BRICKSTORM Malware Exploits VMware vSphere: New Attacks Demand Urgent Hardening
BRICKSTORM Malware Exploits VMware vSphere: New Attacks Demand Urgent Hardening
Breaking: A sophisticated malware campaign dubbed BRICKSTORM is actively targeting VMware vSphere environments, with attackers gaining persistence at the virtualization layer—beneath the reach of traditional security tools. Researchers from Google Threat Intelligence Group (GTIG) disclosed the campaign in a new report, warning that the threat actor exploits weak security architecture rather than software vulnerabilities.
“The attacker is not exploiting a zero-day in VMware products,” said Stuart Carrera, a security analyst at Mandiant who contributed to the analysis. “Instead, they are leveraging common misconfigurations in identity design and insufficient monitoring within the vCenter and ESXi control planes.”
How BRICKSTORM Works
According to the GTIG report, BRICKSTORM targets the vCenter Server Appliance (VCSA) and ESXi hypervisors. Once inside, the malware establishes administrative control over the entire virtualized infrastructure, including all managed hosts and virtual machines.

“Because the VCSA is a purpose-built appliance running on Photon Linux, standard endpoint detection and response (EDR) agents cannot operate there,” Carrera explained. “This creates a visibility gap that attackers exploit for long-term persistence.”
Background: The vCenter Attack Surface
The VCSA acts as the central trust point for the vSphere ecosystem. It often hosts Tier-0 workloads, such as domain controllers and privileged access management solutions. Compromising the VCSA gives an attacker control over all ESXi hosts and VMs, effectively bypassing traditional security tiers.

“This is not a vulnerability in VMware products; it’s a failure of security architecture,” Carrera emphasized. “Organizations must treat the virtualization control plane as a Tier-0 asset and harden it accordingly.”
Mandiant has released a vCenter Hardening Script that automates many of the recommended configurations directly at the Photon Linux layer. The script is designed to enforce security controls that block BRICKSTORM-style attacks.
What This Means for Defenders
The BRICKSTORM campaign underscores a critical blind spot in enterprise security: the virtualization layer. Traditional defenses focus on guest operating systems, but attacks that operate beneath them evade detection.
“Organizations need to reassess their security posture,” Carrera said. “Default vSphere configurations are not enough. You need custom hardening at both the vSphere and Photon Linux layers to achieve a Tier-0 standard.”
Key recommendations include implementing host-based configuration enforcement, enhancing monitoring of the VCSA and ESXi control planes, and applying the Mandiant hardening script. The script can be deployed via automated pipelines.
“We are moving from a world where we trusted the hypervisor implicitly to one where we must actively defend it,” Carrera concluded. “BRICKSTORM is a wake-up call.”
Related Articles
- Benchmarking Mythos: A Powerful Tool for Code Audits but Lacking in Exploit Validation
- Safeguarding OpenClaw: A Practical Security Guide for the CVE-2026-33579 Privilege Escalation Vulnerability
- ShinyHunters Strikes Instructure Again: Hundreds of College Canvas Portals Defaced in Extortion Spree
- How to Protect Yourself from Fake Call History Apps That Drain Your Wallet
- Inside the Scattered Spider Cyberattack: A Step-by-Step Guide to Understanding Their Tactics and Defending Against SIM-Swap Phishing
- 10 Alarming Truths About AI-Generated Code and Autonomous Threats
- The Downfall of 'Tylerb': Inside the Scattered Spider Cybercrime Kingpin's Guilty Plea
- 10 Critical Facts About the TeamPCP Supply Chain Attack That Weaponized LiteLLM