
Brickstorm malware: Chinese-linked hackers breach US and Canada networks, raising sabotage fears

Chinese-linked hackers exploited Brickstorm malware to infiltrate US and Canadian networks, raising fears of long-term espionage and potential sabotage. Learn how organizations can protect their infrastructure.


On December 4, 2025, U.S. and Canadian cybersecurity agencies jointly issued a warning that hackers linked to China used Brickstorm malware to infiltrate and maintain long-term access to sensitive government and IT networks — raising serious concerns about potential sabotage and cyber-espionage.

This revelation marks a significant escalation in global cyber threats: the attackers not only stole credentials and sensitive data, they also embedded persistent backdoors that could be used for disruption or sabotage, not only for intelligence gathering.

In this article, we unpack what Brickstorm is, how the attack unfolded, why it matters, and what organizations around the world must do to defend themselves.

What is Brickstorm malware?

  • Brickstorm is a state-grade backdoor: malware whose purpose is long-term, stealthy access to a targeted IT environment rather than a quick data grab.
  • It is designed to work across multiple platforms and environments: it has been deployed against virtualization infrastructure (notably VMware vSphere, vCenter and ESXi systems) as well as on Windows servers, giving attackers a way into both virtualized environments and traditional data centers.
  • The attack chain built around Brickstorm lets adversaries create hidden or rogue virtual machines (VMs), for example by registering a VM directly on an ESXi host so that it never appears in the vCenter inventory; clone sensitive VMs such as domain controllers and extract credentials from the cloned disks offline, without touching the running guest; and compromise domain controllers and directory services. From there they obtain cryptographic keys, escalate privileges, and secure persistent control.
  • Brickstorm is also built to survive disruption: the reporting describes persistence that restarts or reinstalls the backdoor if it is stopped, so killing a process or deleting a single file does not eradicate it.

Brickstorm is therefore not a virus in the conventional sense but a full-featured advanced persistent threat (APT) backdoor, engineered for stealth, resilience, and long-term control.

The intrusion: scope, duration, and targets

A deep, long-term breach

According to the alert by the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Canadian Centre for Cyber Security (CCCS), the hackers gained access to one victim's network in April 2024 and maintained that access through at least September 3, 2025.

For that organization, that is more than 17 months of undetected presence. Across the multiple incidents CISA officials described, the average dwell time (the period the attackers remained undetected) was 393 days.

Who was targeted — and who might be at risk

So far, identified victims include “government services and IT-sector organizations.”

But the scope is likely broader: security researchers and agencies warn that Brickstorm may have been deployed against a wide variety of industries, including legal services, software-service providers, business-process outsourcers (BPOs), and technology companies.

Because many organizations worldwide rely on virtual machines, cloud infrastructure, or virtualization platforms such as VMware vSphere — and because Brickstorm can target these systems — the potential pool of at-risk organizations is very large.

Moreover, given how the attackers reportedly moved laterally (stealing domain credentials, accessing directory services and cryptographic keys, cloning virtual machines), the compromise of one organization can serve as a pivot point into partner firms, clients, or supply-chain associates.

Undisclosed victims — danger of hidden scope

Importantly: the advisory did not publicly name the affected organizations or fully disclose the number of victims. CISA officials declined to reveal how many government bodies, critical infrastructure operators, or IT service providers were impacted.

Security analysts suggest this doesn’t mean the problem is small — on the contrary: “Dozens” of organizations in the U.S. alone are believed to have been affected, not counting downstream victims.

The true scale of the attack therefore remains unknown, which makes it difficult for affected parties, customers, partners, or the public to assess the full damage.

Why Brickstorm matters — threat beyond espionage

Many cyberattacks linked to foreign state-sponsored actors are framed as espionage — harvesting sensitive data, stealing intellectual property, or gathering intelligence. But Brickstorm represents something more dangerous: persistent access and potential sabotage.

Persistent access + deep privilege = sabotage potential

Because the malware sits at the virtualization-infrastructure layer and its operators compromise domain controllers and VMs, those operators can reach large swaths of a network. They might:

  • disrupt operations by deleting or corrupting VMs or data
  • disable or manipulate key services (e.g., authentication, directory services, VPNs)
  • exfiltrate sensitive data silently over months or years
  • stealthily deploy further malware or ransomware, or create hidden back doors for future use

According to the advisory, the intent may not just be data theft — but also enabling future disruption or sabotage when politically advantageous.

Supply-chain ripple effects

Because many organizations rely on cloud services, virtual machines, or outsourcing providers — and many smaller companies are downstream clients of larger IT firms — a compromise at one major service provider can yield access to dozens or hundreds of downstream organizations.

Security analysts warn that Brickstorm is particularly dangerous because it targets virtualization infrastructure and “edge devices,” often poorly monitored, poorly inventoried, or left out of conventional security scans.

Thus, Brickstorm doesn’t just threaten individual networks — it threatens entire ecosystems of interdependent companies, customers, and infrastructure clients.

Who discovered it — and how the world is reacting

Joint alert by major cyber agencies

The warning about Brickstorm was issued jointly by CISA, NSA, and the Canadian Centre for Cyber Security. This coordinated alert reflects the seriousness of the threat.

The advisory was based on analysis of eight distinct Brickstorm samples recovered from victim organizations.

In at least one confirmed incident, the attackers gained access in April 2024, infiltrated a VMware vCenter server, compromised directory services (domain controllers, ADFS), exported cryptographic keys, and kept persistent access through September 2025.

Other victims remain undisclosed — but security firms estimate “dozens” of organizations in the U.S. have been impacted, with many more downstream victims possible.

Response from the affected software vendor

Broadcom, the parent company of VMware, acknowledged the reports of Brickstorm-based attacks. Its statement stressed that customers are responsible for keeping software patched and for operational security, in effect telling users to patch and audit their environments.

Official denial from China

A spokesperson for the Embassy of the People’s Republic of China, Washington D.C. rejected the allegations, stating China does not encourage, support, or condone cyber attacks; the spokesperson called the claims “irresponsible assertions” and said no factual evidence was presented.

That denial follows a familiar pattern of state-cyber accusations — raising diplomatic tensions and uncertainty about attribution and evidence for outside observers.

Background: how Brickstorm fits into a broader pattern of cyber-espionage

The emergence of Brickstorm should not be viewed as an isolated case. Rather, it appears to be part of a sustained — and increasingly sophisticated — campaign of cyber-espionage and infrastructure infiltration by Chinese-linked threat actors.

  • Over the past few years, there have been multiple warnings about Chinese-linked hacking groups targeting telecom networks, critical infrastructure, cloud providers, and service-provider ecosystems.
  • For example, earlier in 2025, other campaigns exploiting zero-day vulnerabilities (such as in widely used collaboration platforms) were reported.
  • Security researchers say what distinguishes the Brickstorm campaign is a more evolved tradecraft: these are not opportunistic attacks, but state-sponsored efforts investing significant resources to understand virtualization, identity fabrics, cloud dependencies, and supply-chain relationships.
  • By compromising fundamental infrastructure (virtualization stacks, directory services, cloud-VM environments), attackers gain long-term, broad, stealthy surveillance — enabling both current espionage and future disruptive options.

In that sense, Brickstorm is a continuation — but also an escalation — of a long-term shift in cyber operational strategy: from opportunistic intrusions to deeply embedded, persistent infrastructure-level compromise.

What organizations should do now — urgent mitigation & defenses

In light of the Brickstorm revelation, cybersecurity experts recommend immediate, comprehensive action for organizations using virtualization platforms, cloud environments, or outsourced IT services. Key steps include:

  • Inventory and audit all virtualization infrastructure: identify every VMware vSphere / vCenter / ESXi server, as well as any Windows servers or VM hosts, and compare what each ESXi host reports against the vCenter inventory so that a VM registered only on a host does not go unnoticed. Brickstorm targets these systems directly.
  • Apply all pending patches and updates for VMware products and related software — many exposures rely on unpatched vulnerabilities or misconfigurations. Vendors, such as Broadcom, emphasize that patching and operational security are the customer’s responsibility.
  • Use threat-detection tools and run forensic scans: the agencies have released indicators of compromise (IOCs) associated with Brickstorm, and scanning for them can surface a latent backdoor before it is used.
  • Segment and isolate critical systems — reduce the risk of lateral movement by limiting administrative privileges, restricting network access between segments, and isolating sensitive infrastructure (e.g., domain controllers, virtualization hosts).
  • Monitor and log directory services, VM creation/changes, and authentications — because Brickstorm attackers reportedly compromised domain controllers, exported cryptographic keys, and impersonated services, thorough logging and monitoring is crucial.
  • Review supply-chain and partner risks — given that many targets may be third-party service providers or vendors supporting multiple clients, organizations should treat their vendors as potential risk points and require them to comply with strict security standards.
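The inventory-reconciliation and VM-event monitoring steps above, together with the VM-level tradecraft described earlier (rogue VMs, cloning domain controllers to harvest credentials), lend themselves to a concrete hunting check. The script below is an added example written for this article; it is not code from the advisory, from Broadcom, or from the agencies. The inventories, event records, host/VM/user names and the administrator allow-list are all constructed sample data; in practice the vCenter list would come from the vCenter API and the per-host lists from each ESXi host (for example `vim-cmd vmsvc/getallvms`). The event type names follow vSphere's naming (VmCreatedEvent, VmClonedEvent, VmRegisteredEvent), but the record layout is simplified.

```python
"""Hunt for rogue VMs and suspicious VM lifecycle events in a vSphere estate.

Added example for this article (not code from the advisory or any vendor).
All inventories, events and names below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed: what vCenter believes exists (pulled from the vCenter API in practice).
VCENTER_INVENTORY: Set[str] = {"dc01", "dc02", "adfs01", "app01", "app02"}

# Constructed: what each ESXi host itself reports (vim-cmd vmsvc/getallvms in practice).
# "tmp-backup-7" is registered directly on esxi-02 and never appears in vCenter.
ESXI_INVENTORY: Dict[str, Set[str]] = {
    "esxi-01": {"dc01", "adfs01", "app01"},
    "esxi-02": {"dc02", "app02", "tmp-backup-7"},
}

# VMs whose disks carry credential material (NTDS.dit, ADFS token-signing keys).
# Cloning one of these lets an attacker mine credentials offline.
SENSITIVE_VMS: Dict[str, str] = {
    "dc01": "domain controller",
    "dc02": "domain controller",
    "adfs01": "ADFS server",
}

# Assumption: an allow-list of accounts expected to create or clone VMs.
APPROVED_VM_ADMINS: Set[str] = {"VSPHERE.LOCAL\\backup-svc", "CORP\\vm-admin"}


@dataclass(frozen=True)
class VmEvent:
    """Simplified VM lifecycle event (real vSphere events carry more fields)."""
    event_type: str          # e.g. VmCreatedEvent, VmClonedEvent, VmRegisteredEvent
    vm: str                  # the VM the event is about (for clones: the new copy)
    user: str                # account that performed the action
    host: str                # ESXi host where it happened
    source_vm: Optional[str] = None   # for VmClonedEvent: the VM that was cloned


# Constructed sample events, in the order they were logged.
SAMPLE_EVENTS: List[VmEvent] = [
    VmEvent("VmCreatedEvent", "app02", "CORP\\vm-admin", "esxi-02"),
    VmEvent("VmClonedEvent", "dc01-copy", "CORP\\jdoe", "esxi-01", source_vm="dc01"),
    VmEvent("VmRegisteredEvent", "tmp-backup-7", "root", "esxi-02"),
    VmEvent("VmClonedEvent", "app01-test", "VSPHERE.LOCAL\\backup-svc", "esxi-01",
            source_vm="app01"),
    VmEvent("VmCreatedEvent", "scratch-9", "CORP\\jdoe", "esxi-02"),
]


def find_rogue_vms(vcenter: Set[str], esxi_by_host: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Return {host: [vm, ...]} for VMs a host reports that vCenter does not know about."""
    rogue: Dict[str, List[str]] = {}
    for host, vms in esxi_by_host.items():
        hidden = vms - vcenter
        if hidden:
            rogue[host] = sorted(hidden)
    return rogue


def triage_events(events: List[VmEvent],
                  sensitive: Dict[str, str] = SENSITIVE_VMS,
                  approved: Set[str] = APPROVED_VM_ADMINS) -> List[str]:
    """Turn VM lifecycle events into prioritized alert strings.

    HIGH:   a credential-bearing VM was cloned (offline credential theft pattern).
    MEDIUM: a VM was created or cloned by an account outside the allow-list, or a
            VM was registered straight onto a host (check it shows up in vCenter).
    """
    alerts: List[str] = []
    for e in events:
        if e.event_type == "VmClonedEvent" and e.source_vm in sensitive:
            alerts.append(f"HIGH: {sensitive[e.source_vm]} {e.source_vm} cloned to "
                          f"{e.vm} by {e.user} on {e.host}")
        elif e.event_type in {"VmCreatedEvent", "VmClonedEvent"} and e.user not in approved:
            alerts.append(f"MEDIUM: {e.event_type} for {e.vm} by non-approved "
                          f"account {e.user} on {e.host}")
        elif e.event_type == "VmRegisteredEvent":
            alerts.append(f"MEDIUM: {e.vm} registered directly on {e.host} by {e.user}; "
                          f"confirm it is present in the vCenter inventory")
    return alerts


if __name__ == "__main__":
    for host, vms in find_rogue_vms(VCENTER_INVENTORY, ESXI_INVENTORY).items():
        print(f"ROGUE: {host} hosts VMs unknown to vCenter: {', '.join(vms)}")
    for line in triage_events(SAMPLE_EVENTS):
        print(line)
```

Run against real data, the two checks complement each other: the inventory diff catches a VM that was registered on a host after the fact, while the event triage catches the clone of a domain controller even when the clone was deleted again minutes later and no longer shows up in any inventory. Both depend on vCenter and ESXi logs being shipped off the hosts to a collector the attacker cannot reach from the hypervisor layer.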

In short: treat this not just as a one-off “patch now” warning, but as a wake-up call for long-term security posture, supply-chain hygiene, and infrastructure hardening.

Broader implications — geopolitics, infrastructure security, and the new cyber-era

The Brickstorm disclosures have ramifications beyond individual organizations: they reflect a shifting landscape in global cyber competition and highlight growing vulnerabilities of modern tech infrastructure.

Nation-state cyber operations become infrastructure-level

Historically, cyber-espionage often meant hacking endpoints or stealing data from user machines, networks, or cloud services. With Brickstorm, attackers are compromising infrastructure layers — virtualization platforms, hypervisors, directory services — giving them deeper control over entire IT ecosystems.

That means in a conflict scenario, a state actor could — in principle — disrupt essential services, cripple governments, or disable critical industries, rather than merely spying.

Supply-chain and third-party risk rise in prominence

As organizations outsource more IT operations — using cloud providers, virtualization, third-party managed-service providers (MSPs), BPOs — supply-chain risk becomes not just a compliance issue, but a security crisis. A single exploited vendor can open backdoors into dozens or hundreds of client networks. The Brickstorm campaign seems to exploit exactly this dynamic.

Need for global collaboration, transparency, and defensive readiness

The joint advisory by U.S. and Canadian agencies underscores the importance of international cooperation when dealing with global cyber threats. But the fact that victims remain unnamed — and that detection often lags infiltration by months or years — shows how far defense strategies must evolve.

Cybersecurity must become a continuous, proactive process, not reactive. Organizations need to assume that intrusion may already have occurred, and invest in detection, isolation, and hardening — not just patching.

Diplomatic and geopolitical fallout

Attribution of such attacks carries diplomatic weight. The public denial by the Chinese embassy is typical, but such revelations add to deepening mistrust between nations. If further investigations reveal sensitive targets (governments, infrastructure, telecoms), these events may influence international relations, trade, and national security postures.

Conclusion: Brickstorm is a red flag for a new era of cyber threats

The discovery and public disclosure of Brickstorm malware — used by Chinese-linked hackers to infiltrate government and IT networks in the U.S. and Canada — should serve as a wake-up call for organizations worldwide. This isn’t just another phishing scam or ransomware wave. It’s an infrastructure-level, stealthy, persistent backdoor with real potential for sabotage, data theft, or disruption.

Organizations using virtualization, cloud, or third-party IT services — especially those in critical sectors like government, telecom, legal, and IT services — should immediately review their security posture, apply patches, audit their infrastructure, scan for threats, and strengthen network segmentation and monitoring.

At the same time, the global community must recognize that cyber-conflict is evolving. The threats are no longer limited to individual systems — they target the very backbone of modern IT infrastructure. As the digital world becomes more interconnected and more dependent on cloud and virtualization, such threats will only grow. Vigilance, cooperation, and robust cybersecurity hygiene are no longer optional — they are essential.
