The Cybersecurity and Infrastructure Security Agency (CISA), along with the National Security Agency (NSA) and Canadian Centre for Cyber Security (Cyber Centre), has released updated indicators of compromise (IOCs) and detection signatures for BRICKSTORM malware. <\/p>\n
The latest update, published on December 19, 2025, includes an analysis of three additional malware samples, bringing the total to 11 analyzed variants.<\/p>\n
BRICKSTORM is a sophisticated backdoor malware<\/a> attributed to People\u2019s Republic of China (PRC) state-sponsored cyber actors, who have been using it to maintain long-term persistence on compromised systems. <\/p>\n The malware primarily targets organizations in the\u00a0Government Services and Facilities\u00a0and\u00a0Information Technology sectors, with particular focus on VMware vSphere environments, including VMware vCenter servers and VMware ESXi platforms.<\/p>\n The malware represents a significant threat due to its advanced capabilities. BRICKSTORM is custom-built using\u00a0Go or Rust programming languages\u00a0and operates as an Executable and Linkable Format (ELF) backdoor. <\/p>\n The eight samples initially analyzed were Go-based, while two of the three newly added samples in the December 19 update are Rust-based, demonstrating the threat actors\u2019 evolving techniques.<\/p>\n According to the CISA joint advisory<\/a>, BRICKSTORM provides cyber actors with comprehensive system control. <\/p>\n The malware uses\u00a0multiple layers of encryption, including HTTPS, WebSockets, and nested Transport Layer Security (TLS), to conceal communications with command-and-control servers. <\/p>\n It also employs DNS-over-HTTPS (DoH) and mimics legitimate web server functionality to blend malicious traffic with regular network activity.<\/p>\n CISA conducted an incident response engagement for one victim organization in which PRC actors gained persistent access to the internal network in April 2024. The attackers uploaded BRICKSTORM to an internal VMware vCenter<\/a> server. <\/p>\n They compromised two domain controllers and an Active Directory Federation Services (ADFS) server, successfully exporting cryptographic keys. The malware provided\u00a0persistent access from at least April 2024 through September 2025.<\/p>\n Once deployed, BRICKSTORM grants threat actors interactive shell access, allowing them to browse, upload, download, create, delete, and manipulate files on compromised systems. <\/p>\n Some variants also function as\u00a0SOCKS proxies, facilitating lateral movement across networks and enabling compromise of additional systems.<\/p>\n CISA, NSA, and Cyber Centre strongly urge organizations to utilize the released IOCs and detection signatures, including YARA <\/a>and Sigma rules, to identify BRICKSTORM samples within their environments. <\/p>\n If BRICKSTORM or related activity is detected, organizations should immediately report incidents to CISA, Cyber Centre, or appropriate authorities.<\/p>\n The agencies have made downloadable copies of IOCs available in STIX format, along with Sigma detection rules in YAML format. Organizations can access these resources through CISA\u2019s official website to enhance their defensive capabilities against this persistent threat.<\/p>\n This advisory underscores the ongoing sophistication of state-sponsored cyber operations and the critical need for organizations, particularly those in government and critical infrastructure sectors, to implement robust detection and response capabilities.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post CISA Releases New Indicators of Compromise Tied to BRICKSTORM Malware<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"PRC](\"https:\/\/i0.wp.com\/cybersecuritynews.com\/wp-content\/uploads\/2025\/12\/image-33.png?resize=870%2C429&ssl=1\")
![\"BRICKSTORM](\"https:\/\/i0.wp.com\/cybersecuritynews.com\/wp-content\/uploads\/2025\/12\/image-32.png?resize=994%2C706&ssl=1\")