How BrickStorm Malware Infiltrates VMware Servers and Evades Detection

How BrickStorm Malware Infiltrates VMware Servers and Evades Detection

Alex Cipher's Profile Pictire Alex Cipher 7 min read

A single overlooked patch or misconfigured server can open the door to a sophisticated cyberattack—just ask the organizations targeted by the Chinese “BrickStorm” malware. In a series of incidents stretching from April 2024 through September 2025, attackers leveraged BrickStorm to infiltrate VMware vSphere environments, exploiting everything from exposed DMZ web servers to weak authentication protocols. What sets BrickStorm apart isn’t just its entry tactics, but its ability to create hidden virtual machines, self-heal if disrupted, and blend malicious traffic with legitimate network activity using advanced encryption and DNS-over-HTTPS. These features have allowed attackers to remain undetected for months, exfiltrating sensitive credentials, cryptographic keys, and even entire virtual machine snapshots. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has sounded the alarm, urging organizations to adopt advanced detection and segmentation strategies to counter this evolving threat (BleepingComputer, 2025).

How BrickStorm Malware Sneaks into VMware Servers and What Makes It So Dangerous

Initial Intrusion Vectors Exploited by BrickStorm

BrickStorm’s infiltration into VMware vSphere environments is characterized by a multi-stage attack chain leveraging both external and internal vulnerabilities. Attackers have been observed initially breaching organizational perimeters by compromising publicly accessible web servers, particularly those located in the demilitarized zone (DMZ) (BleepingComputer, 2025). In one documented incident, Chinese threat actors gained access to a DMZ web server in April 2024, which served as the launching point for lateral movement deeper into the network. This initial foothold is typically achieved through exploitation of unpatched vulnerabilities, weak authentication mechanisms, or exposed remote administration interfaces.

Once inside the DMZ, attackers pivot laterally to internal assets—most notably, VMware vCenter servers. These servers are highly attractive targets due to their central role in managing virtualized infrastructure. The attackers exploit misconfigurations, credential reuse, or vulnerabilities within vCenter to deploy the BrickStorm malware. By targeting vCenter, adversaries can interact directly with VMware ESXi hosts and manipulate virtual machines at scale.

Advanced Persistence Mechanisms and Stealth Tactics

BrickStorm distinguishes itself by employing sophisticated persistence and evasion strategies that enable long-term, covert access to compromised environments. One of its primary methods is the creation of rogue, hidden virtual machines on compromised vSphere servers (BleepingComputer, 2025). These unauthorized VMs are engineered to operate outside the visibility of standard administrative tools, making detection by defenders significantly more challenging.

To further entrench itself, BrickStorm incorporates a self-monitoring component. This feature automatically reinstalls or restarts the malware if its processes are interrupted or terminated, ensuring continuous operation. The malware also leverages multiple layers of encryption for command-and-control (C2) communications, including HTTPS, WebSockets, and nested TLS tunnels. This encrypted traffic blends with legitimate network activity, complicating efforts to identify malicious connections.

Additionally, BrickStorm utilizes DNS-over-HTTPS (DoH) to conceal C2 traffic within normal DNS queries, bypassing traditional network monitoring and filtering solutions. The use of a SOCKS proxy within the malware facilitates tunneling and lateral movement, enabling attackers to traverse segmented networks and access additional resources without raising alarms.

Credential Theft and Data Exfiltration Techniques

A critical aspect of BrickStorm’s danger lies in its ability to harvest sensitive credentials and exfiltrate valuable data. After establishing persistence, attackers leverage the malware to capture Active Directory database information and perform system backups, which are then exfiltrated to attacker-controlled infrastructure (BleepingComputer, 2025). This enables the theft of legitimate credentials, cryptographic keys, and other sensitive information critical for further exploitation.

In one incident, adversaries compromised two domain controllers and exported cryptographic keys after gaining access to an Active Directory Federation Services (ADFS) server. By stealing these keys and credentials, attackers can impersonate legitimate users, escalate privileges, and maintain undetected access across the environment for extended periods—sometimes for over a year, as observed from April 2024 through September 2025.

