EXECUTIVE SUMMARY
BRICKSTORM is a highly sophisticated PRC-linked backdoor targeting VMware vSphere environments to obtain long-term, covert access to critical infrastructure networks. It enables full control over virtualization systems — including VM snapshot theft and rogue VM creation — allowing attackers to bypass traditional security controls and persist for months or years undetected.
- Active Region: Global
- Affected Sector: Government, IT services, Technology, Manufacturing, Cloud / Virtualization infrastructure
- Affected Product: VMware vSphere / vCenter / ESXi
- Severity: Critical
- CVSS: 9.8
- Published Date: December 05, 2025
TECHNICAL DETAILS
Following the high-level threat overview, this section breaks down the technical mechanics behind BRICKSTORM’s deployment and persistence within VMware environments.
- Target: BRICKSTORM specifically targets VMware vSphere environments, including vCenter servers and ESXi hosts, with the goal of gaining control over virtualized infrastructure.
- Root Cause: The root cause lies in insufficient hardening and segmentation of virtualization management systems. Once threat actors gain access to privileged accounts or internal network pathways, they are able to deploy BRICKSTORM at the hypervisor…..
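The two capabilities the advisory calls out (snapshot theft and rogue VM creation) and the stated root cause (weak segmentation of the management plane) each leave a trace in vCenter's event stream, so a defender can hunt for them. The script below is an added example, not code from the advisory or from VMware: it runs a few simple rules over constructed event records. The JSON field names, the management network, the provisioning allowlist and the sensitive VM names are all placeholders chosen for this example; the event type names VmCreatedEvent, VmRegisteredEvent and the task id VirtualMachine.createSnapshot are the ones vCenter uses, but map your own export (vpxd logs or the EventManager API) onto these fields before relying on it.

```python
"""Hunt for BRICKSTORM-style abuse of the vSphere management plane.

Added example, not part of the original advisory. Event records are a
constructed, simplified JSON form (time, type, user, source_ip, vm, task);
real vCenter exports carry more fields and must be mapped onto this shape.
"""
import ipaddress
import json

# Placeholder policy for this example: the management subnet, the only
# accounts that may create or register VMs, and VMs whose snapshots hold
# credentials (domain controllers, PKI) and so merit an alert on their own.
MGMT_NETWORKS = [ipaddress.ip_network("10.10.0.0/24")]
VM_CREATE_ALLOWLIST = {"VSPHERE.LOCAL\\svc-provisioning"}
SENSITIVE_VMS = {"dc01", "dc02", "pki01"}

# vCenter event types for new VMs and the task id for snapshot creation.
CREATE_EVENTS = {"VmCreatedEvent", "VmRegisteredEvent", "VmClonedEvent"}
SNAPSHOT_TASKS = {"VirtualMachine.createSnapshot"}

# Constructed sample records: one benign provisioning event, one rogue VM
# created by an admin account, one snapshot of a domain controller taken
# from outside the management network, and one routine backup snapshot.
SAMPLE_EVENTS = r'''
{"time":"2025-12-01T02:14:00Z","type":"VmCreatedEvent","user":"VSPHERE.LOCAL\\svc-provisioning","source_ip":"10.10.0.15","vm":"web07"}
{"time":"2025-12-01T03:02:11Z","type":"VmCreatedEvent","user":"VSPHERE.LOCAL\\administrator","source_ip":"10.10.0.22","vm":"vmware-tools-upd"}
{"time":"2025-12-01T03:05:40Z","type":"TaskEvent","task":"VirtualMachine.createSnapshot","user":"VSPHERE.LOCAL\\administrator","source_ip":"192.168.50.9","vm":"DC01"}
{"time":"2025-12-01T09:00:00Z","type":"TaskEvent","task":"VirtualMachine.createSnapshot","user":"VSPHERE.LOCAL\\svc-backup","source_ip":"10.10.0.40","vm":"web07"}
'''


def check_event(ev):
    """Return the list of rule hits for one event (empty when benign)."""
    findings = []
    src = ipaddress.ip_address(ev["source_ip"])
    # Segmentation rule: any management-plane action from outside the
    # management network is suspect regardless of the account used.
    if not any(src in net for net in MGMT_NETWORKS):
        findings.append("management-plane access from outside the management network")
    # Rogue VM rule: creation or registration by an account that is not
    # the provisioning service.
    if ev["type"] in CREATE_EVENTS and ev["user"] not in VM_CREATE_ALLOWLIST:
        findings.append("VM created/registered by an account outside the provisioning allowlist")
    # Snapshot theft rule: snapshot of a VM whose disk holds credentials.
    if (ev["type"] == "TaskEvent" and ev.get("task") in SNAPSHOT_TASKS
            and ev["vm"].lower() in SENSITIVE_VMS):
        findings.append("snapshot taken of a sensitive VM")
    return findings


def hunt(lines):
    """Parse JSON event lines and return (time, user, vm, findings) tuples."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        hits = check_event(ev)
        if hits:
            alerts.append((ev["time"], ev["user"], ev["vm"], hits))
    return alerts


if __name__ == "__main__":
    for time, user, vm, hits in hunt(SAMPLE_EVENTS.splitlines()):
        print(f"{time} {user} vm={vm}")
        for hit in hits:
            print(f"    - {hit}")
```

On the sample data the first and last records pass, the second record is flagged once (rogue VM by a non-provisioning account) and the third twice (snapshot of DC01, issued from a non-management address). Tuning the three placeholder sets to the real environment is the whole job; the rules themselves only encode what the advisory already states an intruder must do.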