🇨🇳 CN1 malware family

PRC-Nexus

Also known asprc_nexus

PRC-Nexus is a threat actor designation used in the provided content for actors targeting the virtualization layer in VMware vSphere environments. The activity described focuses on VMware vCenter Server Appliance (VCSA) and ESXi hypervisors, with the objective of establishing long-term persistence. The content states these actors operate beneath the guest operating system, exploiting a visibility gap where traditional endpoint detection and response tools are ineffective. It further notes that compromise of the vCenter control plane can provide administrative control over managed ESXi hosts and virtual machines, creating a path to exfiltrate Tier-0 assets. The activity is discussed in the context of the BRICKSTORM backdoor and related malware activity. No additional aliases, sub-groups, or attribution details beyond the PRC-Nexus name are directly provided in the content.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they're from

Attributed origin per open-source reporting.

MITRE ATT&CK

Tradecraft

1 distinct technique observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

1 of 15 tactics1 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0004

Privilege Escalation

1 technique

T1068

Exploitation for Privilege Escalation

ARSENAL

Associated malware families

1 malware family attributed to this actor across reporting.

FamilyContextEvidenceLast seen

BRICKSTORMMandiant (part of Google Cloud) just published a comprehensive defender’s guide on securing VMware vSphere environments against the BRICKSTORM backdoor and associated malware activity.1Apr 9, 2026

ACTIVITY FEED

Recent activity

1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

1 SOURCESView more in app

austin larsen blogNews

Apr 2, 2026

Hardening VMware vSphere Against BRICKSTORM: A Defender's Guide - Austin Larsen

Targeting VMware vSphere environments by compromising VCSA and ESXi hypervisors to gain long-term persistence beneath guest operating systems, enabling administrative control over managed ESXi hosts and virtual machines and creating opportunities for data exfiltration of Tier-0 assets.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping1

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal1

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.