    CISA, NSA, and Canadian Cyber Centre update Brickstorm analysis with new Rust-based variants

    The U.S. Cybersecurity and Infrastructure Security Agency, the National Security Agency, and the Canadian Centre for Cyber Security have updated the Malware Analysis Report on the Brickstorm backdoor, adding new indicators of compromise and detection signatures for three additional Brickstorm samples. The update details newly identified variants, including Rust-based samples, which exhibit advanced persistence and defense evasion techniques such as operating as background services, along with more robust command and control functionality using encrypted WebSocket connections.

    In a second December advisory, the agencies introduced two new YARA-based detection signatures, providing organizations with an improved capability to detect and track Brickstorm-related activity, and added indicators of compromise and detection signatures for three additional Brickstorm samples. Organizations are advised to use the published indicators and detection signatures to identify potential BRICKSTORM infections. If Brickstorm, similar malware, or related suspicious activity is detected, the incident should be reported immediately to CISA, the Cyber Centre, or other required authorities.

    CISA analyzed 11 Brickstorm samples obtained from victim organizations, including an organization where CISA conducted an incident response engagement. The agency initially analyzed eight samples, and the Dec. 19, 2025, update includes analysis of three additional samples. 

    At the victim organization where CISA conducted an incident response engagement, PRC state-sponsored cyber actors gained long-term persistent access to the organization’s internal network in April 2024 and uploaded Brickstorm malware to an internal VMware vCenter server. They also gained access to two domain controllers and an Active Directory Federation Services (ADFS) server. They compromised the ADFS server and exported cryptographic keys. These hackers used Brickstorm for persistent access from at least April 2024 through at least Sept. 3, 2025.

    The advisory said Brickstorm is a custom Executable and Linkable Format (ELF) backdoor written in Go or Rust, with eight of the originally analyzed samples built in Go and two of the three newly added samples from the Dec. 19, 2025, update written in Rust. The analyzed samples differ in function, but all enable cyber actors to maintain stealthy access and provide capabilities for initiation, persistence, and secure command and control (C2).

    Although the analyzed samples were for VMware vSphere environments, there is also reporting about Windows versions. Brickstorm starts by running checks and maintains persistence through a self-watching function that automatically reinstalls or restarts it if disrupted.

    The advisory identified that all analyzed samples enable cyber actors to maintain stealthy access and provide capabilities for environment configuration (initiation), persistence, and secure C2. “While initiation and persistence functions are similar across the samples, the secure C2 function varies. Brickstorm uses custom handlers to set up a SOCKS proxy, create a web server on the compromised system, and execute commands on the compromised system.” 

    It added that samples 7 and 8 were designed to work in virtualized environments, using a virtual socket (VSOCK) interface to enable inter-VM communication, facilitate data exfiltration, and maintain persistence. Most samples used Exclusive OR (XOR) cipher encryption to hide key strings, such as the Internet Protocol version 4 (IPv4) addresses of public DoH servers, within their code.
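    The XOR-obscured IPv4 strings described above can be recovered for triage by trying every single-byte key over a binary and searching the result for dotted-quad literals. This is an added illustration, not code from the advisory: the sample blob, the key 0x5A and the RFC 5737 documentation addresses are constructed, and a single-byte key is an assumption, since the report does not state the key length.

```python
import re

# Constructed sample, not from the advisory: a fake blob embedding two IPv4
# strings (RFC 5737 documentation ranges) XOR-encoded with single-byte key 0x5A.
KEY = 0x5A
PLAINTEXT_IPS = [b"198.51.100.7", b"203.0.113.25"]

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (assumed cipher form; a multi-byte
    key would additionally need a key-length search)."""
    return bytes(b ^ key for b in data)

SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9          # fake ELF ident, padding
    + b"\x00" * 8
    + xor_bytes(PLAINTEXT_IPS[0], KEY) + b"\x00" * 4
    + b"garbage bytes"
    + xor_bytes(PLAINTEXT_IPS[1], KEY) + b"\x00" * 8
)

# Dotted quad, each octet 0..255, not embedded in a longer run of digits/dots.
OCTET = rb"(?:25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])"
IPV4_RE = re.compile(rb"(?<![0-9.])" + OCTET + rb"(?:\." + OCTET + rb"){3}(?![0-9.])")

def find_xor_ipv4(blob: bytes) -> dict:
    """Try all 256 single-byte keys; return {key: sorted IPv4 strings} for every
    key under which the decoded bytes contain an IPv4 literal. Key 0 is the
    plaintext pass, so unencoded addresses are reported as well."""
    hits = {}
    for key in range(256):
        decoded = xor_bytes(blob, key)
        ips = sorted({m.decode() for m in IPV4_RE.findall(decoded)})
        if ips:
            hits[key] = ips
    return hits

if __name__ == "__main__":
    for key, ips in find_xor_ipv4(SAMPLE_BLOB).items():
        print(f"key 0x{key:02x}: {', '.join(ips)}")
```

On a real sample, read the file bytes and pass them to find_xor_ipv4; keys that reveal well-formed addresses are candidates for the string-obfuscation key.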

    Upon execution, Brickstorm runs checks and can reinstall and restart itself to maintain persistence. Brickstorm initiates a function to configure environment variables specific to the compromised environment, enabling it to operate effectively. Following this, Brickstorm identifies if it is already in its intended state and proceeds to continue running, copy itself for execution, or terminate. 

    Brickstorm uses an environment variable check to determine whether it is running in its intended state. Each sample looks for a specific environment variable to assess whether it is executing as a child process. If the variable is set, indicating child process execution, Brickstorm proceeds with normal code execution. If the variable is not set, the malware checks its execution context by attempting to load file contents from predefined paths.

    The advisory mentioned that Brickstorm also performs file path validation and self-copying to establish persistence. When the malware confirms it is running from a validated path, it copies itself to a designated location using a specific file name. The parent Brickstorm process then modifies the PATH environment variable by appending the copied file’s directory, ensuring the new instance is executed first if commands or processes attempt to run VMware vSphere. The parent process subsequently launches the copied Brickstorm instance with the required environment variable set in the child process context and then terminates itself. If Brickstorm determines it is not running from a validated path, it immediately exits.

    To ensure its continued operations, Brickstorm uses built-in self-monitoring and persistence capabilities while running. Specifically, it has a built-in self-watching function to maintain persistence. The function monitors if Brickstorm is running correctly and, if not, Brickstorm reinstalls and executes itself, mirroring its initiation capabilities. The self-watching function begins by checking a specific environment variable to confirm whether Brickstorm is running as an active process. If the check returns a false value (indicating the variable is not set), Brickstorm assumes it is not running properly. In response, Brickstorm re-installs itself from the predefined file path to a new location. 

    Brickstorm then updates the PATH environment variable to include the new file location, ensuring the newly copied backdoor file is executed first. Subsequently, the parent instance terminates its own execution, allowing the new process to take over. If the initial checks confirm that Brickstorm is running as intended (the variable is set), the self-watcher function allows the code to continue its operations.
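    A defender's counterpart to the PATH manipulation described above is to audit PATH in resolution order for command names that a directory outside the trusted system locations supplies ahead of the legitimate copy. This is an added example, not code from the advisory; the directory layout and the tool name example-vsphere-tool are constructed inside a temporary directory.

```python
import os
import tempfile
from typing import Dict, Iterable, List, Tuple

def executables_in(directory: str) -> set:
    """Names of regular, executable files directly inside `directory` (empty if absent)."""
    try:
        names = os.listdir(directory)
    except (FileNotFoundError, NotADirectoryError, PermissionError):
        return set()
    return {n for n in names
            if os.path.isfile(os.path.join(directory, n))
            and os.access(os.path.join(directory, n), os.X_OK)}

def find_shadowed_commands(path_value: str, trusted: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Walk PATH in the order the shell resolves it. Report (command, winning_dir,
    shadowed_trusted_dir) whenever a directory outside `trusted` supplies a name
    that a later trusted directory also supplies: the untrusted copy would run."""
    trusted_set = {os.path.normpath(t) for t in trusted}
    first_seen: Dict[str, str] = {}
    findings = []
    for entry in filter(None, path_value.split(os.pathsep)):
        entry = os.path.normpath(entry)
        for name in executables_in(entry):
            if name not in first_seen:
                first_seen[name] = entry
            elif first_seen[name] not in trusted_set and entry in trusted_set:
                findings.append((name, first_seen[name], entry))
    return sorted(findings)

def demo() -> List[Tuple[str, str, str]]:
    """Constructed layout: a staging dir placed ahead of the trusted bin dir holds
    a file named like a legitimate tool that also lives in the trusted dir."""
    root = tempfile.mkdtemp()
    staging = os.path.join(root, "staging")
    trusted_bin = os.path.join(root, "usr", "bin")
    layout = {staging: ["example-vsphere-tool"],
              trusted_bin: ["example-vsphere-tool", "ls"]}
    for directory, names in layout.items():
        os.makedirs(directory)
        for n in names:
            p = os.path.join(directory, n)
            with open(p, "w") as fh:
                fh.write("#!/bin/sh\n")
            os.chmod(p, 0o755)
    return find_shadowed_commands(os.pathsep.join([staging, trusted_bin]), trusted=[trusted_bin])

if __name__ == "__main__":
    for name, winner, shadowed in demo():
        print(f"{name}: resolves to {winner}, shadowing {shadowed}")
```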

    After completing its initialization checks, Brickstorm connects to a command-and-control server, secures its communications, and grants threat actors full control of the compromised system. This access includes file system manipulation and interactive shell capabilities. Most samples also deploy a SOCKS proxy to support tunneling and lateral movement. The exact implementation of these functions varies by sample.

    For U.S. organizations, if BRICKSTORM, similar malware, or potentially related activity is detected, CISA and the National Security Agency urge reporting in accordance with applicable laws and policies. 

    To allow CISA to provide tailored incident response support and develop a comprehensive understanding of the activity, organizations should immediately report findings through CISA’s 24/7 Operations Center at [email protected], by calling 1-844-Say-CISA, or via CISA’s Incident Reporting System, clearly noting that the activity is related to BRICKSTORM so that CISA can follow up with next steps. Organizations are also encouraged to submit a file containing the malicious code using CISA’s Malware Analysis Submission Form and to include the CISA-provided incident ID number, obtained during initial reporting, in the Open Incident ID field.

    Canadian organizations are advised to report incidents by emailing the Canadian Centre for Cyber Security at [email protected] or by submitting details online through the Cyber Centre’s ‘Report a Cyber Incident’ reporting tool.

    The advisory called upon organizations to implement a set of mitigations to strengthen their cybersecurity posture in response to the observed threat activity. These measures align with the cross-sector Cybersecurity Performance Goals 2.0 developed by CISA and the National Institute of Standards and Technology (NIST), which define a minimum baseline of practices and protections that all organizations are encouraged to adopt. The goals draw on established cybersecurity frameworks and guidance to address the most common and impactful threats, tactics, techniques, and procedures. 

    Specifically, organizations are advised to upgrade VMware vSphere servers to the latest versions and harden vSphere environments by following VMware’s published guidance, including recommendations related to logging and system hardening. Asset owners should maintain a comprehensive inventory of all network edge devices and closely monitor these systems for suspicious outbound connectivity. Proper network segmentation should be enforced to restrict traffic between the demilitarized zone (DMZ) and internal networks, and Remote Desktop Protocol (RDP) and Server Message Block (SMB) access from the DMZ to internal systems should be disabled.

    The agencies also recommend applying the principle of least privilege by limiting service account permissions to only what is strictly required and increasing monitoring of service accounts, which often hold elevated privileges and exhibit predictable behavior patterns. In addition, organizations should block unauthorized DNS over HTTPS (DoH) providers and external DoH traffic to reduce the risk of unmonitored or covert communications.
