{
	"id": "99fe3c8a-7a4b-42c2-84c6-a72948934edc",
	"created_at": "2026-04-06T00:19:51.836584Z",
	"updated_at": "2026-04-10T13:12:34.117245Z",
	"deleted_at": null,
	"sha1_hash": "173af10e6832559c4e2d9cb6b7c5258a4d342369",
	"title": "BRICKSTORM Backdoor | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1082583,
	"plain_text": "BRICKSTORM Backdoor | CISA\r\nPublished: 2026-02-11 · Archived: 2026-04-05 22:56:21 UTC\r\nMalware Analysis at a Glance\r\nMalware\r\nName    \r\nBRICKSTORM\r\nOriginal\r\nPublication\r\nDec. 4, 2025 \r\nLast Update Feb. 11, 2026 \r\nExecutive\r\nSummary\r\nThe Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA),\r\nand Canadian Centre for Cyber Security (Cyber Centre) assess People’s Republic of China (PRC)\r\nstate-sponsored cyber actors are using BRICKSTORM malware for long-term persistence on victim\r\nsystems. CISA, NSA, and Cyber Centre are releasing this Malware Analysis Report to share\r\nindicators of compromise (IOCs) and detection signatures based off analysis of 12 BRICKSTORM\r\nsamples. CISA, NSA, and Cyber Centre urge organizations to use the IOCs and detection signatures\r\nto identify BRICKSTORM malware samples.\r\nLast Update\r\nDescription\r\nCISA, NSA, and Cyber Centre updated this Malware Analysis Report on Feb. 11, 2026, with\r\nanalysis, IOCs, and detection signatures from a new variant of BRICKSTORM.\r\nKey Actions\r\nUse the IOCs and detection signatures to identify BRICKSTORM samples.\r\nIf BRICKSTORM, similar malware, or potentially related activity is detected, report the\r\nincident to CISA, Cyber Centre, or required authorities immediately.\r\nIndicators of\r\nCompromise\r\nFor a downloadable copy of IOCs associated with this malware, see: \r\nMAR-251165.c1.v1.CLEAR (Dec. 4, 2025)\r\nMAR-2512217.c1.v2.CLEAR (Dec. 19, 2025)\r\nMAR-261234.c1.v1.CLEAR (Feb. 
11, 2026)\r\nDetection\r\nThis Malware Analysis Report includes YARA and Sigma rules.\r\nFor a downloadable copy of the Sigma rules associated with this malware, see: AR25-338A Sigma\r\nYAML.\r\nIntended\r\nAudience\r\nOrganizations: Government and critical infrastructure organizations.\r\nRoles: Digital forensics analysts, incident responders, vulnerability analysts, system administrators\r\nDownload the\r\nPDF version of\r\nthis report\r\nMalware Analysis Report Brickstorm Backdoor (PDF, 1.19 MB )\r\nIntroduction\r\nNote: This Malware Analysis Report was originally published Dec. 4, 2025, to share indicators of compromise (IOCs) and\r\ndetection signatures for BRICKSTORM malware. The Cybersecurity and Infrastructure Security Agency (CISA), National\r\nSecurity Agency (NSA), and Canadian Centre for Cyber Security (Cyber Centre) have updated this Malware Analysis Report\r\nthree times.\r\nDec. 19, 2025, with IOCs and detection signatures for three additional BRICKSTORM samples. See Appendix C:\r\nDec. 19, 2025, Updates and Table 12.\r\nJan. 20, 2026, with detection signatures. See Table 12.\r\nFeb. 11, 2026, with analysis, IOCs, and detection signatures for an additional sample of BRICKSTORM. This sample\r\nis a different variant than the other samples. See Appendix D: Feb. 11, 2026, Updates and Table 12.\r\nhttps://www.cisa.gov/news-events/analysis-reports/ar25-338a\r\nPage 1 of 31\n\nCISA, NSA, and Cyber Centre assess People’s Republic of China (PRC) state-sponsored cyber actors are using\r\nBRICKSTORM malware for long-term persistence on victim systems. Victim organizations are primarily in the Government\r\nServices and Facilities and Information Technology Sectors. BRICKSTORM is a sophisticated backdoor for VMware\r\nvSphere (specifically VMware vCenter servers,1 VMware ESXI,2 and VMware Aria Automation Orchestrator) and\r\nWindows environments.3\r\nThese cyber actors have been observed targeting VMware vSphere platforms. 
Once compromised, the cyber actors can use\r\ntheir access to the vCenter management console to steal cloned virtual machine (VM) snapshots for credential extraction and\r\ncreate hidden, rogue VMs. See CISA’s Alert PRC State-Sponsored APT Actors Employ BRICKSTORM Malware Across\r\nPublic Sector and Information Technology.\r\nCISA analyzed 12 BRICKSTORM samples obtained from victim organizations, including an organization where CISA\r\nconducted an incident response engagement. (CISA initially analyzed eight samples. The Dec. 19, 2025, update includes\r\nanalysis of three additional samples and the Feb. 11, 2026, update includes analysis of one sample.)\r\nAt the victim organization where CISA conducted an incident response engagement, PRC state-sponsored cyber actors\r\ngained long-term persistent access to the organization’s internal network in April 2024 and uploaded BRICKSTORM\r\nmalware to an internal VMware vCenter server. They also gained access to two domain controllers and an Active Directory\r\nFederation Services (ADFS) server. They successfully compromised the ADFS server and exported cryptographic keys. The\r\ncyber actors used BRICKSTORM for persistent access from at least April 2024 through at least Sep. 3, 2025.\r\nCISA, NSA, and Cyber Centre urge organizations to use the IOCs and detection signatures in this Malware Analysis Report\r\nto identify BRICKSTORM malware samples. If identified, follow the guidance in the Incident Response section.\r\nDownload the PDF version of this report: \r\nFor a downloadable copy of IOCs associated with this malware, see: \r\n(Dec. 4, 2025)\r\n(Dec. 19, 2025)\r\n (Feb. 
11, 2026)\r\nFor a downloadable copy of the Sigma rule associated with this malware, see: \r\nFor more information on PRC state-sponsored cyber activity, see CISA’s People’s Republic of China Threat Overview and\r\nAdvisories webpage.\r\nMalware Summary\r\nBRICKSTORM is a custom Executable and Linkable Format (ELF) Go- or Rust-based backdoor (eight originally analyzed\r\nsamples are Go-based, and two of the three new samples in the Dec. 19, 2025, update are Rust-based). The analyzed\r\nsamples differ in function, but all enable cyber actors to maintain stealthy access and provide capabilities for initiation,\r\npersistence, and secure command and control (C2). Even though the analyzed samples were for VMware vSphere\r\nenvironments, there is reporting about Windows versions.\r\nBRICKSTORM initiates by running checks and maintains persistence by using a self-watching function and automatically\r\nreinstalls or restarts if disrupted.\r\nFor C2, BRICKSTORM uses multiple layers of encryption (HTTPS, WebSockets, nested Transport Layer Security [TLS]) to\r\nhide its communications with the cyber actors’ C2 server. It also uses DNS-over-HTTPS (DoH) and mimics web server\r\nfunctionality to blend its communications with legitimate traffic. For remote system control, BRICKSTORM gives cyber\r\nactors interactive shell access on the system and allows them to browse, upload, download, create, delete, and manipulate\r\nfiles. In addition, some samples act as a SOCKS proxy, facilitating lateral movement and allowing cyber actors to\r\ncompromise additional systems.\r\nMalware Delivery\r\nNote: This advisory uses the MITRE ATT\u0026CK® Matrix for Enterprise framework, version 18. See Appendix A:\r\nMITRE ATT\u0026CK Techniques for tables mapping the cyber actors’ activity to MITRE ATT\u0026CK tactics and techniques.\r\nAt the victim organization where CISA conducted an incident response engagement, PRC state-sponsored cyber actors\r\naccessed a web server on April 11, 2024. 
The web server was inside the organization’s demilitarized zone (DMZ), and cyber\r\nactors accessed it through a web shell [T1505.003] present on the server. Incident data does not indicate how they\r\nobtained initial access to the web server or when the web shell was implanted. On the same day, the cyber actors used\r\nservice account credentials [T1078] to move laterally using Remote Desktop Protocol (RDP) [T1021.001] from the\r\nweb server to a domain controller in the DMZ, from which they copied the Active Directory (AD) database (ntds.dit)\r\n[T1003.003].\r\nOn April 12, 2024, the cyber actors moved laterally from the web server to a domain controller within the internal network\r\nusing RDP and credentials associated with a second service account. It is unknown how they obtained the credentials.\r\nSubsequently, they copied the AD database, obtaining credentials for a managed service provider (MSP) account. Using the\r\nMSP credentials, the cyber actors proceeded to move from the internal domain controller to the VMware vCenter server.\r\nFrom the web server, the actors also moved laterally using Server Message Block (SMB) to two jump servers and an ADFS\r\nserver, from which they exfiltrated cryptographic keys. See Figure 1 for a diagram of the cyber actors’ movement.\r\nFigure 1. PRC State-Sponsored Cyber Actors’ Lateral Movement\r\nAfter gaining access to vCenter, the cyber actors elevated privileges using the sudo command [T1548.003], dropped\r\nBRICKSTORM malware in the server’s /etc/sysconfig/ directory [T1105], and modified the system’s init file in\r\n/etc/sysconfig/ to run BRICKSTORM.\r\nThe modified init file controls the bootup process [T1037] on VMware vSphere systems and executes\r\nBRICKSTORM. Typically, this file is used to define certain visual variables for the bootup process. 
After the setting for\r\nvisual variables, an additional line was added to the script to execute BRICKSTORM from the hard-coded file path\r\n/etc/sysconfig/ .\r\nNote: CISA is still completing analysis to understand the malicious activity and full impact of the compromise.\r\nMalware Metadata\r\nSee Table 1 through Table 8 for metadata of the analyzed malware. See Appendix C: Dec. 19, 2025, Updates for metadata\r\nof Samples 9 through 11 and Appendix D: Feb. 11, 2026, Updates for metadata of Sample 12.\r\nTable 1. BRICKSTORM Sample 1\r\nFile Name vmsrc\r\nSize 7692288 bytes\r\nType ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped\r\nMD5 8e4c88d00b6eb46229a1ed7001451320\r\nSHA1 9bf4c786ebd68c0181cfe3eb85d2fd202ed12c54\r\nSHA256 aaf5569c8e349c15028bc3fac09eb982efb06eabac955b705a6d447263658e38\r\nSHA512 5e654776e9c419e11e6f93a452415a601bd9a2079710f1074608570e498a9af37b81bb57c98cb8bb626c5ee4b3e35757d3ae8c1c3717f28\r\nssdeep 49152:9lDeYNeYunc1S3/U05q+CIKUbwgBfd1Vww/uUJSZina/TokDDko0n8oQhEoAgsUJ:O3lcE380sIDbdB11p3i/TokEIowlb/r\r\nEntropy 5.993799\r\nTable 2. BRICKSTORM Sample 2\r\nFile\r\nName\r\nvnetd\r\nhttps://www.cisa.gov/news-events/analysis-reports/ar25-338a\r\nPage 3 of 31\n\nSize 26603668 bytes\r\nType ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped\r\nMD5 39111508bfde89ce6e0fe6abe0365552\r\nSHA1 f639d9404c03af86ce452db5c5e0c528b81dc0d7\r\nSHA256 013211c56caaa697914b5b5871e4998d0298902e336e373ebb27b7db30917eaf\r\nSHA512 74b4c6f7c7cae07c6f8edf3f2fb1e9206d4f1f9734e8e4784b15d192eec8cd8a4f59078fc0c56dc4ad0856cdd792337b5c92ffd3d2240c8a287\r\nssdeep 196608:GbkKsdDjru3WUIOsW5SYVRk/Qvk1LzK3RMxy2wBW:GwKMjr3Os4k/QiLzERMMdW\r\nEntropy 6.211446\r\nTable 3. 
