CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems


These articles are AI-generated summaries. Please check the original sources for full details.


CISA has identified BRICKSTORM, a backdoor used by PRC-linked actors to maintain long-term, stealthy access to U.S. VMware and Windows environments. The malware is written in Go, gives its operators an interactive shell, and carries its command-and-control traffic over HTTPS, WebSockets, and TLS so that it blends in with ordinary encrypted web traffic.

Why This Matters

BRICKSTORM restarts itself if it is killed, clears logs and timestomps its files to frustrate forensic timelines, and lives inside virtualization infrastructure that most endpoint tooling never inspects. Its deployment across government and IT-sector organizations shows the scale of the risk: an implant that sits beside the hypervisor can exfiltrate data and pivot into guest systems while remaining undetected for years.

Key Insights

  • BRICKSTORM was first documented by Google Mandiant in 2024; the CISA report summarized here was published in 2025.
  • The backdoor uses a custom VSOCK interface. VSOCK carries traffic between a guest VM and the hypervisor that hosts it rather than over the network, which in the report's example lets data move between the hypervisor and guest VMs without crossing any monitored network path.
  • CrowdStrike attributes the use of BRICKSTORM for cloud-based persistence to Warp Panda, a PRC-linked adversary.

Practical Applications

  • Targets: U.S. government agencies and IT-sector organizations, where PRC-linked actors have used BRICKSTORM for long-term network infiltration
  • Pitfall: overlooking VSOCK-based communication in VM environments. Because VSOCK never traverses the network stack, NetFlow, IDS and firewall telemetry do not see it, and lateral movement over that channel goes undetected unless the hypervisor and guests themselves are monitored.
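Timestomping, one of the evasion techniques attributed to BRICKSTORM above, rewrites a file's modification and access times through utimes(2), but user space cannot set the inode change time (ctime). A file whose mtime is far older than its ctime is therefore a hunting lead. The following Go program is an added example of that check and is not code from the CISA report or from the malware; it assumes a Linux host (such as the vCenter appliance) where os.FileInfo.Sys() yields a syscall.Stat_t, and the default hunt path /usr/lib/vmware is an assumed starting point, not one named by the report.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"syscall"
	"time"
)

// Suspect records a regular file whose mtime precedes its ctime by more
// than the caller's threshold.
type Suspect struct {
	Path  string
	MTime time.Time
	CTime time.Time
}

// ctime extracts the inode change time. Assumption: Linux, where the
// stat structure exposes Ctim; other platforms return ok=false.
func ctime(fi os.FileInfo) (time.Time, bool) {
	st, ok := fi.Sys().(*syscall.Stat_t)
	if !ok {
		return time.Time{}, false
	}
	return time.Unix(int64(st.Ctim.Sec), int64(st.Ctim.Nsec)), true
}

// FindTimestomped walks root and returns regular files whose ctime is
// later than mtime by more than gap. chmod/chown and package upgrades also
// bump ctime, so hits are leads to triage, not verdicts.
func FindTimestomped(root string, gap time.Duration) ([]Suspect, error) {
	var out []Suspect
	err := filepath.WalkDir(root, func(p string, d os.DirEntry, err error) error {
		if err != nil {
			return nil // unreadable entry: skip it and keep walking
		}
		if !d.Type().IsRegular() {
			return nil // symlinks, devices and directories are out of scope
		}
		fi, err := d.Info()
		if err != nil {
			return nil
		}
		ct, ok := ctime(fi)
		if !ok {
			return nil
		}
		if ct.Sub(fi.ModTime()) > gap {
			out = append(out, Suspect{Path: p, MTime: fi.ModTime(), CTime: ct})
		}
		return nil
	})
	return out, err
}

func main() {
	root := "/usr/lib/vmware" // assumed hunt location; pass a path to override
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	hits, err := FindTimestomped(root, 24*time.Hour)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, h := range hits {
		fmt.Printf("%s mtime=%s ctime=%s\n",
			h.Path, h.MTime.Format(time.RFC3339), h.CTime.Format(time.RFC3339))
	}
}
```

Run it against the directories where the implant is expected to drop its binary and service files, then triage each hit by checking whether a legitimate package operation or permission change explains the ctime; a freshly built Go binary with an mtime years in the past and no matching package record is the pattern worth escalating.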
