BRICKSTORM Backdoor

    Date: 12/05/2025

    Severity: Critical

    Summary

    BRICKSTORM is an advanced backdoor targeting VMware vSphere, including vCenter Server and ESXi hosts, as well as Windows systems. The actors focused specifically on compromising VMware vSphere platforms. After gaining access, they used the vCenter console to steal VM snapshots for credential harvesting and to create hidden rogue VMs. They also infiltrated two domain controllers and an ADFS server; the ADFS server was fully compromised, allowing them to export its cryptographic keys. BRICKSTORM provided the actors with persistent access from April 2024 through at least September 3, 2025.

    Indicators of Compromise (IOC) List

    Hashes (grouped by algorithm; one MD5 value that the original list repeated is listed once)

    MD5:

    0a4fa52803a389311a9ddc49b7b19138
    18f895e24fe1181bb559215ff9cf6ce3
    39111508bfde89ce6e0fe6abe0365552
    82bf31e7d768e6d4d3bc7c8c8ef2b358
    8e4c88d00b6eb46229a1ed7001451320
    a02469742f7b0bc9a8ab5e26822b3fa8
    a52e36a70b5e0307cbcaa5fd7c97882c
    dbca28ad420408850a94d5c325183b28

    SHA-1:

    10d811029f6e5f58cd06143d6353d3b05bc06d0f
    44a3d3f15ef75d9294345462e1b82272b0d11985
    97001baaa379bcd83677dca7bc5b8048fdfaaddc
    9bf4c786ebd68c0181cfe3eb85d2fd202ed12c54
    c3549d4e5e39a11f609fc6fbf5cc1f2c0ec272b4
    de28546ec356c566cd8bca205101a733e9a4a22d
    f639d9404c03af86ce452db5c5e0c528b81dc0d7
    fb11c6caa4ea844942fe97f46d7eb42bc76911ab

    SHA-256:

    013211c56caaa697914b5b5871e4998d0298902e336e373ebb27b7db30917eaf
    22c15a32b69116a46eb5d0f2b228cc37cd1b5915a91ec8f38df79d3eed1da26b
    320a0b5d4900697e125cebb5ff03dee7368f8f087db1c1570b0b62f5a986d759
    39b3d8a8aedffc1b40820f205f6a4dc041cd37262880e5030b008175c45b0c46
    57bd98dbb5a00e54f07ffacda1fea91451a0c0b532cd7d570e98ce2ff741c21d
    73fe8b8fb4bd7776362fd356fdc189c93cf5d9f6724f6237d829024c10263fe5
    aaf5569c8e349c15028bc3fac09eb982efb06eabac955b705a6d447263658e38
    b3b6a992540da96375e4781afd3052118ad97cfe60ccf004d732f76678f6820a
    b91881cb1aa861138f2063ec130b2b01a8aaf0e3f04921e5cbfc61b09024bf12
    bfb3ffd46b21b2281374cd60bc756fe2dcc32486dcc156c9bd98f24101145454
    dfac2542a0ee65c474b91d3b352540a24f4e223f1b808b741cfe680263f0ee44
    f7cda90174b806a34381d5043e89b23ba826abcc89f7abd520060a64475ed506

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 (MD5):

    md5hash IN ("0a4fa52803a389311a9ddc49b7b19138","18f895e24fe1181bb559215ff9cf6ce3","39111508bfde89ce6e0fe6abe0365552","82bf31e7d768e6d4d3bc7c8c8ef2b358","8e4c88d00b6eb46229a1ed7001451320","a02469742f7b0bc9a8ab5e26822b3fa8","a52e36a70b5e0307cbcaa5fd7c97882c","dbca28ad420408850a94d5c325183b28")

    Detection Query 2 (SHA-1):

    sha1hash IN ("10d811029f6e5f58cd06143d6353d3b05bc06d0f","44a3d3f15ef75d9294345462e1b82272b0d11985","97001baaa379bcd83677dca7bc5b8048fdfaaddc","9bf4c786ebd68c0181cfe3eb85d2fd202ed12c54","c3549d4e5e39a11f609fc6fbf5cc1f2c0ec272b4","de28546ec356c566cd8bca205101a733e9a4a22d","f639d9404c03af86ce452db5c5e0c528b81dc0d7","fb11c6caa4ea844942fe97f46d7eb42bc76911ab")

    Detection Query 3 (SHA-256):

    sha256hash IN ("320a0b5d4900697e125cebb5ff03dee7368f8f087db1c1570b0b62f5a986d759","013211c56caaa697914b5b5871e4998d0298902e336e373ebb27b7db30917eaf","22c15a32b69116a46eb5d0f2b228cc37cd1b5915a91ec8f38df79d3eed1da26b","39b3d8a8aedffc1b40820f205f6a4dc041cd37262880e5030b008175c45b0c46","57bd98dbb5a00e54f07ffacda1fea91451a0c0b532cd7d570e98ce2ff741c21d","73fe8b8fb4bd7776362fd356fdc189c93cf5d9f6724f6237d829024c10263fe5","aaf5569c8e349c15028bc3fac09eb982efb06eabac955b705a6d447263658e38","b3b6a992540da96375e4781afd3052118ad97cfe60ccf004d732f76678f6820a","b91881cb1aa861138f2063ec130b2b01a8aaf0e3f04921e5cbfc61b09024bf12","bfb3ffd46b21b2281374cd60bc756fe2dcc32486dcc156c9bd98f24101145454","dfac2542a0ee65c474b91d3b352540a24f4e223f1b808b741cfe680263f0ee44","f7cda90174b806a34381d5043e89b23ba826abcc89f7abd520060a64475ed506")
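    The three queries above match fixed hash fields inside Gurucul TDIR. As an added example, not part of the advisory and not Gurucul's query engine, the following Python script applies the same three IOC lists to log records outside the platform. It goes slightly beyond the queries: it checks every string field of a record rather than three named fields, decides which list to consult from the digest length, and lower-cases values before comparison so that sources that emit upper-case digests still match. The IOC values are copied from the advisory; the hosts, paths, event names and field names in the sample records are constructed for this example.

```python
"""Added example: apply the advisory's BRICKSTORM hash IOCs to log records.

Illustrative code written for this page, not Gurucul's TDIR query engine.
The IOC values are copied from the advisory above; the log records, host
names, paths and field names below are constructed for the example.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# MD5 (32 hex), SHA-1 (40 hex) and SHA-256 (64 hex) IOCs from the advisory.
# Stored as sets, so the MD5 the advisory listed twice collapses to one entry.
MD5_IOCS = {
    "0a4fa52803a389311a9ddc49b7b19138", "18f895e24fe1181bb559215ff9cf6ce3",
    "39111508bfde89ce6e0fe6abe0365552", "82bf31e7d768e6d4d3bc7c8c8ef2b358",
    "8e4c88d00b6eb46229a1ed7001451320", "a02469742f7b0bc9a8ab5e26822b3fa8",
    "a52e36a70b5e0307cbcaa5fd7c97882c", "dbca28ad420408850a94d5c325183b28",
}
SHA1_IOCS = {
    "10d811029f6e5f58cd06143d6353d3b05bc06d0f", "44a3d3f15ef75d9294345462e1b82272b0d11985",
    "97001baaa379bcd83677dca7bc5b8048fdfaaddc", "9bf4c786ebd68c0181cfe3eb85d2fd202ed12c54",
    "c3549d4e5e39a11f609fc6fbf5cc1f2c0ec272b4", "de28546ec356c566cd8bca205101a733e9a4a22d",
    "f639d9404c03af86ce452db5c5e0c528b81dc0d7", "fb11c6caa4ea844942fe97f46d7eb42bc76911ab",
}
SHA256_IOCS = {
    "013211c56caaa697914b5b5871e4998d0298902e336e373ebb27b7db30917eaf",
    "22c15a32b69116a46eb5d0f2b228cc37cd1b5915a91ec8f38df79d3eed1da26b",
    "320a0b5d4900697e125cebb5ff03dee7368f8f087db1c1570b0b62f5a986d759",
    "39b3d8a8aedffc1b40820f205f6a4dc041cd37262880e5030b008175c45b0c46",
    "57bd98dbb5a00e54f07ffacda1fea91451a0c0b532cd7d570e98ce2ff741c21d",
    "73fe8b8fb4bd7776362fd356fdc189c93cf5d9f6724f6237d829024c10263fe5",
    "aaf5569c8e349c15028bc3fac09eb982efb06eabac955b705a6d447263658e38",
    "b3b6a992540da96375e4781afd3052118ad97cfe60ccf004d732f76678f6820a",
    "b91881cb1aa861138f2063ec130b2b01a8aaf0e3f04921e5cbfc61b09024bf12",
    "bfb3ffd46b21b2281374cd60bc756fe2dcc32486dcc156c9bd98f24101145454",
    "dfac2542a0ee65c474b91d3b352540a24f4e223f1b808b741cfe680263f0ee44",
    "f7cda90174b806a34381d5043e89b23ba826abcc89f7abd520060a64475ed506",
}

# The hex-digest length decides which list a value is checked against.
IOCS_BY_LENGTH = {32: ("md5", MD5_IOCS), 40: ("sha1", SHA1_IOCS), 64: ("sha256", SHA256_IOCS)}
HEX_DIGEST = re.compile(r"[0-9a-f]+")


def normalize_hash(value: str) -> Optional[Tuple[str, str]]:
    """Return (algorithm, lowercase digest) if value looks like a supported hash.

    Log sources disagree on case (Windows sources often emit upper-case
    digests), so the comparison is always done on the lower-cased value.
    """
    digest = value.strip().lower()
    entry = IOCS_BY_LENGTH.get(len(digest))
    if entry is None or not HEX_DIGEST.fullmatch(digest):
        return None
    return entry[0], digest


def match_record(record: Dict[str, str]) -> List[Dict[str, str]]:
    """Check every string field of one log record against the IOC sets.

    Unlike the three fixed-field queries, this inspects any field whose value
    parses as a digest, so a hash carried in an unexpected field is not missed.
    """
    hits = []
    for field, value in record.items():
        if not isinstance(value, str):
            continue
        parsed = normalize_hash(value)
        if parsed is None:
            continue
        algorithm, digest = parsed
        if digest in IOCS_BY_LENGTH[len(digest)][1]:
            hits.append({"field": field, "algorithm": algorithm, "hash": digest})
    return hits


def scan(records: Iterable[Dict[str, str]]) -> List[Tuple[Dict[str, str], List[Dict[str, str]]]]:
    """Return (record, hits) for every record that matched at least one IOC."""
    results = []
    for record in records:
        hits = match_record(record)
        if hits:
            results.append((record, hits))
    return results


# Constructed sample records: hosts, paths and events are invented for this example.
SAMPLE_RECORDS = [
    {"host": "vcenter01", "event": "file_write", "path": "/tmp/constructed-sample-1",
     "sha256hash": "013211C56CAAA697914B5B5871E4998D0298902E336E373EBB27B7DB30917EAF"},
    {"host": "esxi02", "event": "process_start", "path": "/tmp/constructed-sample-2",
     "md5hash": "0a4fa52803a389311a9ddc49b7b19138"},
    {"host": "dc01", "event": "process_start", "path": "C:\\constructed\\benign.exe",
     "sha1hash": "0000000000000000000000000000000000000000"},   # valid digest, not an IOC
    {"host": "adfs01", "event": "file_write", "path": "C:\\constructed\\note.txt",
     "file_hash": "not-a-hash"},                                # ignored: not a digest
]

if __name__ == "__main__":
    for record, hits in scan(SAMPLE_RECORDS):
        for hit in hits:
            print(f"{record['host']}: {hit['algorithm']} IOC match in field "
                  f"{hit['field']} ({hit['hash']})")
```

    Run as-is it reports the vcenter01 and esxi02 records and stays silent on the other two. Hash matching of this kind is exact-match only: a rebuilt or repacked sample produces a different digest, so it complements rather than replaces behavioural detections for the vCenter and ESXi activity described in the summary.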

    Reference: 

    https://www.cisa.gov/news-events/analysis-reports/ar25-338a


    Tags: Malware, CISA, BRICKSTORM, Backdoor
