At a glance: State-sponsored threat actors are using the BRICKSTORM backdoor to exploit MSP credentials and compromise VMware vCenter and ESXi environments. The campaign enables long-term persistence, rogue VM creation, and credential theft across multi-tenant infrastructures. Field Effect MDR clients will receive an ARO alert if indicators of BRICKSTORM activity are detected.
Threat summary
On December 4, 2025, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Canadian Centre for Cyber Security released a joint Malware Analysis Report on Chinese state-sponsored actors’ use of the BRICKSTORM malware.
BRICKSTORM is a backdoor written in Go that communicates over encrypted channels such as HTTPS, WebSockets, Transport Layer Security (TLS), and DNS over HTTPS (DoH). Some variants operate as SOCKS proxies, enabling attackers to move laterally across networks.
In this case, the BRICKSTORM malware was deployed to maintain long-term persistence in victim organizations across the government services and information technology sectors. To evade detection, the malware was embedded into trusted processes, system files were modified, and legitimate service accounts were exploited.
The primary targets were VMware vCenter servers, VMware ESXi, and Windows environments. Attackers obtained credentials for a managed service provider account and used them to move from internal domain controllers into VMware vCenter servers.
Once inside the vCenter management console, they cloned virtual machines and stole the snapshots to extract credentials, created rogue virtual machines, and compromised Active Directory Federation Services (ADFS) to export its cryptographic keys.
BRICKSTORM remained active in victim environments for more than a year, with evidence of deployment dating back to April 2024. Its use of encrypted command and control channels allowed attackers to operate undetected for extended periods. By compromising vCenter, they gained control over entire virtual infrastructures, significantly complicating detection and remediation.
Analyst insight
Managed service providers (MSPs) are a critical target in this campaign because their credentials provide attackers with broad access across multiple client environments. The compromise of vCenter servers and ADFS allowed attackers to exfiltrate sensitive data, manipulate virtual machines, and maintain covert access across multiple tenants.
This campaign highlights a growing trend: threat actors are leveraging trusted accounts and virtualization management platforms because they provide centralized control over enterprise systems. For MSPs, this means a single compromise can cascade across multiple tenants, threatening service availability and client trust.
Recommendations for MSPs include:
- Enforce strict credential management, including rotation and least privilege for service accounts.
- Apply vendor patches and updates for VMware vCenter and ESXi promptly to reduce exposure.
- Segment management interfaces from client-facing networks to limit lateral movement.
- Continuously monitor VMware environments for rogue virtual machines and unusual encrypted traffic.
Further, behavioral detection tools capable of identifying misuse of valid credentials, such as Field Effect MDR, can provide early warning, while incident response playbooks tailored to virtualization platforms can accelerate containment and recovery.
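As an added illustration of the monitoring and behavioral-detection recommendations above (example code, not from the advisory or from Field Effect), the following Python pass flags rogue VM creation, cloning of a sensitive VM, and service-account activity from outside its baseline source IPs and hours, over constructed vCenter-style event records. The event type names follow vSphere's event model; the record layout, account names, addresses and inventory are assumptions.

```python
"""Toy detection pass over constructed vCenter-style event records.

Added example, not from the advisory. Event type names follow vSphere's
event model (VmCreatedEvent, VmClonedEvent, UserLoginSessionEvent); the
flat record layout and every value below are constructed assumptions.
"""
from datetime import datetime

# Constructed baseline: approved VM inventory, VMs whose clones deserve
# review (domain controllers hold credential material), and where/when the
# hypothetical MSP service account normally operates.
APPROVED_VMS = {"web-01", "db-01", "dc-01"}
SENSITIVE_VMS = {"dc-01"}
BASELINE = {"svc-msp-admin": {"ips": {"10.20.0.5"}, "hours": range(8, 19)}}

# Constructed sample events, not real telemetry.
EVENTS = [
    {"time": "2024-04-02T09:15:00", "type": "UserLoginSessionEvent",
     "user": "svc-msp-admin", "ip": "10.20.0.5", "vm": None},
    {"time": "2024-04-02T02:40:00", "type": "UserLoginSessionEvent",
     "user": "svc-msp-admin", "ip": "172.16.9.77", "vm": None},
    {"time": "2024-04-02T02:41:00", "type": "VmClonedEvent",
     "user": "svc-msp-admin", "ip": "172.16.9.77", "vm": "dc-01"},
    {"time": "2024-04-02T02:45:00", "type": "VmCreatedEvent",
     "user": "svc-msp-admin", "ip": "172.16.9.77", "vm": "tmp-backup-7"},
    {"time": "2024-04-02T10:00:00", "type": "VmCreatedEvent",
     "user": "alice", "ip": "10.20.0.9", "vm": "web-01"},
]


def analyze(events, approved=APPROVED_VMS, sensitive=SENSITIVE_VMS,
            baseline=BASELINE):
    """Return a list of (event, reason) alerts for the supplied events."""
    alerts = []
    for ev in events:
        ts = datetime.fromisoformat(ev["time"])
        user, etype, vm = ev["user"], ev["type"], ev["vm"]
        prof = baseline.get(user)
        # Valid credential, abnormal context: unknown source IP or off-hours use.
        if prof and ev["ip"] not in prof["ips"]:
            alerts.append((ev, f"{user}: activity from unknown IP {ev['ip']}"))
        if prof and ts.hour not in prof["hours"]:
            alerts.append((ev, f"{user}: activity at {ts.hour:02d}:00 is outside baseline hours"))
        # Rogue VM: a creation event for a name absent from the approved inventory.
        if etype == "VmCreatedEvent" and vm not in approved:
            alerts.append((ev, f"rogue VM candidate {vm!r} created by {user}"))
        # Clone of a sensitive VM: the snapshot can be carried off for offline credential extraction.
        if etype == "VmClonedEvent" and vm in sensitive:
            alerts.append((ev, f"clone of {vm} by {user}: review for credential harvesting"))
    return alerts


if __name__ == "__main__":
    for ev, reason in analyze(EVENTS):
        print(ev["time"], reason)
```

In production the baseline would be learned from history rather than hard-coded, and the events would come from the vCenter event stream or a forwarded syslog feed.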
Field Effect MDR strengthens this defense by detecting early behaviors that indicate compromise, even when attackers use technically valid credentials. It continuously monitors how accounts are accessed, flagging logins from unusual locations, devices, or times, and identifying actions that fall outside a legitimate user’s normal behavior.
By correlating activity across systems and applying threat intelligence, Field Effect MDR enables rapid containment and response. For MSPs, this provides a critical layer of protection, helping to safeguard multi-tenant environments and maintain client trust in the face of advanced state-sponsored threats.