The December 2025 CISA/NSA/Cyber Centre analysis of BRICKSTORM represents one of the clearest signals yet that hypervisors have become priority targets for state-backed cyber operations. The report attributes BRICKSTORM to PRC state-sponsored actors and documents a campaign focused not on endpoints or applications, but on the virtualization control plane itself—VMware vCenter, ESXi, and adjacent identity infrastructure.
What BRICKSTORM Is
BRICKSTORM is a custom, Go-based backdoor compiled for VMware vSphere environments, with parallel Windows variants observed. It is engineered to provide long-term, covert access to hypervisors and the systems that manage them. CISA’s analysis shows that BRICKSTORM:
- Embeds itself into the vSphere boot process, enabling persistent execution even after reboots.
- Uses DNS-over-HTTPS, HTTPS, WebSockets, and nested TLS to encrypt and hide command-and-control traffic.
- Provides operators with interactive shell access, file manipulation, and tunneling capabilities for stealthy lateral movement.
- Enables the theft of VM snapshots and the creation of rogue VMs—activities that directly compromise the integrity of the virtualization layer.
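The DNS-over-HTTPS and HTTPS command-and-control described above is detectable precisely because a hypervisor management plane has almost no legitimate reason to talk to the internet. The following added example (not from the CISA report or any vendor tooling) runs a simple egress check over constructed proxy log lines: the management host addresses, the egress allowlist and the log format are assumptions, and the public DoH resolver names are real but are used only as an example denylist.

```python
"""Flag hypervisor management hosts that make DNS-over-HTTPS or otherwise
unexpected outbound connections. All sample data below is constructed and
contains no BRICKSTORM indicators."""
import re
from collections import defaultdict

# Assumed: management-plane hosts that should have almost no internet egress.
MGMT_HOSTS = {"10.0.5.10": "vcenter01", "10.0.5.21": "esxi01", "10.0.5.22": "esxi02"}

# Well-known public DoH endpoints; a hypervisor has no business querying them.
DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

# Assumed allowlist of legitimate management-plane egress (NTP, patch repository).
EGRESS_ALLOW = {"ntp.example.internal", "vendor-patches.example.internal"}

# Constructed egress-proxy log format: <ts> <src_ip> <dst_host> <dst_port> <method> <path>
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+) (\S+)$")

SAMPLE_LOG = """\
2025-12-18T02:14:07Z 10.0.5.21 ntp.example.internal 123 - -
2025-12-18T02:14:09Z 10.0.5.10 dns.google 443 POST /dns-query
2025-12-18T02:14:11Z 10.0.5.22 vendor-patches.example.internal 443 GET /esxi/updates
2025-12-18T02:15:30Z 10.0.5.21 cdn-edge.example.net 443 GET /ws
2025-12-18T02:16:02Z 10.0.7.40 dns.google 443 POST /dns-query
"""


def flag_mgmt_egress(log_text):
    """Return {host_name: [reason, ...]} for management hosts with suspicious egress."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        ts, src, dst, port, method, path = m.groups()
        name = MGMT_HOSTS.get(src)
        if name is None:
            continue  # workstations and ordinary servers are out of scope here
        if dst in DOH_HOSTS or path == "/dns-query":
            findings[name].append(f"{ts} DoH to {dst}{path}")
        elif dst not in EGRESS_ALLOW:
            findings[name].append(f"{ts} unexpected egress to {dst}:{port}")
    return dict(findings)


if __name__ == "__main__":
    for host, reasons in flag_mgmt_egress(SAMPLE_LOG).items():
        print(host)
        for reason in reasons:
            print("  ", reason)
```

On the sample data, vcenter01 is flagged for a DoH query and esxi01 for egress to an unlisted host, while the same DoH query from a non-management address is ignored.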
In one confirmed case, PRC operators maintained access for more than a year, quietly moving from a DMZ web server to Active Directory and eventually into vCenter, where BRICKSTORM was deployed for sustained control.
Why This Backdoor Matters
A foothold on vCenter or ESXi is categorically different from a compromised endpoint. It provides operators with visibility into, and potential control over, every workload running on the host. Domain controllers, databases, application servers, and even security tooling often run as VMs. A persistent backdoor at the hypervisor layer collapses the isolation defenders typically rely on.
BRICKSTORM demonstrates an operational understanding of this reality. The malware is purpose-built to blend into systems that traditionally have limited monitoring and virtually no endpoint detection support. That design choice reflects a shift in adversary priorities.
From Ransomware to Nation-State Hypervisor Operations
From 2021 through 2024, ESXi was primarily targeted by ransomware groups. Campaigns such as ESXiArgs, LockBit's ESXi encryptors and Babuk's Linux variants, along with groups such as Scattered Spider, exploited unpatched hypervisors to encrypt entire VM inventories at once.
BRICKSTORM marks a strategic pivot.
Instead of leveraging the hypervisor for immediate disruption, nation-state actors are now using it for long-duration intelligence collection and infrastructure-level access.