BRICKSTORM Threat Hunting Guides

Comprehensive resources for detecting advanced persistent threats targeting enterprise environments

Based on the latest threat intelligence from Mandiant's comprehensive BRICKSTORM analysis, published September 2025. Please note: check all recommendations against your environment specifics. Some commands will require you to rewrite them to be effective.

QuickStart Guide

Essential hunting procedures designed for immediate threat detection and assessment. Covers critical steps that can be completed in 30-60 minutes.

• Appliance inventory and risk assessment
• Targeted malware scanning procedures
• Network traffic analysis techniques
• Enterprise application security audit
Download QuickStart Guide

Complete Hunting Guide

Comprehensive threat hunting procedures with detailed technical instructions, safety considerations, and operational impact assessments.

• Nine detailed hunting procedures
• Business impact and safety warnings
• Step-by-step technical instructions
• Free tools and implementation guidance
Download Complete Guide

Incident Response Support

If you discover evidence of compromise during your hunting activities, immediately cease threat hunting procedures and contact your incident response provider using out-of-band communication methods.

If you do not have an incident response provider or need professional assistance for this type of attack, please contact our team:

24/7 Incident Response: (949) 832-6925

Intruvent Technologies

© 2025 Intruvent Technologies | www.intruvent.com

Critical Backdoor / Implant TLP:CLEAR CISA Verified

BRICKSTORM is a Tool, Not a Threat Actor

BRICKSTORM is a multi-platform backdoor implant used by the Chinese state-sponsored threat group known as UNC5221 (also tracked as Warp Panda). This page provides technical details about the malware itself. For information about the threat actors deploying this tool, visit the Warp Panda Threat Actor Profile.

• Type: Backdoor
• Platforms: Linux & Windows
• Primary Target: VMware vCenter
• Attribution: China (PRC)
• Source: CISA AR25-338A

2 Technical Overview

BRICKSTORM is a sophisticated multi-platform backdoor written in Go, designed for long-term persistent access to enterprise virtualization infrastructure. First observed in April 2024, the implant has evolved through multiple variants targeting both Linux (vCenter/ESXi) and Windows environments. The malware employs novel techniques including DNS-over-HTTPS (DoH) for command-and-control communications and VSOCK tunneling for lateral movement between virtual machines.

Extended Dwell Time Observed

CISA analysis revealed BRICKSTORM implants maintained persistent access for an average of 393 days before detection, with some compromises spanning from April 2024 through September 2025. Organizations using VMware vCenter should prioritize hunting for this threat.

🔓 Initial Access

  • CVE-2023-46805 (Ivanti Connect Secure)
  • CVE-2024-21887 (Ivanti Auth Bypass)
  • Compromised edge appliances
  • Valid credential abuse

🔧 Core Capabilities

  • File upload/download operations
  • Command shell execution
  • SOCKS proxy tunneling
  • VSOCK inter-VM communication

📡 C2 Communications

  • DNS-over-HTTPS (DoH) tunneling
  • Cloud provider infrastructure (1.1.1.1, 8.8.8.8)
  • Nested encryption layers
  • Traffic blending with legitimate DNS

💾 Persistence Mechanisms

  • Self-monitoring persistence ("self-watching")
  • Boot initialization scripts
  • PATH environment hijacking
  • VMware service integration

3 Platform Variants

Linux Variant

vCenter & ESXi Targeted

  • Target: VMware vCenter Server Appliance
  • Persistence: /etc/rc.local.d/, systemd services
  • Unique Feature: VSOCK inter-VM tunneling
  • Binary Location: /usr/lib/vmware-*, /opt/vmware/

Windows Variant

Enterprise Workstations

  • Target: Domain-joined workstations
  • Persistence: Scheduled tasks, Run keys
  • Unique Feature: Junction folder evasion
  • Binary Location: %APPDATA%\, %PROGRAMDATA%\

4 Campaign Timeline

April 2024

First Observed Deployment

Initial BRICKSTORM implants deployed via compromised Ivanti Connect Secure appliances (CVE-2023-46805, CVE-2024-21887)

June 2024

VMware vCenter Targeting

Threat actors pivot from edge devices to internal VMware infrastructure, establishing persistent access

Q3-Q4 2024

Windows Variant Emerges

Multi-platform capabilities expanded with Windows-specific variant using scheduled task persistence

December 2024

CISA Analysis Report

CISA publishes AR25-338A detailing BRICKSTORM TTPs, IOCs, and detection guidance

Ongoing

Active Threat

BRICKSTORM deployments continue with evidence of tool evolution and expanded targeting

5 Detection Priorities

The following detection opportunities provide the highest-confidence indicators of BRICKSTORM compromise. For complete detection rules and hunting procedures, download the full hunting guide.

High-priority detection: DNS-over-HTTPS C2 communication. Look for vCenter processes making DoH connections (replace vcenter_servers with the literal list of your vCenter addresses; the IN operator does not expand a named list):

index=network sourcetype=firewall
| where dest_port=443 AND dest IN ("1.1.1.1", "8.8.8.8", "8.8.4.4")
| where src_ip IN (vcenter_servers)
| where uri_path LIKE "%dns-query%"
| stats count by src_ip, dest, uri_path

Self-watching persistence detection (a separate search against your process telemetry; substitute the index that holds it):

index=<your_endpoint_index>
| search process_name="*brickstorm*" OR parent_process_respawns > 3

• CRITICAL: DNS-over-HTTPS from vCenter to public resolvers
• CRITICAL: Self-respawning processes in VMware directories
• HIGH: VSOCK connections from ESXi hypervisor layer
• HIGH: PATH environment modification in /etc/profile.d/
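As an added example (not code from Intruvent or the hunting guide), the two CRITICAL detections above run as plain Python over constructed log lines, for environments without a SIEM query language. The vCenter address, the key=value log format and the process paths are assumptions; only the resolver IPs and VMware directories come from the page.

```python
"""Added example: the page's two CRITICAL detections run over constructed log lines.
Not Intruvent's tooling. All IPs, paths and the key=value log format are assumptions."""
from collections import Counter

PUBLIC_DOH = {"1.1.1.1", "8.8.8.8", "8.8.4.4"}       # resolvers named on this page
VCENTER_SERVERS = {"10.0.5.10"}                      # constructed: replace with your vCenter IPs
VMWARE_DIRS = ("/usr/lib/vmware-", "/opt/vmware/")   # binary locations named on this page
RESPAWN_THRESHOLD = 3                                # page's "parent_process_respawns > 3"


def parse_kv(line):
    """Parse a 'key=value key=value' line (constructed format) into a dict."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def doh_from_vcenter(lines):
    """(src_ip, dest, uri_path) for each vCenter -> public resolver DoH request."""
    hits = []
    for ev in map(parse_kv, lines):
        if (ev.get("src_ip") in VCENTER_SERVERS and ev.get("dest") in PUBLIC_DOH
                and ev.get("dest_port") == "443" and "dns-query" in ev.get("uri_path", "")):
            hits.append((ev["src_ip"], ev["dest"], ev["uri_path"]))
    return hits


def self_watching_respawns(lines):
    """{(parent, path): starts} for VMware-directory binaries restarted more than the threshold."""
    counts = Counter()
    for ev in map(parse_kv, lines):
        path = ev.get("path", "")
        if ev.get("event") == "process_start" and path.startswith(VMWARE_DIRS):
            counts[(ev.get("parent", ""), path)] += 1
    return {k: n for k, n in counts.items() if n > RESPAWN_THRESHOLD}


FIREWALL_LOG = [  # constructed firewall events
    "src_ip=10.0.5.10 dest=1.1.1.1 dest_port=443 uri_path=/dns-query",
    "src_ip=10.0.5.10 dest=10.0.0.53 dest_port=53 uri_path=-",        # ordinary internal DNS
    "src_ip=10.0.9.7 dest=8.8.8.8 dest_port=443 uri_path=/dns-query",  # DoH, but not a vCenter host
    "src_ip=10.0.5.10 dest=8.8.4.4 dest_port=443 uri_path=/",          # HTTPS to a resolver, not DoH
]
PROCESS_LOG = [  # constructed process-start events; one parent restarts the same child 4 times
    "event=process_start parent=/usr/lib/vmware-demo/supervisor path=/opt/vmware/bin/demo-service",
    *(["event=process_start parent=/usr/lib/vmware-demo/watcher path=/usr/lib/vmware-demo/agent"] * 4),
]

if __name__ == "__main__":
    print(doh_from_vcenter(FIREWALL_LOG))
    print(self_watching_respawns(PROCESS_LOG))
```

Point the two functions at your own exported firewall and process-start logs; a legitimate VMware watchdog restarting a crashed service can also exceed the threshold, so treat respawn hits as leads to verify against the binary's path and hash rather than as confirmed compromise.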

Hunt for BRICKSTORM in Your Environment

Download the complete threat hunting guide with 13 detection modules, YARA rules, and step-by-step procedures for your SOC team.