On December 5th, 2025 the US’s Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency, and Canada’s Cyber Security Centre released a joint malware report on BRICKSTORM, a backdoor targeting VMware vSphere and Windows environments. The suspected threat actor(s), tracked as UNC5221 by Mandiant and WARP PANDA by CrowdStrike, are identified as Chinese-nexus actors. Successful deployment of BRICKSTORM has led to long-term persistent access and data exfiltration by the threat actor. Hurricane Labs has three detections that match activity relating to BRICKSTORM and threat actors that use the backdoor.

Threat actors seen using the BRICKSTORM backdoor often gain initial access to systems by exploiting vulnerabilities in public-facing systems, such as vulnerabilities in Ivanti Gateways (CVE-2023-46805 & CVE-2024-21887). Once on the system, threat actors use BRICKSTORM for persistent remote access to compromised systems.

The BRICKSTORM backdoor, first reported by Mandiant in the spring of 2024, enables persistent access for threat actors. Attackers mainly target VMware vSphere environments, though a Windows variant of the backdoor was identified. BRICKSTORM is an adaptable piece of malware, maintaining itself by “using a self-watching function and automatically reinstalls or restarts if disrupted”. The backdoor has command-and-control (C2) capabilities, using multiple layers of encryption and evading detection by mimicking legitimate network traffic; BRICKSTORM provides operators an interactive shell on an infected system.

In their report, CrowdStrike also identified two additional implants used by the threat actor they track as WARP PANDA. The first, named Junction, acts as an HTTP server and was observed “executing commands, proxying network traffic, and communicating with guest VMs through VM sockets”. The second, GuestConduit, is meant for network traffic tunneling, and “likely is intended to work with Junction’s tunnelling commands”. CrowdStrike also reported the longest dwell time for a threat actor using BRICKSTORM, from late 2023 to the summer of 2025 (at least 18 months).

Hurricane Labs recommends administrators follow a regular patching schedule, and have established procedures for emergency patches for public-facing systems. We also recommend creating and/or maintaining an asset inventory, including virtual systems, for ease in detecting rogue virtual machines. We also recommend monitoring for unusual access to vCenter or virtual machines, especially over SSH.

We have written the following detections for activity related to BRICKSTORM or the threat actors who utilize it:

• HDSI VMWare ESXi Suspicious Command Execution – The search looks for suspicious esxcli commands being run
• HDSI IDS Detected DNS-over-HTTP – This detection looks in the Intrusion Detection datamodel for signs of DNS-over-HTTP traffic
• HDSI BRICKSTEAL Vcenter VM Clone – Detects suspicious VM cloning and deletion activity in vCenter that may indicate BRICKSTEAL attack patterns

Hurricane Labs has proactively deployed and opened tickets with managed SOC clients who have applicable logs.

Hurricane Labs recommends administrators follow a regular patching schedule, and have established procedures for emergency patches for public-facing systems. We also recommend creating and/or maintaining an asset inventory, including virtual systems, for ease in detecting rogue virtual machines. We also recommend monitoring for unusual access to vCenter or virtual machines, especially over SSH.

• https://www.cisa.gov/news-events/analysis-reports/ar25-338a
• https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign
• https://www.crowdstrike.com/en-us/blog/warp-panda-cloud-threats/