U.S. and Canadian cybersecurity agencies warn of China’s BRICKSTORM malware


U.S. and Canadian cybersecurity officials have issued a joint warning about a sophisticated strain of malware used by Chinese state-sponsored hackers to infiltrate government and technology networks and maintain long-term, covert access.

The advisory, released Thursday by the Cybersecurity and Infrastructure Security Agency, the National Security Agency and the Canadian Centre for Cyber Security, detailed BRICKSTORM, a stealthy backdoor malware identified through eight samples taken from victim organizations.

CISA officials did not confirm whether U.S. federal agencies were among those affected, but the advisory said the malware is being used to target government and information technology sectors.

Cybersecurity firm CrowdStrike published its own report the same day, stating the attackers likely used their access in one compromised network to conduct reconnaissance on an Asia Pacific government entity.

CISA Executive Assistant Director for Cybersecurity Nick Andersen described BRICKSTORM as “a sophisticated and stealthy backdoor malware linked to PRC state-sponsored cyber actors.”

The advisory outlined indicators of compromise and detection methods organizations can use. U.S. officials said the malware is designed to establish long-term persistence inside victim systems.

The hackers primarily focus on VMware vSphere and Windows environments. After gaining entry, they steal credentials and deploy hidden virtual machines to retain access.

CISA said that during one incident response in April 2024, Chinese hackers maintained long-term access to a victim organization’s internal network and uploaded BRICKSTORM malware to an internal VMware vCenter server. They also accessed domain controllers and an Active Directory Federation Services server, eventually exporting cryptographic keys.

Although the malware samples varied, all allowed stealthy persistence. BRICKSTORM includes a “self-watching” feature that reinstalls or restarts the malware if disrupted.

The malware also enables attackers to browse, upload, download, and modify files, and in some cases supports lateral movement to compromise additional systems.
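The report above says the intruders deploy hidden virtual machines on vSphere to retain access but does not describe how they are hidden. The following is an added defender's example, not code from the advisory, CISA, CrowdStrike or Mandiant; it assumes, for illustration only, that a VM an operator cannot see is one whose .vmx file exists on a datastore but is not registered in the vCenter inventory, and it reconciles two constructed lists (inventory entries and datastore files) to flag such orphans. All names, paths and datastores are made up.

```python
from dataclasses import dataclass
from typing import Iterable, List

# Hypothetical shape of an inventory record: in practice the vmx_path would come
# from the vCenter API (the VM's VmPathName) rather than being typed in.
@dataclass(frozen=True)
class InventoryVM:
    name: str
    vmx_path: str  # datastore-style path, e.g. "[datastore1] web01/web01.vmx"

# Constructed sample inventory (assumption: this is what vCenter shows operators).
SAMPLE_INVENTORY: List[InventoryVM] = [
    InventoryVM("web01", "[datastore1] web01/web01.vmx"),
    InventoryVM("db01", "[datastore1] db01/db01.vmx"),
]

# Constructed sample of every .vmx found by walking the datastores directly.
# Two entries exist on disk but have no inventory record.
SAMPLE_DATASTORE_VMX: List[str] = [
    "[datastore1] web01/web01.vmx",
    "[datastore1] db01/db01.vmx",
    "[datastore1] .svc/.svc.vmx",             # not registered in inventory
    "[datastore2] backup-tmp/backup-tmp.vmx",  # not registered in inventory
]


def normalize(path: str) -> str:
    """Canonicalise a datastore path so trivial case/whitespace differences
    do not hide a match (or a mismatch)."""
    return " ".join(path.strip().split()).lower()


def find_unregistered_vmx(inventory: Iterable[InventoryVM],
                          datastore_vmx: Iterable[str]) -> List[str]:
    """Return, sorted, every .vmx path present on a datastore that no
    inventory entry points at. Each hit is a VM that exists on disk but is
    invisible in the normal inventory view and deserves manual review."""
    registered = {normalize(vm.vmx_path) for vm in inventory}
    return sorted(p for p in datastore_vmx if normalize(p) not in registered)


def find_dangling_inventory(inventory: Iterable[InventoryVM],
                            datastore_vmx: Iterable[str]) -> List[str]:
    """The reverse check: inventory entries whose .vmx is gone from disk.
    Not an intrusion indicator by itself, but it shows the two views drifted
    and the datastore walk may be incomplete."""
    on_disk = {normalize(p) for p in datastore_vmx}
    return sorted(vm.name for vm in inventory if normalize(vm.vmx_path) not in on_disk)


def report(inventory: Iterable[InventoryVM], datastore_vmx: Iterable[str]) -> str:
    """Human-readable summary for a ticket or shift handover."""
    inventory = list(inventory)
    datastore_vmx = list(datastore_vmx)
    lines = []
    orphans = find_unregistered_vmx(inventory, datastore_vmx)
    lines.append(f"{len(orphans)} .vmx file(s) on datastores with no inventory record:")
    lines.extend(f"  REVIEW {p}" for p in orphans)
    dangling = find_dangling_inventory(inventory, datastore_vmx)
    lines.append(f"{len(dangling)} inventory VM(s) whose .vmx was not found on disk:")
    lines.extend(f"  STALE  {n}" for n in dangling)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_INVENTORY, SAMPLE_DATASTORE_VMX))
```

The value of the check is the reconciliation itself: the inventory is the view an operator trusts, and a datastore walk is an independent source that a VM registered outside the normal workflow cannot easily avoid. Run it on a schedule and alert on any new line in the REVIEW list; a legitimate orphan (a half-finished migration, a template left on disk) is quickly explained, while an unexplained one is exactly the kind of persistence the advisory describes.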

CISA Acting Director Madhu Gottumukkala said the advisory highlights “the grave threats posed by the People’s Republic of China” and warned that state-sponsored actors are embedding themselves in networks for long-term access and potential disruption.

CrowdStrike reported multiple intrusions targeting U.S. VMware vCenter environments throughout 2025, with at least one case showing attacker access dating back to 2023. The firm said it observed hackers preparing data for exfiltration “on numerous occasions.”

According to CrowdStrike, the BRICKSTORM campaign mainly targets North American entities and maintains persistent, covert access to support intelligence collection aligned with China’s strategic interests.

Cybersecurity company Mandiant reported in September that it had responded to numerous BRICKSTORM intrusions since March 2025 involving law firms, SaaS providers and tech companies. The goal of the campaign, Mandiant said, is the theft of intellectual property and sensitive data, especially the email inboxes of senior leaders.

Mandiant attributed the campaign to a threat group previously linked to exploiting vulnerabilities in Ivanti firewall products, noting that the hackers also abused Microsoft tools to access mailboxes containing information aligned with China’s economic and espionage interests.

Author profile

Edgardo Hernal started college at UP Diliman and received his BA in Economics from San Sebastian College, Manila, and Masters in Information Systems Management from Keller Graduate School of Management of DeVry University in Oak Brook, IL. He has 25 years of copy editing and management experience at Thomson West, a subsidiary of Thomson Reuters.