(TLP:CLEAR) Malware Analysis Report – BRICKSTORM Malware Used by People’s Republic of China State-Sponsored Actors
Created: Thursday, December 4, 2025 - 15:38
Categories: Cybersecurity, Security Preparedness
Summary: Today, CISA, National Security Agency (NSA), and Canadian Centre for Cyber Security released a malware analysis report on BRICKSTORM, a sophisticated backdoor for specific VMware vSphere and Windows environments used by People’s Republic of China (PRC) state-sponsored actors. The report provides indicators of compromise (IOCs) and detection signatures to assist infrastructure operators in identifying whether they have been compromised and offers recommended mitigation actions to protect against this pervasive PRC activity.
Analyst Note: Over the past few years, WaterISAC and other U.S. government partners have repeatedly warned that China is actively targeting critical lifeline infrastructure sectors, including water and wastewater utilities. PRC actors are positioning themselves within information technology networks, enabling lateral movement to operational technology systems. This positioning allows them to disrupt U.S. critical functions at a time of their choosing, such as during a potential geopolitical conflict.
Accordingly, Chinese threat actors are using BRICKSTORM malware for long-term persistence on victim systems. CISA analyzed eight BRICKSTORM samples obtained from victim organizations, including an organization where CISA did an incident response engagement. BRICKSTORM has advanced functionality to conceal communications, allow threat actors to move laterally and tunnel into victim networks, and automatically reinstall or restart the malware if disrupted.
The reporting agencies urge critical infrastructure organizations, especially those in the government and IT sectors, to use the IOCs, detection signatures, and other resources in the report, including the CISA-developed YARA and SIGMA rules, which are open-source, standardized detection methods for security analysts. Organizations detecting BRICKSTORM, similar malware, or potentially related activity are urged to contact CISA’s 24/7 Operations Center at co*****@******hs.gov or (888) 282-0870.
Original Source: https://www.cisa.gov/news-events/alerts/2025/12/04/prc-state-sponsored-actors-use-brickstorm-malware-across-public-sector-and-information-technology
Additional Reading:
- CISA – People’s Republic of China Threat Overview and Advisories
- (TLP:AMBER) Volt Typhoon Cyber Tactics Warrant Proactive Defense of US Critical Infrastructure Networks
- (TLP:CLEAR) Dragos Case Study of Volt Typhoon’s Breach of a Massachusetts Electric and Water Utility
Mitigation Recommendations:
- PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure
- Identifying and Mitigating Living Off the Land Techniques
- WaterISAC – 12 Cybersecurity Fundamentals for Water and Wastewater Utilities
Related WaterISAC PIRs: 6, 6.1, 7, 7.1, 10, 12