BRICKSTORM Sample 3\r\nFile\r\nName\r\nif-up\r\nSize 15511700 bytes\r\nType ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped\r\nMD5 dbca28ad420408850a94d5c325183b28\r\nSHA1 fb11c6caa4ea844942fe97f46d7eb42bc76911ab\r\nSHA256 57bd98dbb5a00e54f07ffacda1fea91451a0c0b532cd7d570e98ce2ff741c21d\r\nSHA512 659205fa2cfa85e484c091cc2e85a7ec4e332b196e423b1f39bafdc8fca33e3db712bbe07afcc091ff26d9b4f641fa9a73f2a66dce9a0ced54eb\r\nssdeep 98304:dzB06b0KX4Mnb+sJf+AjBzH3MF4m1d4U2TuAJ5VGY3glknTSk2nH:dFQKIsJBBzXMum83RJ5VGY3gS2nH\r\nEntropy 6.102490\r\nTable 4. BRICKSTORM Sample 4\r\nFile\r\nName\r\nviocli\r\nSize 6311936 bytes\r\nType ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped\r\nMD5 0a4fa52803a389311a9ddc49b7b19138\r\nSHA1 97001baaa379bcd83677dca7bc5b8048fdfaaddc\r\nSHA256 b3b6a992540da96375e4781afd3052118ad97cfe60ccf004d732f76678f6820a\r\nSHA512 65ebf5dfafb8972ffead44271436ec842517cfaaf3d1f1f1237a32d66e1d280943bd3a69f1d539a1b7aca6152e96b29bc822e1047e2243f6aec\r\nssdeep 49152:BgClz8/9cMSThwhWyh/zypzOzRzqm9hRp6FY+fAn/bkNqr+HfHF2xkdpb3gAiDli:W08/9I6WMzUcRz9zvn//Z5D\r\nEntropy 6.005898\r\nTable 5. BRICKSTORM Sample 5\r\nFile\r\nName\r\nvts\r\nSize 6303744 bytes\r\nType ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped\r\nMD5 82bf31e7d768e6d4d3bc7c8c8ef2b358\r\nSHA1 de28546ec356c566cd8bca205101a733e9a4a22d\r\nSHA256 22c15a32b69116a46eb5d0f2b228cc37cd1b5915a91ec8f38df79d3eed1da26b\r\nSHA512 4c52caf2e5f114103ed5f60c6add3aa26c741b07869bb66e3c25a1dc290d4a8bf87c42c336e8ac8ebf82d9a9b23eaa18c31f7051a5970a8fe11\r\nssdeep 49152:uP9kPWdmrJl+9zxKsSJ32ssUZGHZ9ECKDfvCb3XKRbaYJcRHMH9xkdgY3gqF2HxR:yqWdmd4x5SgssUZ0OCKDfvChYrR\r\nEntropy 6.005438\r\nhttps://www.cisa.gov/news-events/analysis-reports/ar25-338a\r\nPage 4 of 31\n\nTable 6. 
BRICKSTORM Sample 6\r\nFile\r\nName\r\nvmckd\r\nSize 6311936 bytes\r\nType ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped\r\nMD5 18f895e24fe1181bb559215ff9cf6ce3\r\nSHA1 c3549d4e5e39a11f609fc6fbf5cc1f2c0ec272b4\r\nSHA256 f7cda90174b806a34381d5043e89b23ba826abcc89f7abd520060a64475ed506\r\nSHA512 79276523a6a507e3fa1b12b96e09b10a01c783a53d58b9ae7f5780a379431639a80165e81154522649b8e2098e86d1a310efffebe32faafc7b\r\nssdeep 49152:6XUQ9anktEg7z/QbPB83A+FQGQzqufqCjt2F81jh+eS53OOwJylHJHuxkdqz3gHG:mVankxn2Pe3JQGQz57t2Y4f3TwrQHAz\r\nEntropy 6.005752\r\nTable 7. BRICKSTORM Sample 7\r\nSize 8332689 bytes\r\nType ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped\r\nMD5 a52e36a70b5e0307cbcaa5fd7c97882c\r\nSHA1 44a3d3f15ef75d9294345462e1b82272b0d11985\r\nSHA256 39b3d8a8aedffc1b40820f205f6a4dc041cd37262880e5030b008175c45b0c46\r\nSHA512 bbe18d32bef66ccfa931468511e8ba55b32943e47a1df1e68bb5c8f8ae97a5bf991201858ae9632fa24df5f6c674b6cb260297a1c11889ca61b\r\nssdeep 98304:78Se5lqfYMKDdopPx0E4j+dM/GLaCXNwqYL6wt/5APUnb:78Se54fYMUaiE4j+dM/GLaCXNmLP+\r\nEntropy 6.063930\r\nTable 8. BRICKSTORM Sample 8\r\nSize 8332689 bytes\r\nType ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped\r\nMD5 a02469742f7b0bc9a8ab5e26822b3fa8\r\nSHA1 10d811029f6e5f58cd06143d6353d3b05bc06d0f\r\nSHA256 73fe8b8fb4bd7776362fd356fdc189c93cf5d9f6724f6237d829024c10263fe5\r\nSHA512 8e29aeb3603ffe307b2d60f7401bd9978bebe8883235eb88052ebf6b9e04ce6bf35667480cedea5712c1e13e8c6dcfb34d5fde0ddca6ca3132\r\nssdeep 98304:78Se5lqfYMKDdopPx0E4j+dM/GLaCXNwqYL6wt/5APUnU:78Se54fYMUaiE4j+dM/GLaCXNmLP+\r\nEntropy 6.063928\r\nMalware Functionality\r\nNote: This analysis is of Samples 1 through 8. See Appendix C: Dec. 19, 2025, Updates for functionality of Samples 9\r\nthrough 11.\r\nAll analyzed samples enable cyber actors to maintain stealthy access and provide capabilities for environment configuration\r\n(initiation), persistence, and secure C2. 
While initiation and persistence functions are similar across the samples, the secure\r\nC2 function varies. BRICKSTORM uses custom handlers to set up a SOCKS proxy, create a web server on the\r\ncompromised system, and execute commands on the compromised system.\r\nSamples 7 and 8 were designed to work in virtualized environments, using a virtual socket (VSOCK) interface to enable\r\ninter-VM communication, facilitate data exfiltration, and maintain persistence.\r\nMost samples used Exclusive OR (XOR) cipher encryption to hide key strings, such as the Internet Protocol version 4 (IPv4)\r\naddresses of public DoH servers, within their code.\r\nInitiation Capabilities\r\nhttps://www.cisa.gov/news-events/analysis-reports/ar25-338a\r\nPage 5 of 31\n\nUpon execution, BRICKSTORM runs checks and can reinstall and restart itself to maintain persistence. BRICKSTORM\r\ninitiates a function (referred to as main_startNew in some samples) to configure environment variables specific to the\r\ncompromised environment, enabling it to operate effectively. Following this, BRICKSTORM identifies if it is already in its\r\nintended state and proceeds to continue running, copy itself for execution, or terminate based on the following logic:\r\n1. Environment Variable Check: BRICKSTORM checks a specified environment variable (differs by sample; see\r\nTable 9) to determine if it is running as a child process (to identify if it is running in its intended state).\r\n1. If the specified variable is set, indicating it is running as a child process, BRICKSTORM continues its code\r\nexecution.\r\n2. If the specified variable is not set (indicating it is not running as a child process), BRICKSTORM checks\r\nwhether it is executing from /etc/sysconfig/ (Samples 1 through 2 and 4 through 7) or\r\n/etc/sysconfig/network/ (Sample 3) by attempting to load file contents from that path.\r\n2. 
File Path Validation and Copying: If BRICKSTORM is running from the validated path, it copies itself to a\r\nspecific location with a specific file name.\r\n1. Next, the parent BRICKSTORM instance modifies the PATH environment variable by appending the copied\r\nlocation’s path [T1574.007 ]. This ensures the newly copied version of BRICKSTORM will be executed\r\nfirst if any commands or processes attempt to run VMware vSphere.\r\n2. The parent instance subsequently executes the copied instance of BRICKSTORM with the specified variable\r\nset in the context of the child process and terminates its own execution.\r\n3. Termination: If BRICKSTORM is not running from the validated path, it terminates its own execution.\r\nSee Figure 2 for the operational flow of the malware.\r\nFigure 2. BRICKSTORM Operational Flow, Malware Initiation\r\nSee Table 9 for checked variables, copied locations, and copied file names of the analyzed samples.\r\nTable 9. BRICKSTORM Initiation Checks and Copied File Information\r\nSample\r\nChecked Environment Variable to Determine if\r\nRunning as a Child Process\r\nCopied Location\r\nCopied File\r\nName\r\nSample\r\n1\r\nVMware [T1036 ] /opt/vmware/sbin vmware-sphere\r\nSample\r\n2\r\n[redacted]ET4\r\n/usr/java/jre-vmware/bin/\r\nupdatemgr\r\nSample\r\n3\r\nCZePMeGj etc/applmgmt/appliance/ vami\r\nSample\r\n4\r\n[redacted]NET6\r\n/usr/java/jre-vmware/bin/\r\nupdatemgr\r\nhttps://www.cisa.gov/news-events/analysis-reports/ar25-338a\r\nPage 6 of 31\n\nSample\r\nChecked Environment Variable to Determine if\r\nRunning as a Child Process\r\nCopied Location\r\nCopied File\r\nName\r\nSample\r\n5\r\nFIOON\r\n/usr/java/jre-vmware/bin/\r\nupdatemgr\r\nSample\r\n6\r\n[redacted]NET4\r\n/usr/java/jre-vmware/bin/\r\nupdatemgr\r\nSample\r\n7\r\nVREG    \r\nSample\r\n8\r\nVARGS    \r\nPersistence Capabilities\r\nTo ensure its continued operations, BRICKSTORM uses built-in self-monitoring and persistence capabilities while running.\r\nSpecifically, it has a 
built-in self-watching function (referred to as main_selfWatcher in some samples) to maintain\r\npersistence. This function monitors if BRICKSTORM is running correctly and, if not, BRICKSTORM reinstalls and\r\nexecutes itself, mirroring its initiation capabilities.\r\nThe self-watching function begins by checking a specific environment variable (see Table 10) to confirm whether\r\nBRICKSTORM is running as an active process. If the check returns a false value (indicating the variable is not set),\r\nBRICKSTORM assumes it is not running properly. In response, BRICKSTORM re-installs itself from predefined file path\r\n— /etc/sysconfig/ (Samples 1 through 2 and 4 through 8) or /etc/sysconfig/network/ (Sample 3)—to a new location\r\n(the file name of the new BRICKSTORM instance and location copied varies by sample; see Table 10). BRICKSTORM\r\nthen updates the PATH environment variable to include the new file location, ensuring the newly copied backdoor file is\r\nexecuted first. Subsequently, the parent instance terminates its own execution, allowing the new process to take over.\r\nIf the initial checks confirm that BRICKSTORM is running as intended (the variable is set), the self-watcher function allows\r\nthe code to continue its operations.\r\nSee Table 10 for details on checked variables, processes, copied locations, and file names associated with the analyzed\r\nsamples.\r\nTable 10. 
