
BRICKSTORM backdoor persistent-access activity against VMware vCenter and Windows environments

Malware Activity
Happening score: 28
1 unique source, 1 article

Summary


BRICKSTORM is being used by PRC state-sponsored actors for persistent access in government and information technology organizations, increasing the risk of stealthy compromise across VMware vSphere / vCenter and Windows environments. The malware's ability to hide its communications and move laterally makes it harder to detect and contain. Its built-in resilience also helps it survive disruption and maintain access.

Related Happenings

Remcos RAT variant with real-time surveillance and evasion

Malware Activity
First: 19.02.2026 18:30 Last: 19.02.2026 18:30 Sources 1

About this happening: A newly observed **Remcos RAT** variant now enables **real-time surveillance** on compromised **Windows** systems, increasing the risk of immediate **webcam monitoring** and **liv...

BRICKSTORM backdoor activity and GRIMBOLT replacement on appliances

Malware Activity
First: 18.02.2026 12:32 Last: 18.02.2026 12:32 Sources 1

About this happening: **BRICKSTORM** is a **Golang backdoor** used by **PRC state-sponsored actors** to keep **long-term persistence** on **VMware vSphere**, **Windows**, and appliance environments. **...

UNC6201 Dell RecoverPoint for Virtual Machines zero-day campaign

Campaign
First: 17.02.2026 22:15 Last: 17.02.2026 22:15 Sources 1

About this happening: The **UNC6201** campaign has been exploiting a **Dell zero-day** since **mid-2024**, creating a sustained risk of unauthorized access and stealthy movement across victims' virtual...

Latest development: 19.02.2026 17:30

CISA added CVE-2026-22769 to its Known Exploited Vulnerabilities catalog and ordered Federal Civilian Executive Branch agencies to secure affected Dell RecoverPoint systems by Saturday, February 21, after Mandiant and Google Threat Intelligence Group (GTIG) said UNC6201 had exploited the flaw since at least mid-2024.

Warp Panda North American legal, technology and manufacturing espionage campaign

Campaign
First: 05.12.2025 16:30 Last: 05.12.2025 16:30 Sources 1

About this happening: Warp Panda is running a **sophisticated cyber-espionage campaign** against **North American legal, technology and manufacturing firms**, maintaining **persistent covert access** t...

Warp Panda Brickstorm VMware vCenter targeting campaign

Campaign
First: 04.12.2025 20:19 Last: 04.12.2025 20:19 Sources 1

About this happening: A **Warp Panda** targeting campaign using **Brickstorm** reached **VMware vCenter** servers on the networks of **U.S. legal, technology, and manufacturing companies** throughout *...

Timeline

  1. 04.12.2025 14:00 2 articles · 5mo ago

    CISA, NSA, and Cyber Centre release BRICKSTORM analysis

    Technical Analysis Update

    CISA, the National Security Agency, and the Canadian Centre for Cyber Security released a malware analysis report on BRICKSTORM, a backdoor linked to People’s Republic of China state-sponsored actors and used against VMware vSphere, VMware vCenter servers, and Windows environments. The report includes indicators of compromise, detection signatures, CISA-developed YARA and SIGMA rules, and mitigation guidance for critical infrastructure owners and operators, including network segmentation, edge-device inventory and monitoring, and implementation of Cross-Sector Cybersecurity Performance Goals.
