Google security researchers in September reported that China-linked hackers were using a backdoor called Brickstorm to quietly gain access to the networks and systems of U.S. companies in sectors such as legal services, software-as-a-service (SaaS), business process outsourcing, and technology.
The researchers from Google Threat Intelligence Group and Mandiant said the bad actors in some instances spent more than a year inside these organizations running operations ranging from espionage to IP theft to developing new zero-day vulnerabilities.
Security agencies from the United States and Canada this week built on what researchers from Google and other vendors have found, detailing the sophisticated Brickstorm malware and how attackers they say are sponsored by the People’s Republic of China (PRC) use it to maintain persistence in compromised systems.
The threat groups primarily are targeting government agencies and services and IT companies, using the backdoor to hack into VMware vCenter servers and VMware ESXi instances as well as Microsoft Windows environments.
“Once compromised, the cyber actors can use their access to the vCenter management console to steal cloned virtual machine (VM) snapshots for credential extraction and create hidden, rogue VMs,” according to a report from the U.S. National Security Agency, CISA, and Canadian Centre for Cyber Security, noting CISA’s work analyzing eight Brickstorm samples from victim organizations.
“The analyzed samples differ in function, but all enable cyber actors to maintain stealthy access and provide capabilities for initiation, persistence, and secure command and control (C2),” the agencies wrote. “Even though the analyzed samples were for VMware vSphere environments, there is reporting about Windows versions.”
CISA and other U.S. agencies for several years have been uncovering covert cyber operations run by various PRC-backed threat groups aimed at establishing persistence, accessing and stealing data, and potentially disrupting operations in government and critical infrastructure systems. For example, a Chinese group called Volt Typhoon early last year was detected hiding in the computers and networks of U.S. critical infrastructure entities, essentially lying in wait to disrupt operations if conflicts erupt between the United States and China.
Later in the year, another group, Salt Typhoon, was found to have accessed the networks of major telecommunication companies in the United States and elsewhere in an espionage operation that had been underway for one or two years.
The nation-state groups using Brickstorm fall in line with what’s been seen over the past several years. The backdoor is written in the Golang programming language and runs checks to initiate infiltration into networks and ensures persistence through what the agencies said was a “self-watching” function that automatically reinstalls or restarts if the malware is disrupted. It uses a range of encrypted channels – including HTTPS, WebSockets, and nested Transport Layer Security (TLS) – to keep its communications with the C2 server hidden. In addition, it uses DNS-over-HTTPS and apes web server behavior to blend its communications with legitimate traffic.
The U.S. and Canadian agencies used a case to which CISA responded to outline how the groups operate. The bad actors accessed the victim’s web server April 11 through a web shell on it, the agencies wrote, though it’s unclear how they gained initial access. The same day, they moved laterally using service account credentials and Remote Desktop Protocol from the web server to the main domain controller and copied the Active Directory (AD) data. The next day, they did the same using credentials linked to a second service account.
They used credentials for an MSP from the AD database to jump from the internal domain controller to the VMware vCenter server, and from the web server moved using Server Message Block (SMB) to two jump servers and an Active Directory Federation Services (ADFS) server, exfiltrating cryptographic keys. From vCenter, the cybercriminals elevated privileges, dropped Brickstorm into a directory on the server and modified its init file to run the malware.
“Typically, this file is used to define certain visual variables for the bootup process,” the agencies wrote. “After the setting for visual variables, an additional line was added to the script to execute BRICKSTORM from the hard-coded file path.”
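The agencies describe the persistence mechanism as a single line appended to a startup script that otherwise only sets boot-time display variables. As an added example, not taken from the agencies’ report or from any of the vendors cited here, the following Python script shows one way a defender can audit such a file: it diffs the current copy against a known-good baseline and flags any added line that executes a hard-coded absolute path outside the directories a startup script would normally call. The file contents, the path `/tmp/.cache/svc-helper`, and the `TRUSTED_EXEC_DIRS` list are all constructed for illustration and are not indicators from the report.

```python
"""Audit a startup script for appended lines that execute a hard-coded binary.

Added example, not the agencies' or any vendor's code. The baseline and
current script contents below are constructed; the trusted directory list
is an assumption to be tuned to the real host layout.
"""
import shlex
from dataclasses import dataclass

# Directories from which a boot script would normally run binaries (assumption).
TRUSTED_EXEC_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")

# Constructed baseline: the init script as it looked at deployment time.
BASELINE = """\
#!/bin/sh
# boot display settings
BOOT_FG=white
BOOT_BG=black
export BOOT_FG BOOT_BG
"""

# Constructed current copy: identical, plus one line appended at the end
# that launches a binary from a hard-coded, non-standard path.
CURRENT = BASELINE + "/tmp/.cache/svc-helper &\n"


@dataclass(frozen=True)
class Finding:
    line_no: int
    text: str
    reason: str


def added_lines(baseline: str, current: str):
    """Return (line_no, text) for non-blank, non-comment lines in `current`
    that do not appear anywhere in `baseline` (order-insensitive)."""
    known = {line.strip() for line in baseline.splitlines()}
    result = []
    for number, line in enumerate(current.splitlines(), 1):
        stripped = line.strip()
        if stripped and not stripped.startswith("#") and stripped not in known:
            result.append((number, stripped))
    return result


def executes_hardcoded_path(line: str) -> bool:
    """True if the line invokes an absolute path outside TRUSTED_EXEC_DIRS.

    Variable assignments (FOO=bar) and bare command names are not flagged;
    a leading nohup/setsid wrapper is skipped so the real target is checked.
    """
    stripped = line.rstrip("&").strip()  # drop a trailing backgrounding '&'
    try:
        argv = shlex.split(stripped)
    except ValueError:
        return True  # an unparseable line in a boot script deserves a look
    if not argv:
        return False
    command = argv[0]
    if command in ("nohup", "setsid") and len(argv) > 1:
        command = argv[1]
    return command.startswith("/") and not command.startswith(TRUSTED_EXEC_DIRS)


def audit(baseline: str, current: str):
    """Diff current against baseline and classify every added line."""
    findings = []
    for number, text in added_lines(baseline, current):
        if executes_hardcoded_path(text):
            reason = "added line executes a hard-coded path outside trusted dirs"
        else:
            reason = "added line (review manually)"
        findings.append(Finding(number, text, reason))
    return findings


if __name__ == "__main__":
    for finding in audit(BASELINE, CURRENT):
        print(f"line {finding.line_no}: {finding.reason}: {finding.text}")
```

In practice the baseline would come from a golden image or configuration management rather than from the host itself, since the report describes actors who already hold vCenter privileges and could alter both copies.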
A spokesperson for the Chinese embassy in Washington D.C. told Reuters that the country’s government doesn’t “encourage, support or connive at cyber attacks,” adding that “we reject the relevant parties’ irresponsible assertion” about the country’s involvement.
“What’s especially alarming about this campaign is that it targets the virtualization layer itself – not the OS or applications – which historically receives less attention,” SOCRadar CISO Ensar Seker said. “Once the hypervisor or management console (vCenter) is compromised, attackers gain broad visibility over the virtual infrastructure and can bypass many traditional endpoint defenses … because these often don’t monitor hypervisor behavior or VM snapshot manipulation.”
This means organizations need to treat virtualization infrastructure as a critical attack surface, on par with public-facing apps or legacy enterprise systems, Seker said, adding that “this isn’t just another malware campaign. It’s a wake‑up call showing that adversaries are shifting upward in the stack, targeting the foundations of virtualization rather than individual VMs.”
China-linked actors reportedly used Brickstorm in their year-plus hack of F5’s corporate networks, gaining access in late 2023 before being detected in August.
Also this week, CrowdStrike researchers wrote that they found multiple attacks targeting vCenter environments in U.S.-based organizations by a newly identified China-nexus group called Warp Panda. The group deployed Brickstorm, along with JavaServer Pages (JSP) web shells and two new ESXi implants, Junction and GuestConduit.
“WARP PANDA maintained long-term, persistent access to the compromised networks; in one of the intrusions, gaining initial access in late 2023,” the researchers wrote.
They saw the group preparing to exfiltrate data and “likely used their access to one of the compromised networks to engage in rudimentary reconnaissance against an Asia Pacific government entity,” they wrote. “They also connected to various cybersecurity blogs and a Mandarin-language GitHub repository. Further, during at least one intrusion, the adversary specifically accessed email accounts of employees who work on topics that align with Chinese government interests.”