BRICKSTORM Malware Targets VMware vSphere: Urgent Hardening Required, Experts Warn

By

Breaking: BRICKSTORM Malware Exploiting vSphere Weaknesses — No Patch Available

Threat actors are actively targeting VMware vSphere ecosystems using a new attack campaign dubbed BRICKSTORM, according to research from Google Threat Intelligence Group (GTIG). The malware establishes persistence at the virtualization layer, bypassing traditional endpoint security tools such as EDR agents.

“Attackers are not exploiting a software vulnerability; they are capitalizing on weak security architecture and a lack of visibility in the virtualization control plane,” said Stuart Carrera, a Mandiant security expert. “Organizations must treat vCenter Server Appliance and ESXi as Tier-0 assets and harden them accordingly.”

Background: How BRICKSTORM Works

BRICKSTORM specifically targets the vCenter Server Appliance (VCSA) and ESXi hypervisors, gaining administrative control over the entire vSphere environment. Once inside, attackers operate beneath the guest operating system, where standard security monitoring is ineffective.

The campaign relies on exploiting weak identity design, lack of host-based configuration enforcement, and limited visibility within the virtualization layer. No product vulnerability is involved — instead, attackers take advantage of default configurations and unmonitored access points.

Immediate Risk to Critical Infrastructure

The VCSA often hosts Tier-0 workloads such as domain controllers and privileged access management solutions. A compromise grants attackers full control over every managed ESXi host and virtual machine, rendering traditional security tiering useless.

“Because the VCSA is a purpose-built appliance, out-of-the-box defaults are insufficient,” Carrera added. “Achieving a Tier-0 security standard requires intentional custom configurations at both the vSphere and Photon Linux layers.”

What This Means for Defenders

Organizations must immediately implement hardening strategies to secure the virtualization control plane. Mandiant has released a vCenter Hardening Script that enforces security configurations directly at the Photon Linux layer, helping automate many of the recommended mitigations.

Key actions include: enabling strict access controls, monitoring for unusual administrative behavior, and configuring the VCSA as a Tier-0 asset with dedicated security monitoring. “By implementing these recommendations, organizations can transform the virtualization layer into a hardened environment capable of detecting and blocking persistent threats,” Carrera said.

The BRICKSTORM campaign underscores a critical shift in threat actor tactics. Defenders must now extend their security focus beyond guest operating systems to include the hypervisor and management appliances. Traditional endpoint protection is no longer sufficient when attackers operate below the OS.

Related Articles

• Giant Squid Traces Detected in Western Australian Waters Using Environmental DNA
• How to Secure Your Ollama Server Against the Bleeding Llama Vulnerability (CVE-2026-7482)
• Critical SQL Injection in LiteLLM: A Rapid Response Guide to CVE-2026-42208
• 5 Critical Lessons from the Retracted Instructure Data Breach Report
• Senior Scattered Spider Hacker Pleads Guilty: ‘Tylerb’ Admits Role in Major Cyberattacks
• 7 Critical Insights: The LiteLLM CVE-2026-42208 SQL Injection Crisis
• 5 Critical Facts About the CanisterWorm Wiper Attack on Iran
• How GitHub Swiftly Neutralized a Critical Git Push Vulnerability