BRICKSTORM Checked Variables, Processes, and Copied Names and Locations\r\nSample\r\nChecked Environment\r\nVariable\r\nChecked Process\r\nExistence\r\nCopies To\r\nNewly Copied File\r\nName\r\nSample\r\n1\r\nSphere vmware-sphere /opt/vmware/sbin/ vmware-sphere\r\nSample\r\n2\r\n[redacted]NET3 vnetd /usr/java/jre-vmware/bin/ updatemgr\r\nSample\r\n3\r\nrcMJVF vami /etc/applmgmt/appliance/ vami\r\nSample\r\n4\r\n[redacted]NET5 updatemgr /usr/java/jre-vmware/bin/ updatemgr\r\nSample\r\n5\r\nDIGNN updatemgr /usr/java/jre-vmware/bin/ updatemgr\r\nSample\r\n6\r\n[redacted]NET3 updatemgr /usr/java/jre-vmware/ updatemgr\r\nSample\r\n7\r\nVREG      \r\nSample\r\n8\r\nVARGS      \r\nSecure Command and Control\r\nhttps://www.cisa.gov/news-events/analysis-reports/ar25-338a\r\nPage 7 of 31\n\nAfter passing initiation checks, BRICKSTORM establishes a connection to a C2 server, secures communications with the\r\nserver, and enables cyber actors’ full control over the compromised system. This control includes capabilities such as file\r\nsystem management and interactive shell access. 
In most samples, BRICKSTORM also provides a SOCKS proxy to\r\nfacilitate tunneling and lateral movement.\r\nThe implementation of these capabilities varies across samples, with notable differences in Samples 7 and 8, which\r\nspecifically target virtualized environments.\r\nSample 1\r\nInitial Connection to the C2 Server: Sample 1 first creates an encrypted Domain Name System (DNS) query for a hard-coded C2 domain (the domain has been redacted from this report because according to public reporting, the cyber threat\r\nactors are not reusing C2 domains).4 The sample uses DoH to resolve the address of its C2 servers by sending an encrypted\r\nHTTPS request to one of the following legitimate public DoH resolvers [T1071.001 ]:\r\nhttps[:]//1.0.0[.]1/dns-query (Cloudflare)\r\nhttps[:]//1.1.1[.]1/dns-query (Cloudflare)\r\nhttps[:]//8.8.4[.]4/dns-query (Google)\r\nhttps[:]//8.8.8[.]8/dns-query (Google)\r\nhttps[:]//9.9.9[.]9/dns-query (Quad9)\r\nIf the C2 domain is not found in the public DoH resolver cache, the legitimate resolver forwards the request to the next\r\nserver in the DNS hierarchy, ultimately reaching the threat actors’ DNS server. The DNS server responds with the correct IP\r\naddress for the domain. The response is sent back through the legitimate DoH resolver to BRICKSTORM, which receives\r\nthe encrypted response, decrypts it to get the C2 server’s IP address, and establishes a connection.\r\nEstablishing Secure Communications: Sample 1 establishes an encrypted connection to the C2 server using HTTPS, then\r\nupgrades the session to WebSockets with an additional layer of TLS encryption. To do this, Sample 1 first communicates\r\nover HTTPS with a specific legitimate cloud platform (redacted). 
The sample then sends an HTTP upgrade request to\r\nconvert the initial encrypted HTTPS connection into a persistent WebSocket connection: wss://[REDACTED].com/api .\r\nSample 1 nests additional layers of TLS encryption within the WebSocket session and performs a series of nested TLS\r\nhandshakes within the established WebSocket tunnel. The first handshake is the standard TLS handshake for the initial\r\nHTTPS request to the cloud platform. The second TLS handshake occurs within the WebSocket tunnel, during which\r\nBRICKSTORM authenticates itself to the C2 server using a hard-coded key.\r\nUpon successful authentication, BRICKSTORM establishes a multiplexing layer, which allows it to send multiple\r\ncommands and data streams over the same connection. It does this using both Simple Multiplexing ( smux ) and Yet Another\r\nMultiplexer ( Yamux ) libraries to create virtual streams over a single underlying TLS-secured connection based on client\r\nconfiguration or handshake data. Multiplexing conceals threat actor activity by embedding multiple commands and network\r\ntunnels within a single encrypted stream.\r\nSee Figure 3 for the applicable decompiler output.\r\nhttps://www.cisa.gov/news-events/analysis-reports/ar25-338a\r\nPage 8 of 31\n\nFigure 3. BRICKSTORM Decompiler Output for Establishing Secure Connections\r\nFull System Control: Once the secure connection to the C2 domain is established, Sample 1 uses a custom Go package\r\nwssoft2 to manage incoming network connections and to process commands it receives. Commands are directed to one of\r\nthree handlers based on the function it needs: SOCKS Handler, Web Service Handler, and Command Handler.\r\nThe SOCKS Handler sets up a SOCKS proxy [T1090.001 ] to route C2 traffic and facilitate lateral movement within the\r\nvictim network. To set up the proxy, the handler parses JSON requests from the C2 server. 
If the request is valid, the handler\r\ndelegates request handling to wssoft2/core/handler/socks.SocksWithLocalAddr, which performs SOCKS relaying and\r\nnetwork tunneling over Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Internet Control\r\nMessage Protocol (ICMP).\r\nSee Figure 4 for the handler’s decompiler output.\r\nFigure 4. SOCKS Handler Decompiler Output\r\nThe Web Service Handler establishes covert C2 communication by creating a legitimate-appearing web server on the\r\ncompromised system. It uses the net/http package and gorilla/mux library to create the web server, which includes a\r\nhidden Application Programming Interface (API) endpoint for receiving and executing commands from the C2 server. See\r\nFigure 5 for the Web Service Handler decompiler output that sets up specific API endpoints.\r\nFigure 5. Web Service Handler Decompiler Output Setting Up the Web Server With Specific API Endpoints\r\nThrough the API, the cyber actors can browse, upload, download, create, delete, and manipulate files and folders on the\r\nvictim’s system. See Table 11 for file management commands contained in BRICKSTORM.\r\nTable 11. 
BRICKSTORM File Management Commands\r\nCommand Function\r\nfile-md5 Calculates the MD5 checksum of a specified file to verify file integrity.\r\nget-file Downloads a file from the compromised system to the C2 server [T1041].\r\nlist-dir Lists the contents of a directory on the compromised system (e.g., browses the file system) [T1083].\r\nput-file Uploads a file from the C2 server to the compromised system.\r\nslice-up Reads and downloads specific, partial sections of a file.\r\nTo evade detection, BRICKSTORM serves seemingly legitimate web file types, such as Hypertext Markup Language\r\n(HTML), Cascading Style Sheets (CSS), and JavaScript, from a designated directory.\r\nSee Figure 6 for the Web Service Handler decompiler output.\r\nFigure 6. Web Service Handler Decompiler Output\r\nThe Command Handler executes shell commands on the compromised system, giving the cyber threat actors full control\r\nover the compromised system through interactive command-line access. The handler receives a JSON request from the C2\r\nserver, parses it, and extracts the command to run. The handler then sets up a pseudo-terminal (a virtual command-line interface) and runs\r\nthe command on the victim system.\r\nSee Figure 7 for the Command Handler decompiler output.\r\nFigure 7. 
Command Handler Decompiler Output\r\nSamples 2 Through 6\r\nInitial Connection to the C2 Server: Like Sample 1, these samples create an encrypted DNS query for hard-coded C2\r\ndomains (redacted) and use DoH to resolve the addresses of their C2 servers by sending an encrypted HTTPS request to one\r\nof the following legitimate public DoH resolvers:\r\nhttps[:]//1.0.0[.]1/dns-query (Cloudflare)\r\nhttps[:]//1.1.1[.]1/dns-query (Cloudflare)\r\nhttps[:]//149.112.112[.]11/dns-query (Quad9)\r\nhttps[:]//45.90.28[.]160/dns-query (NextDNS)\r\nhttps[:]//8.8.4[.]4/dns-query (Google)\r\nhttps[:]//8.8.8[.]8/dns-query (Google)\r\nhttps[:]//9.9.9[.]11/dns-query (Quad9)\r\nhttps[:]//9.9.9[.]9/dns-query (Quad9)\r\nNote: Some of these samples store the IPv4 addresses of their DoH servers XOR-encrypted and decrypt them at runtime.\r\nEstablishing Secure Communications: Like Sample 1, these samples establish WebSocket Secure (WSS) connections with\r\nthe C2 server and set up a multiplexing layer.\r\nFull System Control: Once the connection is established with the C2 server via WebSockets, these BRICKSTORM samples\r\nreceive commands that are directed to one of four specific handlers to perform tasks on the compromised system: SOCKS\r\nHandler, Web Service Handler, Command Handler, or CommandNoContext Handler. The SOCKS, Web Service, and\r\nCommand Handlers function similarly to the Sample 1 handlers. The CommandNoContext Handler executes shell commands\r\non the compromised system without using an explicit security context.\r\nSample 7\r\nInitial Connection to the C2 Server: Sample 7 retrieves configuration parameters from environment variables, performs\r\nchecks, generates a TLS configuration used for secure communication to BRICKSTORM’s client, and starts a network\r\ncommunications routine. 
