China-Linked Brickstorm Malware: 5 Shocking VMware Cybersecurity Risks

China-linked Brickstorm malware attack on VMware vSphere

China-linked Brickstorm malware is the latest wake-up call for any organization running critical workloads on VMware. US and Canadian cybersecurity agencies report that state-backed hackers used Brickstorm to infiltrate government and IT networks, steal login credentials, and quietly maintain access for more than a year in at least one victim. The campaign zeroes in on VMware vSphere environments, turning virtual infrastructure into a strategic espionage foothold rather than just a technical layer. For CISOs, the message is blunt: if your virtualization stack is not treated as Tier 0, you are already behind.


Key Takeaways

  • China-linked Brickstorm malware targets VMware vSphere and Windows systems to gain stealthy, long-term access.

  • Attackers steal login credentials, VM snapshots, and sensitive data, enabling full control of victim environments.

  • One documented intrusion lasted from April 2024 to at least September 3, 2025, showing extreme persistence.

  • Agencies urge rapid patching, segmentation, and use of YARA/Sigma rules to detect Brickstorm activity.

  • China’s government denies involvement, highlighting the geopolitical tension around cyber operations.


What Is China-Linked Brickstorm Malware?

US CISA, NSA, and the Canadian Cyber Centre describe China-linked Brickstorm malware as a sophisticated backdoor used by PRC state-sponsored actors for long-term persistence in VMware and Windows environments. The joint advisory is based on analysis of eight Brickstorm samples collected from victim organizations across government services and IT sectors.

“Brickstorm is not smash-and-grab ransomware; it is patient espionage infrastructure designed to sit quietly inside your virtual layer,” notes Dr. Helena Park, cyber operations researcher at the University of Toronto. Once deployed, Brickstorm provides stealthy command-and-control, encrypted communications, and a SOCKS proxy to tunnel deeper into victim networks.


How Brickstorm Targets VMware vSphere

The malware specifically goes after VMware vSphere environments, including vCenter and ESXi, which orchestrate virtual machines across critical networks. With control at the hypervisor level, attackers can interact with guest VMs, tamper with security tools, and extract credentials from snapshots without needing in-guest accounts.

A Broadcom spokesperson acknowledged reports of Brickstorm being used “after gaining access to customer environments” and urged customers to keep VMware software fully patched and follow hardening guidance for vSphere deployments. “Virtualization used to be treated as plumbing; now it is the crown jewel for advanced actors,” says Marcus Bell, principal analyst at the Global Cyber Infrastructure Institute.


Long-Term Access and Credential Theft

The advisory highlights one case where China-linked Brickstorm malware was used to breach an organization in April 2024 and maintain access until at least September 3, 2025. During this window, attackers were able to steal login credentials and other sensitive information, potentially giving them full control of affected systems.

CISA’s malware report explains that PRC actors often capture Active Directory data, clone virtual machines, and use legitimate credentials to blend into normal admin activity. “When an adversary lives inside your backup, hypervisor, and directory services, you are not dealing with an incident—you are dealing with a systemic compromise,” warns Prof. Daniel Reyes, cybersecurity chair at MIT’s Internet Policy Lab.


Official Responses: Agencies, VMware, and China

US and Canadian agencies frame Brickstorm as part of a broader PRC campaign against critical infrastructure, telecom, and sensitive government services. They urge organizations to scan for indicators of compromise, apply CISA-developed YARA and Sigma rules, block unauthorized DNS-over-HTTPS, and enforce strict network segmentation around virtual infrastructure.

Broadcom’s VMware division, meanwhile, stresses patching and operational security as the first line of defense, especially in vSphere and vCenter environments. The Chinese embassy in Washington rejects the allegations outright, with spokesperson Liu Pengyu saying Beijing does not support or condone cyberattacks and criticizing the claims as lacking factual evidence.


What Security Leaders Should Do Next

Security teams running VMware should immediately treat their virtual infrastructure as a high-value target, not just a performance layer. That includes continuous patching, tight access controls for vCenter, monitoring of management interfaces, and validation against the Brickstorm indicators provided by CISA and partners.
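The two recommendations above that are easiest to turn into a concrete check are blocking unauthorized DNS-over-HTTPS and watching the management interfaces of the virtualization segment. The script below is an added example, not code from the advisory or from CISA: it reads constructed egress log lines and flags vCenter/ESXi management hosts that reach a public DoH resolver over TLS or send plain DNS anywhere except the sanctioned internal resolver. The management subnet, resolver address, DoH hostnames, and log format are all assumptions for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# All values below are constructed for illustration, not indicators from the advisory.
MGMT_NET = ipaddress.ip_network("10.10.0.0/24")   # assumed vCenter/ESXi management segment
INTERNAL_RESOLVER = "10.10.0.53"                    # assumed sanctioned DNS resolver
# Public DoH resolvers a hypervisor host should never contact directly (assumed policy).
PUBLIC_DOH = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

# Constructed egress log format: "<ts> <src_ip> -> <dst_ip>:<port> [sni=<tls_sni>]"
LINE = re.compile(r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+)(?: sni=(?P<sni>\S+))?$")

def parse(line):
    """Return a dict of fields, or None for lines that do not match the format."""
    m = LINE.match(line.strip())
    return m.groupdict() if m else None

def is_suspect(rec):
    """Flag management-segment hosts doing DoH to a public resolver,
    or plain DNS to anything other than the internal resolver."""
    if ipaddress.ip_address(rec["src"]) not in MGMT_NET:
        return False          # only the virtualization segment is in scope here
    port = int(rec["port"])
    if port == 443 and rec["sni"] in PUBLIC_DOH:
        return True           # DoH bypasses internal DNS logging and filtering
    return port == 53 and rec["dst"] != INTERNAL_RESOLVER

def find_dns_egress_abuse(lines):
    """Map each offending source host to the resolvers it reached."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and is_suspect(rec):
            hits[rec["src"]].append(rec["sni"] or rec["dst"])
    return dict(hits)

SAMPLE_LOG = [  # constructed sample, not real traffic
    "2025-09-03T10:00:01Z 10.10.0.15 -> 10.10.0.53:53",
    "2025-09-03T10:00:02Z 10.10.0.15 -> 8.8.8.8:443 sni=dns.google",
    "2025-09-03T10:00:03Z 10.10.0.15 -> 104.16.248.249:443 sni=cloudflare-dns.com",
    "2025-09-03T10:00:04Z 10.20.0.7 -> 8.8.8.8:443 sni=dns.google",
    "2025-09-03T10:00:05Z 10.10.0.22 -> 1.1.1.1:53",
    "malformed line that the parser should skip",
]

if __name__ == "__main__":
    for host, resolvers in find_dns_egress_abuse(SAMPLE_LOG).items():
        print(f"ALERT {host} reached unauthorized resolver(s): {resolvers}")
```

Hosts outside the management segment are deliberately ignored so the alert stays focused on the virtualization tier; extend the SNI set or swap in your own allowlist to match local policy.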

“Resilient organizations now treat hypervisors and identity systems as the beating heart of their security architecture,” argues lead analyst Sara Okafor from the Cyber Policy Futures Lab. For deeper strategy on resilience engineering in the AI and virtualized era, see this analysis on cybersecurity resilience engineering.

