
Federal cybersecurity officials have issued a warning about a stealthy backdoor known as Brickstorm, which Chinese state-sponsored hackers are deploying across critical infrastructure environments in the United States and Canada.

The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Canadian Centre for Cyber Security said the malware enables long-term persistence inside VMware vCenter servers and Windows systems, allowing attackers to steal cryptographic keys, harvest credentials, and clone virtual machine snapshots.

Brickstorm wraps its command-and-control traffic in multiple layers of encryption, including DNS over HTTPS, and can reinstall itself if it is disrupted. CISA said it analyzed eight malware samples; in one incident, the Chinese operators gained access to vCenter management consoles and domain controllers.

CISA Executive Assistant Director for Cybersecurity Nick Andersen told reporters the malware allows operators to move laterally, manipulate files, tunnel deeper into networks, and even create rogue virtual machines — all while evading detection through hidden API endpoints.

Security firm Mandiant reported tracking the campaign since March 2025, noting intrusions across SaaS vendors, law firms, business process outsourcers, and technology providers. Analysts said the activity reflects a sustained espionage effort embedded in U.S. infrastructure for more than a year.

Officials urged organizations to scan systems with YARA and Sigma rules, harden vSphere deployments, block DNS over HTTPS traffic from hosts that are not authorized to use it, restrict service account permissions, and monitor for suspicious access patterns.
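One concrete way to act on the "block unauthorized DNS over HTTPS" guidance is to flag TLS sessions whose SNI points at a public DoH resolver and whose source host is not on a short list of systems permitted to use DoH. The script below is an added example, not code from the advisory or from the agencies involved; the tab-separated log format (modeled on a Zeek-style TLS log), the sample log lines, the DoH endpoint list, the allowlist, and the management-host tags are all constructed assumptions for illustration, not indicators from the advisory.

```python
"""Flag outbound DNS-over-HTTPS from hosts that are not allowed to use it.

Added example, not from the advisory. The log format is a constructed,
Zeek-style TLS log (tab separated: ts, src, dst, dst_port, server_name);
the DoH endpoint list, the client allowlist and the management-host
tags are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Well-known public DoH endpoints (real hostnames; the list is illustrative,
# not an indicator list from the advisory).
DOH_HOSTNAMES = {
    "dns.google",
    "cloudflare-dns.com",
    "mozilla.cloudflare-dns.com",
    "dns.quad9.net",
    "doh.opendns.com",
}

# Assumed: only the corporate resolver is allowed to speak DoH upstream.
ALLOWED_DOH_CLIENTS = {"10.0.0.53"}

# Assumed asset tags for management-plane hosts, which should never speak DoH.
MANAGEMENT_HOSTS = {"10.0.10.5": "vcenter01", "10.0.10.10": "dc01"}


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    sni: str
    reason: str


def parse_tls_log(text: str) -> List[Tuple[str, str, str, int, str]]:
    """Parse 'ts<TAB>src<TAB>dst<TAB>dst_port<TAB>server_name' rows.

    Comment/header lines starting with '#' and malformed rows are skipped;
    the server name is normalised to lower case without a trailing dot.
    """
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != 5:
            continue
        ts, src, dst, port, sni = parts
        rows.append((ts, src, dst, int(port), sni.lower().rstrip(".")))
    return rows


def is_doh_endpoint(sni: str) -> bool:
    """True if the SNI is a known DoH host or a subdomain of one."""
    return any(sni == h or sni.endswith("." + h) for h in DOH_HOSTNAMES)


def find_unauthorized_doh(text: str) -> List[Finding]:
    """Return one Finding per TLS session to a DoH endpoint from a host
    that is not on the allowlist, tagging management hosts explicitly."""
    findings = []
    for ts, src, dst, port, sni in parse_tls_log(text):
        if port != 443 or not is_doh_endpoint(sni):
            continue
        if src in ALLOWED_DOH_CLIENTS:
            continue
        if src in MANAGEMENT_HOSTS:
            reason = f"management host {MANAGEMENT_HOSTS[src]} speaking DoH"
        else:
            reason = "DoH from host not on the allowlist"
        findings.append(Finding(ts, src, dst, sni, reason))
    return findings


# Constructed sample log: one allowed resolver, two management hosts and one
# workstation talking to public DoH resolvers, plus one benign HTTPS session.
SAMPLE_LOG = """\
#fields ts\tid.orig_h\tid.resp_h\tid.resp_p\tserver_name
1718000000.1\t10.0.0.53\t8.8.8.8\t443\tdns.google
1718000001.2\t10.0.10.5\t1.1.1.1\t443\tcloudflare-dns.com
1718000002.3\t10.0.20.7\t104.16.0.1\t443\twww.example.com
1718000003.4\t10.0.10.10\t8.8.4.4\t443\tdns.google
1718000004.5\t10.0.30.8\t9.9.9.9\t443\tdns.quad9.net
"""

if __name__ == "__main__":
    for f in find_unauthorized_doh(SAMPLE_LOG):
        print(f"{f.ts} {f.src} -> {f.dst} sni={f.sni}: {f.reason}")
```

Two caveats a practitioner would add: SNI-based matching misses DoH sent to a resolver's bare IP or hidden behind Encrypted Client Hello, so an egress policy that denies port 443 to known resolver IP ranges from server VLANs belongs alongside this detection; and an implant that brings its own resolver hostname will not appear in a public-endpoint list, which is why the management-host tagging above treats any DoH from a vCenter or domain controller as a finding rather than relying on the endpoint list alone.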

“This advisory underscores the grave threats posed by the People’s Republic of China,” said CISA Acting Director Madhu Gottumukkala, warning that state-sponsored actors are embedding themselves to enable long-term access, disruption, and potential sabotage.