The theft of virtual machine snapshots is another hallmark of BrickStorm’s operation. By exfiltrating snapshots, attackers gain offline access to entire virtualized systems, including memory, disk, and configuration data. This enables comprehensive credential harvesting and post-exploitation activities without needing continuous access to the compromised environment.

Lateral Movement and Network Propagation

BrickStorm’s architecture is explicitly designed to facilitate lateral movement within complex enterprise networks. After the initial compromise, the malware’s embedded SOCKS proxy is activated, allowing attackers to tunnel malicious traffic through compromised hosts. This capability enables the seamless movement from the DMZ to internal servers, including critical infrastructure such as domain controllers and management consoles (BleepingComputer, 2025).

The malware’s use of encrypted communication channels, including nested TLS and DoH, allows it to bypass network segmentation and monitoring controls. By masquerading as legitimate traffic, BrickStorm can propagate through segmented environments, reaching high-value targets that would otherwise be insulated from direct attack. This lateral movement is often accompanied by the deployment of additional malware implants—such as Junction and GuestConduit—tailored for VMware ESXi environments, further expanding the attackers’ foothold.

Notably, the attackers’ ability to compromise multiple layers of the network, from edge devices to core authentication infrastructure, demonstrates a high level of operational sophistication. This multi-pronged approach increases the likelihood of successful data theft and persistence, while complicating incident response and remediation efforts.

Evasion of Detection and Defensive Countermeasures

BrickStorm’s effectiveness is amplified by its robust evasion techniques, which are specifically engineered to defeat conventional security controls. The malware’s use of encrypted C2 channels, including HTTPS, WebSockets, and DoH, renders traffic analysis and signature-based detection largely ineffective. Traditional intrusion detection systems (IDS) and firewalls may fail to distinguish malicious BrickStorm activity from legitimate encrypted communications.

The deployment of hidden virtual machines and the self-healing capabilities of the malware further reduce the likelihood of detection. Even if defenders identify and remove some components, BrickStorm’s persistence mechanisms can automatically restore its presence. This resilience forces defenders to adopt more advanced detection strategies, such as behavioral analysis and memory forensics.

To counter these tactics, agencies such as CISA and NSA have developed and released YARA and Sigma rules specifically tailored to identify BrickStorm-related activity (BleepingComputer, 2025). Organizations are urged to scan for indicators of compromise (IOCs) and monitor for unauthorized DNS-over-HTTPS usage. Network segmentation, strict inventory controls over edge devices, and the restriction of DMZ-to-internal network traffic are also recommended to limit the malware’s ability to move laterally and maintain persistence.

Despite these recommendations, the advanced evasion and persistence features of BrickStorm pose significant challenges for even well-resourced security teams. The malware’s ability to remain undetected for months—sometimes over a year—demonstrates the urgent need for continuous monitoring, rapid patching of vulnerabilities, and the adoption of zero-trust principles within virtualized environments.


Note:

  • All information in this report is based on the latest available data as of December 4, 2025, and references the BleepingComputer report and associated advisories.
  • This content does not overlap with any existing subtopic reports or written content, as confirmed by the provided context.
  • No introduction or conclusion is included, as per instructions.

Final Thoughts

BrickStorm’s campaign against VMware servers is a stark reminder that even the most robust virtualized environments are only as secure as their weakest link. The malware’s blend of stealth, persistence, and lateral movement capabilities demonstrates a level of operational sophistication that challenges traditional security tools and practices. As attackers continue to innovate—leveraging encrypted channels, hidden VMs, and credential theft—defenders must respond with equally advanced strategies, including behavioral analytics, memory forensics, and zero-trust architectures. The lessons from these incidents underscore the importance of continuous monitoring, rapid patching, and proactive threat hunting. For organizations relying on VMware and similar platforms, vigilance and adaptability are now non-negotiable (BleepingComputer, 2025).

References