5 Things To Know On VMware ‘Brickstorm’ Attacks

The China-linked attacks utilizing ‘Brickstorm’ backdoors have targeted long-term persistence on VMware vCenter and ESXi servers, according to the U.S. Cybersecurity and Infrastructure Security Agency.

A wave of China-linked espionage attacks has been observed targeting VMware vSphere systems, and in some cases has gained long-term persistence, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

In an advisory Thursday, CISA disclosed that the attacks—utilizing a sophisticated backdoor known as “Brickstorm”—have targeted VMware vCenter and ESXi servers.


Meanwhile, CrowdStrike’s Counter Adversary Operations team reported Thursday that it has identified “multiple intrusions” against U.S. customers of Broadcom-owned VMware throughout the course of 2025, which involved the Brickstorm malware.

What follows are five things to know about the VMware “Brickstorm” attacks.

Attacks Linked To China

The attacks have been linked to a threat actor working on behalf of the Chinese government, according to CISA’s advisory, which was released in conjunction with the National Security Agency and Canadian Centre for Cyber Security.

The agencies “assess People’s Republic of China (PRC) state-sponsored cyber actors are using BRICKSTORM malware for long-term persistence on victim systems,” the advisory said.

Likewise, CrowdStrike researchers disclosed that they have “identified multiple intrusions targeting VMware vCenter environments at U.S.-based entities, in which newly identified China-nexus adversary WARP PANDA deployed BRICKSTORM malware.”

‘Sophisticated’ Attacks

CrowdStrike researchers pointed to a “high level of technical sophistication” in the attacks, as well as “advanced” operations security skills and broad knowledge of cloud and virtual-machine environments.

Warp Panda “demonstrates a high level of stealth and almost certainly focuses on maintaining persistent, long-term, covert access to compromised networks,” the researchers wrote in a blog post. “Their operations are likely motivated by intelligence-collection requirements aligned with the strategic interests of the People's Republic of China.”

All indications suggest “they are associated with a well-resourced organization that has heavily invested in cyberespionage capabilities,” the CrowdStrike team wrote.

Similarly, CISA and other agencies warned that the China-linked threat actor has used a “sophisticated backdoor,” Brickstorm, to target VMware vSphere environments, including vCenter and ESXi servers, as well as Windows environments.

Victims Targeted

The CISA advisory indicated that victim organizations are “primarily” in government services and facilities as well as the IT sector.

In one case, where CISA performed an incident response, “PRC state-sponsored cyber actors gained long-term persistent access to the organization’s internal network in April 2024 and uploaded BRICKSTORM malware to an internal VMware vCenter server,” the advisory said.

“They also gained access to two domain controllers and an Active Directory Federation Services (ADFS) server,” the advisory said. “They successfully compromised the ADFS server and exported cryptographic keys. The cyber actors used BRICKSTORM for persistent access from at least April 2024 through at least Sept. 3, 2025.”

The CrowdStrike blog indicated that the group tracked as Warp Panda has “targeted VMware vCenter environments at U.S.-based legal, technology, and manufacturing entities.”

Broadcom Statement

In a statement provided by Broadcom to CRN Thursday, the company said it is “aware of reports that cyber threat actors have used the Brickstorm malware within VMware installations after obtaining access to customer environments.”

For protecting against the attacks, “we recommend application of up-to-date patches across all infrastructure solutions, including VMware software, strong operational security practices and the use of our recommendations to harden vSphere environments,” Broadcom said in the statement.

Additional Recommendations

CISA’s advisory recommends that organizations upgrade their VMware vSphere servers to the current version, harden VMware vSphere environments based on VMware guidance and inventory all network edge devices.

Other suggestions include applying least-privilege principles to account access and restricting service accounts to only the permissions they need, CISA said.

Key recommendations from CrowdStrike include monitoring for the creation of unsanctioned virtual machines and auditing for unsanctioned outbound connections, including connections to unexpected networks as well as known command-and-control infrastructure linked to Brickstorm.

Organizations might also consider disabling SSH access to VMware ESXi hosts, among other recommendations, CrowdStrike’s Counter Adversary Operations team said.
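For readers who administer vSphere, the following PowerCLI script is an added example (not code from CISA, CrowdStrike or Broadcom) of two of the recommendations above: reporting VM creation, clone and registration events that fall outside a sanctioned inventory, and reporting (optionally disabling) the SSH service on ESXi hosts. The vCenter name, sanctioned VM names and sanctioned creator accounts are placeholders to be replaced with the reader's own inventory, and it assumes VMware.PowerCLI is installed with an account that can read vCenter events and host services.

```powershell
# Added example, not from the advisory or vendor blogs. Placeholders below must be
# replaced with the organization's own vCenter name and sanctioned inventory.
param(
    [string]$VCenter = 'vcenter.example.invalid',                   # placeholder
    [string[]]$SanctionedVmNames = @('app01', 'db01'),                # placeholder
    [string[]]$SanctionedCreators = @('VSPHERE.LOCAL\automation'),    # placeholder
    [int]$LookbackDays = 30,
    [switch]$DisableSsh
)

Connect-VIServer -Server $VCenter | Out-Null

# 1. VM creation, clone, deploy and registration events from the lookback window.
#    Any event whose VM is not in the inventory, or whose acting account is not a
#    sanctioned automation identity, is reported for review.
$vmEvents = Get-VIEvent -Start (Get-Date).AddDays(-$LookbackDays) -MaxSamples ([int]::MaxValue) |
    Where-Object {
        $_ -is [VMware.Vim.VmCreatedEvent]    -or
        $_ -is [VMware.Vim.VmClonedEvent]     -or
        $_ -is [VMware.Vim.VmDeployedEvent]   -or
        $_ -is [VMware.Vim.VmRegisteredEvent]
    }

$suspectVms = $vmEvents | Where-Object {
    ($SanctionedVmNames -notcontains $_.Vm.Name) -or
    ($SanctionedCreators -notcontains $_.UserName)
} | Select-Object CreatedTime, UserName,
        @{N = 'VM';   E = { $_.Vm.Name } },
        @{N = 'Host'; E = { $_.Host.Name } },
        FullFormattedMessage

"=== VM events outside the sanctioned inventory (last $LookbackDays days) ==="
$suspectVms | Format-Table -AutoSize

# 2. SSH on ESXi hosts: report every host where the SSH service (key TSM-SSH) is
#    running or set to start with the host; with -DisableSsh, stop it and set the
#    startup policy to off.
"=== ESXi hosts with SSH running or enabled at boot ==="
foreach ($esx in Get-VMHost) {
    $ssh = Get-VMHostService -VMHost $esx | Where-Object { $_.Key -eq 'TSM-SSH' }
    if ($ssh.Running -or $ssh.Policy -ne 'off') {
        '{0}: running={1} policy={2}' -f $esx.Name, $ssh.Running, $ssh.Policy
        if ($DisableSsh) {
            Stop-VMHostService -HostService $ssh -Confirm:$false | Out-Null
            Set-VMHostService -HostService $ssh -Policy 'off' | Out-Null
        }
    }
}

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

The event query reads vCenter's own event store, so forward those events to an external log platform as well; a review that relies only on vCenter can be blinded by an actor who already holds vCenter administrative access.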