PRC State-Sponsored Hackers Use BRICKSTORM Malware, Warns Joint Advisory
Western cybersecurity agencies are warning that hackers linked to the People’s Republic of China are deploying a stealthy malware strain to maintain long-term access to government and critical infrastructure networks.
The warning comes in a joint advisory issued by the US Cybersecurity and Infrastructure Security Agency, the National Security Agency, and the Canadian Centre for Cyber Security, which details the use of a custom malware known as BRICKSTORM by Chinese state-sponsored cyber actors.
The advisory describes BRICKSTORM as a custom, stealthy malware written in the Go programming language and designed to evade detection while enabling persistent access to compromised systems.
How BRICKSTORM Works
The malware has been observed targeting government organizations, information technology providers, legal entities, and operators of critical infrastructure.
Once deployed, BRICKSTORM allows attackers to establish secure command-and-control channels, maintain persistence, and conduct follow-on operations after an initial compromise.
While initial access methods vary, the agencies said the actors consistently seek to obtain virtual machine snapshots from victim environments. These snapshots are then used to deploy the malware and maintain covert access over extended periods.
Early Findings
The government advisory aligns with findings published in October by Los Angeles-based cybersecurity firm Resecurity.
In its analysis, Resecurity said it identified strong indicators linking BRICKSTORM’s development to China-based threat actors through reverse engineering of malware samples and examination of related code repositories.
Investigators believe one of the earliest known deployments of BRICKSTORM occurred during an exploitation campaign targeting F5 BIG-IP devices (widely used network traffic management and security appliances), in which attackers leveraged a previously unknown, or zero-day, vulnerability. The activity coincided with claims of a data breach affecting F5.
In an 8-K regulatory filing with the US Securities and Exchange Commission, F5 said it first became aware of unauthorized access to its systems on August 9 and initiated its standard incident response procedures, including bringing in external cybersecurity consultants.
The company later received permission from the US Department of Justice to delay public disclosure of the breach, a measure allowed when an incident is deemed to pose “a substantial risk to national security or public safety.”
Attribution and Broader Activity
Other cybersecurity firms have reported similar activity under different naming conventions, highlighting the challenges of attribution in state-sponsored cyber operations.
CrowdStrike, for example, attributes related activity to a China-nexus threat actor it tracks as WARP PANDA.
During its investigation, Resecurity identified multiple artifacts linked to the same appliance-focused tradecraft, including an ELF-based backdoor consistent with the BRICKSTORM malware family, deployment scripts used to persist on edge devices, and a servlet filter web component designed to harvest credentials after initial access.
According to Resecurity and other analysts, the overlap in tooling and techniques suggests that multiple PRC-linked threat groups may be using BRICKSTORM to support intelligence-collection efforts aligned with China’s strategic interests.
Western officials warn that such footholds give Chinese state-sponsored actors opportunities for long-term intelligence collection and strategic advantage, particularly against government and critical infrastructure targets worldwide.