Executive Summary
In December 2025, CISA, the NSA, and the Canadian Centre for Cyber Security released an updated malware analysis report on the BRICKSTORM backdoor. The update detailed new Rust-based variants featuring advanced persistence, evasive execution as background services, and robust command and control via encrypted WebSocket connections. Organizations were provided with new YARA detection signatures and IOCs to bolster defenses and urged to scan for, report, and contain potential infections. This surge in sophisticated malware highlights evolving attacker tactics aimed at stealthy, persistent network infiltration.
The growing adoption of advanced persistent threats such as BRICKSTORM underlines the critical need for proactive threat detection, zero trust segmentation, and cyber hygiene. Security teams must stay vigilant as attackers refine malware with encrypted communications and evasion strategies, while regulatory bodies continue to emphasize robust incident response.
Why This Matters Now
The release of BRICKSTORM detection updates demonstrates the urgent need to address emerging stealthy backdoors leveraging encrypted, cloud-native techniques. Organizations must act quickly to update controls, scan for new IOCs, and strengthen east-west visibility, as contemporary malware routinely bypasses legacy defenses — leaving environments vulnerable to stealthy intrusions, data exfiltration, and compliance risks.
Attack Path Analysis
The BRICKSTORM backdoor was introduced through an initial compromise, likely via exploitation of a vulnerable cloud workload or credential abuse. Attackers obtained further privileges to establish persistent access by running the malware as a background service. Lateral movement allowed expansion to internal workloads, assisted by stealthy east-west communication. Command and control was maintained over encrypted WebSocket channels to remotely manage the implant. Adversaries could exfiltrate data or receive instructions through these covert outbound connections. The overall impact included persistent foothold and potential for data breach, service disruption, or further malware deployment.
Kill Chain Progression
Initial Compromise
Description
Adversaries likely gained access by exploiting a vulnerable cloud workload, misconfigured service, or compromised credentials to deploy the BRICKSTORM malware.
Related CVEs
CVE-2023-46805 (CVSS 9.8)
An authentication bypass vulnerability in Ivanti Connect Secure allows remote attackers to access restricted resources without proper authentication.
Affected Products:
Ivanti Connect Secure – < 9.1R12
Exploit Status:
exploited in the wild
CVE-2024-21887 (CVSS 9.8)
A command injection vulnerability in Ivanti Connect Secure allows authenticated remote attackers to execute arbitrary commands on the underlying operating system.
Affected Products:
Ivanti Connect Secure – < 9.1R12
Exploit Status:
exploited in the wild
CVE-2023-34048 (CVSS 9.8)
An out-of-bounds write vulnerability in VMware vCenter Server allows a malicious actor with network access to execute arbitrary code on the underlying operating system.
Affected Products:
VMware vCenter Server – < 7.0 U3j
Exploit Status:
exploited in the wild
CVE-2023-46747 (CVSS 9.8)
A remote code execution vulnerability in F5 BIG-IP allows unauthenticated attackers to execute arbitrary system commands.
Affected Products:
F5 BIG-IP – < 16.1.3.1
Exploit Status:
exploited in the wild
CVE-2021-22005 (CVSS 9.8)
An arbitrary file upload vulnerability in VMware vCenter Server allows a malicious actor with network access to execute code on the underlying operating system.
Affected Products:
VMware vCenter Server – < 6.7 U3o
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Process Injection
Registry Run Keys / Startup Folder
Service Execution
Web Protocols
Obfuscated Files or Information
Deobfuscate/Decode Files or Information
Fallback Channels
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Monitor and Respond to Security Events
Control ID: 10.2.5
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management
Control ID: Article 10
CISA Zero Trust Maturity Model 2.0 – Continuous Monitoring and Real-Time Response
Control ID: Detection and Response
NIS2 Directive – Incident Response and Management
Control ID: Article 21(2)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
CISA advisory on BRICKSTORM backdoor highlights critical risk to government infrastructure through encrypted command-and-control channels and advanced persistence mechanisms.
Financial Services
Rust-based BRICKSTORM samples threaten financial institutions through defense evasion, encrypted WebSocket connections, and potential compliance violations under PCI standards.
Information Technology/IT
IT sector faces elevated risk from BRICKSTORM's background service persistence and encrypted traffic capabilities requiring immediate YARA rule deployment.
Defense/Space
NSA involvement in BRICKSTORM analysis indicates significant national security implications for defense contractors through advanced backdoor infiltration techniques.
Sources
- CISA and Partners Release Update to Malware Analysis Report BRICKSTORM Backdoor. https://www.cisa.gov/news-events/alerts/2025/12/19/cisa-and-partners-release-update-malware-analysis-report-brickstorm-backdoor (Verified)
- Chinese hackers are using 'stealthy and resilient' Brickstorm malware to target VMware servers and hide in networks for months at a time. https://www.itpro.com/security/malware/chinese-hackers-are-using-stealthy-and-resilient-brickstorm-malware-to-target-vmware-servers-and-hide-in-networks-for-months-at-a-time (Verified)
- Under the radar - Google warns new Brickstorm malware was stealing data from US firms for over a year. https://www.techradar.com/pro/security/under-the-radar-google-warns-new-brickstorm-malware-was-stealing-data-from-us-firms-for-over-a-year (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust and CNSF-aligned controls such as east-west segmentation, encrypted traffic inspection, egress filtering, and multicloud visibility collectively restrict malware spread, detect malicious activity, and prevent covert command-and-control or data exfiltration operations. Applying these controls would compartmentalize attacker movement, reveal abnormal traffic, and enforce least privilege, greatly limiting the effectiveness of BRICKSTORM and similar threats.
Control: Zero Trust Segmentation
Mitigation: Initial access from unauthorized sources is blocked or contained.
Control: Threat Detection & Anomaly Response
Mitigation: Unusual privilege escalation or persistent service is rapidly detected.
Control: East-West Traffic Security
Mitigation: Lateral movement attempts are blocked or heavily restricted.
Control: Egress Security & Policy Enforcement
Mitigation: Malicious C2 traffic is detected or filtered even when encrypted.
Control: Cloud Firewall (ACF)
Mitigation: Unauthorized data egress and exfiltration attempts are blocked.
Central visibility enables rapid threat hunting and damage containment.
Impact at a Glance
Affected Business Functions
- IT Infrastructure
- Data Management
- Authentication Services
Estimated downtime: 393 days
Estimated loss: $5,000,000
Potential exposure of sensitive credentials, cryptographic keys, and confidential organizational data due to prolonged unauthorized access.
Recommended Actions
Key Takeaways & Next Steps
- Deploy zero trust segmentation to minimize workload and service exposure to adversaries.
- Enable threat detection and anomaly response for immediate visibility into privilege escalation and persistence tactics.
- Enforce robust east-west traffic controls to impede lateral movement between cloud workloads.
- Apply strict egress security and inline inspection to prevent command-and-control and data exfiltration via covert channels.
- Utilize centralized, multicloud visibility to ensure rapid detection, response, and isolation of suspicious or compromised cloud assets.