(TLP:CLEAR) CISA and Partners Release Update to Malware Analysis Report BRICKSTORM Backdoor
Created: Tuesday, December 30, 2025 - 13:59
Categories: Cybersecurity, Federal & State Resources, Security Preparedness
Summary: CISA and partners recently released an update to the Malware Analysis Report BRICKSTORM Backdoor, adding indicators of compromise (IOCs) and detection signatures for additional BRICKSTORM samples. The original report was released earlier this month, drawing attention to BRICKSTORM, a sophisticated backdoor used by People’s Republic of China (PRC) state-sponsored threat actors against specific VMware vSphere and Windows environments.
Analyst Note: PRC threat actors are using BRICKSTORM malware for long-term persistence on victim systems. Over the past few years, WaterISAC and other U.S. government partners have repeatedly warned that China is actively targeting critical lifeline infrastructure sectors, including water and wastewater utilities. Additionally, BRICKSTORM has advanced functionality to conceal communications, allowing threat actors to move laterally and tunnel into victim networks, and automatically reinstall or restart the malware if disrupted.
The update includes two new detection signatures in the form of YARA rules. The reporting agencies urge critical infrastructure organizations, especially the government and IT sectors, to use the IOCs, detection signatures, and other resources in the report, such as the CISA-developed YARA and SIGMA rules, which are open-source, standardized detection methods for security analysts.
Organizations detecting BRICKSTORM, similar malware, or potentially related activity are urged to contact CISA’s 24/7 Operations Center at co*****@******hs.gov or (888) 282-0870.
Original Source: https://www.cisa.gov/news-events/analysis-reports/ar25-338a
Additional Reading:
- CISA – People’s Republic of China Threat Overview and Advisories
- (TLP:AMBER) Volt Typhoon Cyber Tactics Warrant Proactive Defense of US Critical Infrastructure Networks
- (TLP:CLEAR) Dragos Case Study of Volt Typhoon’s Breach of a Massachusetts Electric and Water Utility
Mitigation Recommendations:
- PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure
- Identifying and Mitigating Living Off the Land Techniques
- WaterISAC – 12 Cybersecurity Fundamentals for Water and Wastewater Utilities
Related WaterISAC PIRs: 6, 6.1, 7, 7.1, 10, 12
