
Agencies Alert Government and IT Firms to a New China-Linked BRICKSTORM Attack

Cybersecurity authorities issued a warning that a sophisticated malware strain called BRICKSTORM powers an ongoing campaign to infiltrate government agencies, technology firms, and critical infrastructure providers.

Investigators tie the operation to state-linked Chinese hackers who target Linux and Windows systems as well as major virtualization platforms, raising serious concerns about long-term access, covert surveillance, and potential sabotage.

How BRICKSTORM Works

Investigators report that the malware penetrates VMware vCenter servers and enterprise networks, allowing attackers to deploy hidden backdoors, create rogue virtual machines, steal credentials, and maintain persistent control. They found intrusions dating back to April 2024 that evaded detection well into late 2025, underscoring the stealth and sophistication of the tools in use.

Security analysts state that the threat actors behind BRICKSTORM use multiple implants to compromise ESXi hosts and virtual machines. They employ secure file transfer techniques, wipe logs, and rely on additional stealth methods that conceal their activity while they quietly exfiltrate data.

After issuing the alert, cybersecurity agencies urged organizations to immediately inspect their systems for signs of compromise, including unusual virtual machine behavior, suspicious credential exposure, or unexpected network activity. They also recommended applying all available security patches and conducting comprehensive environment-wide reviews.

Experts warn that because BRICKSTORM specifically targets virtualization layers and avoids common endpoint-detection methods, standard antivirus tools may fail to detect it. They advise organizations to implement strict credential policies, segment networks, increase behavioral monitoring, and carry out regular security audits to reduce exposure.
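The advisory's detection guidance above (rogue virtual machines, suspicious credential use, wiped logs) can be turned into a first-pass review of a hypervisor management audit trail. The script below is an added example written for this page, not code from the advisory or from any vendor; the pipe-delimited log format, the sample lines, the account names, and the event-type names (loosely styled after hypervisor audit event names) are all constructed for illustration. It flags VM lifecycle events performed by accounts outside an approved provisioner list or outside the change window, and any event that purges the audit log.

```python
"""Review a hypervisor management audit log for rogue-VM and log-wiping indicators.

Added example for illustration. The log format, event names, accounts and
sample lines below are constructed, not taken from a real product or incident.
"""
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample audit log. Format (an assumption for this example):
#   ISO-8601 timestamp | acting account | event type | target object
SAMPLE_LOG = """\
2025-11-03T09:14:02Z|svc-backup@vsphere.local|VmCreatedEvent|backup-proxy-07
2025-11-03T02:41:55Z|tmp-admin@vsphere.local|VmCreatedEvent|vm-7f3a
2025-11-03T02:43:10Z|tmp-admin@vsphere.local|VmPoweredOnEvent|vm-7f3a
2025-11-03T02:50:30Z|tmp-admin@vsphere.local|EventLogPurged|vcenter-01
2025-11-03T14:05:12Z|jdoe@corp.example|VmPoweredOnEvent|web-03
"""

# Accounts permitted to create, clone or register VMs (constructed allowlist).
APPROVED_PROVISIONERS = {"svc-backup@vsphere.local", "jdoe@corp.example"}
# Approved change window in the log's timezone (UTC here).
CHANGE_WINDOW = (time(8, 0), time(18, 0))
# Event types that introduce a new VM into the environment (constructed names).
VM_LIFECYCLE_EVENTS = {"VmCreatedEvent", "VmRegisteredEvent", "VmClonedEvent"}
# Event types that indicate the audit trail itself was cleared (constructed name).
LOG_TAMPER_EVENTS = {"EventLogPurged"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    account: str
    kind: str
    target: str


def parse_log(text: str) -> list[Event]:
    """Parse pipe-delimited audit lines into Event records, skipping blanks."""
    events = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        ts, account, kind, target = raw.split("|")
        # fromisoformat handles "+00:00" on every supported Python version.
        stamp = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(Event(stamp, account, kind, target))
    return events


def in_change_window(ts: datetime) -> bool:
    start, end = CHANGE_WINDOW
    return start <= ts.time() <= end


def review_events(events: list[Event]) -> list[dict]:
    """Return one finding per event that matches an indicator, with all reasons."""
    findings = []
    for ev in events:
        reasons = []
        if ev.kind in VM_LIFECYCLE_EVENTS:
            if ev.account not in APPROVED_PROVISIONERS:
                reasons.append("VM lifecycle change by account outside approved provisioner list")
            if not in_change_window(ev.ts):
                reasons.append("VM lifecycle change outside the change window")
        if ev.kind in LOG_TAMPER_EVENTS:
            reasons.append("audit log purged")
        if reasons:
            findings.append({
                "time": ev.ts.isoformat(),
                "target": ev.target,
                "account": ev.account,
                "kind": ev.kind,
                "reasons": reasons,
            })
    return findings


def review_log(text: str) -> list[dict]:
    return review_events(parse_log(text))


if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print(f"{finding['time']} {finding['target']} by {finding['account']} "
              f"({finding['kind']}): {'; '.join(finding['reasons'])}")
```

Run against the constructed sample, the script reports the VM created at 02:41 by an account that is not an approved provisioner, and the later purge of the audit log; the backup service's daytime VM creation and the routine power-on events produce no finding. In a real environment the allowlist and change window come from the organisation's change-management records, and findings should be corroborated against the host-level and network telemetry the advisory also calls for, since the page notes the actors wipe logs and the management server's own audit trail may already be incomplete.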

How Companies and Governments Can Protect Themselves

The emergence of this campaign highlights the expanding risk from state-sponsored cyber operations. Analysts argue that the attackers intend to move far beyond traditional data theft and instead seek to establish long-term footholds that could enable widespread disruption if activated.

With attackers increasingly exploiting cloud, virtualization, and remote-access systems, security specialists expect similar campaigns to escalate. The latest advisory makes one point clear: organizations must strengthen their cyber defenses immediately or risk long-lasting compromise.