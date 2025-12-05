Chinese state-sponsored actors deploy BRICKSTORM malware to infiltrate government and IT networks worldwide

Malware targets VMware vSphere and Windows, enabling persistence, file manipulation, and Active Directory compromise

CISA warns of long-term espionage and sabotage risks; China denies accusations, calling the US a “cyber-bully”

Chinese state-sponsored threat actors have been using BRICKSTORM malware against government organizations around the world, maintaining access, exfiltrating files, and eavesdropping.

This is according to a joint report published by the US Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Canadian Centre for Cyber Security. The report outlines how the malware operates, based on the analysis of eight samples obtained from victim networks.

The report says PRC hackers are targeting “government and information technology” organizations, without detailing who the victims are or where they are located. Separately, CrowdStrike said it observed the malware being used against an Asia-Pacific government organization.


Manipulating files

To get into target networks and stay there, the threat actors went after VMware vSphere and Windows systems.

“At the victim organization where CISA conducted an incident response engagement, PRC state-sponsored cyber actors gained long-term persistent access to the organization’s internal network in April 2024 and uploaded BRICKSTORM malware to an internal VMware vCenter server,” CISA said. From there, the actors moved on to Active Directory:

“They also gained access to two domain controllers and an Active Directory Federation Services (ADFS) server. They successfully compromised the ADFS server and exported cryptographic keys.”

Besides maintaining stealthy access, BRICKSTORM also allowed them to read and manipulate all of the files on the compromised devices. In some cases, they were able to move laterally through the network, compromising even more devices.
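The exported ADFS “cryptographic keys” are the point a defender should dwell on: the token-signing key lets an attacker mint SAML tokens for any user of any federated application, and those tokens stay valid for as long as relying parties trust the old certificate. The following script is an added example, not code from the CISA/NSA report or from the BRICKSTORM samples; it inventories the ADFS token-signing and token-decrypting certificates and, only when asked, performs the double urgent rollover that retires both the primary and the secondary key. It assumes it is run on the primary ADFS server with ADFS administrator rights and that AutoCertificateRollover is enabled (the default); the `-Rotate` switch and the `Get-AdfsSigningInventory` helper are this example’s own names.

```powershell
# Added example (not from the advisory): list ADFS signing/decryption certificates
# and, on request, rotate them twice so tokens signed with an exported key stop
# validating. Read-only unless -Rotate is supplied; honours -WhatIf.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Rotate   # inventory only unless this switch is given
)

Import-Module ADFS -ErrorAction Stop

function Get-AdfsSigningInventory {
    # Both types matter: Token-Signing keys forge assertions,
    # Token-Decrypting keys read encrypted ones sent by partners.
    foreach ($type in 'Token-Signing', 'Token-Decrypting') {
        Get-AdfsCertificate -CertificateType $type | ForEach-Object {
            [pscustomobject]@{
                Type       = $type
                Primary    = $_.IsPrimary
                Thumbprint = $_.Thumbprint
                NotBefore  = $_.Certificate.NotBefore
                NotAfter   = $_.Certificate.NotAfter
            }
        }
    }
}

Write-Host 'Current ADFS certificates:'
Get-AdfsSigningInventory | Format-Table -AutoSize

if (-not $Rotate) { return }

$props = Get-AdfsProperties
if (-not $props.AutoCertificateRollover) {
    # Update-AdfsCertificate only works with automatic rollover; with externally
    # issued certificates, import new ones with Add-AdfsCertificate and promote
    # them with Set-AdfsCertificate -IsPrimary instead.
    throw 'AutoCertificateRollover is disabled; rotate by importing new certificates manually.'
}

foreach ($type in 'Token-Signing', 'Token-Decrypting') {
    # Two urgent rollovers: the first promotes a fresh certificate to primary and
    # demotes the old primary to secondary; the second retires that old primary
    # entirely. -Urgent skips the normal promotion delay.
    for ($i = 1; $i -le 2; $i++) {
        if ($PSCmdlet.ShouldProcess("ADFS $type certificate", "Urgent rollover $i of 2")) {
            Update-AdfsCertificate -CertificateType $type -Urgent
        }
    }
}

Write-Host 'After rotation:'
Get-AdfsSigningInventory | Format-Table -AutoSize
```

Two caveats for anyone using this in a response. First, ADFS keeps these certificates in its configuration database encrypted under a DKM master key stored in Active Directory; an actor who still holds domain controller access, as in the incident CISA describes, can simply read the new keys the same way, so rotation belongs after eviction from AD, not before. Second, every relying party (including any cloud identity tenant federated to this ADFS farm) must be given the new signing certificate via updated federation metadata, or legitimate sign-ins will fail once the old certificate is gone.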


For CISA Acting Director Madhu Gottumukkala, the report “underscores the grave threats posed by the People’s Republic of China that create ongoing cybersecurity exposures and costs to the United States, our allies and the critical infrastructure we all depend on.”

“These state-sponsored actors are not just infiltrating networks - they are embedding themselves to enable long-term access, disruption, and potential sabotage,” he said.

China has been blamed for numerous high-profile cyberattacks against Western countries over the years. It has been accused of targeting telecommunications providers, critical infrastructure, and government entities, with cyber-espionage and potential disruption as the goals. In some cases, the intrusions were planned and carried out years in advance, and were described as groundwork for a possible future conflict over Taiwan.

The country’s representatives, however, have always vehemently denied the accusations, instead describing the US as the world’s biggest “cyber-bully”.

Via The Record
