State-Sponsored Actors Leverage Backdoor Malware, CISA Warns

The Cybersecurity and Infrastructure Security Agency (CISA), in conjunction with the National Security Agency (NSA) and the Canadian Centre for Cyber Security (Cyber Centre), warns that state-sponsored cyber actors associated with the People’s Republic of China (PRC) are leveraging a sophisticated backdoor malware for “long-term persistence on victim systems.”
This malware is called BRICKSTORM, and it is a backdoor for VMware vSphere — particularly VMware vCenter servers and VMware ESXi hosts — as well as Windows environments.
In observations of this campaign, cyber actors targeted VMware vSphere platforms. According to CISA, after being compromised, “the cyber actors can use their access to the vCenter management console to steal cloned virtual machine (VM) snapshots for credential extraction and create hidden, rogue VMs.”
Ensar Seker, CISO at SOCRadar, shares insights on the campaign.
“What’s especially alarming about this campaign is that it targets the virtualization layer itself, not the OS or applications, which historically receives less attention. Once the hypervisor or management console (vCenter) is compromised, attackers gain broad visibility over the virtual infrastructure and can bypass many traditional endpoint defenses (like EDR), because these often don’t monitor hypervisor behavior or VM snapshot manipulation,” says Seker. “For defenders, the implications are stark: if you run VMware vSphere or ESXi, particularly with vCenter exposed internally or weakly segmented, you are directly in scope. This means organizations must treat virtualization infrastructure as a critical attack surface with the same urgency as public‑facing apps or legacy enterprise systems.”
At one victim organization, the cyber actors gained access in April 2024 and maintained it until approximately September 2025.
“In short, this isn’t just another malware campaign,” Seker asserts. “It’s a wake‑up call showing that adversaries are shifting upward in the stack, targeting the foundations of virtualization rather than individual VMs. For many organizations, exposure will only be obvious after they start actively hunting for hypervisor‑layer compromise.”
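The two hypervisor-layer behaviors the advisory describes (cloning or snapshotting credential-bearing VMs, and running rogue VMs that vCenter has no record of) can be hunted for by correlating vCenter events with what each ESXi host is actually running. The following is an added example, not code from CISA or the quoted vendor; the event record layout, the VM names and the watchlist are constructed for illustration.

```python
"""Hunt for the vSphere behaviors the advisory describes: clone/snapshot operations
on VMs that hold domain credentials, and rogue VMs present on ESXi hosts but absent
from the vCenter inventory. All data below is constructed for this example."""

# Constructed vCenter event records; the field names are an assumption for the example.
VC_EVENTS = [
    {"time": "2024-04-12T02:14:07Z", "type": "VmClonedEvent",
     "vm": "dc01", "user": "VSPHERE.LOCAL\\svc-backup"},
    {"time": "2024-04-12T02:31:55Z", "type": "TaskEvent:CreateSnapshot_Task",
     "vm": "dc02", "user": "VSPHERE.LOCAL\\svc-backup"},
    {"time": "2024-04-13T09:00:01Z", "type": "VmPoweredOnEvent",
     "vm": "web07", "user": "CORP\\ops"},
]
# VMs whose disks hold domain credentials (e.g. domain controllers); constructed watchlist.
CREDENTIAL_VMS = {"dc01", "dc02"}
# Constructed inventory: what vCenter knows versus what each ESXi host is running.
VCENTER_INVENTORY = {"dc01", "dc02", "web07"}
ESXI_RUNNING = {"esx-01": {"dc01", "web07"}, "esx-02": {"dc02", "vmware-hlp"}}


def clone_snapshot_hits(events, watchlist):
    """Return (vm, user, time) for clone or snapshot operations on watch-listed VMs.

    A clone or snapshot of a domain controller is the step that precedes offline
    credential extraction, so every hit deserves review against change records."""
    suspicious = ("VmClonedEvent", "CreateSnapshot")
    return [(e["vm"], e["user"], e["time"]) for e in events
            if e["vm"] in watchlist and any(s in e["type"] for s in suspicious)]


def rogue_vms(inventory, running_by_host):
    """Return {host: set(vm)} for VMs running on ESXi that vCenter has no record of.

    A VM registered directly on a host and hidden from vCenter is invisible to
    inventory-driven tooling, so the comparison must use host-side data."""
    return {host: vms - inventory
            for host, vms in running_by_host.items() if vms - inventory}


if __name__ == "__main__":
    for hit in clone_snapshot_hits(VC_EVENTS, CREDENTIAL_VMS):
        print("review clone/snapshot of credential VM:", hit)
    for host, vms in rogue_vms(VCENTER_INVENTORY, ESXI_RUNNING).items():
        print(f"rogue VM(s) on {host}: {sorted(vms)}")
```

In a real hunt the host-side list would come from each ESXi host directly rather than through vCenter, since the management console is the component assumed to be compromised.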