CISA details BRICKSTORM backdoor used by PRC-linked hackers against vSphere and Windows environments


The U.S. Cybersecurity and Infrastructure Security Agency released details on a backdoor named BRICKSTORM that state-sponsored actors from the People’s Republic of China have used to maintain long-term persistence on compromised systems, the agency said.

CISA described BRICKSTORM as a Golang implant that gives operators interactive shell access and the ability to browse, upload, download, create, delete and manipulate files. The tool supports multiple C2 protocols, including HTTPS, WebSockets, nested TLS and DNS-over-HTTPS, to conceal its communications, and it can act as a SOCKS proxy to facilitate lateral movement. The agency also noted a self-monitoring capability that can automatically reinstall or restart the implant to keep it running after disruption.
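As an added example that is not from CISA's advisory or this article, the following detection pass runs over constructed proxy log lines and flags virtualization management hosts (vCenter, ESXi) that originate DNS-over-HTTPS or WebSocket egress, two of the channels listed above, and checks whether the hits recur at a fixed interval; the asset map, log format and tolerance are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Hypothetical asset inventory: management hosts with no business reason to
# originate DoH or WebSocket sessions to the Internet.
MANAGEMENT_HOSTS = {"10.0.5.10": "vcenter01", "10.0.5.21": "esxi-a"}

# Constructed proxy log lines (not real CISA data):
# timestamp src dst method url status content_type upgrade_header
SAMPLE_PROXY_LOG = """\
2024-04-02T10:01:13Z 10.0.5.10 203.0.113.7 POST https://203.0.113.7/dns-query 200 application/dns-message -
2024-04-02T10:01:44Z 10.0.8.33 203.0.113.9 GET https://203.0.113.9/ 200 text/html -
2024-04-02T10:02:13Z 10.0.5.10 203.0.113.7 POST https://203.0.113.7/dns-query 200 application/dns-message -
2024-04-02T10:02:30Z 10.0.5.21 198.51.100.4 GET https://198.51.100.4/ws 101 - websocket
2024-04-02T10:03:13Z 10.0.5.10 203.0.113.7 POST https://203.0.113.7/dns-query 200 application/dns-message -
"""

LINE_RE = re.compile(r"(\S+) (\S+) (\S+) (\S+) (\S+) (\d+) (\S+) (\S+)$")

def parse(log):
    """Yield one dict per well-formed proxy log line; skip malformed lines."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, dst, method, url, status, ctype, upgrade = m.groups()
        yield {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "src": src,
               "dst": dst, "url": url, "status": int(status),
               "ctype": ctype, "upgrade": upgrade.lower()}

def find_suspicious(log, tolerance_s=5):
    """Return sorted (host, channel, count, periodic) for management hosts using
    DoH or WebSocket egress; periodic means all gaps between hits agree within
    tolerance_s seconds, a simple beaconing indicator."""
    seen = defaultdict(list)
    for ev in parse(log):
        name = MANAGEMENT_HOSTS.get(ev["src"])
        if name is None:
            continue
        if ev["ctype"] == "application/dns-message" or ev["url"].endswith("/dns-query"):
            seen[(name, "doh")].append(ev["ts"])
        elif ev["upgrade"] == "websocket" or ev["status"] == 101:
            seen[(name, "websocket")].append(ev["ts"])
    out = []
    for (host, chan), stamps in seen.items():
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        periodic = len(gaps) >= 2 and max(gaps) - min(gaps) <= tolerance_s
        out.append((host, chan, len(stamps), periodic))
    return sorted(out)
```

On the constructed log the vCenter host's three DoH posts land exactly 60 seconds apart and are reported as periodic, while the single ESXi WebSocket upgrade is reported but not marked periodic.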

Officials said BRICKSTORM has mainly been used in intrusions targeting government and information technology sectors, but CISA did not disclose how many agencies were affected or what data, if any, was stolen. A spokesperson for the Chinese embassy in Washington rejected the allegations in a statement shared with Reuters.

Security firms first documented BRICKSTORM activity in 2024 and have attributed its use to clusters tracked as UNC5221 and to an adversary CrowdStrike calls Warp Panda. CrowdStrike has said it observed multiple intrusions that targeted VMware vCenter environments at U.S.-based legal, technology and manufacturing organizations and that the actor demonstrates a high level of stealth and cloud-focused operations, including additional Golang implants used on ESXi hosts and guest VMs.

In one intrusion CISA detected in April 2024, the attackers used a web shell on a DMZ web server to move laterally to an internal VMware vCenter server and implant BRICKSTORM. The actors obtained service account credentials, used RDP to reach a domain controller in the DMZ, and moved via SMB to jump servers and an ADFS server, from which cryptographic keys were exfiltrated. CISA said access to vCenter enabled the adversary to deploy BRICKSTORM and that some artifacts were designed to operate in virtualized environments, using VSOCK for inter-VM communication.

CrowdStrike has reported that Warp Panda’s operations include creating rogue VMs, clearing logs and timestomping files to maintain stealth, and using vCenter access to clone domain controller VMs and harvest Active Directory data. The intrusions have also included steps to access cloud services: attackers used tunneled traffic and exfiltrated browser files to obtain session tokens and access Microsoft 365 services, registered multi-factor authentication devices to preserve access, and used the Microsoft Graph API to enumerate directory objects, CrowdStrike said. The scope of impacted organizations and the full extent of data theft remain unclear.