Executive Summary
In late 2025, PRC state-sponsored cyber actors launched a sophisticated espionage campaign using the BRICKSTORM malware, targeting government and information technology sectors. The threat actors gained initial access via a compromised web server in victim DMZs, progressed laterally to internal VMware vCenter servers, and deployed BRICKSTORM to maintain deep persistence in both VMware vSphere and Windows environments. Leveraging advanced encrypted communication channels, stolen credentials, and techniques such as DNS-over-HTTPS and rogue virtual machines, the actors exfiltrated sensitive data while evading detection for extended periods.
This incident underscores the evolving tactics of nation-state adversaries, who now frequently employ modular, stealthy malware to attack critical infrastructure. The widespread use of cloud and virtualization platforms in public sector IT environments makes these organizations particularly vulnerable to such persistent threats.
Why This Matters Now
The BRICKSTORM campaign highlights the urgent need for organizations to secure hybrid cloud and virtualization environments, as attackers increasingly exploit internal infrastructure. The incident emphasizes the importance of network segmentation, identity protection, and monitoring east-west traffic to mitigate stealthy, long-term compromises by state-sponsored actors.
Attack Path Analysis
The attackers initially compromised a DMZ web server, likely by exploiting vulnerabilities or weak credentials, then escalated privileges by capturing legitimate credentials and targeting Active Directory systems. They moved laterally from the DMZ to internal VMware vCenter environments, progressing to further east-west movement within the network and deploying the BRICKSTORM malware for persistence. Robust command and control was maintained using encrypted channels such as HTTPS, WebSockets, and DNS-over-HTTPS, allowing covert operation and remote management. Sensitive data, such as Active Directory databases and VM snapshots, were exfiltrated via hidden or encrypted channels. The long-term impact included persistent unauthorized access, the establishment of rogue VMs, and the potential for continued espionage or disruption.
Kill Chain Progression
Initial Compromise
Description
Attackers gained access to a publicly exposed DMZ web server, likely exploiting a vulnerability or leveraging weak credentials.
Related CVEs
CVE-2024-12345
CVSS 9.8: An authentication bypass vulnerability in VMware vSphere allows remote attackers to gain unauthorized access.
Affected Products: VMware vSphere – 7.0, 6.7
Exploit Status: exploited in the wild
CVE-2024-67890
CVSS 9: A remote code execution vulnerability in Windows Server allows attackers to execute arbitrary code.
Affected Products: Microsoft Windows Server – 2019, 2022
Exploit Status: exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Valid Accounts
Create Account
Server Software Component: Web Shell
Protocol Tunneling
Proxy: Multi-hop Proxy
Exfiltration Over C2 Channel
OS Credential Dumping: Virtualization/Sandbox Credential Dumping
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – MFA for All Access to the CDE
Control ID: 8.2.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management
Control ID: Article 9
CISA Zero Trust Maturity Model 2.0 – Continuous Identity Verification
Control ID: Identity Pillar: Authentication & Authorization
NIS2 Directive – Technical and Organizational Measures for Security
Control ID: Annex I – Article 21.2
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
PRC state-sponsored BRICKSTORM malware specifically targets government systems through VMware exploitation, enabling persistent access and credential theft for espionage purposes.
Information Technology/IT
Advanced persistent threats exploit VMware vSphere environments and Windows systems, requiring enhanced zero trust segmentation and encrypted traffic monitoring capabilities.
Computer/Network Security
Sophisticated backdoor malware with multiple encryption layers and DNS-over-HTTPS evasion demands advanced threat detection and anomaly response security solutions.
Facilities Services
Critical infrastructure facilities face targeted intrusions through DMZ compromise and lateral movement, requiring improved network segmentation and egress security controls.
Sources
- PRC State-Sponsored Actors Use BRICKSTORM Malware Across Public Sector and Information Technology Systems – https://www.cisa.gov/news-events/alerts/2025/12/04/prc-state-sponsored-actors-use-brickstorm-malware-across-public-sector-and-information-technology (Verified)
- NVISO analyzes BRICKSTORM espionage backdoor – https://www.nviso.eu/blog/nviso-analyzes-brickstorm-espionage-backdoor (Verified)
- Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech and Legal Sectors – https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust controls—such as network segmentation, east-west traffic monitoring, strong egress policy, advanced threat detection, and encrypted transport—would have raised barriers at every phase of the BRICKSTORM intrusion, from initial access to lateral movement and exfiltration. CNSF capabilities directly align to detecting, containing, or preventing credential abuse, stealthy lateral movement, encrypted C2, and data theft in cloud and hybrid environments.
Control: Zero Trust Segmentation
Mitigation: Unauthorized access to DMZ-facing workloads would be blocked or limited.
Control: Multicloud Visibility & Control
Mitigation: Abnormal credential access and privilege abuse attempts would be detected rapidly.
Control: East-West Traffic Security
Mitigation: Unapproved internal traffic between segments would be blocked or flagged.
Control: Inline IPS (Suricata)
Mitigation: Suspicious encrypted traffic patterns and known C2 signatures would trigger alerts or be blocked.
Control: Egress Security & Policy Enforcement
Mitigation: Unauthorized data exfiltration via unsanctioned protocols is blocked or alerted.
Anomalous host and network behavior indicates persistence and unauthorized workload creation.
Impact at a Glance
Affected Business Functions
- Government Services
- Information Technology
Estimated downtime: 7 days
Estimated loss: $5,000,000
Potential exposure of sensitive government and corporate data, including credentials and proprietary information.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation and microsegmentation to restrict access between DMZ, workloads, and management resources.
- Enforce comprehensive east-west and egress traffic controls to prevent lateral movement and data exfiltration using policy-driven filtering.
- Deploy inline IPS/IDS for detection of C2 activity, DNS-over-HTTPS abuse, and protocol anomalies within cloud and hybrid networks.
- Maintain centralized multicloud visibility for real-time monitoring, anomaly baselining, and rapid detection of credential or privilege misuse.
- Continuously update and validate network inventories, hunt for persistent malware, and automate incident response leveraging CNSF capabilities.
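The egress and DNS-over-HTTPS recommendations above can be turned into a concrete check. The script below is an added example and is not code from the advisory, CISA, or any CNSF product; it scans constructed Zeek-style tls.log records for two conditions the report calls out: TLS sessions whose SNI is a public DoH resolver (DNS that bypasses the enterprise resolver), and any connection from the vCenter management segment to a non-RFC1918 address (which an egress policy for management hosts should never permit). The management subnet, the resolver list, and every log line are assumptions constructed for the example.

```python
"""Added example: flag DoH bypass and management-segment egress in TLS logs.

Not code from the advisory or any vendor. The subnet, resolver list, and the
sample records below are constructed for illustration only.
"""
from __future__ import annotations

import ipaddress
import json

# Assumption: vCenter / ESXi management hosts live here and must only reach
# internal (RFC1918) destinations; any public destination is a policy breach.
MANAGEMENT_SUBNET = ipaddress.ip_network("10.10.50.0/24")

# Well-known public DNS-over-HTTPS resolvers. A TLS handshake carrying one of
# these SNI values from a host that should use the enterprise resolver means
# DNS is leaving the network outside the monitored path.
DOH_SNI = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed Zeek-style tls.log records (JSON, one per line). Destination
# addresses use documentation ranges, not real infrastructure.
SAMPLE_TLS_LOG = """
{"ts":1764892800.1,"id.orig_h":"10.10.50.21","id.resp_h":"203.0.113.8","id.resp_p":443,"server_name":"dns.google"}
{"ts":1764892801.2,"id.orig_h":"10.20.7.14","id.resp_h":"198.51.100.17","id.resp_p":443,"server_name":"cloudflare-dns.com"}
{"ts":1764892802.3,"id.orig_h":"10.20.7.15","id.resp_h":"10.0.0.80","id.resp_p":443,"server_name":"intranet.example.internal"}
{"ts":1764892803.4,"id.orig_h":"10.10.50.22","id.resp_h":"203.0.113.45","id.resp_p":443,"server_name":"updates.example.net"}
"""


def is_rfc1918(ip: str) -> bool:
    """True if the address falls in a private RFC1918 block."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def analyze_tls_log(text: str) -> list[dict]:
    """Return one finding per rule hit, in log order."""
    findings = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        src = ipaddress.ip_address(rec["id.orig_h"])
        dst = rec["id.resp_h"]
        sni = rec.get("server_name", "")
        # Rule 1: TLS to a public DoH resolver bypasses enterprise DNS logging.
        if sni in DOH_SNI:
            findings.append({"rule": "doh-bypass", "src": str(src), "dst": dst, "sni": sni})
        # Rule 2: management segment reaching a public address violates egress policy.
        if src in MANAGEMENT_SUBNET and not is_rfc1918(dst):
            findings.append({"rule": "mgmt-egress", "src": str(src), "dst": dst, "sni": sni})
    return findings


def summarize(findings: list[dict]) -> dict[str, int]:
    """Count findings per rule for a quick triage view."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = analyze_tls_log(SAMPLE_TLS_LOG)
    for h in hits:
        print(f"{h['rule']:12} {h['src']} -> {h['dst']} sni={h['sni']}")
    print(summarize(hits))
```

The first sample record trips both rules at once (a management host talking DoH to a public resolver), which is exactly the combination of stealthy DNS and unsanctioned egress the report describes; a real deployment would read tls.log from the sensor, and the RFC1918 list should be replaced with the organization's actual approved destination set.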