vSphere and BRICKSTORM Malware: A Defender's Guide
Summary
BRICKSTORM is a malware campaign targeting VMware vSphere environments, specifically the vCenter Server Appliance (VCSA) and ESXi hypervisors (the software that runs virtual machines), by exploiting weak security architecture rather than software vulnerabilities. Attackers establish persistence at the virtualization layer (the foundational control software beneath guest operating systems), where traditional security tools like EDR (endpoint detection and response, software that monitors computers for threats) cannot see them, allowing them to gain administrative control over the entire virtual infrastructure. The VCSA is particularly attractive to attackers because compromising it grants full control over all virtual machines and their data.
Solution / Mitigation
Mandiant released a vCenter Hardening Script that enforces security configurations at the Photon Linux layer (the underlying operating system of vCenter). Organizations should implement the hardening recommendations provided in the guide, including custom security configurations at both the vSphere and Photon Linux layers, so that the virtualization layer becomes a hardened environment capable of detecting and blocking persistent threats.
Classification
Original source: https://cloud.google.com/blog/topics/threat-intelligence/vsphere-brickstorm-defender-guide/
First tracked: April 2, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 95%