The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has once again updated its Brickstorm Backdoor Malware Analysis Report, developed in coordination with the National Security Agency and the Canadian Centre for Cyber Security. The revised report adds technical analysis and detection signatures for a newly identified Brickstorm variant that leverages .NET Native Ahead-of-Time compilation, increasing its versatility and complicating detection efforts. The update delves into the variant’s functionality and offers new YARA rules to support detection.
Like earlier Brickstorm samples, the new variant includes initiation routines and secure command-and-control functionality that rely on multiple layers of encryption to conceal communications. However, unlike prior versions, it lacks built-in self-monitoring mechanisms designed to maintain persistence on compromised systems. CISA urges organizations using VMware vSphere, especially those in the government services and facilities and IT sectors, to review the updated MAR and implement mitigation measures.
Brickstorm is a custom Executable and Linkable Format backdoor written in Go or Rust. Of the originally analyzed samples, eight were Go-based, while two of the three newly identified samples in the Dec. 19, 2025, update are Rust-based. Although the samples vary in functionality, all provide threat actors with stealthy access, including capabilities for initiation, persistence, and secure command and control. While the analyzed samples targeted VMware vSphere environments, reporting indicates that Windows variants also exist.
Brickstorm initiates by conducting system checks and maintains persistence through a self-monitoring function that automatically reinstalls or restarts the malware if it is disrupted. For command and control, it employs multiple layers of encryption, including HTTPS, WebSockets, and nested TLS, to conceal communications with its C2 server. The malware also uses DNS-over-HTTPS and mimics legitimate web server traffic to evade detection. Once active, it grants attackers interactive shell access, enabling them to browse, upload, download, create, delete, and manipulate files. Some variants also function as a SOCKS proxy, supporting lateral movement and facilitating the compromise of additional systems.
CISA analyzed 12 Brickstorm samples obtained from victim organizations, including one where the agency conducted an incident response engagement. CISA initially examined eight samples, added analysis of three more in an update last December, and included one additional sample in the latest update.
At the affected organization where CISA led incident response efforts, PRC state-sponsored cyber actors gained long-term persistent access to the internal network in April 2024 and deployed Brickstorm malware to an internal VMware vCenter server. The actors also accessed two domain controllers and an Active Directory Federation Services server, successfully compromising the ADFS server and exporting cryptographic keys. Brickstorm was used to maintain persistent access from at least April 2024 through at least Sept. 3, 2025.
Having analyzed one additional BRICKSTORM sample (Sample 12) obtained from a trusted third party, CISA said that this sample is a different variant from the other samples. “Sample 12 is a new variant of BRICKSTORM created from a .NET application using native ahead-of-time (AOT) compilation. Leveraging native AOT compilation enhances the variant’s versatility and evasion capabilities because the compiled application is a standalone binary that does not require the .NET runtime to run. All its dependencies (including runtime) are linked together, and it can run on all compatible systems, and the binary blends in better with legitimate software than .NET executables.”
The post added that, like the other Brickstorm samples, the variant has initiation and secure C2 capabilities. These capabilities use multiple layers of encryption, including HTTPS, WebSockets, and nested TLS, to hide communications with the cyber actors’ C2 domain. However, unlike the other samples, this variant lacks built-in self-monitoring capabilities designed for persistence.
CISA said that, upon execution, Brickstorm Sample 12 performs a series of environmental checks, including loading system libraries, configuring memory safety, and managing threads and signals. “Then, it checks and configures environment variables specific to the compromised environment. Unlike the other samples that this MAR analyzes, Sample 12 does not copy itself. Instead, it spawns a new child process that runs in the background, making it harder to detect.”
Sample 12 checks the DAEMONIZED environment variable to determine whether it is running as a child process and therefore operating in its intended state. If the variable is set, indicating it is already running as a child process, it proceeds with execution. If the variable is not set, meaning it is not yet running in its intended state, the malware verifies its current execution path, creates a new background session, spawns a child process to continue execution while the original parent process terminates, and renames the child process before re-executing itself under that name. The name ‘sqiud’ is hard-coded and intentionally mimics the legitimate squid proxy service with a deliberate misspelling.
After re-executing, Sample 12 attempts to open /dev/null and redirects the child process’s standard input, output, and error streams to it, preventing terminal output and avoiding prompts for user input.
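As an added defender-side example (not part of the CISA report or the Brickstorm sample itself), the following Python script walks /proc on a Linux host and flags processes showing the daemonization traits described above: the misspelled ‘sqiud’ name, a DAEMONIZED environment variable, and a detached background session whose standard streams point at /dev/null under a name that does not match its executable. The /proc parsing and the scoring rules are this example’s own design; the detached-session check will also match some legitimate daemons and is meant as a triage filter, not a verdict.

```python
import os
from collections import namedtuple

# pid/ppid/sid come from /proc/<pid>/stat; comm is the process name (renamable, cut at 15
# chars); exe is readlink of /proc/<pid>/exe; environ is parsed; stdio = targets of fds 0-2
Proc = namedtuple("Proc", "pid ppid sid comm exe environ stdio")

def indicators(p: Proc) -> list:
    """Return the Sample 12 daemonization indicators this process matches (empty = none)."""
    hits = []
    if p.comm == "sqiud":
        hits.append("process name 'sqiud' (misspelled squid)")
    if "DAEMONIZED" in p.environ:
        hits.append("DAEMONIZED environment variable set")
    # Heuristic: session leader reparented to PID 1, all stdio on /dev/null, name != on-disk exe
    detached = p.sid == p.pid and p.ppid == 1 and all(t == "/dev/null" for t in p.stdio)
    if detached and p.exe and not os.path.basename(p.exe).startswith(p.comm):
        hits.append("detached background session under a name that differs from its exe")
    return hits

def _link(path: str) -> str:
    try:
        return os.readlink(path)
    except OSError:          # unreadable (other user's process) or already gone
        return ""

def read_proc(pid: int) -> Proc:
    """Build a Proc from a live /proc entry (Linux only)."""
    base = f"/proc/{pid}"
    stat = open(f"{base}/stat").read()
    comm = stat[stat.index("(") + 1:stat.rindex(")")]     # comm may contain spaces
    rest = stat[stat.rindex(")") + 1:].split()              # state ppid pgrp session ...
    try:
        raw = open(f"{base}/environ", "rb").read()
    except OSError:
        raw = b""
    env = dict(i.decode(errors="replace").partition("=")[::2] for i in raw.split(b"\0") if i)
    stdio = tuple(_link(f"{base}/fd/{n}") for n in range(3))
    return Proc(pid, int(rest[1]), int(rest[3]), comm, _link(f"{base}/exe"), env, stdio)

def hunt() -> dict:
    findings = {}
    for entry in filter(str.isdigit, os.listdir("/proc")):
        try:
            hits = indicators(read_proc(int(entry)))
        except OSError:      # process exited mid-scan or is not readable
            continue
        if hits:
            findings[int(entry)] = hits
    return findings
```

Run it as root so that /proc/<pid>/environ and /proc/<pid>/exe are readable for every process; any PID returned by hunt() deserves a look at its executable path and outbound connections.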
Sample 12 establishes a highly obfuscated command-and-control channel by connecting to a hard-coded IP address over port 443, encrypting traffic to blend in with normal web activity. It upgrades the connection from HTTPS to WebSockets, layers additional TLS encryption inside the session, and authenticates using a hard-coded key, marking the first observed reuse of infrastructure in this campaign.
Once authenticated, the malware creates a multiplexed, encrypted channel that supports multiple simultaneous streams, allowing threat actors to execute commands, manage files, and relay traffic through SOCKS and HTTP/HTTPS proxy functionality.
CISA, the NSA, and the Canadian Centre for Cyber Security are urging organizations to implement targeted mitigations to strengthen defenses in response to the threat actors’ activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals 2.0 (CPG 2.0) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures.
CISA urged organizations to upgrade VMware vSphere servers to the latest version in line with CPG 2.B. It also advised hardening VMware vSphere environments by following VMware’s published guidance on GitHub and recommended reviewing additional resources on logging and system hardening, including the report ‘From Help Desk to Hypervisor: Defending Your VMware vSphere Estate from UNC3944,’ aligned with CPGs.
Organizations are advised to take inventory of all network edge devices in accordance with CPGs and monitor them for suspicious outbound network connections. Proper network segmentation should be enforced to restrict traffic flowing from the DMZ to the internal network, consistent with CPGs. Remote Desktop Protocol and SMB traffic from the DMZ to the internal environment should be disabled.
CISA further recommended applying the principle of least privilege by limiting service accounts to only the permissions necessary for their function. Monitoring of service accounts should be increased, particularly because these accounts often have elevated privileges and predictable activity patterns, such as scheduled scans at fixed times. Finally, organizations should block unauthorized DNS over HTTPS providers and external DoH traffic to reduce the risk of unmonitored communications.
