Overview
- Cybersecurity agencies from the U.S. and Canada released a joint malware analysis of eight BRICKSTORM samples along with YARA and Sigma signatures, indicators of compromise, and guidance to scan and report findings.
- Investigators say the Golang backdoor targets VMware vSphere and Windows environments and supports hidden virtual machines, VM snapshot theft for credential harvesting, VSOCK communications, DNS-over-HTTPS, a SOCKS proxy, and a self-reinstallation persistence mechanism.
- In one response case, attackers maintained access from April 2024 through at least September 3, 2025, moving from a DMZ web server to vCenter, compromising domain controllers and an ADFS server, and exporting cryptographic keys.
- CrowdStrike attributes related intrusions to a China-nexus group it calls Warp Panda and reports additional Golang implants (Junction and GuestConduit) on ESXi hosts and in guest VMs, as well as cloud-focused activity including Microsoft 365 access via session replay and MFA persistence tactics.
- Officials and researchers cite government, IT, legal, technology, manufacturing, SaaS providers, and business process outsourcers as affected or targeted sectors, note likely compromises via internet-facing edge devices, and caution that the total scope and some initial access methods remain unknown.