PRC State Actors Deploy BRICKSTORM Backdoor Against VMware Virtualization Environments
December 10th, 2025
High

Our Cyber Threat Intelligence Unit is monitoring an active campaign attributed to People’s Republic of China (PRC) state-sponsored actors leveraging a custom Go-based backdoor known as BRICKSTORM. According to CISA, NSA, and the Canadian Cyber Centre, the malware is being deployed across government and information-technology service environments, with a focus on compromising VMware vCenter, ESXi, and Windows hosts. BRICKSTORM provides long-term persistence, credential theft, virtual machine manipulation, and covert command-and-control operations, allowing threat actors to operate deeply within targeted infrastructures without detection. The campaign indicates a strategic effort to exploit virtualization platforms that usually fall outside standard endpoint monitoring.
Technical Details
Attack Type: Stealthy backdoor / remote access trojan (RAT) targeting virtualization management systems.
Severity: High.
Malware Characteristics: BRICKSTORM is engineered for durability, stealth, and operational flexibility:
Blends malicious traffic with legitimate HTTPS and WebSocket activity.
Uses DNS-over-HTTPS (DoH) to resolve command-and-control (C2) servers via Cloudflare, Google, Quad9, and NextDNS.
Supports SOCKS proxying, full file-system manipulation, and arbitrary command execution.
Implements smux/Yamux multiplexing to maintain multiple parallel, encrypted C2 channels.
Masquerades as VMware-like binaries (e.g., vmware-sphere, vnetd, vami) and can serve HTML, CSS, and JS files to blend with normal appliance behavior.
Persistence Mechanisms:
Modification of VMware initialization scripts (e.g., under /etc/sysconfig/) so the backdoor is launched at appliance startup.
Self-monitoring processes that automatically restart or reinstall components.
PATH hijacking and self-copying so the implant takes execution precedence over legitimate binaries.
Alteration of appliance startup behavior and the creation of hidden or rogue VMs to maintain covert access.
Access & Privilege Escalation Activities:
Use of web shells to compromise DMZ web servers.
Lateral movement via RDP using valid service account credentials.
Collection of NTDS.dit from domain controllers.
Use of compromised MSP credentials to access VMware vCenter.
Cloning VM snapshots for credential harvesting.
Compromise of domain controllers and ADFS, including export of cryptographic keys (per CISA AR25-338A).
Manipulation of virtual machines, including deployment of rogue appliances and VM-level tampering.
Command & Control:
DoH lookups for C2 discovery.
Encrypted WebSocket-based C2 channels upgraded from HTTPS.
Authentication via hard-coded cryptographic keys.
Multiplexed communications over smux/Yamux for resilient, covert operations.
Post-Exploitation Capabilities:
Full shell access for arbitrary execution.
File upload, download, deletion, slicing, and checksum operations.
Data exfiltration over the primary C2 channel.
SOCKS-based lateral tunneling to pivot across internal networks.

Impact
Persistent Unauthorized Access: Long-term, covert access to key virtualization and identity systems.
Privilege Escalation & Credential Compromise: Ability to clone VM snapshots, harvest credentials, and escalate to domain controllers or identity services such as ADFS.
Operational & Confidentiality Risk: Exposure of sensitive VM snapshots, backups, and system configurations; ability to stage additional tooling or malware in virtualized environments.
Infrastructure Manipulation: Creation of hidden or rogue VMs, tampering with hypervisors, and unauthorized modification of critical virtualization components.
Lateral Movement: Compromise of vCenter/ESXi facilitates rapid, stealthy propagation across large segments of the network.
Detection Method
Organizations should conduct targeted hunts across virtualization hosts, management appliances, identity systems, and network telemetry. Key detection areas include:
VMware / Virtualization Monitoring:
Unexpected logins or administrative actions in vCenter/ESXi.
Unusual or unauthorized VM creation, cloning, or snapshots (especially hidden VMs).
Alteration of startup scripts, service binaries, or management service behavior.
Endpoint & Server Indicators:
Unknown or suspicious ELF/Go binaries on ESXi or vCenter appliances.
Outbound internet connections from hosts that should not normally initiate them.
Identity & Directory Services:
Evidence of ADFS tampering, cryptographic key export, or unauthorized domain controller access.
DC access originating from virtualization appliances.
Network & Telemetry:
Low-volume, persistent HTTPS/WebSocket traffic from vCenter/ESXi systems.
Tunneling patterns consistent with SOCKS proxying or lateral pivoting.
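The network and endpoint checks above, as a hunt one could run over exported flow records (added example, not code from the advisory or CISA; the host roles, internal address ranges, beacon thresholds and sample flows are constructed assumptions, while the DoH hostnames are the public endpoints of the four resolver providers named above):

```python
"""Hunt for BRICKSTORM-style C2 behaviour in outbound connection telemetry.
Added example (not the advisory's or CISA's). Each Flow is one outbound session as
an inspecting proxy or flow collector would log it; the checks encode the advisory's
DoH-discovery, management-host-egress and low-volume WebSocket detection areas.
Thresholds, roles, address ranges and the sample records are constructed assumptions."""
import ipaddress
from dataclasses import dataclass
# Well-known DoH endpoints of the four resolver providers the advisory names.
DOH_HOSTS = {"cloudflare-dns.com", "dns.google", "dns.quad9.net", "dns.nextdns.io"}
NO_EGRESS_ROLES = {"vcenter", "esxi"}  # management plane never talks to the internet
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BEACON_MIN_SECONDS, BEACON_MAX_BYTES = 3600, 64 * 1024  # keepalive-like session shape

@dataclass
class Flow:
    src_host: str
    src_role: str     # asset-inventory role: vcenter, esxi, dmz-web, ...
    dst_ip: str
    sni: str          # TLS server name, "" if absent
    websocket: bool   # HTTP "Upgrade: websocket" seen by the inspecting proxy
    duration_s: int
    bytes_total: int

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def classify(flow):
    """Detection labels for one flow; an empty list means nothing notable."""
    hits = []
    if flow.sni in DOH_HOSTS:
        hits.append("doh-resolver")
    if flow.src_role in NO_EGRESS_ROLES and not is_internal(flow.dst_ip):
        hits.append("mgmt-host-egress")
    if flow.websocket and flow.duration_s >= BEACON_MIN_SECONDS and flow.bytes_total < BEACON_MAX_BYTES:
        hits.append("low-volume-websocket")
    return hits

def hunt(flows):
    """Map each source host that triggered anything to the set of labels it hit."""
    findings = {}
    for f in flows:
        for label in classify(f):
            findings.setdefault(f.src_host, set()).add(label)
    return findings
SAMPLE_FLOWS = [  # constructed; 203.0.113.0/24 stands in for internet addresses
    Flow("vcsa01", "vcenter", "203.0.113.9", "cloudflare-dns.com", False, 2, 1500),
    Flow("vcsa01", "vcenter", "203.0.113.40", "", True, 7200, 21000),
    Flow("esx07", "esxi", "10.10.5.20", "vcsa01.corp.example", False, 30, 130000),
    Flow("web01", "dmz-web", "203.0.113.77", "cdn.example.net", False, 5, 420000),
]
```

Only the vCenter appliance is flagged: its resolver lookup and its hour-long, near-idle WebSocket session each trip a separate check, while the ESXi host talking to vCenter internally and the DMZ web server's ordinary egress stay quiet.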
Indicators of Compromise
IOC Type | Value |
Filename | vmsrc |
Filename | vnetd |
Filename | if-up |
Filename | viocli |
Filename | vts |
Filename | vmckd |

Recommendations
Patch & Harden: Immediately update and harden all vCenter and ESXi appliances; review for unauthorized services or modified system files.
Rotate Privileged Credentials: Reset vCenter SSO accounts, ESXi root credentials, SSH keys, API tokens, and MSP-linked accounts.
Audit Persistence: Inspect virtualization hosts for unexpected binaries, modified init scripts, or newly created system services.
Restrict Management Access: Limit access to management networks and enforce strict firewall rules; block unnecessary outbound internet routes.
Enable Comprehensive Logging: Forward all vCenter, ESXi, DNS-over-HTTPS, and WebSocket-related telemetry to a SIEM.
Implement Integrity Monitoring: Deploy file integrity and behavioral monitoring on hypervisors and virtualization appliances.
Perform Full Incident Response: If indicators appear, rebuild compromised appliances, validate identity infrastructure integrity, and review for rogue VMs or snapshot cloning.
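One way to carry out the Audit Persistence step against a mounted appliance image, covering the init-script and PATH-hijacking mechanisms described under Persistence Mechanisms (added example, not the advisory's or VMware's code; the trusted directories, PATH search order and sample tree are assumptions, and the watched names are the masquerade names and IOC filenames given in this advisory):

```python
"""Audit an appliance filesystem for the persistence tricks the advisory lists.
Added example (not the advisory's or VMware's). Given a mounted appliance root it reports
PATH hijacking (a watched VMware-like name whose first hit on the search path is outside
the trusted system directories) and init-script tampering (an etc/sysconfig/ script that
launches an executable from outside them). Trusted dirs, PATH order and tree are assumed."""
import pathlib
import re
import tempfile
# Names the advisory says BRICKSTORM masquerades as, plus its IOC filenames.
WATCHED = {"vnetd", "vami", "vmware-sphere", "vmsrc", "if-up", "viocli", "vts", "vmckd"}
TRUSTED_DIRS = ("bin", "sbin", "usr/bin", "usr/sbin", "usr/lib/vmware")
SEARCH_PATH = ("usr/local/bin", "usr/bin", "usr/sbin", "bin", "sbin")  # assumed PATH order
ABS_PATH = re.compile(r"(?<![\w/.-])(/[\w./-]+)")  # absolute paths inside a script
def in_trusted_dir(rel):
    return any(rel.startswith(d + "/") for d in TRUSTED_DIRS)

def find_path_hijacks(root, search_path=SEARCH_PATH):
    """Watched names whose first PATH match is untrusted (it shadows the real binary)."""
    hits = []
    for name in sorted(WATCHED):
        found = [d for d in search_path if (root / d / name).is_file()]
        if found and not in_trusted_dir(found[0] + "/" + name):
            hits.append((name, found))
    return hits

def find_rogue_init_refs(root):
    """(script, path) pairs where an etc/sysconfig script runs an untrusted executable."""
    hits = []
    for script in sorted((root / "etc" / "sysconfig").rglob("*")):
        if script.is_file():
            for ref in ABS_PATH.findall(script.read_text(errors="replace")):
                rel = ref.lstrip("/")
                if (root / rel).is_file() and not in_trusted_dir(rel):
                    hits.append((str(script.relative_to(root)), ref))
    return hits

def build_sample_root():
    """Constructed tree: a legitimate vnetd, a shadowing copy, and a tampered init script."""
    root = pathlib.Path(tempfile.mkdtemp())
    files = {
        "usr/sbin/vnetd": "#!/bin/sh\n# legitimate service placeholder\n",
        "usr/local/bin/vnetd": "ELF placeholder for a dropped copy",
        "tmp/.cache/vmckd": "ELF placeholder for a dropped binary",
        "etc/sysconfig/network": "NETWORKING=yes\n/usr/sbin/vnetd --daemon\n",
        "etc/sysconfig/vami-startup": "#!/bin/sh\n/tmp/.cache/vmckd &\n/usr/sbin/vnetd --daemon\n",
    }
    for rel, body in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    return root
```

Against a real appliance, mount the disk read-only and pass the mount point as `root`; the two findings on the sample tree are the shadowing `usr/local/bin/vnetd` and the init script that starts `/tmp/.cache/vmckd`.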
Conclusion
BRICKSTORM is a high-severity, virtualization-focused backdoor providing PRC-linked actors with deep, persistent, and stealthy access to government and IT environments. Its combination of web-shell initial access, credential theft, VM snapshot cloning, identity compromise, and encrypted, multiplexed C2 channels makes detection difficult and extends dwell times. Given the sophistication of the malware and active campaign reporting from CISA and partners, we urge organizations to deploy the published IoCs immediately, harden virtualization management systems, and implement continuous monitoring across hypervisors, identity services, and management networks.