CISA and NSA Warn of BRICKSTORM Backdoor Targeting VMware vCenter and Windows Systems
CISA, NSA, and the Canadian Centre for Cyber Security have updated their advisory on BRICKSTORM, a sophisticated backdoor used by PRC state-sponsored actors to maintain persistent access to VMware vCenter and Windows environments.
CISA, the NSA, and the Canadian Centre for Cyber Security have issued an updated joint advisory on BRICKSTORM, a sophisticated malware backdoor linked to People's Republic of China (PRC) state-sponsored cyber actors. The advisory was updated on February 11, 2026, to include analysis, indicators of compromise (IOCs), and detection signatures for a newly identified variant of the malware.
What BRICKSTORM Does
BRICKSTORM is designed to provide long-term, stealthy persistent access to compromised infrastructure. The backdoor targets VMware vCenter, VMware ESXi, VMware Aria Automation Orchestrator, and Windows environments. Once inside, threat actors have used their vCenter management console access to:
- Steal cloned virtual machine snapshots for credential extraction
- Create hidden, rogue virtual machines on compromised hypervisor hosts
- Maintain covert command-and-control (C2) channels
For C2 communications, BRICKSTORM uses multiple layers of encryption — HTTPS, WebSockets, and nested Transport Layer Security (TLS) — to conceal its traffic and evade network-based detection.
Targets and Timeline
According to the advisory, PRC state-sponsored actors used BRICKSTORM for persistent access across victim organizations from at least April 2024 through at least September 3, 2025. Targeted sectors include Government Services and Facilities, and Information Technology, which points to an intelligence-gathering motivation rather than opportunistic financial crime.
Recommended Mitigations
CISA, NSA, and the Canadian Centre for Cyber Security urge organizations running VMware infrastructure and Windows environments to apply the IOCs and detection signatures published in the joint Malware Analysis Report. Key steps include auditing vCenter environments for unauthorized VM snapshots, reviewing access logs for anomalous management console activity, and applying all available VMware security patches.
The full Malware Analysis Report (ar25-338a) is available directly on the CISA website.
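The audit steps above, as an added PowerCLI example that is not part of the advisory or the article: it lists current snapshots and pulls the vCenter event stream for snapshot creation and VM creation, cloning or registration, flagging actions by accounts outside an allow-list. The vCenter hostname, the allow-list and the lookback window are constructed placeholders; the event classes and the snapshot task description id are the standard vSphere API names.

```powershell
# Added defender example (not from the advisory or the article).
# Audits a vCenter for the two artefacts the advisory names: unexpected VM
# snapshots and unexpected VM creation/registration. Values below are constructed.
param(
    [string]$VCenter    = 'vcsa.example.internal',                        # constructed
    [string[]]$Approved = @('VSPHERE.LOCAL\backup-svc', 'CORP\vmware-admins'),  # constructed allow-list
    [int]$Days          = 30
)

Import-Module VMware.PowerCLI
Connect-VIServer -Server $VCenter | Out-Null
$since = (Get-Date).AddDays(-$Days)

# 1. Every snapshot currently present, oldest first. Snapshots nobody scheduled,
#    particularly on domain controllers or other credential stores, match the
#    "cloned snapshot for credential extraction" pattern.
Get-VM | Get-Snapshot |
    Sort-Object Created |
    Select-Object @{n='VM';e={$_.VM.Name}}, Name, Created, SizeGB, Description |
    Format-Table -AutoSize

# 2. Pull the event stream once and keep snapshot tasks plus VM create/clone/register events.
$events = Get-VIEvent -Start $since -MaxSamples 200000
$interesting = $events | Where-Object {
    ($_ -is [VMware.Vim.TaskEvent] -and $_.Info.DescriptionId -eq 'VirtualMachine.createSnapshot') -or
    $_ -is [VMware.Vim.VmCreatedEvent] -or
    $_ -is [VMware.Vim.VmClonedEvent] -or
    $_ -is [VMware.Vim.VmRegisteredEvent]
}

# 3. Flag actions by accounts outside the allow-list; those rows are the ones
#    to reconcile against change tickets and the hypervisor hosts' own inventories.
$interesting |
    Select-Object CreatedTime, UserName,
        @{n='Type';e={$_.GetType().Name}},
        @{n='VM';e={$_.Vm.Name}},
        @{n='Flag';e={ if ($Approved -notcontains $_.UserName) { 'REVIEW' } else { '' } }} |
    Sort-Object CreatedTime |
    Format-Table -AutoSize

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run it from a host with PowerCLI installed and read-only vCenter credentials; a REVIEW row is a prompt to check the change record, not proof of compromise.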