Overview
- CISA, the NSA, and Canada’s Cyber Centre released a technical analysis and indicators of compromise for Brickstorm based on eight samples recovered from victim networks.
- Brickstorm targets VMware vSphere/vCenter to create hidden rogue virtual machines and to steal cloned VM snapshots for credential theft; its command-and-control traffic uses HTTPS, WebSockets, nested TLS, a SOCKS proxy, and DNS-over-HTTPS, and its persistence re-establishes itself after removal.
- Officials detailed a case in which access began in April 2024 and persisted through September 2025, while Google Threat Intelligence Group reported an average dwell time of 393 days affecting dozens of U.S. organizations.
- Researchers say the operators focus on the government, IT, and legal sectors, reaching downstream targets by first compromising edge appliances, SaaS providers, and managed service providers, which makes the intrusions hard to detect.
- CrowdStrike attributed the activity to Warp Panda and observed additional Golang implants named Junction and GuestConduit in VMware ESXi environments, with theft of configuration data, identity metadata, documents, and emails reported.
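The second bullet names three behaviours a defender can hunt for in existing telemetry: clones or snapshots of identity-bearing VMs, VMs created outside the approved inventory, and DNS-over-HTTPS egress from vSphere management hosts. The script below is an added example written for this page, not code from the advisories or vendors cited; every record it processes is a constructed sample in a simplified schema assumed here (the `ts`/`event`/`user`/`vm`/`host` fields and the `VmClonedEvent`/`VmSnapshotCreated`/`VmCreatedEvent` names are assumptions, not vCenter's own export format), and the baseline sets (`HIGH_VALUE_VMS`, `APPROVED_CLONERS`, `KNOWN_VMS`, `MANAGEMENT_HOSTS`, `DOH_RESOLVERS`, the change window) stand in for what a real deployment would pull from its CMDB and IAM.

```python
"""Hunting checks for the Brickstorm behaviours listed above.

All inputs are constructed samples in a simplified, assumed schema; they are
not real vCenter event or proxy log output.
"""
from datetime import datetime, timezone

# --- Constructed inputs (assumed schema) -------------------------------------------
VCENTER_EVENTS = [
    {"ts": "2024-04-12T02:14:05Z", "event": "VmClonedEvent", "user": "svc-backup", "vm": "DC01", "host": "esxi-07"},
    {"ts": "2024-04-12T02:15:40Z", "event": "VmSnapshotCreated", "user": "svc-backup", "vm": "DC01", "host": "esxi-07"},
    {"ts": "2024-04-15T13:02:11Z", "event": "VmClonedEvent", "user": "jdoe", "vm": "WEB03", "host": "esxi-02"},
    {"ts": "2024-04-16T03:30:00Z", "event": "VmCreatedEvent", "user": "root", "vm": "vmware-helper", "host": "esxi-07"},
    {"ts": "2024-04-17T10:05:00Z", "event": "VmCreatedEvent", "user": "jdoe", "vm": "APP09", "host": "esxi-02"},
]
# HTTPS flows as a TLS-inspecting proxy might record them (assumed schema).
EGRESS_FLOWS = [
    {"ts": "2024-04-12T02:20:00Z", "src": "vcenter01", "dst": "dns.google", "dport": 443, "path": "/dns-query"},
    {"ts": "2024-04-12T09:00:00Z", "src": "ws-114", "dst": "cloudflare-dns.com", "dport": 443, "path": "/dns-query"},
    {"ts": "2024-04-12T09:05:00Z", "src": "vcenter01", "dst": "updates.example.invalid", "dport": 443, "path": "/"},
]

# --- Assumed environment baseline (would come from CMDB / IAM in practice) ----------
HIGH_VALUE_VMS = {"DC01", "DC02", "ADFS01"}          # guests whose disks hold credential material
APPROVED_CLONERS = {"svc-backup"}                     # accounts allowed to clone/snapshot them
CHANGE_WINDOW_UTC = range(8, 18)                     # 08:00-17:59 UTC
KNOWN_VMS = {"DC01", "DC02", "ADFS01", "WEB03", "APP09"}
MANAGEMENT_HOSTS = {"vcenter01", "esxi-02", "esxi-07"}
DOH_RESOLVERS = {"dns.google", "cloudflare-dns.com"}  # a few public DoH endpoints; extend as needed
CLONE_EVENTS = {"VmClonedEvent", "VmSnapshotCreated"}


def _hour_utc(ts: str) -> int:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).hour


def find_snapshot_theft(events):
    """Clone/snapshot of a high-value VM by an unapproved account or outside the change window."""
    findings = []
    for e in events:
        if e["event"] not in CLONE_EVENTS or e["vm"] not in HIGH_VALUE_VMS:
            continue
        reasons = []
        if e["user"] not in APPROVED_CLONERS:
            reasons.append("unapproved account")
        if _hour_utc(e["ts"]) not in CHANGE_WINDOW_UTC:
            reasons.append("outside change window")
        if reasons:
            findings.append({"ts": e["ts"], "vm": e["vm"], "user": e["user"], "reasons": reasons})
    return findings


def find_rogue_vms(events):
    """VM creation for a name absent from the approved inventory (candidate rogue VM)."""
    return [
        {"ts": e["ts"], "vm": e["vm"], "host": e["host"], "user": e["user"]}
        for e in events
        if e["event"] == "VmCreatedEvent" and e["vm"] not in KNOWN_VMS
    ]


def find_doh_egress(flows):
    """HTTPS to a known DoH resolver or the RFC 8484 /dns-query path from a management host."""
    return [
        {"ts": f["ts"], "src": f["src"], "dst": f["dst"]}
        for f in flows
        if f["src"] in MANAGEMENT_HOSTS
        and f["dport"] == 443
        and (f["dst"] in DOH_RESOLVERS or f["path"].startswith("/dns-query"))
    ]


def run_all(events=VCENTER_EVENTS, flows=EGRESS_FLOWS):
    return {
        "snapshot_theft": find_snapshot_theft(events),
        "rogue_vms": find_rogue_vms(events),
        "doh_egress": find_doh_egress(flows),
    }


if __name__ == "__main__":
    for name, hits in run_all().items():
        print(f"{name}: {len(hits)} finding(s)")
        for h in hits:
            print("  ", h)
```

On the constructed data the clone and snapshot of `DC01` are flagged even though `svc-backup` is an approved account, because both happen at 02:14 UTC, outside the change window; the workstation `ws-114` talking DoH is deliberately not reported, since the check is scoped to vCenter and ESXi hosts, which should have no reason to resolve names through a public DoH endpoint. Feeding the script real events would mean replacing the constructed lists with an export in the same field layout.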