BRICKSTORM Backdoor to vSphere

Article ID: 427833

Updated On:

Products

VMware vSphere ESXi

Issue/Introduction

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Canadian Centre for Cyber Security (Cyber Centre) assess that People’s Republic of China (PRC) state-sponsored cyber actors are using BRICKSTORM malware for long-term persistence on victim systems. CISA, NSA, and Cyber Centre released a Malware Analysis Report to share indicators of compromise (IOCs) and detection signatures based on analysis of 11 BRICKSTORM samples, and urge organizations to use those IOCs and detection signatures to identify BRICKSTORM malware in their environments.

https://www.cisa.gov/news-events/analysis-reports/ar25-338a


Environment

All vSphere environments (vCenter Server and ESXi)

Cause

Cyber threat actors deploy BRICKSTORM malware on VMware infrastructure after they have already gained access to the customer’s environment; the malware is a persistence tool, not an initial access vector.
CISA post
* PRC State-Sponsored Actors Use BRICKSTORM Malware Across Public Sector and Information Technology Systems | CISA
https://www.cisa.gov/news-events/alerts/2025/12/04/prc-state-sponsored-actors-use-brickstorm-malware-across-public-sector-and-information-technology


CRN post
* 5 Things To Know On VMware ‘Brickstorm’ Attacks
https://www.crn.com/news/security/2025/5-things-to-know-on-vmware-brickstorm-attacks


Canadian Centre for Cyber Security
* Co-author, with CISA and NSA, of the Malware Analysis Report (AR25-338A) linked in the Issue/Introduction section above.


CrowdStrike post (all VMware CVEs referenced in this blog were disclosed and patched by VMware in the respective years)
* Unveiling WARP PANDA: A New Sophisticated China-Nexus Adversary
https://www.crowdstrike.com/en-us/blog/warp-panda-cloud-threats/


CVE-2021-22005 maps to VMSA-2021-0020; the vCenter Server 7.0 critical fix is 7.0 U2c (Workaround KB).
Other posts:
Mandiant Post
* Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech and Legal Sectors | Google Cloud Blog
https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign


Other important CVEs to consider:
CVE-2024-38812 and CVE-2024-38813 (vCenter Server, VMSA-2024-0019), and CVE-2023-34048 (vCenter Server, VMSA-2023-0023).
(All have been patched in prior releases; verify the fixed build is actually deployed on every vCenter instance.)

Resolution

References:
https://github.com/vmware/vcf-security-and-compliance-guidelines/tree/main/ransomware-resources/BRICKSTORM

We are aware of the BRICKSTORM malware being propagated by UNC5221, a China-nexus actor. We have seen prior attempts to deploy this malware on our customers’ deployments dating back to early 2024. This attack does not rely on a vulnerability in VMware vCenter or ESXi. The attacker uses direct credential compromise, or other means of targeting vSphere administrator credentials (e.g. phishing), to gain initial access and then deploys the BRICKSTORM malware with those privileges.

We recommend customers use our security hardening recommendations to harden their vSphere environment.

Conclusion and Immediate Actions:
All VMware CVEs associated with BRICKSTORM have been patched in previous versions of vCenter.

BRICKSTORM is considered an ESXi/vCenter malware implant and should be handled according to the ransomware guidelines linked in the References section above.


* Scan for IOCs: CISA provides YARA and Sigma rules in the Malware Analysis Report linked above.
* Check init files: look for modifications to /etc/sysconfig/init on vCenter and ESXi.
* Monitor for:
  * Hidden or rogue VMs (VMs present on a host or datastore that are not in the expected vCenter inventory)
  * Theft of VM snapshots (copies of sensitive VMs taken for offline analysis)
  * Unauthorized DNS-over-HTTPS (DoH) traffic, e.g. to Cloudflare or Google DoH resolvers, especially from vCenter/ESXi
  * Service account abuse
* Network segmentation:
  * Disable RDP/SMB from the DMZ to the internal network
  * Restrict vCenter/ESXi outbound internet access
  * Block unauthorized DoH providers
* Patch immediately, especially CVE-2024-38812 and CVE-2024-38813.
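One way to operationalise the "Check init files" item above is a baseline-and-compare integrity check: record SHA-256 digests of init and persistence files on a known-good appliance, then re-hash the same paths and report anything modified, added or removed. The script below is an added example for this KB, not code from Broadcom, VMware or the cited reports. It assumes python3 is available on the appliance (Photon OS ships it); the watched paths other than /etc/sysconfig/init, the script name initcheck.py, and the sample file contents in the demo are assumptions for illustration.

```python
"""initcheck.py: baseline-and-compare check for init/persistence files.

Added example for the BRICKSTORM KB; not Broadcom/VMware code.  Run it once on
a known-good appliance to record a baseline, then periodically (or during an
incident) to diff the live files against it.
"""
import hashlib
import json
import os
import sys
import tempfile

# /etc/sysconfig/init is the file the KB names.  The remaining paths are an
# assumption: common locations for an init-time persistence hook on a Photon OS
# based vCenter appliance.  On ESXi, /etc/rc.local.d/local.sh is the equivalent.
DEFAULT_WATCH = ["/etc/sysconfig/init", "/etc/rc.local", "/etc/init.d", "/etc/cron.d"]


def sha256_file(path):
    """Hash a file in chunks so large files are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(watch):
    """Return {path: sha256} for every regular file under the watched paths.
    Directories are walked so a newly dropped start-up script is reported as
    an added file, not only a change to a file we already knew about."""
    digests = {}
    for top in watch:
        if os.path.isfile(top) and not os.path.islink(top):
            digests[top] = sha256_file(top)
        elif os.path.isdir(top):
            for root, _dirs, files in os.walk(top):
                for name in files:
                    path = os.path.join(root, name)
                    if os.path.isfile(path) and not os.path.islink(path):
                        digests[path] = sha256_file(path)
    return digests


def compare(baseline, current):
    """Classify the differences between two snapshots."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo():
    """Run the check on a constructed directory tree standing in for /etc,
    then simulate an implant tampering with it.  Returns the findings with the
    temporary root stripped so the paths read like the real ones."""
    with tempfile.TemporaryDirectory() as root:
        init_file = os.path.join(root, "sysconfig", "init")
        initd_dir = os.path.join(root, "init.d")
        os.makedirs(os.path.dirname(init_file))
        os.makedirs(initd_dir)
        with open(init_file, "w") as f:
            f.write("# constructed sample of /etc/sysconfig/init\n")
        with open(os.path.join(initd_dir, "sample-service"), "w") as f:
            f.write("#!/bin/sh\n# constructed, legitimate start-up script\n")

        baseline = snapshot([init_file, initd_dir])  # taken on a known-good system

        # Simulated persistence: append a launcher line to the init file and drop
        # a brand-new start-up script.  Paths are constructed, not real IOCs.
        with open(init_file, "a") as f:
            f.write("/var/tmp/.cache/agent &\n")
        with open(os.path.join(initd_dir, "zz-agent"), "w") as f:
            f.write("#!/bin/sh\n/var/tmp/.cache/agent &\n")

        findings = compare(baseline, snapshot([init_file, initd_dir]))
        return {k: [p[len(root):] for p in v] for k, v in findings.items()}


if __name__ == "__main__":
    # python3 initcheck.py baseline /mnt/offbox/baseline.json   (known-good system)
    # python3 initcheck.py check    /mnt/offbox/baseline.json   (system under review)
    if len(sys.argv) == 3 and sys.argv[1] == "baseline":
        with open(sys.argv[2], "w") as f:
            json.dump(snapshot(DEFAULT_WATCH), f, indent=2, sort_keys=True)
    elif len(sys.argv) == 3 and sys.argv[1] == "check":
        with open(sys.argv[2]) as f:
            print(json.dumps(compare(json.load(f), snapshot(DEFAULT_WATCH)), indent=2))
    else:
        print(json.dumps(demo(), indent=2))
```

Store the baseline off the appliance: an actor with root on vCenter can rewrite a local baseline as easily as the init file. The check deliberately ignores timestamps, which are trivial to forge, and relies on content hashes only. A hit is a lead rather than proof; compare the changed file against a clean appliance of the same build and run the CISA YARA rules over any unexpected script or binary it references.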

BRICKSTORM is what the actors install to maintain persistence after they are already in: it is a post-exploitation tool, not the initial entry point. The real exposures to close are unpatched CVEs, compromised edge devices and stolen vSphere administrator credentials.


* Verify all vCenter instances are patched to the latest versions
* Hunt for IOCs using CISA's detection signatures
* Review service account permissions and monitoring
* Segment network access from DMZ/edge devices
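The "Unauthorized DoH traffic" and "Restrict vCenter/ESXi outbound internet access" items above can be turned into a detection over exported flow or firewall logs. The following is an added example written for this KB, not code from Broadcom, VMware or the cited reports. The management-host addresses, the allowlisted patch-mirror hostname, the log format and the log lines are all constructed assumptions; the Cloudflare and Google resolver hostnames and addresses are the providers' published ones.

```python
"""Flag encrypted-DNS use and unexpected internet egress from vSphere
management hosts.  Added example for the BRICKSTORM KB; not Broadcom code."""
import ipaddress

# Constructed sample of exported flow records (not real traffic):
# timestamp  src_ip  dst_ip  dst_port  proto  tls_sni ('-' when none)
SAMPLE_LOG = """\
2025-12-05T10:00:01Z 10.0.10.5   10.0.20.10     514 udp -
2025-12-05T10:00:04Z 10.0.10.5   1.1.1.1        443 tcp cloudflare-dns.com
2025-12-05T10:00:09Z 10.0.10.11  8.8.8.8        443 tcp dns.google
2025-12-05T10:00:15Z 10.0.10.5   203.0.113.40   443 tcp updates.example.net
2025-12-05T10:00:21Z 10.0.30.7   1.1.1.1        443 tcp cloudflare-dns.com
2025-12-05T10:00:30Z 10.0.30.7   198.51.100.9   443 tcp www.example.com
2025-12-05T10:00:35Z 10.0.10.12  10.0.20.10     514 udp -
2025-12-05T10:00:40Z 10.0.10.11  198.51.100.77  443 tcp -
"""

# Assumed addresses of the vCenter appliance and two ESXi hosts.
MANAGEMENT_HOSTS = {"10.0.10.5", "10.0.10.11", "10.0.10.12"}

# Cloudflare and Google public resolvers, the providers the KB names.
# DoH runs over TCP/443, DoT over TCP/853.
DOH_HOSTS = {"cloudflare-dns.com", "one.one.one.one", "dns.google"}
DOH_IPS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4"}
ENCRYPTED_DNS_PORTS = {443, 853}

# Assumed approved external destinations for management hosts (e.g. a patch
# depot).  Any other off-net destination is unexpected for vCenter/ESXi.
EGRESS_ALLOWLIST = {"updates.example.net"}

# Ranges treated as internal for the egress rule (RFC 1918, loopback,
# link-local).  Spelled out because ipaddress.ip_address(...).is_global also
# treats the RFC 5737 documentation ranges used in the sample as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse the whitespace-separated records above into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, sni = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport),
                      "proto": proto, "sni": "" if sni == "-" else sni})
    return flows


def is_doh(flow):
    """Encrypted-DNS match on either the resolver address or the TLS SNI."""
    return flow["dport"] in ENCRYPTED_DNS_PORTS and (
        flow["dst"] in DOH_IPS or flow["sni"] in DOH_HOSTS)


def hunt(text):
    """Apply both rules to every flow; return alerts in log order."""
    alerts = []
    for flow in parse_flows(text):
        from_mgmt = flow["src"] in MANAGEMENT_HOSTS
        if is_doh(flow):
            rule, sev = (("doh-from-management-host", "high") if from_mgmt
                         else ("doh-from-internal-host", "medium"))
        elif (from_mgmt and not is_internal(flow["dst"])
              and flow["sni"] not in EGRESS_ALLOWLIST):
            rule, sev = "unexpected-egress-from-management-host", "medium"
        else:
            continue
        alerts.append({**flow, "rule": rule, "severity": sev})
    return alerts


if __name__ == "__main__":
    for a in hunt(SAMPLE_LOG):
        print(f'{a["ts"]} {a["severity"]:6} {a["rule"]:40} '
              f'{a["src"]} -> {a["dst"]}:{a["dport"]} sni={a["sni"] or "-"}')
```

Two rules are used on purpose. The first catches the resolver lookup itself; the second catches the follow-on connection to whatever the lookup returned, which is the channel that matters even when the resolver is one this list does not know about. vCenter and ESXi have very few legitimate reasons to reach the internet, so the allowlist should stay short and the egress rule should be enforced on the firewall, not only in detection.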