The Cybersecurity and Infrastructure Security Agency (CISA), in conjunction with the National Security Agency (NSA) and the Canadian Centre for Cyber Security (Cyber Centre), warns that state-sponsored cyber actors associated with the People’s Republic of China (PRC) are leveraging a sophisticated backdoor malware for “long-term persistence on victim systems.”

This malware is called BRICKSTORM, and it is a backdoor for VMware vSphere — particularly VMware vCenter servers and VMware ESXI — as well as Windows environments.

In observations of this campaign, cyber actors targeted VMware vSphere platforms. According to CISA, after being compromised, “the cyber actors can use their access to the vCenter management console to steal cloned virtual machine (VM) snapshots for credential extraction and create hidden, rogue VMs.”

Ensar Seker, CISO at SOCRadar, shares insights on the the campaign. 

“What’s especially alarming about this campaign is that it targets the virtualization layer itself, not the OS or applications, which historically receives less attention. Once the hypervisor or management console (vCenter) is compromised, attackers gain broad visibility over the virtual infrastructure and can bypass many traditional endpoint defenses (like EDR), because these often don’t monitor hypervisor behavior or VM snapshot manipulation,” says Seker. “For defenders, the implications are stark: if you run VMware vSphere or ESXi, particularly with vCenter exposed internally or weakly segmented, you are directly in scope. This means organizations must treat virtualization infrastructure as a critical attack surface with the same urgency as public‑facing apps or legacy enterprise systems.” 

At one victim organization, the cyber actors gained access in April 2024 and maintained it to approximately September 2025. 

“In short, this isn’t just another malware campaign,” Seker asserts. “It’s a wake‑up call showing that adversaries are shifting upward in the stack, targeting the foundations of virtualization rather than individual VMs. For many organizations, exposure will only be obvious after they start actively hunting for hypervisor‑layer compromise.”