BRICKSTORM Malware Targets VMware vSphere: Urgent Hardening Required, Experts Warn

By

Breaking: BRICKSTORM Malware Exploiting vSphere Weaknesses — No Patch Available

Threat actors are actively targeting VMware vSphere ecosystems using a new attack campaign dubbed BRICKSTORM, according to research from Google Threat Intelligence Group (GTIG). The malware establishes persistence at the virtualization layer, bypassing traditional endpoint security tools such as EDR agents.

“Attackers are not exploiting a software vulnerability; they are capitalizing on weak security architecture and a lack of visibility in the virtualization control plane,” said Stuart Carrera, a Mandiant security expert. “Organizations must treat vCenter Server Appliance and ESXi as Tier-0 assets and harden them accordingly.”

Background: How BRICKSTORM Works

BRICKSTORM specifically targets the vCenter Server Appliance (VCSA) and ESXi hypervisors, gaining administrative control over the entire vSphere environment. Once inside, attackers operate beneath the guest operating system, where standard security monitoring is ineffective.

The campaign relies on exploiting weak identity design, lack of host-based configuration enforcement, and limited visibility within the virtualization layer. No product vulnerability is involved — instead, attackers take advantage of default configurations and unmonitored access points.

Immediate Risk to Critical Infrastructure

The VCSA often hosts Tier-0 workloads such as domain controllers and privileged access management solutions. A compromise grants attackers full control over every managed ESXi host and virtual machine, rendering traditional security tiering useless.

“Because the VCSA is a purpose-built appliance, out-of-the-box defaults are insufficient,” Carrera added. “Achieving a Tier-0 security standard requires intentional custom configurations at both the vSphere and Photon Linux layers.”

What This Means for Defenders

Organizations must immediately implement hardening strategies to secure the virtualization control plane. Mandiant has released a vCenter Hardening Script that enforces security configurations directly at the Photon Linux layer, helping automate many of the recommended mitigations.

Key actions include: enabling strict access controls, monitoring for unusual administrative behavior, and configuring the VCSA as a Tier-0 asset with dedicated security monitoring. “By implementing these recommendations, organizations can transform the virtualization layer into a hardened environment capable of detecting and blocking persistent threats,” Carrera said.

The BRICKSTORM campaign underscores a critical shift in threat actor tactics. Defenders must now extend their security focus beyond guest operating systems to include the hypervisor and management appliances. Traditional endpoint protection is no longer sufficient when attackers operate below the OS.

Related Articles

• Exclusive: Iranian Hackers Leak FBI Director's Personal Emails as Cyberattacks Slam Global Infrastructures
• Why Autonomous Validation Is Essential When Attackers Act in Minutes and Patching Takes Hours
• 8 Ways Frontier AI Is Redefining Cybersecurity Defenses
• Secure Travel Tips: Navigating Airport Wi-Fi Risks This Summer
• Ubuntu Under Siege, Linux Exploits, and Global Tech Moves: A Weekly Recap
• Germany's Cyber Extortion Crisis: A Q&A on 2025's Data Leak Surge
• 5 Cybersecurity Insights: Pioneers Revisit Their Most Prophetic Columns
• LayerZero Acknowledges Fault in Single-Validator Configuration Linked to $292 Million Kelp DAO Exploit