TLP:CLEAR — This version of the report is approved for public sharing and may be redistributed with attribution.
Summary:
A joint advisory warns that PRC state-sponsored actors (tracked as Warp Panda / UNC5221) are deploying a sophisticated Go-based backdoor named BRICKSTORM to maintain long-term persistence within U.S. government and critical infrastructure networks. The campaign typically begins by exploiting edge vulnerabilities in Ivanti Connect Secure or F5 BIG-IP appliances, then pivots to the virtualization layer—specifically VMware vCenter and ESXi—to evade detection. The actors often deploy helper implants named Junction and GuestConduit to facilitate guest-to-hypervisor communication. BRICKSTORM features “self-watching” processes that auto-remediate if disrupted and uses DNS-over-HTTPS (DoH) with nested TLS to hide command-and-control traffic. Reporting indicates an average dwell time of 393 days, confirming a strategic “access hold” objective.
🔗 Link to CISA Alert AA25-339A
Why We Picked This:
This campaign exemplifies the shift in high-tier tradecraft toward “living in the hypervisor.” By embedding persistence directly into ESXi and vCenter (via tools like Junction), the actors effectively bypass standard EDR tools that only monitor guest operating systems. The use of benign protocols (DoH) for C2 further complicates network detection without deep packet inspection. For defenders, this highlights a critical gap: virtualization infrastructure is no longer just “IT plumbing” but a primary, high-value target for long-term espionage that requires dedicated integrity monitoring.
This campaign highlights a critical blind spot in many enterprise detection strategies: persistent backdoors operating quietly inside virtualized and hybrid environments. BRICKSTORM is not flashy ransomware or destructive malware — it is designed to stay. The ability to survive across VMware infrastructure and standard IT systems increases dwell time and blast radius while evading many endpoint-centric security controls.
The tradecraft is notable for how well it aligns with long-term state objectives: stealth, durability, and optionality. Once access is achieved, operators can exfiltrate data, pivot internally, or hold access for future geopolitical leverage. For defenders, this case reinforces the need to treat virtualization layers and management planes as high-value targets, not just supporting infrastructure.
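One defender-side check that follows from the DoH point above, as an added example for this digest (not code from the CISA advisory or from IndigoINT): hypervisor and vCenter hosts should only talk to the internal resolver, so any TLS session from them to a public DNS-over-HTTPS endpoint is worth a ticket even though the payload cannot be inspected. The flow-log format, the host inventory and the sample flows are constructed here, and the resolver list is an assumption to adapt to your environment.

```python
"""Flag vSphere management-plane hosts that open TLS sessions to public
DNS-over-HTTPS resolvers. Added example, not the advisory's own tooling."""
from collections import defaultdict

# Public resolvers that serve DoH on 443 (assumption: extend for your env).
DOH_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4",
                 "9.9.9.9", "149.112.112.112"}

# Assumption: asset-inventory tags for the virtualization layer.
HYPERVISOR_HOSTS = {"esxi-01", "esxi-02", "vcenter-01"}

# Constructed sample flows (not real telemetry):
# timestamp src_host src_ip dst_ip dst_port bytes
SAMPLE_FLOWS = """\
2025-12-02T03:14:07Z esxi-01 10.20.0.11 1.1.1.1 443 2150
2025-12-02T03:14:09Z esxi-01 10.20.0.11 10.20.0.5 53 120
2025-12-02T03:15:40Z wks-114 10.30.4.12 8.8.8.8 443 980
2025-12-02T03:16:02Z vcenter-01 10.20.0.20 9.9.9.9 443 4410
2025-12-02T03:16:30Z esxi-02 10.20.0.12 10.20.0.5 53 118
2025-12-02T04:01:11Z esxi-01 10.20.0.11 1.1.1.1 443 2203
"""


def parse_flow(line):
    """Split one flow-log line into a dict with typed port and byte count."""
    ts, host, src, dst, port, nbytes = line.split()
    return {"ts": ts, "host": host, "src": src, "dst": dst,
            "port": int(port), "bytes": int(nbytes)}


def find_hypervisor_doh(flows_text, hypervisors=HYPERVISOR_HOSTS,
                        resolvers=DOH_RESOLVERS):
    """Return {host: [flow, ...]} for management-plane hosts that opened a
    443 session to a public DoH resolver. Workstations are ignored here:
    DoH from them is common and is a policy question, not this check."""
    hits = defaultdict(list)
    for line in flows_text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        if f["host"] in hypervisors and f["port"] == 443 and f["dst"] in resolvers:
            hits[f["host"]].append(f)
    return dict(hits)


if __name__ == "__main__":
    for host, flows in find_hypervisor_doh(SAMPLE_FLOWS).items():
        print(f"{host}: {len(flows)} DoH session(s), first at {flows[0]['ts']}")
```

Repeated hits from the same host at a steady interval (esxi-01 in the sample) are the pattern to escalate, since a hypervisor has no legitimate reason to beacon to a public resolver.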
Classification:
Category: Nation-State / Cyber Espionage / Infrastructure Abuse
Verticals Impacted:
Government & Public Sector
Technology Companies
Critical Infrastructure & IT Service Providers
Type of Intel: ⚡ Operational / 🎯 Strategic
Noted TTPs:
Deployment of BRICKSTORM backdoor for long-term persistence
Stealthy command-and-control communications designed to evade detection
Cross-environment persistence (VMware vSphere + traditional IT systems)
Likely exploitation of external-facing vulnerabilities or supply-chain weaknesses
Emphasis on prolonged access rather than immediate payload delivery or disruption
🛠 Final Notes
We write these for the analyst trying to triage 20 open tabs, the blue-teamer who needs to pivot fast, and the CISO who wants to understand why this matters without reading 3 emails or articles. If you’re one of them, you’re why we’re here.
We’ll be publishing deep-dive reports, enriched IOCs and more for paid members. Need a complete system to track threats and streamline your intelligence workflow?
👉 Check out the IndigoINT Threat Intelligence Marketplace
❤️🔥 Remember, in the dark we are all the same. ❤️🔥
— Yasmine | IndigoINT
📝 Disclaimer
IndigoINT may use AI tools to assist with formatting, grammar, and low-level analysis support. All content is reviewed by a human analyst and undergoes internal peer review to ensure accuracy and integrity.
You may see slight formatting and content changes in the first few months; please be patient with us as we find just the right fit!