Chinese state-backed threat actors are using a custom backdoor to target government entities worldwide and maintain persistent access to their networks, according to cybersecurity officials in the United States and Canada.

The Cybersecurity and Infrastructure Security Agency, the National Security Agency, and Canada’s Cyber Centre released a joint advisory Thursday describing the BRICKSTORM malware, drawing on insights from eight samples obtained from victim entities.

CISA officials, speaking to reporters on Thursday, did not confirm whether BRICKSTORM had impacted federal agencies. Still, the advisory emphasized that Chinese state-backed cyber actors are actively using the malware against government and IT sector organizations.

CrowdStrike also published a BRICKSTORM advisory on Thursday, complementing the warnings from U.S. and Canadian authorities. The firm reported that the attackers “likely leveraged their foothold in a compromised network to perform rudimentary reconnaissance on a government organization in the Asia Pacific region.”

“BRICKSTORM is a sophisticated and stealthy backdoor malware linked to PRC state-sponsored cyber actors,” said CISA Executive Assistant Director for Cybersecurity Nick Andersen.

According to the advisory, organizations can use the included indicators of compromise and detection guidance to determine whether the campaign has impacted them. U.S. officials state that the malware enables “long-term persistence on victim systems.”

Fresh Install and Reboot 

According to the advisory, the actors behind the malware primarily target VMware vSphere and Windows platforms. Once inside a network, they harvest credentials and set up hidden virtual machines to maintain access.
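One concrete thing the hidden-VM persistence above gives a vSphere administrator to hunt for is a virtual machine whose configuration file sits on a datastore but which is not registered in vCenter's inventory. The script below is an added example, not code from the advisory, CISA or CrowdStrike: it diffs a datastore file listing against an inventory export. The listing and the inventory contents are constructed sample data; the `[datastore] folder/file.vmx` path form is the one vSphere itself uses for a VM's vmPathName.

```python
"""Find .vmx files present on datastores but absent from the vCenter inventory.

Added example (not from the advisory). Inputs are constructed sample data in
the shapes a practitioner would get from a datastore listing (for example
`govc datastore.ls -R` or the datastore browser) and from an inventory export
(the vmPathName that pyVmomi exposes as vm.config.files.vmPathName).
"""
import re
from typing import Iterable, List, Optional, Set

# Constructed datastore listing, not real data. One entry per file/folder.
DATASTORE_LISTING = """\
[datastore1] webapp01/webapp01.vmx
[datastore1] webapp01/webapp01.vmdk
[datastore1] dc02/dc02.vmx
[datastore1] .sdd.sf/
[datastore2] build-agent/build-agent.vmx
[datastore2] backup-tmp/backup-tmp.vmx
"""

# Constructed inventory export, not real data: every VM vCenter knows about.
INVENTORY = [
    {"name": "webapp01", "vmPathName": "[datastore1] webapp01/webapp01.vmx"},
    {"name": "dc02", "vmPathName": "[datastore1] dc02/dc02.vmx"},
    {"name": "build-agent", "vmPathName": "[datastore2] build-agent/build-agent.vmx"},
]

# Matches only VM configuration files: "[datastore] path/to/vm.vmx".
VMX_RE = re.compile(r"^\[(?P<ds>[^\]]+)\]\s+(?P<path>.+\.vmx)$", re.IGNORECASE)


def normalize(vmx_ref: str) -> Optional[str]:
    """Return a canonical, lower-cased "[ds] path.vmx" string, or None if the
    line is not a .vmx reference (vmdk, folders, junk)."""
    m = VMX_RE.match(vmx_ref.strip())
    if not m:
        return None
    return f"[{m.group('ds')}] {m.group('path')}".lower()


def datastore_vmx_paths(listing: str) -> Set[str]:
    """Every .vmx file that physically exists on the datastores."""
    found: Set[str] = set()
    for line in listing.splitlines():
        n = normalize(line)
        if n:
            found.add(n)
    return found


def inventory_vmx_paths(inventory: Iterable[dict]) -> Set[str]:
    """Every .vmx file that vCenter has a registered VM for."""
    found: Set[str] = set()
    for vm in inventory:
        n = normalize(vm["vmPathName"])
        if n:
            found.add(n)
    return found


def find_unregistered(listing: str, inventory: Iterable[dict]) -> List[str]:
    """VMs on disk that vCenter does not list: candidates for a hidden VM."""
    return sorted(datastore_vmx_paths(listing) - inventory_vmx_paths(inventory))


def find_dangling(listing: str, inventory: Iterable[dict]) -> List[str]:
    """Inventory entries whose .vmx is gone from disk (orphans; also worth a look)."""
    return sorted(inventory_vmx_paths(inventory) - datastore_vmx_paths(listing))


if __name__ == "__main__":
    for path in find_unregistered(DATASTORE_LISTING, INVENTORY):
        print("UNREGISTERED VM ON DISK:", path)
    for path in find_dangling(DATASTORE_LISTING, INVENTORY):
        print("INVENTORY ENTRY WITHOUT VMX:", path)
```

Two caveats when running this against a real environment: a VM registered directly on an ESXi host but never added to vCenter will not appear in a vCenter-side inventory export, so the host-level VM list should be compared as well, and any hit still has to be checked against change records before it is treated as hostile, since a half-finished migration or a forgotten template produces the same signal.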

“At the victim organization where CISA conducted an incident response engagement, PRC state-sponsored cyber actors gained long-term persistent access to the organization’s internal network in April 2024 and uploaded BRICKSTORM malware to an internal VMware vCenter server,” CISA explained.

“They also gained access to two domain controllers and an Active Directory Federation Services (ADFS) server. They successfully compromised the ADFS server and exported cryptographic keys.”

The advisory noted that while the analyzed samples differed in minor ways, each was built to preserve the actors' covert presence. The malware includes a “self-watching” capability that automatically reinstalls or restarts it if it is disrupted, supports several methods of managing files on the host, and in some variants enables lateral movement to other machines.

Alerts From the Private Sector 

According to CrowdStrike, BRICKSTORM has been involved in “multiple intrusions” against VMware vCenter systems at organizations in the United States during 2025. In one incident, the Chinese threat actors had been inside the network since at least 2023.

While CISA declined to address questions about possible data theft from the victims it handled, CrowdStrike stated that it had repeatedly seen the attackers staging information for exfiltration.

“The adversary primarily targets entities in North America and consistently maintains persistent, covert access to compromised networks, likely to support intelligence-collection efforts aligned with PRC strategic interests,” CrowdStrike explained, adding that the hackers behind BRICKSTORM “will likely maintain their intelligence-collection operations in the near to long term.”

In a report published in September, Mandiant said it had responded to multiple BRICKSTORM incidents since March 2025, with victims spanning legal practices, software-as-a-service platforms, and technology firms.