China-linked BRICKSTORM backdoor targeting VMware vSphere, U.S. and Canada warn
U.S. and Canadian cybersecurity agencies warned that China-linked actors deployed a sophisticated backdoor called BRICKSTORM to maintain persistent access to government and IT environments, including VMware vSphere instances. The joint NSA/CISA advisory provides indicators of compromise, detection guidance, and urges patching, hunting for artifacts, and reporting compromises.
U.S. and Canadian cyber agencies released a joint advisory describing BRICKSTORM, a stealthy backdoor used by China-linked actors to establish long-term presence in government and commercial IT environments. The advisory documents techniques for initial intrusion, persistence mechanisms targeting VMware vSphere infrastructure, and post-compromise actions such as credential harvesting, data exfiltration, and tooling that could enable future disruption or sabotage.

The agencies provided detailed indicators of compromise and detection steps aimed at log review, artifact hunting, and network behavior analysis. Organizations are urged to apply available patches, isolate affected systems, and report incidents to national cyber centers to support coordinated response and attribution.

The advisory emphasizes the danger of compromised virtualization management planes, which can expose many hosted workloads and credentials at once. It also includes recommended mitigations such as multifactor authentication, privileged access restrictions, and enhanced monitoring for lateral movement. The warning frames BRICKSTORM as a strategic threat that elevates operational risk for critical infrastructure and sensitive government data, and it calls for rapid remediation and information sharing to limit persistent adversary footholds.