Brickstorm
BRICKSTORM is a backdoor/malware family used by PRC-nexus (China-linked) state-sponsored threat actors in long-running cyber-espionage operations. Reporting from Google Threat Intelligence Group and joint advisories from NSA, CISA, and the Canadian Centre for Cyber Security describe BRICKSTORM as being used to maintain persistent remote control in victim environments with an average dwell time of ~393 days, affecting dozens of organizations since at least 2022. Observed targeting includes government services, critical infrastructure, IT, technology sector organizations, and U.S. defense contractors. The activity has been associated with compromises of edge/perimeter devices (e.g., firewalls/VPNs/network appliances) and subsequent presence in Linux-based cloud environments, as well as VMware vSphere and Windows environments; advisories also note targeting of ADFS. Described capabilities include persistence, credential extraction, lateral movement, and evasion (including use of cloud tooling and encryption). Public reporting cautions the operators appear positioned not only for espionage against U.S. infrastructure but also potentially disruptive cyberattacks. Initial access vectors are not specified in the provided content.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Where they're from
Attributed origin per open-source reporting.
- CN
Recent activity
7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
China-linked actors are exploiting edge devices like firewalls, VPNs, and network appliances using zero-days and custom malware like Brickstorm.
BRICKSTORM is a malware used by China state-sponsored threat actors to target Linux-based cloud environments, enabling persistent remote system control, credential extraction, lateral movement, and evasion of detection through abuse of cloud tooling and encrypted C2 communications.
Long-dwell intrusions using the BRICKSTORM backdoor, targeting government and technology sectors, with a focus on persistence in VMware vSphere and Windows environments.
BRICKSTORM is a China-linked APT conducting long-term espionage operations targeting VMware and ADFS environments using a backdoor.