January 17, 2026
The article reports that CISA, the NSA, and the Canadian Centre for Cyber Security updated their BRICKSTORM malware analysis with new indicators of compromise and detection signatures covering three additional samples, including new Rust-based variants. BRICKSTORM is described as a stealthy backdoor associated with PRC state-sponsored activity, primarily seen targeting VMware vSphere/vCenter environments (with reporting of Windows versions as well). In one documented intrusion, the actors maintained long-term access starting in April 2024, deployed BRICKSTORM to an internal VMware vCenter server, later accessed domain controllers and an ADFS server, and exported cryptographic keys—using the backdoor for persistence through at least September 3, 2025.
It also summarizes how the newer variants aim to be hard to remove: they can run as background services, “watch” for disruption and reinstall/restart themselves, and use stronger command-and-control methods (including encrypted WebSocket communications). The agencies encourage organizations—especially in government, critical infrastructure, and IT—to deploy the published IOCs and YARA-based detections, and to report suspected activity quickly. Operational mitigations highlighted include keeping VMware environments updated and hardened, maintaining strong visibility and inventories for edge systems, enforcing DMZ-to-internal segmentation (including disabling risky pathways like RDP/SMB from the DMZ), tightening privileged/service-account access, and limiting covert channels such as unauthorized DNS-over-HTTPS traffic.
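Two of the mitigations above (blocking RDP/SMB from the DMZ into the internal network, and limiting unauthorized DNS-over-HTTPS) can be checked against connection logs. The following is an added example, not code from the article or the agencies' advisory; it assumes a Zeek-style record format (ts src dst dport proto sni), an assumed DMZ range of 10.10.20.0/24, an assumed internal range of 10.0.0.0/16, and one sanctioned DoH client (the internal resolver at 10.0.5.53), with all sample records constructed.

```python
import ipaddress

# Constructed Zeek-style connection records (ts src dst dport proto sni); "-" means no TLS SNI.
SAMPLE_LOG = """\
1737100001 10.10.20.15 10.0.5.10 3389 tcp -
1737100002 10.10.20.15 10.0.5.20 445 tcp -
1737100003 10.0.7.44 8.8.8.8 443 tcp dns.google
1737100004 10.0.7.45 203.0.113.9 443 tcp updates.example.test
1737100005 10.0.5.53 9.9.9.9 443 tcp dns.quad9.net
"""

DMZ = ipaddress.ip_network("10.10.20.0/24")       # assumed DMZ range
INTERNAL = ipaddress.ip_network("10.0.0.0/16")    # assumed internal range
DMZ_BLOCKED_PORTS = {3389: "RDP", 445: "SMB", 139: "SMB"}
# Well-known public DoH resolver hostnames; extend with those relevant to your environment.
DOH_SNI = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}
# Hosts sanctioned to use DoH (assumed: the internal resolver that forwards upstream).
APPROVED_DOH_CLIENTS = {ipaddress.ip_address("10.0.5.53")}


def parse_record(line):
    """Split one whitespace-separated record into typed fields."""
    ts, src, dst, dport, proto, sni = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "dport": int(dport), "proto": proto, "sni": None if sni == "-" else sni}


def check_record(rec):
    """Return a list of (rule, detail) findings for one connection record."""
    findings = []
    # DMZ host reaching an internal host on a service that segmentation should block.
    if rec["src"] in DMZ and rec["dst"] in INTERNAL and rec["dport"] in DMZ_BLOCKED_PORTS:
        svc = DMZ_BLOCKED_PORTS[rec["dport"]]
        findings.append(("dmz_to_internal", f"{svc} {rec['src']} -> {rec['dst']}:{rec['dport']}"))
    # TLS session to a public DoH resolver from a host not sanctioned to use DoH.
    if rec["sni"] in DOH_SNI and rec["src"] not in APPROVED_DOH_CLIENTS:
        findings.append(("unauthorized_doh", f"{rec['src']} -> {rec['sni']}"))
    return findings


def scan_log(text):
    """Run both checks over every non-empty line of a log dump."""
    results = []
    for line in text.splitlines():
        if line.strip():
            results.extend(check_record(parse_record(line)))
    return results


if __name__ == "__main__":
    for rule, detail in scan_log(SAMPLE_LOG):
        print(f"[{rule}] {detail}")
```

On the constructed sample this flags the two DMZ-originated RDP/SMB connections and the DoH session from an unsanctioned workstation, while the internal resolver's own upstream DoH session is left alone.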