CISA has published an alert warning that People’s Republic of China (PRC) state-sponsored hackers are actively deploying BRICKSTORM, a sophisticated backdoor designed for long-term persistence across VMware vSphere and Windows environments. BRICKSTORM targets organizations in both the Information Technology (IT) sector and the Government Services and Facilities sector, providing attackers with stealthy, durable access supported by layered encryption, Domain Name System over Hypertext Transfer Protocol Secure (DNS over HTTPS, DoH), and a built-in SOCKS proxy for lateral movement and tunneling. The malware is engineered for resilience, with self-monitoring features that reinstall or restart it if disrupted.

Intrusions have involved varied initial access vectors; in one confirmed case, attackers compromised a demilitarized zone (DMZ) web server, pivoted to vCenter, and implanted BRICKSTORM. Once inside, they harvest legitimate credentials, often from system backups or stolen Active Directory (AD) data, then exploit VMware platforms by exfiltrating virtual machine (VM) snapshots and spinning up hidden rogue VMs to evade detection.

CISA urges defenders to hunt for intrusions using its YARA and Sigma rules, block unauthorized DoH, closely monitor network-edge devices, and enforce strict segmentation between the DMZ and internal networks. For more information, refer to the publication.
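One of the recommended mitigations, blocking unauthorized DoH, is only as good as the visibility behind it. The following is an added example (not part of the CISA alert or its detection rules) that scans constructed proxy log lines for DoH use and flags resolvers that are not on an organization's allowlist. The log format, the `doh.corp.example` allowlist entry and the field names are assumptions for illustration; the public resolver hostnames and IPs, the `/dns-query` path and the `application/dns-message` media type are the real RFC 8484 conventions.

```python
"""Flag DNS-over-HTTPS (DoH) traffic to resolvers outside an allowlist.

Added example, not from the CISA alert. Parses constructed proxy log lines
(format assumed) and reports DoH use that bypasses the sanctioned resolver.
"""
import re
from dataclasses import dataclass

# Well-known public DoH endpoints (real hostnames/IPs) and RFC 8484 markers.
KNOWN_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net", "doh.opendns.com"}
KNOWN_DOH_IPS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}
DOH_PATH = "/dns-query"
DOH_CONTENT_TYPE = "application/dns-message"

# Resolver the organization sanctions (assumed, constructed hostname).
ALLOWED_DOH_HOSTS = {"doh.corp.example"}

# Assumed log layout: one request per line, key=value fields from a
# TLS-inspecting proxy (sni, path and ctype are empty when not observed).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+):(?P<port>\d+) "
    r"sni=(?P<sni>\S*) path=(?P<path>\S*) ctype=(?P<ctype>\S*)$"
)


@dataclass
class Finding:
    src: str
    dst_host: str
    reason: str


def classify(line: str):
    """Return a Finding for unauthorized DoH, or None if the line is clean."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable lines are ignored, not silently flagged
    d = m.groupdict()
    host = d["sni"] or d["dst"]
    reasons = []
    if host in KNOWN_DOH_HOSTS or d["dst"] in KNOWN_DOH_IPS:
        reasons.append("known public DoH resolver")
    if d["path"].startswith(DOH_PATH):
        reasons.append("RFC 8484 /dns-query path")
    if d["ctype"] == DOH_CONTENT_TYPE:
        reasons.append("application/dns-message content type")
    if not reasons:
        return None  # ordinary HTTPS, nothing DoH-specific observed
    if host in ALLOWED_DOH_HOSTS:
        return None  # sanctioned resolver, not a finding
    return Finding(d["src"], host, "; ".join(reasons))


def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in (classify(line) for line in lines) if f]


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2025-01-01T10:00:00Z src=10.0.5.12 dst=8.8.8.8:443 sni=dns.google "
    "path=/dns-query ctype=application/dns-message",
    "2025-01-01T10:00:01Z src=10.0.5.12 dst=10.0.0.53:443 sni=doh.corp.example "
    "path=/dns-query ctype=application/dns-message",
    "2025-01-01T10:00:02Z src=10.0.7.4 dst=203.0.113.9:443 sni=www.example.org "
    "path=/index.html ctype=text/html",
    "2025-01-01T10:00:03Z src=10.0.9.2 dst=198.51.100.7:443 sni=cdn.example.net "
    "path=/dns-query ctype=application/dns-message",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.src} -> {f.dst_host}: {f.reason}")
```

The fourth sample line matters most: a self-hosted DoH endpoint never appears on a public resolver list, so the path and media-type checks are what catch it, and those are visible only where the proxy terminates TLS. Without TLS inspection, the hostname and IP checks are the whole signal, which is one argument for the alert's advice to block DoH by policy rather than relying on detection alone.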