April 11, 2026 Newsletter
CISA’s BRICKSTORM warning: why this malware is a bigger deal than “another backdoor”
In late December, CISA warned that threat activity tied to BRICKSTORM is continuing—and that newer samples show improved stealth and command-and-control (including Rust-based variants and encrypted WebSocket communications).
From an InfoSight perspective, this story matters because BRICKSTORM is a reminder that many organizations still defend endpoints well, while leaving the control layers (identity + virtualization + edge systems) under-monitored. That’s exactly where sophisticated actors want to live.
BRICKSTORM in plain English
BRICKSTORM is a backdoor used to keep long-term access inside a victim environment. The public sector and the IT sector have been major focuses of observed activity.
What makes it different from “typical malware”:
It targets systems many teams don’t watch closely (e.g., VMware vCenter / ESXi, the tooling that runs and manages virtual machines).
It’s designed to stay alive. If it gets interrupted, a built-in “self-watcher” can reinstall/restart it.
It hides its communications inside normal-looking traffic using multiple encryption layers (HTTPS → WebSockets → nested TLS) and DNS-over-HTTPS (DoH) via common public resolvers.
Some variants can act like a SOCKS proxy, effectively turning one compromised system into a pivot point for lateral movement.
What the attack can look like in the real world
One CISA-documented incident chain (simplified):
Attackers accessed a DMZ web server via a web shell.
They moved laterally using RDP and stole the Active Directory database (ntds.dit) to harvest credentials.
They obtained managed service provider (MSP) credentials and used those to reach VMware vCenter.
They dropped BRICKSTORM and modified boot-related/init behavior so it would run persistently.
Access persisted from April 2024 through at least September 3, 2025.
That timeline is the point: this is about quiet persistence, not noisy smash-and-grab.
Why defenders keep missing this class of threat
Security programs often assume: “If EDR is clean, we’re fine.”
BRICKSTORM’s playbook challenges that assumption because it’s comfortable living in:
Virtualization management (your “control tower” for servers)
Identity infrastructure (service accounts, federation services)
Edge/DMZ systems (where initial access and web shells often appear)
CISA’s update also matters because it reflects ongoing evolution—including additional samples and detection guidance updates as recently as Dec. 19, 2025.
What to do now: a practical checklist
1) Treat vCenter / ESXi like “Tier 0” infrastructure
Isolate management interfaces from general user networks.
Minimize who can administer vCenter.
Require strong authentication for admin paths (especially MSP access).
2) Hunt where BRICKSTORM actually lives
Look for suspicious persistence mechanisms and unexpected binaries in typical paths.
Use the published IOCs and YARA/Sigma detection guidance to scan relevant hosts and images.
3) Monitor “normal-looking” encrypted traffic differently
Pay attention to unusual DoH usage and long-lived WebSocket sessions originating from infrastructure that shouldn’t behave like a browser.
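The check above can be turned into a simple rule set over connection telemetry. The following is an added example, not code from CISA or InfoSight: it assumes an asset inventory tags each host with a role, that your proxy or flow export records connection duration and any HTTP Upgrade header, and it uses an assumed list of public DoH resolver addresses. The sample flows are constructed.

```python
from dataclasses import dataclass

# Assumed list of public resolvers that answer DNS-over-HTTPS on 443/tcp
# (Cloudflare, Google, Quad9). Extend it with whatever your proxy labels as DoH.
DOH_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9", "149.112.112.112"}

# Hosts in these roles have no business behaving like a browser.
INFRA_ROLES = {"vcenter", "esxi", "domain-controller", "adfs"}

# A WebSocket held open this long from a management host is worth a ticket.
LONG_SESSION_SECONDS = 3600


@dataclass
class Flow:
    """One connection record, as a proxy or Zeek/NetFlow-style export might give it."""
    src_host: str
    src_role: str        # asset-inventory role tag, e.g. "vcenter" or "workstation"
    dst_ip: str
    dst_port: int
    duration_s: int
    upgrade: str = ""    # HTTP Upgrade header seen on the connection, if any


def analyze(flows):
    """Return (host, rule, destination) findings for infrastructure hosts only."""
    findings = []
    for f in flows:
        if f.src_role not in INFRA_ROLES:
            continue  # browsers do this all day; user endpoints are out of scope here
        if f.dst_port == 443 and f.dst_ip in DOH_RESOLVERS:
            findings.append((f.src_host, "doh-from-infrastructure", f.dst_ip))
        if f.upgrade.lower() == "websocket" and f.duration_s >= LONG_SESSION_SECONDS:
            findings.append((f.src_host, "long-lived-websocket", f.dst_ip))
    return findings


# Constructed sample flows (not real telemetry).
SAMPLE_FLOWS = [
    Flow("vcenter01", "vcenter", "1.1.1.1", 443, 4),                          # DoH from vCenter
    Flow("vcenter01", "vcenter", "203.0.113.10", 443, 86400, "websocket"),    # day-long WebSocket
    Flow("esxi-07", "esxi", "203.0.113.10", 443, 30, "websocket"),            # short: no finding
    Flow("ws-finance-3", "workstation", "1.1.1.1", 443, 2),                   # workstation: ignored
    Flow("dc01", "domain-controller", "198.51.100.5", 443, 7200, "websocket"),
]

if __name__ == "__main__":
    for host, rule, dst in analyze(SAMPLE_FLOWS):
        print(f"{host}: {rule} -> {dst}")
```

The role filter is what keeps this from drowning in noise: the same destinations are unremarkable from a workstation and remarkable from a hypervisor. Tune the resolver list and the session threshold to what your environment legitimately does.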
4) Assume credential theft is part of the package
Audit service accounts, privileged groups, and federation components.
Look for evidence of AD database access and credential dumping paths.
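One way to look for that evidence in Windows Security log data, as an added example that is not part of the original newsletter: it reads file-access events (ID 4663, which needs a SACL on the database file) and process-creation events (ID 4688), flags any process other than an assumed allow-list touching ntds.dit, and flags execution of an assumed watch-list of tools used to copy the database. The event records below are constructed.

```python
from dataclasses import dataclass

# Windows Security log event IDs (real IDs; field names follow the EventData names).
OBJECT_ACCESS = 4663    # "An attempt was made to access an object"
PROCESS_CREATE = 4688   # "A new process has been created"

AD_DATABASE = "ntds.dit"                         # file name; directory varies per DC
EXPECTED_ACCESSORS = {"lsass.exe"}               # assumed allow-list of normal accessors
DUMP_TOOLS = {"ntdsutil.exe", "vssadmin.exe"}    # assumed watch-list; extend as needed


@dataclass
class Event:
    event_id: int
    computer: str
    subject_user: str
    process_name: str        # ProcessName (4663) or NewProcessName (4688)
    object_name: str = ""    # 4663 only
    command_line: str = ""   # 4688 only, present when command-line auditing is on


def hunt(events):
    """Return (computer, rule, detail) findings for credential-database access paths."""
    findings = []
    for e in events:
        proc = e.process_name.rsplit("\\", 1)[-1].lower()   # basename of the image path
        if e.event_id == OBJECT_ACCESS and e.object_name.lower().endswith(AD_DATABASE):
            if proc not in EXPECTED_ACCESSORS:
                findings.append((e.computer, "ntds-dit-access", f"{e.subject_user} via {proc}"))
        elif e.event_id == PROCESS_CREATE and proc in DUMP_TOOLS:
            findings.append((e.computer, "ad-dump-tool", f"{e.subject_user} ran {proc}"))
    return findings


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    Event(4663, "dc01", "NT AUTHORITY\\SYSTEM", "C:\\Windows\\System32\\lsass.exe",
          object_name="C:\\Windows\\NTDS\\ntds.dit"),            # normal: ignored
    Event(4663, "dc01", "CORP\\svc-msp", "C:\\Windows\\System32\\cmd.exe",
          object_name="C:\\Windows\\NTDS\\ntds.dit"),            # finding
    Event(4688, "dc01", "CORP\\svc-msp", "C:\\Windows\\System32\\ntdsutil.exe",
          command_line="ntdsutil.exe"),                          # finding
    Event(4688, "dc01", "CORP\\backup-op", "C:\\Windows\\System32\\vssadmin.exe",
          command_line="vssadmin.exe list shadows"),             # finding; tune for backups
    Event(4688, "ws-hr-12", "CORP\\alice", "C:\\Windows\\System32\\notepad.exe",
          command_line="notepad.exe"),                           # ignored
]

if __name__ == "__main__":
    for computer, rule, detail in hunt(SAMPLE_EVENTS):
        print(f"{computer}: {rule}: {detail}")
```

Accounts that belong to an MSP showing up in either rule deserve particular attention given the incident chain described above; legitimate backup jobs will also trip the tool rule, so pair it with the schedule and service accounts you already expect.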
5) Operationalize incident readiness
Have a defined escalation path for when signs appear; CISA and its partners explicitly urge prompt reporting and the response actions laid out in the report guidance.
InfoSight perspective: the program gap BRICKSTORM exploits
BRICKSTORM succeeds when organizations have a “tool stack” but lack an operational program that continuously validates:
what’s exposed at the edge,
who has privileged identity paths,
what’s happening in virtualization control planes,
and whether telemetry actually covers the systems that matter most.
That’s the difference between occasional security and continuous security operations—the only model that reliably catches long-dwell threats like this.