CISA Releases New BRICKSTORM Backdoor IOCs Tied to PRC State Actors
Joint advisory from CISA, NSA, and Canadian Cyber Centre details new Rust-based variants of Chinese government malware targeting IT and government sectors.
CISA, the NSA, and the Canadian Centre for Cyber Security released an updated malware analysis report on December 19 containing new indicators of compromise and detection signatures for BRICKSTORM, a backdoor attributed to PRC state-sponsored cyber actors. The update identifies previously undisclosed Rust-based variants with enhanced persistence and command-and-control capabilities.
TL;DR
- What happened: Joint advisory updates BRICKSTORM malware analysis with new Rust-based samples and IOCs
- Who's affected: Government Services and Facilities sector, Information Technology sector organizations
- Severity: High - state-sponsored persistent access implant with active campaigns
- Action required: Review IOCs against network telemetry; implement provided detection signatures
What is BRICKSTORM?
BRICKSTORM is a backdoor malware family used by PRC (People's Republic of China) state-sponsored threat actors for long-term persistent access to victim networks. The agencies assess that Chinese government hackers deploy BRICKSTORM to maintain footholds in target organizations, enabling espionage operations over extended periods.
The malware is designed to be stealthy and resilient. It establishes encrypted command-and-control channels that blend with legitimate network traffic and includes mechanisms to survive system reboots and security tool scans.
What's New in This Update?
The updated advisory provides information on additional samples that weren't covered in previous BRICKSTORM reporting:
Rust-based variants: New samples are written in Rust rather than the C/C++ used in earlier versions. Rust offers several advantages for malware authors:
- Memory safety features make the malware more stable
- Cross-platform compilation is straightforward
- Rust binaries are harder to reverse engineer than C/C++ equivalents
- Growing Rust usage means defenders have less tooling and expertise for analysis
Enhanced persistence mechanisms: The new variants can run as background services on compromised systems, making them harder to detect and remove. Service-based persistence survives user logoffs and often evades casual inspection.
Improved C2 capabilities: The updated malware uses encrypted WebSocket connections for command-and-control communications. WebSocket traffic can blend with legitimate web application communications, making network-based detection more difficult.
Targeted Sectors
According to the joint advisory, BRICKSTORM campaigns have primarily targeted:
Government Services and Facilities: Federal, state, and local government agencies, particularly those handling sensitive policy information or critical infrastructure oversight.
Information Technology: Technology companies, managed service providers, and IT contractors—especially those with access to government clients.
Targeting IT providers represents a supply chain attack strategy. Compromising a single MSP can provide access to dozens or hundreds of downstream client organizations.
Detection Guidance
The advisory includes several detection resources:
YARA rules: Signature-based detection rules that can identify BRICKSTORM binaries on disk or in memory.
Network indicators: Domain names, IP addresses, and traffic patterns associated with BRICKSTORM C2 infrastructure.
Behavioral signatures: Host-based indicators including registry modifications, service installations, and file system artifacts.
Organizations should incorporate these indicators into:
- Endpoint detection and response (EDR) platforms
- Network intrusion detection systems (NIDS)
- Security information and event management (SIEM) correlation rules
- Threat hunting playbooks
Attribution Confidence
CISA, NSA, and the Canadian Cyber Centre jointly assess with high confidence that BRICKSTORM is used by PRC state-sponsored actors. The attribution is based on:
- Technical overlaps with other known PRC-linked malware families
- Targeting patterns consistent with Chinese strategic intelligence priorities
- Infrastructure connections to previously attributed PRC operations
- Human intelligence and signals intelligence sources (details classified)
Why Rust Malware Matters
The shift to Rust represents a broader trend among sophisticated threat actors. Several APT groups and ransomware operations have adopted Rust for new tooling:
- ALPHV/BlackCat ransomware was written in Rust
- APT29 (Russia) has deployed Rust-based loaders
- Multiple Chinese APTs have been observed testing Rust implants
For defenders, this creates challenges. Rust binary analysis requires specialized skills and tools. Many security products have weaker detection for Rust malware simply because there's less of it in the wild (for now).
Recommended Actions
- Review the IOCs - Check the published indicators against DNS logs, proxy logs, and endpoint telemetry for the past 90+ days
- Deploy detection signatures - Add the provided YARA rules and network signatures to security tooling
- Hunt for persistence - Look for unexpected Windows services, particularly those with unusual binary paths or descriptions
- Monitor for WebSocket anomalies - WebSocket connections to unusual domains or with encrypted payloads warrant investigation
- Audit privileged access - BRICKSTORM requires elevated privileges for full functionality; review admin account usage
Frequently Asked Questions
How do I get the full IOC list and detection signatures?
The complete Malware Analysis Report (MAR) is available on CISA's website at cisa.gov under Analysis Reports, reference AR25-338A.
Should I block all WebSocket traffic?
No. WebSocket is a legitimate protocol used by many web applications. Instead, monitor WebSocket connections to unusual or newly registered domains, and investigate encrypted WebSocket traffic to non-standard ports.
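The IOC review and WebSocket monitoring steps from the Recommended Actions list and this answer, as an added example that is not code from the advisory: the log format, the client addresses, the IOC domains (obvious placeholders to be replaced with the indicators in MAR AR25-338A) and the assumption that 80/443 are the only routine WebSocket ports are all constructed here.

```python
import re
from collections import namedtuple

# Constructed placeholders; replace with the real indicators from MAR AR25-338A.
IOC_DOMAINS = {"c2-placeholder.example", "update-placeholder.example"}
# Assumption: WebSocket upgrades on 80/443 are routine; any other port is flagged.
STANDARD_WS_PORTS = {80, 443}
# Constructed log format: "<ts> <client> <host>:<port> <method> <uri> upgrade=<value>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<host>[^:\s]+):(?P<port>\d+) "
    r"(?P<method>\S+) (?P<uri>\S+) upgrade=(?P<upgrade>\S+)$"
)
Finding = namedtuple("Finding", "line_no host port reasons")

def parse_line(line):
    """Return the parsed fields, or None for a line that does not fit the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def matches_ioc(host, ioc_domains):
    """True for an exact IOC domain or any subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in ioc_domains)

def triage(lines, ioc_domains=IOC_DOMAINS, ws_ports=STANDARD_WS_PORTS):
    """Flag IOC-domain hits and WebSocket upgrades to non-standard ports.
    Domain-age checks need an external lookup and are not attempted offline."""
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped rather than silently matched
        host, port = rec["host"].lower(), int(rec["port"])
        reasons = []
        if matches_ioc(host, ioc_domains):
            reasons.append("ioc-domain")
        if rec["upgrade"].lower() == "websocket" and port not in ws_ports:
            reasons.append("websocket-nonstandard-port")
        if reasons:
            findings.append(Finding(n, host, port, reasons))
    return findings

# Constructed sample lines; none of these hosts is a real indicator.
SAMPLE_LOG = [
    "2025-12-20T10:00:01Z 10.0.0.5 www.example.com:443 GET /app upgrade=websocket",
    "2025-12-20T10:00:02Z 10.0.0.5 c2-placeholder.example:443 GET /ws upgrade=websocket",
    "2025-12-20T10:00:03Z 10.0.0.7 cdn.update-placeholder.example:8443 POST /api upgrade=websocket",
    "2025-12-20T10:00:04Z 10.0.0.9 203.0.113.10:8080 GET /socket upgrade=websocket",
    "2025-12-20T10:00:05Z 10.0.0.9 intranet.example.com:8080 GET /health upgrade=none",
    "malformed line",
]
```

Run `triage(SAMPLE_LOG)` to see the three flagged lines; a real deployment would feed proxy or DNS export lines in place of SAMPLE_LOG and the published domain list in place of IOC_DOMAINS.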
Is this related to Volt Typhoon or Salt Typhoon campaigns?
The advisory doesn't establish direct connections to those named campaigns, but all three involve PRC state-sponsored actors targeting U.S. critical infrastructure. Organizations targeted by one Chinese APT should assume they're of interest to others.