This sample also uses a VSOCK interface to enable inter-VM communication, support data\r\nexfiltration, and maintain persistence in virtualized environments.\r\nUpon execution, Sample 7 retrieves the following three configuration values from environment variables using the\r\nos_Getenv function:\r\nlistenAddr (listen address and port)\r\nlistenPath (listen path to route requests to the WSS connection)\r\npassword (authentication key)\r\nEstablishing Secure Communications: Sample 7 establishes a secure WebSocket server with minimal external\r\ndependencies; specifically, all communication is encrypted using in-memory self-signed certificates. This enables encrypted\r\ncommunication without relying on publicly trusted Certificate Authorities (CAs) or storing certificate files on disk. It\r\ndynamically generates a self-signed X.509 certificate and a corresponding 2048-bit Rivest–Shamir–Adleman (RSA) private\r\nkey in memory, which are loaded into a tls.Certificate struct and assigned to the certificate field of a tls.Config object.\r\nThis allows the server to handle HTTPS/WSS connections using the in-memory self-signed certificate, as standard\r\nnet/http servers are configured to use tls.Config.\r\nSample 7 uses a single, multiplexed connection over secure WebSockets to communicate with a specified C2 address\r\n(retrieved from the listenAddr value) and path (retrieved from the listenPath value). 
During or before the WSS\r\nhandshake, Sample 7 implements a custom authentication check, involving the specific pre-shared authentication key\r\n(retrieved from the password value).\r\nFull System Control: Once the WSS connection with the C2 server is established, Sample 7 processes incoming commands\r\nthrough one of four handlers: Web Service Handler, Command Handler, VSOCK-proxy Handler, or VSOCK Connection Handler.\r\nThe Web Service Handler functions similarly to Sample 1’s Web Service Handler.\r\nThe Command Handler functions similarly to Sample 1’s Command Handler.\r\nThe VSOCK-proxy Handler performs VSOCK relaying and network tunneling. It implements a proxy with specific\r\nconfiguration arguments to establish a tunneled connection to process JSON payloads. First, the handler unmarshals the\r\npayload data and extracts and validates the TunnelAddr, Context ID (CID), Port, and Family configuration\r\narguments. Based on the validated arguments, the handler binds to a specific VSOCK address (defined by the CID and port)\r\nand establishes a connection to the destination specified by TunnelAddr. When the connection is completed or terminated,\r\nthe handler sends an appropriate success or error response back to the client. This functionality enables cyber actors to\r\nmaintain covert communication channels, evade detection, and pivot within virtualized environments.\r\nThe VSOCK Connection Handler creates and connects to VSOCK endpoints to maintain covert connections within the\r\nvirtual environment. It processes incoming network requests containing a JSON payload with specific configuration\r\narguments for connecting to a VSOCK endpoint. The handler extracts the JSON payload from the request and uses a JSON\r\nparser to unmarshal the data into a structured object with fields for Context (CID), Port, and Family. 
The handler\r\nchecks the unmarshalled data for validity and, if the configuration is valid, establishes a connection to a VSOCK\r\nendpoint using the specified CID and port number. If the virtual socket creation is successful, the handler allocates a new\r\nruntime object to hold the CID and port information. If unmarshalling fails, validation fails, or the destination connection\r\ncannot be established, the handler returns an appropriate error to the client.\r\nSample 8\r\nLike Sample 7, Sample 8:\r\nRetrieves C2 parameters (listenAddr, listenPath, and password) from environment variables,\r\nUses a self-signed X.509 certificate and a corresponding 2048-bit RSA private key in memory to facilitate encrypted\r\ncommunications without relying on a CA,\r\nEstablishes a secure WebSocket server for encrypted communication, and\r\nDirects commands to specific handlers.\r\nSample 8’s set of command handlers differs from Sample 7’s. In addition to a Web Service Handler, Command Handler,\r\nVSOCK-proxy Handler, and VSOCK Connection Handler, Sample 8 has two additional handlers: the SOCKS Handler\r\n(which functions similarly to Sample 1’s SOCKS Handler) and the CommandNoContext Handler (which functions similarly to\r\nSamples 2 through 6’s CommandNoContext Handler).\r\nDetection\r\nYARA Rules\r\nDeploy the CISA-created YARA rules in Table 12 to detect malicious activity. See Appendix B: Scanning Guidance on\r\nRemote Hosts for guidance on how to identify activity with these rules.\r\nTable 12. 
YARA Rules\r\nBRICKSTORM Rule 1\r\nrule CISA_251165_02 : BRICKSTORM backdoor installs_other_components communicates_with_c2 exfiltrates_data\r\n{\r\nmeta:\r\nauthor = \"CISA Code & Media Analysis\"\r\nincident = \"251165\"\r\ndate = \"2025-09-29\"\r\nlast_modified = \"202051001_1008\"\r\nactor = \"n/a\"\r\nfamily = \"BRICKSTORM\"\r\ncapabilities = \"installs-other-components communicates-with-c2 exfiltrates-data\"\r\nmalware_type = \"backdoor\"\r\ntool_type = \"unknown\"\r\ndescription = \"Detects Go-Based BRICKSTORM backdoor samples\"\r\nsha256_1 = \"aaf5569c8e349c15028bc3fac09eb982efb06eabac955b705a6d447263658e38\"\r\nstrings:\r\n$s0 = { 6D 61 69 6E 2E 73 74 61 72 74 4E 65 77 }\r\n$s1 = { 6D 61 69 6E 2E 73 65 6C 66 57 61 74 63 68 65 72 }\r\n$s2 = { 6D 61 69 6E 2E 73 65 74 53 65 72 76 69 63 65 43 66 67 }\r\n$s3 = { 73 6F 63 6B 73 2E 48 61 6E 64 6C 65 53 6F 63 6B 73 52 65 71 75 65 73 74 }\r\n$s4 = { 77 65 62 2E 57 65 62 53 65 72 76 69 63 65 }\r\n$s5 = { 63 6F 6D 6D 61 6E 64 2E 48 61 6E 64 6C 65 54 54 59 52 65 71 75 65 73 74 }\r\n$s6 = { 77 65 62 73 6F 63 6B 65 74 2E 28 2A 57 53 43 6F 6E 6E 65 63 74 6F 72 29 2E 43 6F 6E 6E 65 63 74 }\r\n$s7 = { 66 73 2E 28 2A 57 65 62 53 65 72 76 65 72 29 2E 52 75 6E 53 65 72 76 65 72 }\r\n$s8 = { 68 74 74 70 73 3A 2F 2F 31 2E 30 2E 30 2E 31 2F 64 6E 73 2D 71 75 65 72 79 }\r\n$s9 = { 68 74 74 70 73 3A 2F 2F 31 2E 31 2E 31 2E 31 2F 64 6E 73 2D 71 75 65 72 79 }\r\n$s10 = { 68 74 74 70 73 3A 2F 2F 38 2E 38 2E 34 2E 34 2F 64 6E 73 2D 71 75 65 72 79 }\r\n$s11 = { 68 74 74 70 73 3A 2F 2F 38 2E 38 2E 38 2E 38 2F 64 6E 73 2D 71 75 65 72 79 }\r\n$s12 = { 68 74 74 70 73 3A 2F 2F 39 2E 39 2E 39 2E 39 2F 64 6E 73 2D 71 75 65 72 79 }\r\ncondition:\r\n8 of them\r\n}\r\nBRICKSTORM Rule 2\r\nrule CISA_251155_02 : BRICKSTORM backdoor installs_other_components communicates_with_c2 exfiltrates_data\r\n{\r\nmeta:\r\nauthor = \"CISA Code & Media Analysis\"\r\nincident = \"251155\"\r\ndate = \"2025-09-15\"\r\nlast_modified = \"20250916_1511\"\r\nactor = \"n/a\"\r\nfamily = \"BRICKSTORM\"\r\ncapabilities = \"installs-other-components communicates-with-c2 exfiltrates-data\"\r\nmalware_type = \"backdoor\"\r\ntool_type = \"unknown\"\r\ndescription = \"Detects Go-Based BRICKSTORM backdoor samples\"\r\nsha256_1 = \"320a0b5d4900697e125cebb5ff03dee7368f8f087db1c1570b0b62f5a986d759\"\r\nsha256_2 = \"dfac2542a0ee65c474b91d3b352540a24f4e223f1b808b741cfe680263f0ee44\"\r\nsha256_3 = \"b91881cb1aa861138f2063ec130b2b01a8aaf0e3f04921e5cbfc61b09024bf12\"\r\nsha256_4 = \"bfb3ffd46b21b2281374cd60bc756fe2dcc32486dcc156c9bd98f24101145454\"\r\nstrings:\r\n$s0 = { 04 30 0F B6 54 04 2C 31 D1 88 4C 04 34 48 FF C0 }\r\n$s1 = { 48 83 F8 04 7C E7 48 C7 04 24 }\r\n$s2 = { 48 8D 44 24 34 48 89 44 24 08 48 C7 44 24 10 04 }\r\n$s3 = { 48 89 44 24 48 48 89 4C 24 50 48 8B 6C 24 38 48 }\r\n$s4 = { 48 83 EC 40 48 89 6C 24 38 48 8D 6C 24 38 C7 44 24 }\r\n$s5 = { 83 EC 38 48 89 6C 24 30 48 8D 6C 24 30 C6 44 24 }\r\n$s6 = { 4C 24 20 48 89 44 24 40 48 89 4C 24 48 48 8B 6C }\r\n$s7 = { 64 48 8B 0C 25 F8 FF FF FF 48 3B 61 10 0F 86 81 }\r\n$s8 = { 64 48 8B 0C 25 F8 FF FF FF 48 3B 61 10 0F 