Mandiant Publishes Defender's Guide to BRICKSTORM Malware Targeting VMware vSphere
Mandiant released a comprehensive defender's guide detailing the BRICKSTORM backdoor, which targets the VMware vCenter Server Appliance (VCSA) and gives attackers persistent access to the virtual infrastructure it manages.

Mandiant has published a detailed defender's guide to the BRICKSTORM backdoor, a sophisticated threat targeting the VMware vCenter Server Appliance (VCSA) and ESXi hypervisors. The guide, released on April 2, 2026, builds on earlier research from Google Threat Intelligence Group (GTIG) and gives organizations hardening strategies and detection methods for securing their virtualized environments against this persistent threat.
BRICKSTORM does not exploit a security vulnerability in VMware's products or infrastructure, so there is no patch that removes it. Instead, the malware takes advantage of weak security architecture, poor identity design, and limited visibility within the virtualization layer. By establishing persistence at the hypervisor level, threat actors operate beneath the guest operating system, where traditional endpoint detection and response (EDR) agents are ineffective. This creates a significant visibility gap, as these control planes have historically received far less security attention than endpoints.
The VCSA is the central point of control and trust for vSphere infrastructure, and the clusters it manages typically host critical Tier-0 workloads such as domain controllers and privileged access management solutions. A compromise of the vCenter control plane grants an attacker administrative control over every managed ESXi host and virtual machine, collapsing any tiering model the organization has built above it. The guide outlines three capabilities BRICKSTORM provides: centralized command to power off, delete, or reconfigure any VM; total access to the underlying storage (VMDKs), bypassing guest OS permissions; and gaps in command-line logging once an attacker reaches the appliance's Photon OS shell via SSH.
Mandiant emphasizes that many organizations host their Active Directory domain controllers as VMs within the same vSphere cluster, managed by a vCenter that is itself AD-integrated. If an attacker disables the virtual network or encrypts the datastores, the domain controllers vCenter relies on for authentication go down with them, and vCenter loses its ability to authenticate administrators. Organizations are then forced to restore manually through individual ESXi hosts, dramatically extending recovery timelines. The guide also warns that vSphere 7 reached End of Life in October 2025, leaving organizations carrying this legacy technical debt exposed to flaws that will never be patched.
To help automate defense, Mandiant released a vCenter Hardening Script that enforces security configurations directly at the Photon OS layer of the appliance. The guide recommends a two-pronged strategy: technical hardening through defense-in-depth measures such as enabling Secure Boot, strictly firewalling management interfaces, and disabling shell access; and high-fidelity signal analysis that keys on behavioral patterns rather than on blocklists of bad IPs or known malware hashes.
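The following is an added example of the behavioral approach the guide recommends; it is not code from the Mandiant guide or its hardening script. It assumes a policy in which only a privileged access workstation (PAW) subnet may open SSH sessions to the VCSA and the appliance may only hold sessions with internal networks, and it flags what violates that policy instead of matching known-bad indicators. The subnets, hostnames, process names and log lines are all constructed for illustration.

```python
"""Behavioral triage of VCSA telemetry against an access allowlist.

Added example. The policy values below (PAW subnet, internal range) are
assumptions; the sshd log lines and connection table are constructed data.
"""
import ipaddress
import re

# Assumed policy: SSH to the appliance is only expected from the PAW subnet,
# and the appliance should only hold sessions with internal networks (ESXi
# hosts, NTP, identity sources). Adjust to the real management design.
PAW_SUBNETS = [ipaddress.ip_network("10.10.99.0/24")]
ALLOWED_PEERS = [ipaddress.ip_network("10.10.0.0/16")]

# Standard OpenSSH auth-log format ("Accepted publickey for root from ...").
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def _in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def check_ssh_logins(lines):
    """Flag successful SSH logins to the appliance from outside the PAW subnets.

    Failed attempts are deliberately ignored: the high-fidelity signal is a
    success from a place that should never succeed.
    """
    findings = []
    for line in lines:
        m = SSHD_RE.search(line)
        if not m or m["result"] != "Accepted":
            continue
        if not _in_any(m["ip"], PAW_SUBNETS):
            findings.append({
                "type": "ssh_login_outside_paw",
                "user": m["user"],
                "src": m["ip"],
                "method": m["method"],
            })
    return findings


def check_sessions(connections):
    """Flag established sessions whose peer lies outside the allowed networks.

    connections: (process, local_ip, peer_ip, peer_port, state) tuples, the
    shape you would get from a netstat/ss listing on the appliance.
    """
    findings = []
    for proc, _local, peer, port, state in connections:
        if state != "ESTABLISHED":
            continue
        if not _in_any(peer, ALLOWED_PEERS):
            findings.append({
                "type": "session_outside_allowlist",
                "process": proc,
                "dst": f"{peer}:{port}",
            })
    return findings


# Constructed sample telemetry (not real data, not indicators of BRICKSTORM).
SAMPLE_AUTH_LOG = [
    "Apr  2 09:14:03 vcsa sshd[4120]: Accepted publickey for root from 10.10.99.12 port 51822 ssh2",
    "Apr  2 11:02:41 vcsa sshd[5308]: Failed password for root from 192.0.2.77 port 40001 ssh2",
    "Apr  2 11:03:09 vcsa sshd[5311]: Accepted password for root from 192.0.2.77 port 40002 ssh2",
]
SAMPLE_CONNECTIONS = [
    ("vpxd", "10.10.5.10", "10.10.5.21", 443, "ESTABLISHED"),      # vCenter -> ESXi host, expected
    ("proc_a", "10.10.5.10", "203.0.113.5", 443, "ESTABLISHED"),   # constructed: peer outside allowlist
    ("sshd", "10.10.5.10", "10.10.99.12", 51822, "ESTABLISHED"),   # PAW session, expected
]


def triage(auth_log=SAMPLE_AUTH_LOG, connections=SAMPLE_CONNECTIONS):
    """Run both checks and return the combined list of findings."""
    return check_ssh_logins(auth_log) + check_sessions(connections)


if __name__ == "__main__":
    for finding in triage():
        print(finding)
```

Both checks are deliberately blind to who the peer is and only care about where it is relative to the documented management design; a new attacker IP or a recompiled implant changes nothing about what gets flagged, which is the property the guide is asking defenders to build toward.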
The guide outlines four phases of technical enforcement: Phase 1 focuses on benchmarking and base controls using Security Technical Implementation Guides (STIGs) and patching; Phase 2 addresses identity management through privileged access workstations (PAWs) and PAM solutions; Phase 3 covers vSphere network hardening; and Phase 4 establishes continuous monitoring and incident response. By implementing these recommendations, organizations can turn the virtualization layer into a hardened environment capable of detecting and blocking persistent threats like BRICKSTORM.