prc_state_sponsored_cyber_actors

People’s Republic of China (PRC) state-sponsored cyber actors attributed by CISA, NSA, and the Canadian Centre for Cyber Security to the BRICKSTORM malware activity. The activity targets primarily Government Services and Facilities and the Information Technology sector, with a strong focus on VMware vSphere environments (VMware vCenter servers and VMware ESXi platforms) as well as Windows environments. The actors have been observed maintaining long-term persistent access (noted in one case from at least April 2024 through September 2025), including deployment of BRICKSTORM to an internal VMware vCenter server and subsequent compromise of two domain controllers and an ADFS server, with export/theft of cryptographic keys and theft of Active Directory databases/credentials. Tactics, techniques, and procedures described include initial access via web shells on DMZ servers, followed by lateral movement using stolen credentials and RDP/SMB. BRICKSTORM is described as a custom-built ELF backdoor implemented in Go and Rust (multiple variants analyzed), providing comprehensive system control including interactive shell access, remote command execution, file upload/download and manipulation, directory listing, and in some variants SOCKS proxy functionality to facilitate lateral movement. Command-and-control is characterized by multiple layers of encryption and traffic blending/masquerading, including HTTPS, WebSockets, nested TLS, and DNS-over-HTTPS (including use of public DoH resolvers such as Cloudflare, Google, and Quad9), and the malware may mimic legitimate web server functionality. Persistence mechanisms described include self-watching/automatic reinstallation, modification of system init files, and PATH environment variable manipulation, including masquerading as legitimate VMware binaries; some variants leverage VSOCK interfaces for inter-VM communication and persistence in virtualized environments. Privilege escalation is noted via use of sudo on compromised systems.