86 91 }\r\ncondition:\r\nall of them\r\n}\r\nBRICKSTORM Rule 3 (Added Dec. 19, 2025)\r\nrule CISA_251155_01 : BRICKSTORM backdoor installs_other_components communicates_with_c2 exfiltrates_data\r\n{\r\nmeta:\r\nauthor = \"CISA Code & Media Analysis\"\r\nincident = \"251155\"\r\ndate = \"2025-09-15\"\r\nlast_modified = \"20250916_1511\"\r\nactor = \"n/a\"\r\nfamily = \"BRICKSTORM\"\r\ncapabilities = \"installs-other-components communicates-with-c2 exfiltrates-data\"\r\nmalware_type = \"backdoor\"\r\ntool_type = \"unknown\"\r\ndescription = \"Detects Go-Based BRICKSTORM backdoor samples\"\r\nsha256_1 = \"2bf9bfa1f9bcbcad0eada7e3be8d380d809248f08609f6e9d971b37ce09f7e93\"\r\nsha256_2 = \"6d42e9a0757670b9837034b5202d1673093577757b44bb0f0253f366413393e9\"\r\nsha256_3 = \"b30041b986ee3231fd53522c9d0c57e4567d6c60959fa06c125dde2af558fc9f\"\r\nstrings:\r\n$s0 = { 88 14 08 48 FF C1 }\r\n$s1 = { 2F 63 6F 72 65 2F 74 61 73 6B 2E 44 6F 54 61 73 6B 2E 66 75 6E 63 31 }\r\n$s2 = { 2F 63 6F 72 65 2F 74 61 73 6B 2E 44 6F 54 61 73 6B 2E 66 75 6E 63 31 2E 32 }\r\n$s3 = { 2F 63 6F 72 65 2F 65 78 74 65 6E 64 73 2F 77 65 62 2E 57 65 62 53 65 72 76 69 63 65 }\r\n$s4 = { 2F 63 6F 72 65 2F 65 78 74 65 6E 64 73 2F 77 65 62 2E 57 65 62 53 65 72 76 69 63 65 2E 66 75 6E 63 31 }\r\n$s5 = { 63 6F 72 65 2F 65 78 74 65 6E 64 73 2F 73 6F 63 6B 73 2E 53 6F 63 6B 73 }\r\n$s6 = { 63 6F 72 65 2F 65 78 74 65 6E 64 73 2F 73 6F 63 6B 73 2E 53 6F 63 6B 73 2E 66 75 6E 63 31 }\r\n$s7 = { 63 6F 72 65 2F 65 78 74 65 6E 64 73 2F 63 6F 6D 6D 61 6E 64 2E 43 6F 6D 6D 61 6E 64 }\r\n$s8 = { 6C 69 62 73 2F 64 6F 68 2E 51 75 65 72 79 }\r\n$s9 = { 2F 76 65 6E 64 6F 72 2F 68 61 73 68 69 63 6F 72 70 2F 79 61 6D 75 78 2E 53 65 72 76 65 72 }\r\ncondition:\r\n3 of them\r\n}\r\nRule 4 (Rust-based Samples) (Added Dec. 19, 2025)\r\nrule CISA_251217_03 : BRICKSTORM backdoor installs_other_components communicates_with_c2 exfiltrates_data\r\n{\r\nmeta:\r\nauthor = \"CISA Code & Media Analysis\"\r\nincident = \"251217\"\r\ndate = \"2025-12-10\"\r\nlast_modified = \"20251216_729\"\r\nactor = \"n/a\"\r\nfamily = \"BRICKSTORM\"\r\ncapabilities = \"installs-other-components communicates-with-c2 exfiltrates-data\"\r\nmalware_type = \"backdoor\"\r\ntool_type = \"unknown\"\r\ndescription = \"Detects Rust BRICKSTORM backdoor samples\"\r\nsha256_1 = \"6a67a9769a55ec889a5dd4199b2fc08965d39d737838836853bc13c81c56a800\"\r\nsha256_2 = \"ed907d39efd5750236b075ca9fbb1f090d7bf578578c38faab24210d298a60ae\"\r\nsha256_3 = \"0e92009fc6519c837982b3fbfd42946e827de47b73a264d693739168533d07f4\"\r\nsha256_4 = \"fb22eea57e00b83edad50ee6e02320377efc10586584c476d5018dbba3643c32\"\r\nsha256_5 = \"28a16e782f04d9394b5dfa3363d41d9f5eecc206166aeffd73363d83734a026d\"\r\nstrings:\r\n$s0 = { 20 55 70 67 72 61 64 65 3A 20 77 65 62 73 6F 63 6B 65 74 43 6F 6E 6E 65 63 74 69 6F 6E 3A }\r\n$s1 = { 20 55 70 67 72 61 64 65 53 65 63 2D 57 65 62 73 6F 63 6B 65 74 2D 4B 65 79 3A }\r\n$s2 = { 20 53 65 63 2D 57 65 62 53 6F 63 6B 65 74 2D 56 65 72 73 69 6F 6E 3A }\r\n$s3 = { 57 65 62 53 6F 63 6B 65 74 53 65 63 2D 57 65 62 53 6F 63 6B 65 74 2D 41 63 63 65 70 74 3A }\r\n$s4 = { 53 77 69 74 63 68 69 6E 67 20 50 72 6F 74 6F 63 6F 6C 73 }\r\n$s5 = { 32 35 38 45 41 46 41 35 2D 45 39 31 34 2D 34 37 44 41 2D 39 35 43 41 2D 43 35 41 42 30 44 43 38 35 42 31 31 }\r\n$s6 = { 2F 64 65 76 2F 70 74 6D 78 64 6F 20 66 6F 72 6B 6F 70 65 6E 20 }\r\n$s7 = { 53 6F 63 6B 73 35 20 63 6D 64 20 6E 6F 74 20 73 75 70 70 6F 72 74 }\r\n$s8 = { 62 39 32 37 35 38 61 39 61 65 66 31 63 65 66 37 62 37 39 65 32 62 37 32 63 33 64 38 62 61 31 31 33 65 35 34 37 66 38 39 }\r\n$s9 = { 58 34 34 38 52 69 6E 67 47 45 54 20 0D 0A 0D 0A 70 69 70 65 50 69 6E 67 50 6F 6E 67 44 61 74 61 }\r\ncondition:\r\n9 of them\r\n}\r\nRule 5 (Added Jan. 20, 2026)\r\nrule CISA_251155_03 : BRICKSTORM backdoor installs_other_components communicates_with_c2 exfiltrates_data\r\n{\r\nmeta:\r\nauthor = \"CISA Code & Media Analysis\"\r\nincident = \"251155\"\r\ndate = \"2025-09-15\"\r\nlast_modified = \"20250916_1511\"\r\nactor = \"n/a\"\r\nfamily = \"BRICKSTORM\"\r\ncapabilities = \"installs-other-components communicates-with-c2 exfiltrates-data\"\r\nmalware_type = \"backdoor\"\r\ntool_type = \"unknown\"\r\ndescription = \"Detects Go-Based BRICKSTORM backdoor samples\"\r\nsha256_1 = \"0cba5c6d16c7b94a450c36bfbaeab79107ac10aa9548b02c42b4b6ba8cef6a51\"\r\nstrings:\r\n$s0 = { CE 73 63 44 0F B6 04 30 44 31 C7 48 83 FE 19 72 DA EB 53 48 C7 04 24 }\r\n$s1 = { 64 48 8B 0C 25 F8 FF FF FF 48 8D 44 24 E8 48 3B }\r\n$s2 = { 8D 44 24 5F 48 89 04 24 48 8D 05 F9 4C 12 00 48 }\r\n$s3 = { 8B 4C 24 20 48 89 4C 24 30 48 8D 54 24 58 48 89 }\r\n$s4 = { 8B 44 24 20 48 89 44 24 30 48 8B 4C 24 18 48 89 }\r\n$s5 = { E8 8E 6A D5 FF 48 8B 44 24 18 48 89 84 24 98 }\r\n$s6 = { E8 A4 69 D5 FF 48 8B 44 24 20 48 8B 4C 24 28 48 89 84 24 B0 }\r\n$s7 = { 48 8D 44 24 3F 48 89 44 24 08 48 C7 44 24 10 19 }\r\ncondition:\r\nall of them\r\n}\r\nRule 6 (Added Jan. 20, 2026)\r\nrule CISA_251186_02 : BRICKSTORM backdoor installs_other_components communicates_with_c2 exfiltrates_data\r\n{\r\nmeta:\r\nauthor = \"CISA Code & Media Analysis\"\r\nincident = \"251186\"\r\ndate = \"2025-11-17\"\r\nlast_modified = \"n/a\"\r\nactor = \"n/a\"\r\nfamily = \"BRICKSTORM\"\r\ncapabilities = \"installs-other-components communicates-with-c2 exfiltrates-data\"\r\nmalware_type = \"backdoor\"\r\ntool_type = \"unknown\"\r\ndescription = \"Detects Go-Based BRICKSTORM backdoor samples\"\r\nsha256_1 = \"57bd98dbb5a00e54f07ffacda1fea91451a0c0b532cd7d570e98ce2ff741c21d\"\r\nstrings:\r\n$s0 = { 31 F7 40 88 7C 04 4C 48 FF C0 }\r\n$s1 = { 44 01 C7 40 88 7C 14 30 48 FF C2 0F 1F 00 }\r\n$s2 = { 41 89 F0 31 FE 01 D6 66 90 49 83 F8 11 }\r\n$s3 = { 48 8B 44 24 08 48 8B 5C 24 10 48 8B 4C 24 18 }\r\n$s4 = { 48 89 C1 48 89 DF 48 8D 05 0F 6F 15 00 }\r\n$s5 = { 48 8D 3D 9A 6D 15 00 4D 89 C1 49 89 F0 }\r\n$s6 = { 81 39 49 43 4D 50 74 0C }\r\n$s7 = { E8 FB E6 FF FF E8 76 D0 FF FF E8 91 C0 FF FF 48 8B 05 EA BF 53 }\r\ncondition:\r\nall of them\r\n}\r\nRule 7 (Added Feb. 11, 2026)\r\nrule CISA_261234_01 : BRICKSTORM backdoor installs_other_components communicates_with_c2 exfiltrates_data\r\n{\r\nmeta:\r\nauthor = \"CISA Code & Media Analysis\"\r\nincident = \"261234\"\r\ndate = \"2026-02-03\"\r\nlast_modified = \"20260203_1426\"\r\nactor = \"n/a\"\r\nfamily = \"BRICKSTORM\"\r\ncapabilities = \"installs-other-components communicates-with-c2 exfiltrates-data\"\r\nmalware_type = \"backdoor\"\r\ntool_type = \"unknown\"\r\ndescription = \"Detects AOT BRICKSTORM backdoor samples\"\r\nsha256_1 = \"24a11a26a2586f4fba7bfe89df2e21a0809ad85069e442da98c37c4add369a0c\"\r\nstrings:\r\n$s0 = { 2F 00 75 00 73 00 72 00 2F 00 73 00 62 00 69 00 6E 00 2F 00 73 00 71 00 69 00 75 00 64 }\r\n$s1 = { 2F 00 62 00 69 00 6E 00 2F 00 62 00 61 00 73 00 68 }\r\n$s2 = { 2F 00 63 00 6D 00 64 00 6C 00 69 00 6E 00 65 }\r\n$s3 = { 2F 00 64 00 65 00 76 00 2F 00 6E 00 75 00 6C }\r\n$s4 = { 2F 00 65 00 74 00 63 00 2F 00 73 00 61 00 6D 00 62 00 61 00 2F 00 73 00 6D 00 62 }\r\n$s5 = { 2F 00 70 00 72 00 6F 00 63 00 2F 00 6E 00 65 00 74 00 2F 00 72 00 6F 00 75 00 74 }\r\n$s6 = { 44 6F 74 4E 65 74 52 75 6E 74 69 6D 65 44 65 62 75 67 48 65 61 64 65 72 }\r\n$s7 = { 32 35 38 45 41 46 41 35 2D 45 39 31 34 2D 34 37 44 41 2D 39 35 43 41 2D 43 35 41 42 30 44 43 38 35 42 31 31 }\r\n$s8 = { 63 66 73 65 74 6F 73 70 65 65 64 00 63 68 64 69 72 00 63 6C 6F 73 65 00 64 75 70 32 }\r\n$s9 = { 65 78 65 63 76 00 65 78 65 63 76 70 00 66 6F 72 6B 00 66 6F 72 6B 70 74 79 00 6B 69 6C 6C }\r\n$s10 = { 32 31 35 31 30 31 32 31 33 62 35 63 34 35 34 38 61 62 36 63 63 65 38 31 38 35 34 61 31 33 65 65 }\r\ncondition:\r\n9 of them\r\n}\r\nSigma Rule\r\nDeploy the CISA-created Sigma rule in Table 13 to detect BRICKSTORM.\r\nNote: This rule can be run in an entity’s security information and event management (SIEM) system, but it will only be\r\nuseful if the SIEM contains the vCenter logs. 
