BRICKSTORM is a state-backed backdoor built to live inside VMware vSphere and Windows estates for months or years, not days. The joint reporting from CISA, the NSA and the Canadian Centre for Cyber Security makes one thing very clear for leaders: if your virtualization layer falls, your whole environment is effectively owned.

What BRICKSTORM actually does

BRICKSTORM is a multi-platform backdoor targeting VMware vCenter, ESXi and Windows, with variants for the Linux-based vCenter Server appliance, ESXi hosts and Windows systems. Once running, it gives attackers interactive shell access, file management, SOCKS proxy tunneling and encrypted command and control over nested TLS carried inside HTTPS and WebSockets, with DNS-over-HTTPS used in some variants.

The campaign CISA described involves PRC state-sponsored actors breaching internet-facing edge systems, then pivoting to vCenter using valid credentials or vCenter vulnerabilities, and finally deploying BRICKSTORM on vCenter and ESXi. From there they take VM snapshots to extract credentials offline, clone domain controller VMs, create hidden rogue VMs, and harvest Active Directory and ADFS keys to expand access while evading detection.

Why vSphere backdoors are a CEO problem

The strategic insight here is that virtualization is not “just infra” anymore; it is the control plane for your business. A backdoor on vCenter means:

  • Attackers see and touch every workload, including regulated data stores and crown-jewel apps.
  • They operate beneath the guest operating systems, where your EDR agents and host-based logging live, and can work from cloned or powered-off VM disks without ever touching a monitored guest.

BRICKSTORM’s use of VSOCK for communication between VMs and the hypervisor, combined with nested encrypted channels, means much of its activity never crosses a traditional network boundary, so perimeter-only monitoring is largely blind to it. For boards, that translates into long-term espionage risk: data exfiltration, cryptographic key theft, and the latent ability to pivot into sabotage if geopolitics shift.

What the campaign teaches security teams

There are a few concrete lessons security leaders can take from BRICKSTORM:

  • Your MSP and service accounts are prime targets. In at least one case, attackers used compromised MSP credentials to reach vCenter and multi-tenant infrastructures.
  • VM snapshots are not just backups; they are credential gold mines. A cloned domain controller or ADFS VM hands attackers the full directory database (NTDS.dit) and the ADFS token-signing keys offline, with no logon to the live server and no event on it.
  • Clearing logs and timestomping on jump servers and ADFS boxes helped attackers maintain access for more than a year before detection.

This shows why treating virtualization as “out of scope” for regular testing is no longer acceptable. vSphere must sit in the same critical risk bucket as your identity provider and core database platforms.

How Cybitrock’s VAPT tackles BRICKSTORM-style threats

Cybitrock’s VAPT approach is designed around exactly these kinds of persistent, infrastructure-level campaigns:

  • Network penetration testing to validate segmentation between edge, vCenter, management jump hosts and domain controllers, and to test how far an attacker can move with a single compromised web server or VPN appliance.
  • Cloud and virtualization testing to review vSphere configuration, access paths, logging, VSOCK exposure and the use of service accounts and MSP connections, including tests that simulate snapshot theft and rogue VM creation.
  • Web and mobile app testing to identify internet-facing apps and portals that could be the first foothold used to pivot into DMZ and management networks, as seen in the DMZ web-shell cases described by CISA.
  • API penetration testing to examine management APIs (including vSphere, backup tools and orchestration platforms) that an attacker could abuse once they hold stolen tokens or keys from ADFS and backups.
  • Source code review for in-house admin tooling and automation interacting with vCenter and ESXi, to find hard-coded credentials, weak authentication and unsafe remote command features that could amplify BRICKSTORM access.
  • IoT and device testing where operational or branch infrastructure relies on virtualized backends, checking whether appliance or OT compromises can realistically be used as stepping stones to vSphere.

Practical next steps for CTOs and CISOs

Short term, leadership teams should push for:

  • An immediate review and tightening of vCenter and ESXi access, focusing on external exposure, MSP accounts and service account privileges.
  • Enabling and centralizing detailed logging on vCenter, ESXi and ADFS, and hunting for snapshot abuse, rogue VMs and unusual VSOCK or WebSocket patterns.
  • Commissioning focused VAPT on virtualization and management planes with a partner like Cybitrock, using BRICKSTORM scenarios as a threat model rather than treating this as just “another malware family.”
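The hunting called for in the second bullet can begin with nothing more than an export of vCenter events. The script below is an added example written for this article, not code from CISA, VMware or Cybitrock. It assumes events exported as records carrying the vSphere API fields eventType, createdTime, userName, vmName and, for clones, sourceVm (as PowerCLI's Get-VIEvent or the vSphere SDK would give you); the event class names are real vSphere API event types, while the VM names, account names, thresholds and sample events are constructed for illustration.

```python
"""Hunt exported vCenter events for BRICKSTORM-style vSphere abuse.

Added example for this article (not CISA, VMware or Cybitrock code).
Assumption: each event is a dict carrying the vSphere API event fields
eventType, createdTime (ISO 8601), userName, vmName and, for clones,
sourceVm. Event type names are vSphere API (vim.event.*) classes; the
VM names, accounts and sample events are constructed for illustration.
"""
from datetime import datetime, timedelta

# vSphere API event classes relevant to the hunt. A clone raises
# VmBeingClonedEvent on the source VM and VmClonedEvent on the new VM,
# so the tier-0 check must look at sourceVm as well as vmName.
SNAPSHOT_OR_CLONE = {"VmSnapshotCreatedEvent", "VmBeingClonedEvent", "VmClonedEvent"}
VM_APPEARED = {"VmCreatedEvent", "VmRegisteredEvent", "VmDeployedEvent", "VmClonedEvent"}
VM_VANISHED = {"VmRemovedEvent"}

# Constructed tier-0 watchlist and allowlists; replace with your own inventory.
TIER0_VMS = {"dc01", "dc02", "adfs01"}
BACKUP_ACCOUNTS = {"VSPHERE.LOCAL\\svc-backup"}            # may snapshot tier-0 VMs
PROVISIONING_ACCOUNTS = {"VSPHERE.LOCAL\\svc-terraform"}   # may create VMs
RAPID_LIFECYCLE = timedelta(hours=24)  # clone, extract, delete fits inside a day


def _event_class(event_type):
    """Accept both 'VmClonedEvent' and 'vim.event.VmClonedEvent'."""
    return event_type.rsplit(".", 1)[-1]


def hunt(events):
    """Return (finding, vm, user, time) tuples, oldest first."""
    findings = []
    appeared = {}  # vmName -> time the VM first showed up in inventory
    for e in sorted(events, key=lambda e: e["createdTime"]):
        cls = _event_class(e["eventType"])
        vm, user, when = e.get("vmName", ""), e.get("userName", ""), e["createdTime"]
        t = datetime.fromisoformat(when)
        touched = {vm.lower(), e.get("sourceVm", "").lower()}

        # 1. Snapshot or clone of an identity VM by anyone but the backup
        #    account: the offline NTDS.dit / ADFS key theft path.
        if cls in SNAPSHOT_OR_CLONE and touched & TIER0_VMS and user not in BACKUP_ACCOUNTS:
            findings.append(("tier0_snapshot_or_clone", vm, user, when))

        # 2. A VM appearing under an account that does not provision VMs.
        if cls in VM_APPEARED:
            appeared[vm] = t
            if user not in PROVISIONING_ACCOUNTS:
                findings.append(("vm_created_by_unexpected_account", vm, user, when))

        # 3. A VM removed shortly after it appeared: clone, loot, delete.
        if cls in VM_VANISHED and vm in appeared and t - appeared[vm] <= RAPID_LIFECYCLE:
            findings.append(("short_lived_vm", vm, user, when))
    return findings


def unregistered_vm_dirs(registered_vms, datastore_dirs):
    """Rogue VMs registered directly on an ESXi host never appear in vCenter
    and raise no vCenter event. Diff the datastore folders against vCenter's
    inventory (and 'vim-cmd vmsvc/getallvms' on each host) to find them."""
    return {d for d in datastore_dirs if d not in registered_vms}


# Constructed sample export: one legitimate backup snapshot, then an operator
# account cloning a DC, snapshotting ADFS and deleting the clone 84 minutes later.
SAMPLE_EVENTS = [
    {"eventType": "vim.event.VmSnapshotCreatedEvent", "createdTime": "2025-03-02T01:10:00",
     "userName": "VSPHERE.LOCAL\\svc-backup", "vmName": "dc01"},
    {"eventType": "vim.event.VmClonedEvent", "createdTime": "2025-03-02T02:41:00",
     "userName": "VSPHERE.LOCAL\\Administrator", "vmName": "dc01-clone", "sourceVm": "dc01"},
    {"eventType": "vim.event.VmSnapshotCreatedEvent", "createdTime": "2025-03-02T03:00:00",
     "userName": "CORP\\jsmith", "vmName": "adfs01"},
    {"eventType": "vim.event.VmRemovedEvent", "createdTime": "2025-03-02T04:05:00",
     "userName": "VSPHERE.LOCAL\\Administrator", "vmName": "dc01-clone"},
    {"eventType": "vim.event.VmCreatedEvent", "createdTime": "2025-03-03T09:00:00",
     "userName": "VSPHERE.LOCAL\\svc-terraform", "vmName": "web07"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(*finding)
```

Run against the constructed sample, the script flags the DC clone, the clone's creation by a non-provisioning account, the ADFS snapshot by a user account, and the clone's deletion 84 minutes later, while the backup account's snapshot and the Terraform-built web server pass silently. The value of the hunt depends entirely on the allowlists being tight and the vCenter event retention being long enough to cover a dwell time measured in months, which is why the centralized logging in the same bullet has to come first.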

The deeper lesson from BRICKSTORM is simple: whoever owns your virtualization layer owns your organization. Treat vSphere as a primary security asset, validate it aggressively and regularly, and you turn a strategic weakness into a controlled and monitored foundation.


Copyright © 2025. All rights reserved