Cybersecurity News Hub

CISA, NSA warn of China’s BRICKSTORM malware after incident response efforts

by Cyberinchief
December 5, 2025
Chinese hackers are using a strain of malware to attack governments in several countries and maintain long-term access, according to U.S. and Canadian cybersecurity officials.

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA) and Canadian Centre for Cyber Security published an advisory on Thursday outlining the BRICKSTORM malware, based on an analysis of eight samples taken from victim organizations.

During a call with reporters on Thursday, CISA officials declined to explicitly say whether federal agencies have been impacted by BRICKSTORM. But the advisory said Chinese state-sponsored cyber actors are using the malware to specifically target the government and information technology sectors. 

Alongside the U.S. and Canadian advisory, cybersecurity firm Crowdstrike released its own BRICKSTORM advisory on Thursday, which said the hackers “likely used their access to one of the compromised networks to engage in rudimentary reconnaissance against an Asia Pacific government entity.”

“BRICKSTORM is a sophisticated and stealthy backdoor malware linked to PRC state-sponsored cyber actors,” said CISA Executive Assistant Director for Cybersecurity Nick Andersen. 

The advisory includes indicators of compromise and detections organizations can use to tell if they have been impacted by the campaign involving the malware. The malware is used “for long-term persistence on victim systems,” according to U.S. agencies. 


Reinstall and restart

The hackers using the malware primarily target VMware vSphere and Windows environments. Once systems are compromised, the threat actors extract credentials and create hidden virtual machines that enable further access. 

“At the victim organization where CISA conducted an incident response engagement, PRC state-sponsored cyber actors gained long-term persistent access to the organization’s internal network in April 2024 and uploaded BRICKSTORM malware to an internal VMware vCenter server,” CISA explained. 

“They also gained access to two domain controllers and an Active Directory Federation Services (ADFS) server. They successfully compromised the ADFS server and exported cryptographic keys.”

Each of the samples referenced in the advisory differed slightly, but all of them allowed the hackers to maintain stealthy access. The malware has a “self-watching” function: it automatically reinstalls or restarts itself if it is disrupted.

The malware also allows threat actors to browse, upload, download, create, delete and manipulate files. Some samples facilitated lateral movement that enabled the further compromise of other systems. 

CISA Acting Director Madhu Gottumukkala added that Thursday’s advisory “underscores the grave threats posed by the People’s Republic of China that create ongoing cybersecurity exposures and costs to the United States, our allies and the critical infrastructure we all depend on.”

“These state-sponsored actors are not just infiltrating networks — they are embedding themselves to enable long-term access, disruption, and potential sabotage,” he said. 

Private sector warnings

Crowdstrike said it has seen “multiple intrusions targeting VMware vCenter environments at U.S.-based entities” throughout 2025 involving BRICKSTORM. In one incident tracked by Crowdstrike, the Chinese hackers had access dating back to 2023. 

CISA officials declined to answer questions about whether data had been exfiltrated from victims it has dealt with but Crowdstrike said it saw the hackers staging data for exfiltration “on numerous occasions.”

“The adversary primarily targets entities in North America and consistently maintains persistent, covert access to compromised networks, likely to support intelligence-collection efforts aligned with PRC strategic interests,” Crowdstrike explained, adding that the hackers behind BRICKSTORM “will likely maintain their intelligence-collection operations in the near to long term.”

Mandiant said in a September report that it has responded to “numerous” BRICKSTORM intrusions since March 2025, with victims including legal firms, software-as-a-service providers and technology companies.

The goal of the campaign is to steal valuable intellectual property and sensitive data — with a particular focus on the email inboxes of senior company leaders, according to Mandiant. The company attributed the campaign to a threat actor they previously accused of abusing vulnerabilities in firewall products from tech company Ivanti.

According to Mandiant, the hackers abused Microsoft tools to access mail in any mailbox — at times targeting the mailboxes of developers and system administrators while in other cases, going after the mailboxes of “individuals involved in matters that align with [People’s Republic of China] economic and espionage interests.”

© 2025 All rights reserved by cyberinchief.com