Additionally, this detection method will not work if run on endpoint detection\r\nand response (EDR) logs.\r\nTable 13. Sigma Rule\r\nBRICKSTORM\r\n## CISA Code & Media Analysis ##\r\n############ README ###############\r\n## Edit rules and queries as needed for your hunt and based on your environment.\r\n## Ensure your EDR/SIEM instance has enough memory to run these AND/OR condition based queries. May take longer to run than conventional Sigma rule query.\r\n## Do not edit \"logsource-product:\" unless you are editing this rule to meet specific logsources/fields and know your environment.\r\n## TLP GREEN + Please use local installation of Sigma to convert this rule.\r\n## TLP CLEAR may convert rules using online converter of choice.\r\n###################################\r\ntitle: BRICKSTORM Backdoor Activity r2\r\nincident: 251157.r2\r\ntlp: CLEAR\r\nid: 329bec83-54bd-405f-a5ab-ba97ec5e6057\r\nstatus: test\r\ndescription: BRICKSTORM malware is a backdoor with multiple capabilities that threat actors use to set up persistence on exploited systems.\r\nreferences:\r\n    - https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign\r\n    - https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement\r\n    - https://ctid.mitre.org/blog/2024/05/22/infiltrating-defenses-abusing-vmware-in-mitres-cyber-intrusion/\r\n    - https://cybersecuritynews.com/new-brickstorm-stealthy-backdoor/\r\nauthor: CISA Code & Media Analysis\r\ndate: 2025-09-29\r\nmodified: 2025-09-29\r\ntags:\r\n    - attack.brickstorm\r\n    - attack.unc5221\r\nlogsource:\r\n    product: cma\r\ndetection:\r\n    keywords_1:\r\n        - 'vCenter'\r\n    keywords_2:\r\n        - 'inventory object'\r\n        - 'object'\r\n    keywords_3:\r\n        - 'clone'\r\n        - 'destroy'\r\n    keywords_4:\r\n        - 'GET'\r\n        - 'POST'\r\n        - 'PUT'\r\n    keywords_5:\r\n        - 'HTTP/1.1'\r\n    keywords_6:\r\n        - '200'\r\n    keywords_7:\r\n        - '/rest/com/vmware/cis/session'\r\n        - '/rest/appliance/access/ssh'\r\n    keywords_8:\r\n        - 'User Agent'\r\n    keywords_9:\r\n        - 'sed -i'\r\n    keywords_10:\r\n        - 'export'\r\n        - 'echo'\r\n    keywords_11:\r\n        - 'vami-lighttp'\r\n        - '/etc/sysconfig/init'\r\n    keywords_12:\r\n        - 'Administrator'\r\n    keywords_13:\r\n        - 'Creating local person user'\r\n        - 'Adding users'\r\n        - 'Updating local group'\r\n        - 'Removing principals'\r\n        - 'Deleting principal'\r\n    keywords_14:\r\n        - 'PrincipalManagement'\r\n    keywords_15:\r\n        - 'sshd'\r\n    keywords_16:\r\n        - 'Postponed keyboard-interactive/pam'\r\n    keywords_17:\r\n        - '/bin/vmx'\r\n    keywords_18:\r\n        - '-x'\r\n    keywords_19:\r\n        - '/vmfs/volumes.vmx'\r\n    keywords_20:\r\n        - '2>/dev/null'\r\n    keywords_21:\r\n        - '0>/dev/null'\r\n    keywords_22:\r\n        - '$parts ='\r\n    keywords_23:\r\n        - 'Get-Item -Path'\r\n    keywords_24:\r\n        - '\"C:\\Windows\\System32\\drivers\\etc\\hosts\":frag*'\r\n    keywords_25:\r\n        - '$loader ='\r\n    keywords_26:\r\n        - '[IO.File]::ReadAllText'\r\n    keywords_27:\r\n        - 'Invoke-Expression $loader'\r\n    keywords_28:\r\n        - 'cp'\r\n        - 'delete'\r\n    keywords_29:\r\n        - 'home/vsphere-ui/vcli'\r\n        - '/opt/vmware/sbin'\r\n    keywords_30:\r\n        - 'vami-httpd'\r\n    keywords_31:\r\n        - 'testComputer$'\r\n    keywords_32:\r\n        - 'ldap-ivanti'\r\n    keywords_33:\r\n        - 'https://9.9.9.9/dns-query'\r\n        - 'https://45.90.28.160/dns-query'\r\n        - 'https://45.90.30.160/dns-query'\r\n        - 'https://149.112.112.112/dns-query'\r\n        - 'https://9.9.9.11/dns-query'\r\n        - 'https://1.1.1.1/dns-query'\r\n        - 'https://1.0.0.1/dns-query'\r\n        - 'https://8.8.8.8/dns-query'\r\n        - 'https://8.8.4.4/dns-query'\r\n        - '/home/bin/netmon'\r\n        - '/home/bin/logd'\r\n        - '/home/runtime/logd'\r\n        - '/home/config/logd.spec.cfg'\r\n        - '/api/file/change-dir'\r\n        - '/api/file/delete-dir'\r\n        - '/api/file/delete-file'\r\n        - '/api/file/mkdir'\r\n        - '/api/file/list-dir'\r\n        - '/api/file/rename'\r\n        - '/api/file/put-file'\r\n        - '/api/file/get-file'\r\n        - '/api/file/slice-up'\r\n        - '/api/file/file-md5'\r\n        - '/api/file/up'\r\n        - '/api/file/stat'\r\n    condition: keywords_1 and keywords_2 and keywords_3 or keywords_4 and keywords_5 and keywords_6 and keywords_7 and keywords_8 or keywords_9 and keywords_10 and keywords_11 or keywords_12 and keywords_13 and keywords_14 or keywords_15 and keywords_16 or keywords_17 and keywords_18 and keywords_19 and keywords_20 and keywords_21 or keywords_22 and keywords_23 and keywords_24 and keywords_25 and keywords_26 and keywords_27 or keywords_28 and keywords_29 and keywords_30 or keywords_31 and keywords_32 or keywords_33\r\nfalsepositives:\r\n    - Rate of FP low-moderate with some strings.\r\n    - Use this rule in an infected environment/logs.\r\n    - Analyst may need to make adjustments to the query as required.\r\nlevel: high\r\nAdditional Detection Resources\r\nSee the following resources for detecting BRICKSTORM.\r\nGoogle Mandiant’s tactics, techniques, and procedures (TTPs)-based hunt guidance 
and YARA detection rules\r\nprovided in Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech and Legal Sectors.\r\nGoogle Mandiant’s BRICKSTORM Espionage Campaign YARA Rules, available at Github.\r\nGoogle Mandiant’s BRICKSTORM Scanner: BRICKSTORM Indicator of Compromise Scanner.\r\nUse the script by first mounting an image followed by the scan.\r\nTo mount the image:\r\nsudo mkdir -p /mnt/image\r\nsudo mount -o ro,loop image.001 /mnt/image\r\nTo unmount the image:\r\nsudo umount /mnt/image\r\nThe script can also be used by mounting a remote server to your local VM to scan its file system:\r\nsudo apt update\r\nsudo apt install -y sshfs\r\nsudo mkdir -p /mnt/remote-server\r\nsudo chown $(whoami):$(whoami) /mnt/remote-server\r\nsudo sed -i 's/^# *user_allow_other/user_allow_other/' /etc/fuse.conf || echo 'user_allow_other' | sudo tee -a /etc/fuse.conf\r\nsudo sshfs root@IPAddress:/ /mnt/remote-server\r\nsudo ls -la /mnt/remote-server\r\nsudo yara yara.rule -r /mnt/remote-server\r\nsudo umount -l /mnt/remote-server\r\nls -la /mnt/remote-server\r\nNVISO’s analysis of Windows-based variants with IOCs and detection rules contains YARA and other detection and\r\nhunting rules. See NVISO Incident Response BRICKSTORM Backdoor Analysis.\r\nCrowdStrike’s VirtualGHOST PowerShell Script: CrowdStrike / VirtualGHOST\r\nThis script can be used to identify unregistered VMware VMs.\r\nTo run the script in PowerShell or pwsh, complete the following steps:\r\n1. Set-ExecutionPolicy RemoteSigned\r\n2. Install-Module -Name VMware.PowerCLI -Scope CurrentUser\r\n3. Import-Module VMware.PowerCLI\r\n4. Get-Module -ListAvailable VMware.PowerCLI\r\nTo run the script in Windows, use .\\Detect-VirtualGHOST.ps1.\r\nTo run the script in Linux, first install PowerShell with sudo apt install -y powershell.\r\nFor vCenter servers, use username@domain.local instead of root. 
