BRICKSTORM is a Tool, Not a Threat Actor
BRICKSTORM is a multi-platform backdoor implant used by the Chinese state-sponsored threat group known as UNC5221 (also tracked as Warp Panda). This page provides technical details about the malware itself. For information about the threat actors deploying this tool, visit the Warp Panda Threat Actor Profile.
1 Related Resources
BRICKSTORM Hunting Guide
Complete threat hunting playbook with 13 hunt modules, detection queries (Splunk, KQL, Sigma), YARA rules, and CISA-verified IOCs. Includes step-by-step procedures for SOC teams.
Warp Panda (UNC5221)
Threat actor profile for the PRC state-sponsored group behind BRICKSTORM deployments. Includes TTPs, targeting patterns, campaign history, and MITRE ATT&CK mapping.
2 Technical Overview
BRICKSTORM is a sophisticated multi-platform backdoor written in Go, designed for long-term persistent access to enterprise virtualization infrastructure. First observed in April 2024, the implant has evolved through multiple variants targeting both Linux (vCenter/ESXi) and Windows environments. The malware employs novel techniques including DNS-over-HTTPS (DoH) for command-and-control communications and VSOCK tunneling for lateral movement between virtual machines.
Extended Dwell Time Observed
CISA analysis revealed BRICKSTORM implants maintained persistent access for an average of 393 days before detection, with some compromises spanning from April 2024 through September 2025. Organizations using VMware vCenter should prioritize hunting for this threat.
🔓 Initial Access
- CVE-2023-46805 (Ivanti Connect Secure)
- CVE-2024-21887 (Ivanti Auth Bypass)
- Compromised edge appliances
- Valid credential abuse
🔧 Core Capabilities
- File upload/download operations
- Command shell execution
- SOCKS proxy tunneling
- VSOCK inter-VM communication
📡 C2 Communications
- DNS-over-HTTPS (DoH) tunneling
- Cloud provider infrastructure (1.1.1.1, 8.8.8.8)
- Nested encryption layers
- Traffic blending with legitimate DNS
💾 Persistence Mechanisms
- Self-monitoring persistence ("self-watching")
- Boot initialization scripts
- PATH environment hijacking
- VMware service integration
3 Platform Variants
Linux Variant
vCenter & ESXi Targeted
- Target: VMware vCenter Server Appliance
- Persistence: /etc/rc.local.d/, systemd services
- Unique Feature: VSOCK inter-VM tunneling
- Binary Location: /usr/lib/vmware-*, /opt/vmware/
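The Linux persistence locations listed above (boot scripts under /etc/rc.local.d/, PATH hijacking via shell profile fragments, binaries under /usr/lib/vmware-* and /opt/vmware/) can be audited from the text of those files alone. The following script is an added example, not code from the original page or from CISA: it flags directories prepended ahead of $PATH that are not standard system bin directories, and backgrounded launchers in boot scripts. The file contents, paths and the list of standard PATH directories are constructed assumptions for the example and should be tuned per appliance.

```python
"""Audit Linux persistence locations named for the BRICKSTORM Linux variant.

Added example, not from the original page or any vendor tool. It inspects
the text of boot scripts (/etc/rc.local.d/) and shell profile fragments
(/etc/profile.d/) for two techniques the page lists: PATH environment
hijacking and background launchers under the VMware directories.
All file contents in SAMPLE_FILES are constructed samples.
"""
import re
from dataclasses import dataclass

# Directories that normally appear in PATH on an appliance; anything else
# placed ahead of $PATH shadows real binaries (assumption: tune per host).
STANDARD_PATH_DIRS = {
    "/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/local/bin", "/usr/local/sbin",
}
# Binary locations the page associates with the Linux variant.
VMWARE_DIR_PATTERN = re.compile(r"^(?:/usr/lib/vmware-[^/]*|/opt/vmware)(?:/|$)")
# 'PATH=...' or 'export PATH=...' at the start of a line.
PATH_ASSIGN = re.compile(r"^\s*(?:export\s+)?PATH=(?P<value>\S+)", re.M)
# A line that runs an absolute-path command, optionally via nohup/setsid.
LAUNCH_LINE = re.compile(r"^\s*(?:nohup\s+|setsid\s+)*(?P<cmd>/\S+)(?P<rest>.*)$", re.M)


@dataclass(frozen=True)
class Finding:
    path: str    # file that contained the indicator
    kind: str    # "path_prepend" | "path_append" | "background_launcher"
    detail: str  # the directory or command involved


def find_path_hijacks(path, text):
    """Flag non-standard directories added to PATH; prepends shadow real binaries."""
    findings = []
    for m in PATH_ASSIGN.finditer(text):
        parts = m.group("value").strip("\"'").split(":")
        # Index of $PATH in the assignment: entries before it are prepends.
        # If $PATH is absent the whole PATH is replaced, so treat all as prepends.
        idx = next((i for i, p in enumerate(parts) if p in ("$PATH", "${PATH}")), len(parts))
        for i, d in enumerate(parts):
            if d in ("$PATH", "${PATH}") or d in STANDARD_PATH_DIRS:
                continue
            findings.append(Finding(path, "path_prepend" if i < idx else "path_append", d))
    return findings


def find_background_launchers(path, text):
    """Flag commands a boot script backgrounds, or that live under VMware dirs."""
    findings = []
    for m in LAUNCH_LINE.finditer(text):
        cmd, rest = m.group("cmd"), m.group("rest")
        backgrounded = rest.rstrip().endswith("&") or m.group(0).lstrip().startswith(("nohup", "setsid"))
        if backgrounded or VMWARE_DIR_PATTERN.match(cmd):
            findings.append(Finding(path, "background_launcher", cmd))
    return findings


def audit(files):
    """files: mapping of absolute path -> file text. Returns sorted findings."""
    findings = []
    for path, text in files.items():
        if path.startswith("/etc/profile.d/") or path in ("/etc/profile", "/etc/environment"):
            findings.extend(find_path_hijacks(path, text))
        if path.startswith("/etc/rc.local.d/"):
            findings.extend(find_background_launchers(path, text))
            findings.extend(find_path_hijacks(path, text))
    return sorted(findings, key=lambda f: (f.path, f.kind, f.detail))


# Constructed sample file contents (not real artifacts from any incident).
SAMPLE_FILES = {
    # Benign: appends a tool directory after $PATH
    "/etc/profile.d/go.sh": "export PATH=$PATH:/usr/local/go/bin\n",
    # Suspicious: a hidden directory under /opt/vmware is placed ahead of $PATH
    "/etc/profile.d/vmware-env.sh": 'export PATH="/opt/vmware/.cache/bin:$PATH"\n',
    # Boot script with a backgrounded launcher under a VMware path
    "/etc/rc.local.d/local.sh": "#!/bin/sh\nnohup /usr/lib/vmware-hostd/.svc >/dev/null 2>&1 &\nexit 0\n",
    # Unremarkable profile fragment: no PATH change
    "/etc/profile.d/lang.sh": "export LANG=en_US.UTF-8\n",
}

if __name__ == "__main__":
    for f in audit(SAMPLE_FILES):
        print(f"{f.kind:20} {f.path}: {f.detail}")
```

On a live appliance the same functions can be fed the real file contents (for example by reading every file under /etc/profile.d/ and /etc/rc.local.d/); a path_prepend into a VMware or hidden directory, or a backgrounded launcher that is not part of the vendor's own boot script, is the condition to escalate.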
Windows Variant
Enterprise Workstations
- Target: Domain-joined workstations
- Persistence: Scheduled tasks, Run keys
- Unique Feature: Junction folder evasion
- Binary Location: %APPDATA%\, %PROGRAMDATA%\
4 Campaign Timeline
First Observed Deployment
Initial BRICKSTORM implants deployed via compromised Ivanti Connect Secure appliances (CVE-2023-46805, CVE-2024-21887)
VMware vCenter Targeting
Threat actors pivot from edge devices to internal VMware infrastructure, establishing persistent access
Windows Variant Emerges
Multi-platform capabilities expanded with Windows-specific variant using scheduled task persistence
CISA Analysis Report
CISA publishes AR25-338A detailing BRICKSTORM TTPs, IOCs, and detection guidance
Active Threat
BRICKSTORM deployments continue with evidence of tool evolution and expanded targeting
5 Detection Priorities
The following detection opportunities provide the highest-confidence indicators of BRICKSTORM compromise. For complete detection rules and hunting procedures, download the full hunting guide.
High-priority detection: DNS-over-HTTPS C2 communication. Looks for vCenter hosts making DoH connections to public resolvers (SPL; the index, sourcetype and the vcenter_servers lookup are placeholders to adapt to your own data, and uri_path is only populated where your firewall or proxy logs inspect HTTPS):
index=network sourcetype=firewall dest_port=443 dest IN ("1.1.1.1", "8.8.8.8", "8.8.4.4")
    [| inputlookup vcenter_servers | fields src_ip]
| where like(uri_path, "%dns-query%")
| stats count BY src_ip, dest, uri_path

Self-watching persistence detection: the same binary under a VMware directory re-executed repeatedly within an hour, or any process name containing "brickstorm" (SPL; index and field names assume a process-execution data source such as Linux audit logs and are placeholders):
index=endpoint event_type=process_start process_path IN ("/usr/lib/vmware-*", "/opt/vmware/*")
| bin _time span=1h
| stats count AS respawns BY _time, host, process_path, process_name
| where respawns > 3 OR like(process_name, "%brickstorm%")
- CRITICAL: DNS-over-HTTPS from vCenter to public resolvers
- CRITICAL: Self-respawning processes in VMware directories
- HIGH: VSOCK connections from ESXi hypervisor layer
- HIGH: PATH environment modification in /etc/profile.d/
6 MITRE ATT&CK Mapping
MITRE ATT&CK Software ID: S1167
Hunt for BRICKSTORM in Your Environment
Download the complete threat hunting guide with 13 detection modules, YARA rules, and step-by-step procedures for your SOC team.