign have demonstrated a patient, multi-stage attack methodology.

The typical attack chain observed by CISA involves:

  1. Initial Access: Gaining a foothold on a public-facing web server, often within a DMZ, through the deployment of a web shell.
  2. Credential Access & Discovery: Stealing service account credentials from the compromised web server.
  3. Lateral Movement: Using the stolen credentials to move laterally into the internal network via protocols like Remote Desktop Protocol (RDP).
  4. Privilege Escalation & Persistence: Compromising a high-value target like a VMware vCenter server to deploy the BRICKSTORM malware, and then using that access to compromise domain controllers and ADFS servers.
  5. Collection: Exfiltrating sensitive data, such as cryptographic keys from an ADFS server, to enable further access and impersonation.

This methodical approach allows the actors to embed themselves deep within a network, often going undetected for long periods.

Technical Analysis

The BRICKSTORM malware exhibits several advanced technical features designed for stealth and resilience:

  • Encrypted C2 Communications: It uses multiple layers of encryption to hide its command-and-control traffic. This includes standard HTTPS and WebSockets, often with an additional, nested layer of TLS encryption.
  • DNS-over-HTTPS (DoH): To further obfuscate C2 communications, BRICKSTORM uses DoH. This technique tunnels DNS queries through encrypted HTTPS traffic, making it difficult for network defenders to block C2 domains or identify malicious traffic using traditional DNS monitoring. This aligns with MITRE ATT&CK technique T1071.004 - Application Layer Protocol: DNS-over-HTTPS.
  • SOCKS Proxy Functionality: Certain variants of the malware can act as a SOCKS proxy, enabling the attacker to tunnel other traffic through the compromised host. This is a common method for lateral movement and accessing internal resources, as described in T1090 - Proxy.
  • Self-Healing Persistence: The malware includes a self-monitoring function. If the backdoor process is terminated or its persistence mechanism is removed, it can automatically reinstall and restart itself, making remediation more challenging. This corresponds to T1543 - Create or Modify System Process.

Impact Assessment

A successful BRICKSTORM intrusion can have severe consequences for an organization. The primary impact is the establishment of a long-term, persistent foothold by a sophisticated state-sponsored actor. This access can be used for:

  • Espionage: Ongoing theft of sensitive government, corporate, or personal data.
  • Sabotage: In critical infrastructure environments, this level of access could potentially be used to disrupt or disable operational technology (OT) systems.
  • Supply Chain Attacks: By compromising IT service providers, the actors can pivot to attack their downstream customers.
  • Credential Theft: Compromising domain controllers and ADFS servers allows for widespread credential harvesting, which can be used to compromise the entire enterprise and associated cloud environments.

The targeting of VMware vCenter is particularly damaging, as it provides the attackers with control over the virtualized infrastructure, allowing them to create, modify, or delete virtual machines at will.

Detection & Response

  • Network Monitoring: Monitor for DNS-over-HTTPS (DoH) traffic to non-standard resolvers. While legitimate services use DoH, traffic from servers (especially domain controllers or vCenter) to unknown DoH providers is highly suspicious. D3FEND's D3-NTA: Network Traffic Analysis is essential.
  • Log Analysis: Correlate web server logs with authentication logs. Look for RDP connections originating from DMZ web servers to internal assets like domain controllers, which is a major red flag. Analyze Windows Event Logs for signs of credential theft (Event ID 4624 with Logon Type 3) and service creation (Event ID 7045).
  • VMware vSphere Monitoring: Enable and monitor vCenter logs for unusual API calls, VM modifications, or logins from unexpected sources. D3FEND's D3-LAM: Local Account Monitoring should be applied to vCenter accounts.
  • Threat Hunting: Proactively hunt for the IOCs provided in the CISA advisory (AR25-339A). Search for the file names, hashes, and C2 domains associated with BRICKSTORM.
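As an added illustration that is not part of the advisory or this article, the following Python applies the network-monitoring and log-analysis checks above to constructed log records. The hostnames, the DMZ range, the resolver allowlist, and every flow and event tuple are assumptions built for the example.

```python
import ipaddress

DMZ = ipaddress.ip_network("192.0.2.0/24")      # constructed DMZ address range
ROLES = {"WEB01": "dmz_web", "DC01": "domain_controller", "VCSA01": "vcenter"}
KNOWN_DOH = {"doh.corp.example"}                # assumed sanctioned corporate DoH resolver

# Constructed forward-proxy log entries: (src_host, dst_host, dst_port, request_path)
FLOWS = [
    ("WEB01",  "updates.vendor.example", 443, "/patches/"),
    ("VCSA01", "203.0.113.10",           443, "/dns-query?name=example.test&type=A"),
    ("DC01",   "doh.corp.example",       443, "/dns-query"),
]

# Constructed Windows Security events: (event_id, host, logon_type, source_ip)
EVENTS = [
    (4624, "DC01", 3, "192.0.2.15"),   # network logon to a DC from a DMZ address
    (4624, "DC01", 3, "10.0.1.20"),    # network logon from the admin LAN, expected
    (7045, "DC01", None, None),        # new service installed on the DC
    (7045, "WEB01", None, None),       # same on a DMZ host, not Tier 0
]

def suspicious_doh(flows):
    """DoH-shaped requests (/dns-query over 443) from a known server to a resolver not on the allowlist."""
    return [(src, dst) for src, dst, port, path in flows
            if src in ROLES and port == 443 and path.startswith("/dns-query") and dst not in KNOWN_DOH]

def dmz_logons_to_dc(events):
    """Event ID 4624, Logon Type 3, on a domain controller, with a source address inside the DMZ range."""
    return [(src, host) for eid, host, ltype, src in events
            if eid == 4624 and ltype == 3 and ROLES.get(host) == "domain_controller"
            and src is not None and ipaddress.ip_address(src) in DMZ]

def tier0_service_installs(events):
    """Event ID 7045 on a domain controller: a new service on Tier 0 is a persistence red flag."""
    return [host for eid, host, _, _ in events if eid == 7045 and ROLES.get(host) == "domain_controller"]

def findings():
    """Run all three checks; each hit is (check_name, detail)."""
    out = [("doh_to_unknown_resolver", hit) for hit in suspicious_doh(FLOWS)]
    out += [("dmz_network_logon_to_dc", hit) for hit in dmz_logons_to_dc(EVENTS)]
    out += [("service_install_on_dc", hit) for hit in tier0_service_installs(EVENTS)]
    return out
```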

Mitigation

  1. Harden Internet-Facing Systems: Apply patches for all public-facing applications and systems. Implement a WAF to protect against web shell deployment. Restrict access to management interfaces.
  2. Network Segmentation: Segment networks to prevent easy lateral movement from the DMZ to the internal corporate network. RDP access from the DMZ to domain controllers should be strictly prohibited.
  3. Privileged Access Management: Tightly control access to critical systems like domain controllers and vCenter. Implement multi-factor authentication (MFA) for all administrative accounts.
  4. Limit Outbound Traffic: Implement an egress filtering policy to block outbound connections from servers to the internet on all but explicitly allowed ports and destinations. This can disrupt C2 communications. This is an application of D3FEND's D3-OTF: Outbound Traffic Filtering.

Timeline of Events

  1. April 11, 2024: In a confirmed incident, PRC actors gained initial access to a victim's web server via a web shell.
  2. December 4, 2025: CISA, NSA, and the Canadian Centre for Cyber Security release a joint advisory on BRICKSTORM malware.
  3. December 4, 2025: This article was published.

Article Updates

December 5, 2025

Chinese state actor 'Warp Panda' identified, active since 2022, impacting dozens of US orgs via edge device exploits.

MITRE ATT&CK Mitigations

Implement robust network segmentation to prevent threat actors from moving laterally from less secure zones (like a DMZ) to critical internal assets (like domain controllers).

Strictly control and monitor the use of administrative and service accounts, especially on critical infrastructure like vCenter and domain controllers.

Apply egress filtering to block unexpected outbound traffic from servers, which can disrupt C2 communications over non-standard ports or to known malicious destinations.

Keep all internet-facing systems and applications, as well as internal infrastructure like VMware vSphere, fully patched to prevent initial exploitation.

Enforce MFA for all remote access and for all administrative accounts to make credential theft less impactful.

D3FEND Defensive Countermeasures

To counter the lateral movement TTPs used by BRICKSTORM's operators, implement strict network isolation and segmentation. Specifically, create firewall rules that explicitly deny all traffic from the DMZ to the internal corporate network, with narrow, well-defined exceptions. RDP traffic (port 3389) from a web server to a domain controller should be completely blocked. Critical infrastructure, including the VMware vCenter management network and domain controllers, should reside in a highly restricted security zone (a 'Tier 0' environment) that is inaccessible from general-purpose servers and user workstations. This architectural control is one of the most effective ways to contain a breach that starts on a public-facing server and prevent it from becoming a full enterprise compromise.

To disrupt BRICKSTORM's C2 communications, especially its use of DoH, implement a policy of default-deny for outbound network traffic from servers. For critical servers like vCenter and domain controllers, all outbound internet access should be blocked unless there is a specific, documented business requirement. For servers that do require internet access, use a forward proxy to explicitly allowlist connections to only known-good domains and IP addresses. This makes it significantly harder for the malware to establish a connection to its C2 server. Additionally, consider blocking DoH traffic at the network perimeter by denying connections to the IP addresses of public DoH resolvers, forcing DNS queries through your monitored, internal DNS servers.
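To make the segmentation and default-deny egress controls of the two preceding paragraphs (and Mitigation items 2 and 4) concrete, here is an added example that is not from the advisory or this article: a first-match policy evaluated against constructed flows that mirror the attack chain. The zone ranges, resolver and proxy addresses are assumptions, and the public DoH resolver IPs are placeholders.

```python
import ipaddress

ZONES = {  # constructed ranges; most specific first, catch-all last
    "dmz":      ipaddress.ip_network("192.0.2.0/24"),
    "tier0":    ipaddress.ip_network("10.0.0.0/24"),   # domain controllers, vCenter, ADFS
    "corp":     ipaddress.ip_network("10.0.1.0/24"),   # admin workstations, user LAN
    "internet": ipaddress.ip_network("0.0.0.0/0"),
}
INTERNAL_DNS = "10.0.0.53"                     # assumed monitored internal resolver
FORWARD_PROXY = "10.0.1.80"                    # assumed allowlisting forward proxy
PUBLIC_DOH = {"203.0.113.53", "203.0.113.54"}  # placeholders for public DoH resolver IPs

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next(name for name, net in ZONES.items() if addr in net)

# First-match rule list; a field that is left out matches anything.
RULES = [
    dict(action="deny",  dst_ips=PUBLIC_DOH, why="public DoH resolver blocked at perimeter"),
    dict(action="deny",  src_zone="dmz", dst_zone="tier0", why="DMZ to Tier 0 is never permitted"),
    dict(action="allow", dst_ips={INTERNAL_DNS}, dst_port=53, why="internal DNS"),
    dict(action="allow", src_zone="dmz", dst_ips={FORWARD_PROXY}, dst_port=3128, why="DMZ egress via proxy only"),
    dict(action="allow", src_zone="corp", dst_zone="tier0", dst_port=3389, why="admin RDP, MFA enforced"),
    dict(action="allow", src_zone="corp", dst_zone="internet", dst_port=443, why="user web browsing"),
    dict(action="deny",  src_zone="dmz", dst_zone="corp", why="DMZ to corporate LAN blocked"),
]
DEFAULT = ("deny", "default deny: no documented exception")

def evaluate(src_ip, dst_ip, dst_port):
    """Return (action, reason) for one flow. Anything no rule explicitly allows is denied."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule in RULES:
        if (rule.get("src_zone", src_zone) == src_zone and rule.get("dst_zone", dst_zone) == dst_zone
                and dst_ip in rule.get("dst_ips", {dst_ip}) and rule.get("dst_port", dst_port) == dst_port):
            return rule["action"], rule["why"]
    return DEFAULT

# Constructed flows: one per step of the attack chain, plus the legitimate traffic that must keep working.
FLOWS = [
    ("192.0.2.15", "10.0.0.10", 3389),   # DMZ web server -> domain controller over RDP
    ("10.0.0.20", "203.0.113.53", 443),  # vCenter -> public DoH resolver
    ("10.0.0.20", "198.51.100.7", 443),  # vCenter -> arbitrary internet host
    ("10.0.0.10", "10.0.0.53", 53),      # domain controller -> internal DNS
    ("10.0.1.30", "10.0.0.10", 3389),    # admin workstation -> domain controller
]

def verdicts():
    """Map each constructed flow to the (action, reason) the policy produces."""
    return {flow: evaluate(*flow) for flow in FLOWS}
```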

Given the attackers' use of stolen credentials for lateral movement via RDP, enforcing MFA is a critical mitigation. MFA should be mandated for all administrative accounts, including those used to manage VMware vCenter, domain controllers, and ADFS. It should also be required for any form of remote access into the network, such as VPNs. Implementing MFA on RDP sessions for administrators, where possible, provides a strong defense against this specific lateral movement technique. This ensures that even if an attacker compromises a password or service account credential, they cannot use it to access critical systems without a second factor, effectively stopping the attack chain.


Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

BRICKSTORM, CISA, NSA, PRC, China, State-Sponsored, Backdoor, VMware, Threat Actor