Particle.news

U.S. and Canada Publish BRICKSTORM Malware Analysis as China-Linked Spying Persists in VMware Systems

New detection materials aim to expose stealthy intrusions that lingered for months across government and IT networks.

Overview

  • CISA, NSA and Canada’s Cyber Centre released a joint analysis of eight BRICKSTORM samples with IOCs plus YARA and Sigma rules, urging immediate scanning and reporting of detections.
  • Investigators say the Golang backdoor targets VMware vSphere/vCenter and Windows, creates covert virtual machines, clones VM snapshots, and uses HTTPS, WebSockets, nested TLS, DoH, SOCKS and VSOCK to evade detection and move laterally.
  • In one case, attackers sustained access from April 2024 through at least Sept. 3, 2025 after pivoting from a DMZ web server to vCenter, copying Active Directory data and exfiltrating cryptographic keys from an ADFS server.
  • CrowdStrike and Google Threat Intelligence link the activity to China-nexus groups Warp Panda and UNC5221, report average dwell times near 393 days, and detail additional Golang implants (Junction, GuestConduit) on ESXi and guest VMs.
  • Officials highlight broader impacts on government, legal, IT, SaaS, BPO and technology entities and recommend patching edge and virtualization products, blocking unauthorized DoH, segmenting networks and inventorying appliances; China’s embassy rejects the allegations.