NuHarbor Security Blog
December 5, 2025

BRICKSTORM: PRC Activity (What Public Sector Teams Need to Know)

Justin Fimlaid

The BRICKSTORM malware campaign, attributed to Chinese state-sponsored threat actors and detailed in a joint CISA, NSA, and FBI advisory on December 4, 2025, represents the latest evolution in a long-running cyber-espionage operation targeting public-sector entities and their technology providers. While the tools and techniques are sophisticated, what’s most notable is that this campaign is not new—it is a continuation and refinement of tactics observed as early as 2022 and later tracked by Mandiant under threat clusters UNC3886 and UNC5221.

These actors specialize in exploiting systems often overlooked by traditional endpoint security tools, such as hypervisors, firewall appliances, and remote access infrastructure. BRICKSTORM builds on known behaviors: deploying custom malware on edge appliances, using DNS-over-HTTPS (DoH) for stealthy command-and-control, and harvesting credentials for long-term persistence and access into cloud environments.

Reports from Google Cloud's Mandiant and third-party threat intelligence sources including Proofpoint and NVISO reinforce that this isn’t a novel campaign—but rather a maturing one, benefiting from a lack of patch hygiene and insufficient logging in high-privilege infrastructure. Public-sector leaders should treat this as a wake-up call to hunt for existing compromise and harden often-neglected systems.

Why Public Sector Leaders Should Care

The December 4, 2025 joint alert from CISA, NSA, and the FBI makes it clear: the BRICKSTORM malware campaign is a methodical, state-sponsored effort to infiltrate the backbone of public-sector infrastructure. By targeting virtualization platforms, edge devices, and cloud environments rather than traditional endpoints, the attackers bypass the layers where most detection tooling lives and maintain persistent, covert access to critical systems. This threat is not speculative. It is active, ongoing, and directed at the systems governments rely on to deliver public services and protect sensitive data. With U.S. government and defense entities explicitly named as targets, the campaign underscores how foreign intelligence services are prioritizing the public sector for long-term espionage and operational disruption. This is not merely an IT concern; it is a strategic risk to national security, continuity of government, and the trust placed in public institutions.

Industry Verticals Affected

The BRICKSTORM malware campaign is impacting multiple critical segments across the public and IT sectors. Based on the CISA alert and supporting intelligence, targeted and at-risk industries include:

  • Federal civilian agencies – Including departments with sensitive data and national security functions.
  • Defense Industrial Base (DIB) – Contractors supporting U.S. military and defense logistics operations.
  • Managed Service Providers (MSPs) – Especially those offering remote access, virtualization, and IT support for government clients.
  • Cloud Service Providers – Platforms hosting critical workloads and identity infrastructure for public-sector customers.
  • Critical infrastructure sectors – Such as energy, emergency services, and transportation, particularly where IT and OT systems intersect.
  • Educational and research institutions – Often targeted for access to defense grants, sensitive research, and trusted network paths into government environments.

This campaign’s breadth illustrates its strategic intent: to quietly infiltrate and persist within the digital supply chains of government services.

How to Identify If You're Under Attack

Based on the U.S. Department of Defense Malware Analysis Report on BRICKSTORM, security teams should investigate the following signs of compromise:

  • DLL Sideloading Activity: Look for suspicious DLLs being loaded by legitimate Windows binaries like mscorsvw.exe. This is a core technique BRICKSTORM uses to evade detection.
  • Encrypted Payload Execution: Unusual use of encrypted payloads residing in ProgramData or non-standard file paths, especially if triggered via scheduled tasks.
  • C2 Communication Over HTTPS: Outbound HTTPS traffic using custom headers or high-entropy strings, particularly with strange or uncommon user-agent values. Because BRICKSTORM uses DNS-over-HTTPS for its C2 path, the name lookups will not appear in internal DNS logs; hunt in proxy, firewall, and TLS metadata instead.
  • Persistence Mechanisms: Registry modifications that establish persistence—check for abnormal entries related to startup or run keys.
  • Anomalous Scheduled Tasks: Tasks with obscure names or file paths pointing to hidden directories (e.g., C:\ProgramData\), possibly created with system-level privileges.
  • Timestomping Behavior: Files with creation or modification timestamps that don’t match execution or installation timelines.
  • Edge and Virtual Infrastructure Exploitation: Unusual behavior or authentication attempts on devices like VMware ESXi, Citrix ADC, Fortinet firewalls, and similar infrastructure—especially those lacking endpoint detection coverage.
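The host-level signals in the list above are the kind of thing a hunt team scripts once and reruns across exported EDR, Sysmon, scheduled-task and proxy data. The Python below is an added example written for this article; it is not code from NuHarbor, CISA, or the DoD malware report. It turns five of the signals (DLL sideloading by mscorsvw.exe, scheduled tasks and Run keys pointing into ProgramData, odd user-agents or high-entropy header values on outbound HTTPS, and timestomped files) into heuristics over a constructed telemetry sample. Every host name, path, task name, domain and user-agent in SAMPLE_TELEMETRY is hypothetical and is not a BRICKSTORM indicator; the real IOCs belong in your SIEM alongside this behavioural logic, not in place of it.

```python
"""Host-triage heuristics for the BRICKSTORM signals listed above.
Added example, not code from NuHarbor, CISA or the DoD MAR. Every record in
SAMPLE_TELEMETRY is constructed: the paths, task names, hosts and user-agents
are hypothetical, not indicators. Map real EDR/Sysmon exports onto the same dicts."""
import math
from collections import Counter
from datetime import datetime, timedelta

# Directories the .NET runtime legitimately loads into mscorsvw.exe from.
TRUSTED_DLL_DIRS = ("c:\\windows\\microsoft.net\\", "c:\\windows\\system32\\", "c:\\windows\\winsxs\\")
DROP_DIRS = ("c:\\programdata\\", "c:\\users\\public\\")   # payload staging directories
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")
EXPECTED_UA_PREFIXES = ("mozilla/", "microsoft-cryptoapi/", "windows-update-agent")
ENTROPY_THRESHOLD = 4.0         # bits/char; random tokens of 16+ chars exceed this
STOMP_GAP = timedelta(days=30)  # claimed creation this far before first sighting is suspect

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def _ts(s: str) -> datetime:  # ISO-8601 UTC, e.g. 2025-11-20T08:15:00.481Z
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def check_image_load(ev):
    """Sideloading: mscorsvw.exe pulling a DLL from outside the .NET/system dirs."""
    if (ev["process"].lower() == "mscorsvw.exe"
            and not ev["dll_path"].lower().startswith(TRUSTED_DLL_DIRS)):
        return f"dll sideload: mscorsvw.exe loaded {ev['dll_path']} on {ev['host']}"
    return None

def check_scheduled_task(ev):
    """Task whose action lives in a staging directory; report the account it runs as."""
    if ev["action"].lower().startswith(DROP_DIRS):
        return (f"scheduled task '{ev['name']}' runs {ev['action']} "
                f"as {ev.get('run_as', '?')} on {ev['host']}")
    return None

def check_run_key(ev):
    """Run/RunOnce value whose command points into a staging directory."""
    if (any(k in ev["key"].lower() for k in RUN_KEYS)
            and ev["data"].lower().lstrip('"').startswith(DROP_DIRS)):
        return f"run-key persistence: {ev['key']}\\{ev['value']} -> {ev['data']} on {ev['host']}"
    return None

def check_https(ev):
    """Uncommon user-agent, or a custom header carrying a high-entropy token."""
    reasons = []
    if not ev.get("user_agent", "").lower().startswith(EXPECTED_UA_PREFIXES):
        reasons.append(f"unusual user-agent {ev.get('user_agent')!r}")
    for name, value in ev.get("headers", {}).items():
        if len(value) >= 16 and shannon_entropy(value) > ENTROPY_THRESHOLD:
            reasons.append(f"high-entropy header {name} ({shannon_entropy(value):.2f} bits/char)")
    return f"https c2 candidate {ev['host']} -> {ev['dest']}: {'; '.join(reasons)}" if reasons else None

def check_timestomp(ev):
    """Creation time far older than the file's first sighting in telemetry, or a zero
    sub-second creation field (stomping tools often write whole seconds; real NTFS
    timestamps almost never land on exactly .000000)."""
    created, first_seen = _ts(ev["created"]), _ts(ev["first_seen"])
    if first_seen - created > STOMP_GAP:
        return f"timestomp: {ev['path']} claims creation {created:%Y-%m-%d}, first seen {first_seen:%Y-%m-%d}"
    if created.microsecond == 0:
        return f"timestomp: {ev['path']} has a zero sub-second creation time"
    return None

CHECKS = {"image_load": check_image_load, "scheduled_task": check_scheduled_task,
          "registry": check_run_key, "https": check_https, "file": check_timestomp}

def triage(events):
    """Run the check matching each event's type; return the list of findings."""
    return [hit for hit in (CHECKS[ev["type"]](ev) for ev in events) if hit]

SAMPLE_TELEMETRY = [  # constructed events; benign and suspicious records side by side
    {"type": "image_load", "host": "fs01", "process": "mscorsvw.exe",
     "dll_path": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll"},
    {"type": "image_load", "host": "fs01", "process": "mscorsvw.exe",
     "dll_path": r"C:\ProgramData\Example\mscorsvc.dll"},
    {"type": "scheduled_task", "host": "fs01", "name": r"\OneSync",
     "action": r"C:\ProgramData\Example\update.exe", "run_as": "SYSTEM"},
    {"type": "registry", "host": "ws22", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Updater", "data": r"C:\ProgramData\Example\update.exe"},
    {"type": "https", "host": "ws22", "dest": "example.net:443",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "headers": {}},
    {"type": "https", "host": "fs01", "dest": "example.org:443",
     "user_agent": "wget/1.0", "headers": {"X-Session": "q9Zp3Kx1Lm7Rt2Vw8Yb4Nc6Hj0Fd"}},
    {"type": "file", "host": "fs01", "path": r"C:\ProgramData\Example\update.exe",
     "created": "2019-03-02T10:00:00Z", "first_seen": "2025-11-20T08:15:00Z"},
    {"type": "file", "host": "ws22", "path": r"C:\Users\Public\notes.txt",
     "created": "2025-11-18T09:30:12.481Z", "first_seen": "2025-11-18T09:30:12.481Z"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_TELEMETRY):
        print(finding)
```

Running the script prints one finding per suspicious record and nothing for the benign ones. The heuristics are deliberately loose: the user-agent allow-list and the trusted DLL directories must be tuned to your own estate before the output is worth paging anyone on, and a hit is a lead to pivot on (what wrote that file, what else did the task's account touch), not a verdict. The timestomp check is the weakest of the five and is only meaningful when the "first seen" time comes from a source the attacker could not edit, such as EDR or a central task-creation log.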

Immediate Actions

If you suspect BRICKSTORM activity or operate vulnerable infrastructure, take the following steps without delay:

  • Prioritize Threat Hunting: Focus efforts on virtualized and edge devices (e.g., VMware ESXi, Citrix ADC, Fortinet appliances), which are prime BRICKSTORM targets.
  • Isolate Suspicious Systems: Immediately quarantine hosts showing signs of DLL sideloading, odd scheduled tasks, or unexplained encrypted outbound traffic.
  • Do Not Rely on Reboots: BRICKSTORM maintains persistence; rebooting will not eliminate the threat. Deep clean or rebuild compromised systems.
  • Update Detection Tools: Ingest the latest IOCs and YARA rules from CISA’s Dec 4 alert and the DoD’s malware report into your SIEM and EDR platforms.
  • Reset Compromised Credentials: Rotate passwords and secrets tied to potentially impacted service accounts and privileged user sessions, including the hypervisor, edge-appliance, and cloud identities reachable from those systems. Do this after the affected hosts are contained or rebuilt; credentials reset on a still-compromised system are simply harvested again.
  • Review Scheduled Tasks and Registry Keys: Check for newly created or modified tasks, especially those pointing to ProgramData or using obscure filenames.
  • Report Confirmed Incidents: Notify CISA or your sector’s ISAC to contribute to the broader collective defense. Timely reporting helps others avoid the same fate.

Wrap Up

BRICKSTORM isn’t a debut; it’s a calculated escalation in a campaign we’ve been tracking closely. Earlier this year, we anticipated a rocky close to 2025 as the Chinese government wraps up its 14th Five-Year Plan, and if recent activity is any indication, they intend to finish strong. This latest wave of attacks reflects a strategic push to consolidate cyber intelligence gains across government, tech, and critical infrastructure. Public-sector leaders should view BRICKSTORM not as a one-off threat, but as a signal: adversaries are evolving their playbook and targeting the seams in hybrid environments. Now is the time to harden your edge, align teams around persistent detection, and lean into threat intelligence collaboration.

Additional References

  1. CISA Alert (AA25-339A) – PRC State-Sponsored Actors Use BRICKSTORM Malware Across Public Sector and Information Technology, https://www.cisa.gov/news-events/alerts/2025/12/04/prc-state-sponsored-actors-use-brickstorm-malware-across-public-sector-and-information-technology 
  2. U.S. Department of Defense Malware Analysis Report – BRICKSTORM Backdoor Technical Report (MAR-10523754-1.v1), https://media.defense.gov/2025/Dec/04/2003834878/-1/-1/0/MALWARE-ANALYSIS-REPORT-BRICKSTORM-BACKDOOR.PDF
  3. CrowdStrike Intelligence Updates (Week of Dec 1–4, 2025) – Coverage of recent China-nexus actor trends and evolving tactics.
  4. Recorded Future Threat Intelligence (Dec 2025 Weekly Update) – Summary of persistent threats from Chinese APT groups and supply chain risks.
  5. Palo Alto Networks Unit 42 – Historic reporting on Chinese cyber operations tied to state-backed economic goals.
  6. CERT-EU Flash Update (Dec 2025) – Public-sector specific indicators and targeting analysis related to BRICKSTORM.
  7. 14th Five-Year Plan of the People’s Republic of China (2021–2025) – Public documentation and analysis of strategic objectives in emerging technology, cyber capability, and national security influence.
  8. NuHarbor Security — China’s 14th Five-Year Plan Ends This Year: A Guide for Public Sector Cybersecurity Leaders, https://www.nuharborsecurity.com/blog/chinas-14th-five-year-plan-ends-this-year-a-guide-for-public-sector-cybersecurity-leaders  

If you need support strengthening detection and response for campaigns like BRICKSTORM, consult with the experts at NuHarbor.


Justin Fimlaid

Justin (he/him) is the founder and CEO of NuHarbor Security, where he continues to advance modern integrated cybersecurity services. He has over 20 years of cybersecurity experience, much of it earned while leading security efforts for multinational corporations, most recently serving as global CISO at Keurig Green Mountain Coffee. Justin serves multiple local organizations in the public interest, including his board membership at Champlain College.
