CISA Alerts: Brickstorm Malware Targets Critical US Systems


Chinese-Linked Malware Campaign Targets Critical Environments With Weak Monitoring


The U.S. federal government has issued a warning about a sophisticated malware campaign, known as Brickstorm, linked to Chinese state-sponsored actors. The malware is being deployed to infiltrate critical infrastructure, taking advantage of environments where monitoring is weak.

Brickstorm enables long-term persistence on VMware vCenter servers and Windows systems, allowing attackers to stealthily maintain access to sensitive networks. According to details released by cybersecurity officials, the malware has been used to extract cryptographic keys and copy virtual machine snapshots, enabling credential theft.

The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Canadian Centre for Cyber Security jointly recommended that operators thoroughly evaluate their systems for any signs of compromise. After analyzing multiple instances of Brickstorm discovered in victim organizations, CISA indicated that the malware has been used to breach vCenter management consoles and domain controllers.

Nick Andersen, Executive Assistant Director for Cybersecurity at CISA, said during a recent media briefing that Brickstorm gives adversaries the ability to move laterally through networks and create rogue virtual machines while evading detection. While the agency confirmed that Chinese nation-state actors are indeed targeting U.S. critical infrastructure, it did not disclose which sectors have been affected.

Security analysts have noted that the Brickstorm campaign reflects a persistent effort by Chinese actors to embed themselves within U.S. infrastructure and service providers. Mandiant reported monitoring this activity since March 2025, revealing intrusions that have impacted software-as-a-service vendors, law firms, business process outsourcing firms, and technology providers.

In response to these threats, CISA has urged organizations to implement measures including scanning systems using provided YARA and Sigma rules, enforcing strict network segmentation, and upgrading their vSphere environments. Blocking unauthorized DNS over HTTPS traffic and enhancing monitoring for unusual access patterns were also emphasized as critical steps.
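One of the recommended measures above, blocking unauthorized DNS over HTTPS, starts with being able to see it. The following is an added example (not code from the advisory or from CISA) that flags DoH requests to resolvers an organization has not approved, using two signals: a list of well-known public DoH endpoints and the RFC 8484 conventions (the /dns-query path and the application/dns-message media type). The proxy-log layout, the approved-resolver allowlist and the sample log lines are constructed assumptions.

```python
"""Flag DNS-over-HTTPS requests to resolvers the organization has not approved.

Added example for the "block unauthorized DNS over HTTPS" recommendation.
The log format, the allowlist and the sample lines are constructed assumptions,
not taken from CISA's advisory.
"""
import re
from typing import Iterable, List, NamedTuple, Optional
from urllib.parse import urlsplit

# Assumption: the organization's sanctioned DoH resolver(s).
APPROVED_DOH_HOSTS = {"doh.internal.example"}

# Real, well-known public DoH endpoints; traffic to them from hosts that should
# be using the internal resolver is unsanctioned even if it otherwise looks benign.
KNOWN_PUBLIC_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

# RFC 8484 conventions for DoH: the /dns-query path and the
# application/dns-message media type.
DOH_PATH = "/dns-query"
DOH_MEDIA_TYPE = "application/dns-message"

# Constructed proxy-log layout (assumption):
#   <timestamp> <src_ip> <method> <url> <status> <content_type>
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3}) (\S+)$")


class Finding(NamedTuple):
    src_ip: str
    host: str
    reason: str


def classify(line: str) -> Optional[Finding]:
    """Return a Finding if the line is a DoH request to an unapproved resolver, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # blank or unparseable line: skip rather than guess
    _ts, src_ip, _method, url, _status, ctype = m.groups()
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in APPROVED_DOH_HOSTS:
        return None
    if host in KNOWN_PUBLIC_DOH_HOSTS:
        return Finding(src_ip, host, "known public DoH resolver")
    media_type = ctype.split(";", 1)[0].lower()  # drop any ";charset=..." suffix
    if parts.path == DOH_PATH or media_type == DOH_MEDIA_TYPE:
        return Finding(src_ip, host, "DoH-style request (RFC 8484 path or media type)")
    return None


def find_unauthorized_doh(lines: Iterable[str]) -> List[Finding]:
    """Run classify() over a log and keep only the hits."""
    return [f for f in (classify(line) for line in lines) if f is not None]


# Constructed sample log: three unauthorized DoH requests, one approved, one plain web hit.
SAMPLE_LOG = """
2025-12-18T10:00:01Z 10.0.5.21 POST https://dns.google/dns-query 200 application/dns-message
2025-12-18T10:00:02Z 10.0.5.22 GET https://www.example.com/index.html 200 text/html
2025-12-18T10:00:03Z 10.0.5.23 POST https://doh.internal.example/dns-query 200 application/dns-message
2025-12-18T10:00:04Z 10.0.5.24 POST https://203.0.113.7/dns-query 200 application/dns-message
2025-12-18T10:00:05Z 10.0.5.25 GET https://cloudflare-dns.com/dns-query?dns=AAABAAABAAAAAAAAA2lzYwNvcmcAAAEAAQ 200 application/dns-message
"""

if __name__ == "__main__":
    for f in find_unauthorized_doh(SAMPLE_LOG.splitlines()):
        print(f"{f.src_ip} -> {f.host}: {f.reason}")
```

The allowlist check runs first so that the sanctioned resolver never trips the RFC 8484 heuristic; the bare-IP case (203.0.113.7, a documentation address used here as a constructed value) shows why the path and media-type signals matter, since an unknown resolver will not be in any hostname list. Findings from a script like this are what would feed a proxy block rule or a Sigma-style detection.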

The advisory highlights the significant and ongoing threats presented by the People’s Republic of China, which pose serious cybersecurity risks to U.S. infrastructure. CISA Acting Director Madhu Gottumukkala stated that these state-sponsored actors aim to establish long-term access and potential disruption capabilities within essential sectors.
