
BRICKSTORM Breaks In: China’s Quiet Grip on US Virtual Stack

Red | Attack Report

Summary

China-linked cyber operators are deploying BRICKSTORM, a sophisticated Go-based ELF backdoor engineered for stealth, persistence, and comprehensive system control across U.S. critical infrastructure. In 2025, the advanced persistent threat group WARP PANDA utilized BRICKSTORM malware during targeted intrusions against U.S. VMware vCenter environments spanning government, IT, legal, technology, and manufacturing sectors. The BRICKSTORM backdoor campaign, active since April 2024, demonstrates China’s escalating cyber espionage capabilities targeting virtual infrastructure. BRICKSTORM implants establish encrypted command-and-control channels that tunnel malicious traffic through vCenter servers, ESXi hosts, and guest virtual machines while masquerading as legitimate VMware processes. The backdoor maintains persistent access even after file deletion attempts and system reboots, representing a significant threat to U.S. virtualization infrastructure. WARP PANDA threat actors exploited multiple critical vulnerabilities including CVE-2024-21887, CVE-2023-46805, CVE-2024-38812, CVE-2023-46747, CVE-2023-34048, and CVE-2021-22005 to compromise VMware environments and deploy BRICKSTORM backdoor malware.

Attack Details

BRICKSTORM Backdoor Architecture and Capabilities

The People’s Republic of China deploys BRICKSTORM, a Go-based ELF backdoor designed to secure long-term covert access to targeted systems with exceptional persistence and stealth capabilities. BRICKSTORM malware operations begin with comprehensive integrity and environment checks, then anchor themselves using self-monitoring mechanisms that automatically reinstall or restart the backdoor if execution is interrupted. The malware configures environment variables to precisely match compromised host systems, enabling stable long-term operation within VMware vCenter environments.

Command-and-Control Infrastructure

Once active, the BRICKSTORM backdoor establishes heavily encrypted communication links to command-and-control servers, implementing multiple encryption layers and utilizing DNS-over-HTTPS protocols to obscure malicious traffic patterns. The backdoor can mimic legitimate web server behavior patterns, effectively blending command-and-control communications into normal network activity within virtualization infrastructure. After establishing connections, WARP PANDA operators gain complete remote control capabilities including interactive shell access and comprehensive file browsing, manipulation, and transfer abilities. Certain BRICKSTORM variants function as SOCKS proxies, enabling traffic tunneling and lateral movement across internal enterprise systems.

WARP PANDA Targeting of VMware Infrastructure

In 2025, the China-nexus advanced persistent threat group WARP PANDA deployed the BRICKSTORM backdoor during sophisticated intrusions targeting VMware vCenter environments at U.S. organizations across critical infrastructure sectors. WARP PANDA demonstrates advanced technical capabilities, strong operational security practices, and deep expertise in cloud computing and virtualization platforms. WARP PANDA operations typically begin by exploiting internet-facing edge devices, followed by pivoting into vCenter environments through stolen administrative credentials or exploiting VMware vCenter vulnerabilities.

Advanced Tradecraft and Evasion Techniques

WARP PANDA has systematically exploited multiple security flaws in edge appliances and vCenter systems to deploy BRICKSTORM malware. The threat group’s tradecraft includes clearing security logs, altering file timestamps for anti-forensics, and creating unregistered malicious virtual machines that remain powered down after completing malicious activities. WARP PANDA uses BRICKSTORM to tunnel traffic through vCenter servers, ESXi hosts, and guest VMs, allowing malicious activity to blend seamlessly with legitimate VMware operations.

Persistence Mechanisms

BRICKSTORM implants disguise themselves as authentic vCenter processes using process masquerading techniques and retain persistence even after administrators attempt file removal or perform system reboots. The self-monitoring capabilities ensure continuous backdoor availability, making remediation challenging without comprehensive incident response procedures targeting VMware virtualization infrastructure.

Recommendations

Immediate Vulnerability Remediation

Organizations must prioritize patching known exploited vulnerabilities immediately, with special focus on internet-facing edge devices exploited by WARP PANDA. Address all critical CVEs highlighted in this BRICKSTORM advisory including CVE-2024-21887, CVE-2023-46805, CVE-2024-38812, CVE-2023-46747, CVE-2023-34048, and CVE-2021-22005. Upgrade unsupported edge devices and VMware infrastructure to vendor-supported models receiving regular security updates.

Virtual Infrastructure Hardening

Maintain all VMware vSphere, vCenter Server, and ESXi hosts with current security patches. Apply VMware security patches immediately upon release, remove unsupported VMware versions from production environments, and validate that all vCenter management interfaces implement hardened security configurations resistant to BRICKSTORM deployment.

Edge Device Security Controls

Establish and maintain authoritative inventories of every internet-facing and internal edge device vulnerable to WARP PANDA exploitation. Monitor edge devices continuously for configuration drift, unexpected services, and outbound traffic patterns deviating from established baselines that could indicate BRICKSTORM backdoor activity.

Access Control and Service Account Management

Limit service account permissions to minimum required operations within VMware environments. Audit service account usage patterns regularly, enforce multi-factor authentication where VMware systems support it, and configure alerts for interactive logins or privilege escalation events associated with service accounts that could indicate WARP PANDA compromise.

Network Segmentation and Traffic Control

Isolate ESXi management interfaces behind strict network segmentation and firewall rules preventing unauthorized access. Block outbound internet access from both ESXi hosts and vCenter systems to prevent BRICKSTORM command-and-control communications. Monitor and restrict usage of nonstandard or optional ports including port 8090 exploited in WARP PANDA campaigns.
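As an added example (not part of this advisory or of any vendor tooling), a small Python checker that applies the network controls above to flow records: it flags management-network hosts that reach the advisory's listed C2 addresses or public DoH resolvers, use port 8090, or egress directly to the internet. The management subnet, the record format and the sample flows are constructed assumptions.

```python
import ipaddress

# Assumption (constructed): the subnet hosting vCenter and ESXi management interfaces.
MGMT_NET = ipaddress.ip_network("10.10.0.0/24")
# IPv4 IOCs listed in this advisory, refanged so they can be matched.
C2_IPS = {"208.83.233.14", "149.28.120.31"}
# Public DNS-over-HTTPS resolvers listed in this advisory.
DOH_RESOLVERS = {"1.0.0.1", "1.1.1.1", "8.8.4.4", "8.8.8.8", "9.9.9.9"}
# Nonstandard port the advisory says WARP PANDA used.
WATCH_PORTS = {8090}

def classify(src, dst, dport):
    """Return why a flow is suspicious, or None if it matches no advisory behaviour."""
    if ipaddress.ip_address(src) not in MGMT_NET:
        return None  # only vCenter/ESXi management hosts are in scope here
    if dst in C2_IPS:
        return "known BRICKSTORM C2 address"
    if dst in DOH_RESOLVERS and dport == 443:
        return "DNS-over-HTTPS to public resolver"
    if dport in WATCH_PORTS:
        return "nonstandard port 8090"
    if ipaddress.ip_address(dst).is_global:
        return "direct internet egress from management host"
    return None

def scan(lines):
    """Parse 'src dst dport' records (constructed format); return (src, dst, dport, reason)."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, dport = line.split()
        reason = classify(src, dst, int(dport))
        if reason:
            findings.append((src, dst, int(dport), reason))
    return findings

# Constructed sample flows: vCenter at 10.10.0.5, ESXi host at 10.10.0.21; 93.184.216.34 is an arbitrary public address.
SAMPLE_FLOWS = """\
10.10.0.5 10.10.0.21 443
10.10.0.5 1.1.1.1 443
10.10.0.21 208.83.233.14 443
10.10.0.5 10.10.0.50 8090
10.10.0.21 93.184.216.34 443
10.10.1.7 8.8.8.8 443
""".splitlines()

if __name__ == "__main__":
    for src, dst, dport, reason in scan(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{dport}  {reason}")
```

In production the same checks belong in the firewall or flow-analytics platform; the point here is that every finding maps to one of the controls listed above.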

Authentication and Access Validation

Conduct comprehensive audits of all remote access channels to VMware infrastructure. Remove dormant administrative accounts, rotate credentials exposed to compromised edge systems, and enforce strict authentication controls on systems managing virtual infrastructure to prevent WARP PANDA lateral movement and BRICKSTORM deployment.

Indicators of Compromise (IOCs)

IPv4 Addresses:

  • 208[.]83[.]233[.]14
  • 149[.]28[.]120[.]31


DNS-over-HTTPS URLs:

  • hxxps[:]//1[.]0[.]0[.]1/dns-query
  • hxxps[:]//1[.]1[.]1[.]1/dns-query
  • hxxps[:]//8[.]8[.]4[.]4/dns-query
  • hxxps[:]//8[.]8[.]8[.]8/dns-query
  • hxxps[:]//9[.]9[.]9[.]9/dns-query

MITRE ATT&CK TTPs

TA0042 – Resource Development

  • T1583: Acquire Infrastructure (Domains, VPS, Serverless)
  • T1584: Compromise Infrastructure (Network Devices)
  • T1588: Obtain Capabilities (Malware)
  • T1608: Stage Capabilities (Install Digital Certificate)

TA0001 – Initial Access

  • T1190: Exploit Public-Facing Application
  • T1078: Valid Accounts (Cloud Accounts, Default Accounts)

TA0002 – Execution

  • T1037: Boot or Logon Initialization Scripts
  • T1574: Hijack Execution Flow

TA0003 – Persistence

  • T1505: Server Software Component (Web Shell)
  • T1098: Account Manipulation

TA0004 – Privilege Escalation

  • T1548: Abuse Elevation Control Mechanism (Sudo and Sudo Caching)

TA0005 – Defense Evasion

  • T1036: Masquerading
  • T1070: Indicator Removal (File Deletion, Timestomp)
  • T1564: Hide Artifacts (Run Virtual Instance)

TA0006 – Credential Access

  • T1003: OS Credential Dumping (NTDS)
  • T1550: Use Alternate Authentication Material

TA0007 – Discovery

  • T1083: File and Directory Discovery

TA0008 – Lateral Movement

  • T1021: Remote Services (SSH)

TA0009 – Collection

  • T1114: Email Collection (Remote Email Collection)
  • T1213: Data from Information Repositories (Sharepoint)
  • T1530: Data from Cloud Storage
  • T1560: Archive Collected Data

TA0010 – Exfiltration

  • T1041: Exfiltration Over C2 Channel

TA0011 – Command and Control

  • T1071: Application Layer Protocol (Web Protocols, DNS)
  • T1090: Proxy (Internal Proxy, Multi-hop Proxy)
  • T1095: Non-Application Layer Protocol
  • T1105: Ingress Tool Transfer
  • T1572: Protocol Tunneling
  • T1573: Encrypted Channel (Asymmetric Cryptography)

