SafeBreach Coverage for Updated CISA AR25-338A: BRICKSTORM Backdoor

On December 4, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and the Canadian Centre for Cyber Security jointly released Malware Analysis Report AR25-338A analyzing BrickStorm malware, a sophisticated backdoor attributed to the People’s Republic of China (PRC) state-sponsored cyber actors. The report outlines how attackers leveraged BrickStorm in VMware vSphere and Windows environments to achieve long-term persistence, perform credential theft, exfiltrate data, and conduct stealthy command-and-control operations.

BrickStorm is designed for durability and stealth. It blends its traffic with legitimate HTTPS/WebSocket activity, uses DNS-over-HTTPS for C2 discovery, and employs multiple persistence mechanisms—including modifying VMware init scripts and self-watching process logic. It also includes SOCKS proxy functionality for lateral movement and full file-system manipulation.

​​The SafeBreach Labs team responded quickly to this alert, evaluating existing coverage and providing new coverage to help organizations quickly validate their exposure in light of this significant threat. The SafeBreach Exposure Validation Platform includes simulations aligned to BrickStorm’s TTPs across initial access, persistence, privilege escalation, command and control, and exfiltration.

In the blog below, we will share an overview of the threat, highlight key techniques used, and identify new and existing attack content relevant to BrickStorm malware that is now available within the SafeBreach Exposure Validation Platform.

Understanding the BrickStorm Threat

According to CISA’s analysis of eight malware samples, BrickStorm:

• Is a Go-based ELF backdoor primarily designed for VMware vCenter and ESXi systems.
• Enables long-term persistence through executable copying, environment-variable checks, and modified VMware init scripts.
• Uses DNS-over-HTTPS, nested TLS, and WebSockets for secure, highly obfuscated C2 channels.
• Provides interactive shell access, file manipulation, and SOCKS proxy capabilities.
• Has some variants that include VSOCK-based communication,  specifically engineered for virtualized environments.

Notably, CISA observed nation-state actors leveraging BrickStorm to steal VM snapshots for credential extraction and to create hidden rogue VMs—activities aligned with long-term espionage and operational persistence.

Key Techniques Used by BrickStorm

Initial Access & Lateral Movement

• Use of web shells to compromise DMZ web servers (T1505.003).
• Lateral movement via RDP using valid service account credentials (T1078, T1021.001).
• Collection of NTDS.dit from domain controllers (T1003.003).
• Movement into VMware vCenter environments using compromised MSP credentials.

Persistence

• Modification of VMware boot initialization scripts in /etc/sysconfig/ to force BRICKSTORM execution at startup (T1037).
• Self-copying and PATH hijacking to guarantee execution precedence (T1574.007).
• Self-watching processes to restart or reinstall when terminated.

Defense Evasion

• Masquerading as legitimate VMware binaries (e.g., vmware-sphere, vnetd, vami), including consistent naming patterns seen in CISA’s sample metadata.
• Use of multiple encryption layers, including nested TLS inside WebSockets.
• Blending in with legitimate web traffic by serving HTML, CSS, and JavaScript files.
  

Command & Control

• DNS-over-HTTPS lookups to resolve C2 server IPs using Cloudflare, Google, Quad9, and NextDNS resolvers.
• Secure WebSocket connections are upgraded from HTTPS and authenticated through hard-coded cryptographic keys.
• Multiplexed communication channels using smux/Yamux.
  

Post-Exploitation & Exfiltration

• Full shell access for arbitrary command execution.
• File manipulation: upload, download, delete, slice, and checksum operations.
• Exfiltration over the C2 channel (T1041).
• SOCKS proxy capabilities enable stealthy pivoting inside target networks.
  

SafeBreach Coverage & Playbook Updates

As soon as details were made available, the SafeBreach Labs teams added new attacks based on the analysis report and mapped existing attacks in the Hacker’s Playbook based on that. It is important to note that existing SafeBreach customers already have some coverage against the BrickStorm malware identified in this alert. Please run/re-run the attacks listed below to ensure your environment is protected against these TTPs.

Updated Existing Behavioral Attacks 

• #100  – Covert data asset exfiltration over TCP (Data)
• #125  – Covert data asset exfiltration over TLS
• #131  – Data asset exfiltration over UDP
• #903  – Covert data asset exfiltration over DNS
• #1438 – Covert data asset exfiltration over ICMP
• #6473 – Agentless lateral movement via RDP
• #6483 – Agentless lateral movement via SMB and RCE, using Token duplication
• #6513 – Agentless lateral movement via SMB and RCE, using Mimikatz
• #6550 – Agentless lateral movement via SMB and RCE, using Impersonated user
• #6584 – File download from a DNSlivery server
• #6807 – Extract credentials from ntds.dit file using volume shadow copy
• #6909 – RDP Connection Between 2 Simulators
• #7223 – NTDS.dit dump using ntdsutil
• #10482  – DNS resolution to malicious domain using organization DNS server
• #11380  – C2 communication over an encrypted channel

As new indicators, signatures, or variants emerge, SafeBreach continuously updates our Hacker’s Playbook to maintain complete coverage for the BrickStorm campaign.

Recommended Actions for Defenders

Based on CISA, NSA, and Cyber Centre guidance, organizations should:

• Upgrade VMware vSphere systems and harden configurations.
• Block unauthorized DoH providers to prevent covert C2 resolution.
• Review service account usage and enforce least privilege.
• Disable RDP/SMB pathways between DMZ and internal networks where possible.
• Increase monitoring of vCenter logs for anomalies (e.g., hidden VM creation, snapshot access).

SafeBreach customers can simulate these threat techniques on-demand to confirm whether their controls detect and block the specific TTPs outlined in AR25-338A.

What You Should Do Now

Method 1

From the SafeBreach homepage, select Explore Scenarios in the CISA Alert AR25-338A New Coverage pop-up.

Method 2 

Navigate to the “SafeBreach Scenarios” page and select the CISA Alert AR25-338A scenario.

Method 3

From the Known Threats Series report, select CISA Alert AR25-338A and select Run Simulations, which will run all attack methods.

Stay Ahead of Nation-State Threats

BrickStorm underscores the sophistication of modern cyber-espionage operations, particularly those targeting virtualization layers that often lack robust monitoring. 

SafeBreach’s platform allows organizations to test their resilience against this class of threat, validating that detection and response tools perform as expected against real-world attacker behaviors. Run the latest SafeBreach simulations today to ensure your defenses stand ready against this latest threat.