For ESXi servers, you may use the root username.\r\nCrowdStrike’s TTPs, IOCs, and Falcon LogScale Query provided in Unveiling WARP PANDA: A New Sophisticated\r\nChina-Nexus Adversary.\r\nIncident Response\r\nU.S. organizations: If BRICKSTORM, similar malware, or potentially related activity is detected, CISA and NSA urge\r\norganizations to report the activity as required by law and applicable policies. To enable CISA to provide tailored incident\r\nresponse assistance and build a comprehensive picture of this activity, CISA and NSA urge organizations to:\r\n1. Immediately report the findings via CISA’s 24/7 Operations Center (contact@cisa.dhs.gov), 1-844-Say-CISA (1-844-729-2472), or CISA’s Incident Reporting System. Please state that the activity is related to BRICKSTORM, and\r\nCISA will reach out with next steps.\r\n2. Use CISA’s Malware Analysis Submission Form to submit a file containing the malicious code. Include the CISA-provided Incident ID number (obtained from reporting the compromise) in the Open Incident ID field.\r\nCanadian organizations: Report incidents by emailing Cyber Centre at contact@cyber.gc.ca or online via the reporting\r\ntool Report a Cyber Incident - Canadian Centre for Cyber Security.\r\nMitigations\r\nCISA, NSA, and Cyber Centre recommend organizations implement the mitigations below to improve organizational\r\ncybersecurity posture based on the cyber actors’ activity. These mitigations align with the Cross-Sector Cybersecurity\r\nPerformance Goals 2.0 (CPG 2.0) developed by CISA and the National Institute of Standards and Technology (NIST). The\r\nCPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement.\r\nCISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common\r\nand impactful threats, tactics, techniques, and procedures. 
Visit CISA’s CPG 2.0 webpage for more information on the\r\nCPGs, including additional recommended baseline protections.\r\nUpgrade VMware vSphere servers to the latest version [CPG 2.B].\r\nHarden your VMware vSphere environments by applying VMware’s guidance available at Github. For\r\nadditional guidance on logging [CPG 3.Q] and hardening, see From Help Desk to Hypervisor: Defending Your\r\nVMware vSphere Estate from UNC3944 .\r\nTake inventory of all network edge devices [CPG 2.A] and monitor for any suspicious network connectivity\r\noriginating from these devices.\r\nEnsure proper network segmentation restricts network traffic from the DMZ to the internal network [CPG\r\n3.I].\r\nDisable RDP and SMB from the DMZ to the internal network.\r\nApply the principle of least privilege and restrict service accounts to only needed permissions.\r\nIncrease monitoring for service accounts, which are highly privileged and have a predictable pattern of behavior\r\n(e.g., scans that reliably run at a certain hour of the day).\r\nBlock unauthorized DoH providers and external DoH network traffic to reduce unmonitored communications.\r\nDisclaimer\r\nCISA, NSA, and Cyber Centre do not endorse any commercial entity, product, company, or service, including any entities,\r\nproducts, companies, or services linked within this document. Any reference to specific commercial entities, products,\r\nprocesses, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement,\r\nrecommendation, or favoring by CISA, NSA, or Cyber Centre.\r\nAcknowledgements\r\nVMware contributed to this advisory.\r\nVersion History\r\nDecember 4, 2025: Initial version.\r\nDecember 5, 2025: Updated Additional Detection Resources.\r\nDecember 19, 2025: See Appendix C: Dec. 19, 2025, Updates.\r\nJanuary 20, 2026: Added YARA rules to Detection.\r\nFebruary 11, 2026: Updated based on analysis of a new variant. See Appendix D: Feb. 
11, 2026, Updates.\r\nAppendix A: MITRE ATT&CK Techniques\r\nSee Table 14 through Table 20 for all referenced threat actor tactics and techniques in this advisory. For assistance with\r\nmapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for\r\nMITRE ATT&CK Mapping and CISA’s Decider Tool.\r\nTable 14. Persistence\r\nTechnique Title | ID | Use\r\nBoot or Logon Initialization Scripts | T1037 | The cyber actors modify the init file to execute BRICKSTORM.\r\nHijack Execution Flow: Path Interception by PATH Environment Variable | T1574.007 | BRICKSTORM modifies the PATH environment variable so that the copied version of BRICKSTORM will execute if commands or processes reference it.\r\nServer Software Component: Web Shell | T1505.003 | The cyber actors accessed a web server inside a victim organization’s DMZ using a web shell.\r\nTable 15. Privilege Escalation\r\nTechnique Title | ID | Use\r\nAbuse Elevation Control Mechanism: Sudo and Sudo Caching | T1548.003 | The cyber actors elevated privileges using the sudo command.\r\nTable 16. Defense Evasion\r\nTechnique Title | ID | Use\r\nMasquerading | T1036 | Some BRICKSTORM samples mimic legitimate names. For example, Sample 1, which was obtained from a VMware vSphere platform, is named vmsrc or vmware-sphere.\r\nValid Accounts | T1078 | The cyber actors moved laterally using RDP with valid service account credentials.\r\nTable 17. Discovery\r\nTechnique Title | ID | Use\r\nFile and Directory Discovery | T1083 | BRICKSTORM can list directory contents on the compromised system.\r\nTable 18. Credential Access\r\nTechnique Title | ID | Use\r\nOS Credential Dumping: NTDS | T1003.003 | The cyber actors copied ntds.dit.\r\nTable 19. 
Command and Control\r\nTechnique Title | ID | Use\r\nApplication Layer Protocol: Web Protocols | T1071.001 | BRICKSTORM uses DoH to resolve the address of its C2 servers by sending an encrypted HTTPS request.\r\nIngress Tool Transfer | T1105 | The cyber actors dropped BRICKSTORM malware in the VMware vSphere server’s /etc/sysconfig/ directory. BRICKSTORM can download files from the cyber actors’ C2 server to the compromised system.\r\nProxy: Internal Proxy | T1090.001 | BRICKSTORM sets up a SOCKS proxy that routes C2 traffic and allows cyber actors to move laterally throughout the victim network.\r\nTable 20. Exfiltration\r\nTechnique Title | ID | Use\r\nExfiltration Over C2 Channel | T1041 | BRICKSTORM can upload files from the victim system to the cyber actors’ C2 server.\r\nAppendix B: Scanning Guidance on Remote Hosts\r\nThe following tools are designed to support the identification of potentially malicious artifacts and activities but should not\r\nbe used as standalone detection mechanisms.\r\nRemote YARA Scan Using Nessus\r\n1. Log into Nessus and go to “My Account.”\r\n2. Press the “About” tab on the left side.\r\n3. Go to the Software Update tab and manually update all components.\r\n4. After the update is done, select “Scans” at the top and press the “New Scan” button.\r\n5. Select “Advanced Scan.”\r\n6. Give a name and description to your scan.\r\n7. In the “Targets” section, input the IP address of the remote server you want to scan.\r\n8. On the left pane under Settings select “Assessment” then “Malware.”\r\n9. Toggle “Scan for malware” on.\r\n10. Scroll down to “Yara Rules” and add your Yara rules file.\r\n11. Select the filesystem and drives to scan.\r\n12. Go back to the top and press the “Credentials” tab.\r\n13. Select SSH or Windows and input the credential of the server.\r\n14. 
Nessus needs credentials to be able to do a Yara scan on the filesystem of the remote server.\r\n15. In the “Plugins” tab, make sure to “Enable All.”\r\n16. Launch the scan.\r\nRemote YARA Scan without Nessus\r\n1. Mount Remote Server to Kali to Scan the Filesystem\r\n1. sudo apt update\r\n2. sudo apt install -y sshfs\r\n3. sudo mkdir -p /mnt/remote-server\r\n4. sudo chown $(whoami):$(whoami) /mnt/remote-server\r\n5. sudo sed -i 's/^# *user_allow_other/user_allow_other/' /etc/fuse.conf || echo 'user_allow_other' | sudo tee -a /etc/fuse.conf\r\n6. sudo sshfs root@IPAddress:/ /mnt/remote-server\r\n7. sudo ls -la /mnt/remote-server\r\n8. sudo yara yara.rule -r /mnt/remote-server\r\n9. sudo umount -l /mnt/remote-server\r\n10. ls -la /mnt/remote-server\r\nFor more information see Tenable’s Threat Hunting with YARA and Nessus.\r\nAppendix C: Dec. 19, 2025, Updates\r\nCISA analyzed three additional BRICKSTORM samples (Samples 9 through 11) obtained from a trusted third party.\r\nMalware Metadata\r\nSee Table 21 through Table 23 for metadata of the analyzed malware.\r\nTable 21. BRICKSTORM Sample 9\r\nFile Name bkup\r\nSize 7991296 bytes\r\nType ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped\r\nMD5 34d6af5ae2ab7a08fa474358a0b95539\r\nSHA1 38f6baad1dff7466a07eb456808cc8aa46a3e50c\r\nSHA256 77b49c854afd6746fee393711b48979376fb910b34105c0e18a3fdc24ea31d5c\r\nSHA512 7d263a40e32e0026e72d871a3c369e5977f4474137aaa7315a4207e2d696d877bd9b1cff2758975c1f6613c2c205e0f277b6503977a945721\r\nssdeep 98304:QZT3l9IBXSy3dDrwOoJzwGJ/NvfI8xUs/ix:QZT3TIBXSy3dDrwdJzwGJKd\r\nEntropy 5.964361\r\nTable 22. 
BRICKSTORM Sample 10\r\nSize 1497344 bytes\r\nType ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, stripped\r\nMD5 d1f608cfb395d9274aa52b6a524d9fb5\r\nSHA1 7cec4d74931d925996b03a75da0d79e95f47ed86\r\nSHA256 6a67a9769a55ec889a5dd4199b2fc08965d39d737838836853bc13c81c56a800\r\nSHA512 f060e3f7bc55d24f9a926988b395af2c14117fcb289c231546dd7022d2d32470f02e98fb4951bf11766604e03efa528b423916a4cdcb389426\r\nssdeep 24576:GP7SvQdtJ7joXrsiESFqRDpsq+FMcVIH06iyIcJ2:oSvQPJ7jo4fSFK1sqIhIU6iZ\r\nEntropy 6.712734\r\nTable 23. BRICKSTORM Sample 11\r\nSize 1497344 bytes\r\nType ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, stripped\r\nMD5 6c20a810134025a9f05cf312d4b34967\r\nSHA1 fa664bb3369d4a48db88f4e8d7364f7582f64313\r\nSHA256 ed907d39efd5750236b075ca9fbb1f090d7bf578578c38faab24210d298a60ae\r\nSHA512 feb8fe45092f2d42656bbf49450f242826598aa816307d11a5c8caec5647884ea245c8a099aee7a1a51f37f5273f6797055326768e48131d06\r\nssdeep 24576:AWMJ9lwXBLYX8PuMCdr1QnJh0uwhFMcVIH06iybJc:nMJ9lkBLYX8eQnX0uw7hIU6ih\r\nEntropy 6.713806\r\nMalware Functionality\r\nSample 9\r\nLike Sample 1, Sample 9:\r\nInitiates the main_startNew function to configure environment variables specific to the compromised environment.\r\nSample 9 checks for the WRITE_LOG variable.\r\nIf this variable is not set, Sample 9 checks if it is running from /etc/sysconfig.\r\nIf Sample 9 is running from the validated path, it copies itself to /usr/java/jre-vmware/bin/ with file name bkmgr.\r\nSee Initiation Capabilities for more information.\r\nUses the main_selfWatcher function to maintain persistence.\r\nThe self-watching function checks for the WORKER environment variable and confirms it is running as an\r\nactive process.\r\nIf it is not running, it reinstalls itself to /usr/java/jre-vmware/bin/ with file name bkmgr.\r\nSee Persistence Capabilities for more 
information.\r\nCreates an encrypted DNS query for hard-coded C2 domains (redacted) and uses DoH to resolve the addresses of the actors’ C2 servers.\r\nEstablishes WSS connections with the C2 server and sets up a multiplexing layer.\r\nManages incoming network connections.\r\nSample 9 processes commands through one of three handlers: SOCKS Handler, Web Service Handler, and Command Handler.\r\nContains file management commands.\r\nSee Table 24 for Sample 9 file management commands.\r\nTable 24. BRICKSTORM Sample 9 File Management Commands\r\nCommand Function\r\nup Uploads a file using a web form (includes SHA256 hashing).\r\ndelete-dir Deletes a specified directory.\r\nstat Collects file information (size, permissions, ownership, and timestamps [creation, modification, access]).\r\nchange-dir Changes the current working directory on the compromised system.\r\nmkdir Creates a new directory with a specified name in the current or specified location.\r\nrename Changes the name of a file or directory.\r\nfile-md5 Calculates the MD5 checksum of a specified file to verify file integrity.\r\nget-file Downloads a file from the compromised system to the C2 server.\r\nlist-dir Lists the contents of a directory on the compromised system (e.g., browses the file system).\r\nput-file Uploads a file from the C2 server to the compromised system.\r\nslice-up Reads and downloads specific, partial sections of a file.\r\nSamples 10 and 11\r\nSamples 10 and 11 are Rust-based. Like the Go-based samples, these samples provide capabilities for persistence and secure C2.\r\nPersistence\r\nFor persistence, these samples stay hidden by running as background services. Upon execution, they check if an instance of BRICKSTORM (named vsm-boot-monitordvcenter [Sample 10] or vsm-monitordvcenter [Sample 11]) is installed in /usr/sbin/ on the compromised system. 
If it is, they delete the instance.\r\nThe samples then copy themselves temporarily to /usr/sbin/ with the file name vsm-boot-monitordvcenter (Sample 10) or vsm-monitordvcenter (Sample 11).\r\nThe parent instance then creates a new process that runs as a daemon (a service not connected to any user terminal). It deletes the temporary copy of itself and ensures the new background process does not generate output or wait for input.\r\nSecure Command and Control\r\nLike Sample 1, these samples establish WSS connections with the C2 server and set up a multiplexing layer.\r\nDetection\r\nSee CISA-created YARA rules for samples 9 through 11 in the YARA Rules section.\r\nAppendix D: Feb. 11, 2026, Updates\r\nCISA analyzed one additional BRICKSTORM sample (Sample 12) obtained from a trusted third party. This sample is a different variant than the other samples.\r\nMalware Metadata\r\nSee Table 25 for metadata of the analyzed malware.\r\nTable 25. BRICKSTORM Sample 12\r\nFile Name support\r\nSize 8187704 bytes\r\nType ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2 BuildID[sha1]=2fa1454c1373af774f45207ec249d53b4dae7f9a, stripped\r\nMD5 2654c08491a0f7c4a3dfc6282de5638b\r\nSHA1 4b8ab808442bf7cb084fddf983a558c2cd4b3ff2\r\nSHA256 24a11a26a2586f4fba7bfe89df2e21a0809ad85069e442da98c37c4add369a0c\r\nSHA512 2b1c6f52c0bef4fdae2e2965a14b3c5ae61c7b9009822f6ec4b3d6495aeffcaae3bea0fc7ab52093c993cc207f037a35488dcdd7a653952013c\r\nssdeep 98304:C//zl7M481oQdM5JH5eeGU19DGEIZDtAv5Ew+QsrtaDcE:iQ231DtWDyY\r\nEntropy 6.812733\r\nMalware Functionality\r\nSample 12 is a new variant of BRICKSTORM created from a .NET application using native ahead-of-time (AOT) compilation. Leveraging native AOT compilation enhances the variant’s versatility and evasion capabilities because the compiled application is a standalone binary that does not require the .NET runtime to run. 
All its dependencies (including the runtime) are linked together, it can run on all compatible systems, and the binary blends in better with legitimate software than .NET executables.\r\nLike the other BRICKSTORM samples, this variant has initiation and secure C2 capabilities. These capabilities use multiple layers of encryption (e.g., HTTPS, WebSockets, nested TLS) to hide communications with the cyber actors’ C2 domain. However, unlike the other samples, this variant lacks built-in self-monitoring capabilities designed for persistence.\r\nInitiation Capabilities\r\nUpon execution, BRICKSTORM Sample 12 performs a series of environmental checks, including loading system libraries, configuring memory safety, and managing threads and signals.\r\nThen, it checks and configures environment variables specific to the compromised environment. Unlike the other samples that this MAR analyzes, Sample 12 does not copy itself. Instead, it spawns a new child process that runs in the background, making it harder to detect. Sample 12:\r\n1. Checks the DAEMONIZED environment variable to determine if it is running as a child process (to identify if it is running in its intended state).\r\n   1. If DAEMONIZED is set, indicating that Sample 12 is already running as a child process (its intended state), it continues its execution.\r\n2. If DAEMONIZED is not set (indicating it is not running as a child process), Sample 12:\r\n   1. Verifies its current execution path,\r\n   2. Creates a new background session,\r\n   3. Spawns a child process to continue its execution while the initial parent process terminates, and\r\n   4. Changes the new child process name to /usr/sbin/sqiud and re-executes itself under the newly named sqiud.\r\n      1. sqiud is hard-coded and is a deliberate typo of the legitimate “squid” proxy service.\r\n3. 
Sample 12 then attempts to open /dev/null and redirects the new child process’s standard input, output, and error streams to prevent it from generating terminal output or waiting for input.\r\nSecure Command and Control\r\nSample 12 establishes secure communications with a C2 domain, leveraging a multiplexing layer to obfuscate traffic.\r\nSample 12 first connects to a hard-coded IP address 149[.]248[.]11[.]71 on port 443 to blend in with normal web traffic. CISA observed the threat actors re-using this IP address. Note: This is the first time in this campaign that CISA observed the threat actor reusing infrastructure.\r\nSample 12 then establishes an encrypted connection to the IP address using HTTPS and upgrades the connection to WebSockets with an additional layer of TLS encryption. The WebSockets address is encrypted with Advanced Encryption Standard (AES), and the sample decrypts it with OpenSSL's cryptographic library (libcrypto) and a hard-coded key.\r\nTo upgrade to WebSockets with added TLS encryption, Sample 12 first sends an HTTP upgrade request to convert the initial encrypted HTTPS connection into a persistent WebSocket connection via the endpoint /rest/apisession. Then, Sample 12 nests additional layers of TLS encryption within the WebSocket session and performs a series of nested TLS handshakes within the established WebSocket tunnel. The first handshake is the standard TLS handshake for the initial HTTPS request to the cloud platform. 
The second TLS handshake occurs within the WebSocket tunnel, during which Sample 12 authenticates itself to the IP address using a hard-coded key.\r\nUpon successful authentication, Sample 12 establishes a multiplexing layer by using the .NET Nerdbank.Streams library’s MultiplexingStream class to manage multiple independent channels or sub-streams within the inner encrypted connection.\r\nOnce a secure connection is established, Sample 12 can receive commands for various tasks, including arbitrary command execution (interactive pseudo-terminal [PTY] sessions and simple command execution), file operations, and proxy relaying (SOCKS4/5 and HTTP/HTTPS proxies).\r\nDetection\r\nSee CISA-created YARA rules for Sample 12 in the YARA Rules section.\r\nNotes\r\n1. Matt Lin et al., “Cutting Edge, Part 4: Ivanti Connect Secure VPN Post-Exploitation Lateral Movement Case Studies,” Google Cloud Blog, April 4, 2024, https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement.\r\n2. Matt Lin et al., “Cutting Edge, Part 4: Ivanti Connect Secure VPN Post-Exploitation Lateral Movement Case Studies.”\r\n3. Maxime, “NVISO analyzes BRICKSTORM espionage backdoor,” NVISO, April 15, 2025, https://www.nviso.eu/blog/nviso-analyzes-brickstorm-espionage-backdoor.\r\n4. Sarah Yoder et al., “Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech and Legal Sectors,” Google Cloud Blog, September 24, 2025, https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign.\r\nSource: https://www.cisa.gov/news-events/analysis-reports/ar25-338a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cisa.gov/news-events/analysis-reports/ar25-338a"
	],
	"report_names": [
		"ar25-338a"
	],
	"threat_actors": [
		{
			"id": "b2e48aa5-0dea-4145-a7e5-9a0f39d786d8",
			"created_at": "2024-01-18T02:02:34.643994Z",
			"updated_at": "2026-04-10T02:00:04.959645Z",
			"deleted_at": null,
			"main_name": "UNC5221",
			"aliases": [
				"UNC5221",
				"UTA0178"
			],
			"source_name": "ETDA:UNC5221",
			"tools": [
				"BRICKSTORM",
				"GIFTEDVISITOR",
				"GLASSTOKEN",
				"LIGHTWIRE",
				"PySoxy",
				"THINSPOOL",
				"WARPWIRE",
				"WIREFIRE",
				"ZIPLINE"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6ce34ba9-7321-4caa-87be-36fa99dfe9c9",
			"created_at": "2024-01-12T02:00:04.33082Z",
			"updated_at": "2026-04-10T02:00:03.517264Z",
			"deleted_at": null,
			"main_name": "UTA0178",
			"aliases": [
				"UNC5221",
				"Red Dev 61"
			],
			"source_name": "MISPGALAXY:UTA0178",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f87ef0bf-0574-492f-aebc-63e5953938e2",
			"created_at": "2024-11-23T02:00:04.116692Z",
			"updated_at": "2026-04-10T02:00:03.779803Z",
			"deleted_at": null,
			"main_name": "Gorilla",
			"aliases": [],
			"source_name": "MISPGALAXY:Gorilla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "26c07e6d-5095-4d13-95d1-debe836e19ab",
			"created_at": "2026-01-22T02:00:03.669144Z",
			"updated_at": "2026-04-10T02:00:03.921163Z",
			"deleted_at": null,
			"main_name": "WARP PANDA",
			"aliases": [],
			"source_name": "MISPGALAXY:WARP PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434791,
	"ts_updated_at": 1775826754,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/173af10e6832559c4e2d9cb6b7c5258a4d342369.pdf",
		"text": "https://archive.orkl.eu/173af10e6832559c4e2d9cb6b7c5258a4d342369.txt",
		"img": "https://archive.orkl.eu/173af10e6832559c4e2d9cb6b7c5258a4d342369.jpg"
	}
}