This is your China Hack Report: Daily US Tech Defense podcast.
China Hack Report: Daily US Tech Defense is your go-to podcast for the latest insights on China-linked cyber activities impacting US interests. Tune in daily to stay informed about newly discovered malware, sectors under attack, and emergency patches. Get expert analysis on official warnings and immediate defensive actions recommended by CISA and other authorities. Stay ahead of cyber threats with our timely updates and strategic insights to safeguard your tech infrastructure.
All content for China Hack Report: Daily US Tech Defense is the property of Inception Point Ai and is served directly from their servers
with no modification, redirects, or rehosting. The podcast is not affiliated with or endorsed by Podjoint in any way.
Alright listeners, I'm Ting, and if you thought the cyber threat landscape was calm lately, buckle up because things just got absolutely wild. Over the past forty-eight hours, the U.S. Cybersecurity and Infrastructure Security Agency, the National Security Agency, and the Canadian Centre for Cyber Security dropped a bombshell report that's got everyone in the defensive trenches working overtime.
Meet Brickstorm, a nightmare-fuel backdoor that's been quietly embedding itself into American networks since at least 2022. According to CISA, NSA, and the Canadian Centre for Cyber Security, this isn't your run-of-the-mill malware. We're talking about sophisticated, Golang-written backdoor code designed specifically to infiltrate VMware vSphere and Windows environments with the surgical precision of a state-sponsored hacker group from the People's Republic of China. According to Nick Andersen, CISA's executive assistant director for cybersecurity, these actors are not just infiltrating networks—they're embedding themselves to enable long-term access, disruption, and potential sabotage.
The scope is staggering. Austin Larsen from Google Threat Intelligence Group estimates dozens of U.S. organizations have been impacted, and that's just what they've managed to identify. Researchers at CrowdStrike have been tracking this activity under the moniker Warp Panda, and they've documented intrusions dating back to at least 2022. The group has deployed Brickstorm alongside two previously unknown Golang implants called Junction and GuestConduit. What makes this particularly insidious is that once inside, these actors maintain persistence for an average of 393 days—that's over a year of unchecked access to your network.
The initial access vector typically comes from compromised internet-facing edge devices and vulnerabilities in VMware vCenter. Warp Panda exploits CVE-2024-38812, CVE-2023-34048, and CVE-2021-22005 in vCenter, along with CVE-2024-21887 and CVE-2023-46805 in Ivanti Connect Secure. Once they're in, they escalate to domain controllers, steal Active Directory databases, and clone virtual machine snapshots to harvest credentials. They've even been observed creating hidden rogue VMs to maintain persistence while evading detection. According to CrowdStrike, these actors are targeting government agencies, IT firms, legal services, technology companies, and manufacturing entities across North America.
What's particularly dangerous is how Brickstorm communicates. It uses DNS-over-HTTPS, nested TLS, and WebSocket protocols for command-and-control operations. Some variants use VSOCK-based communication engineered specifically for virtualized environments. The malware has the ability to automatically reinstall or restart itself through self-monitoring functions, meaning even if you think you've ejected it, it's already planned its triumphant return. According to researchers and CISA officials, the threat actors have leveraged this access to steal configuration data, identity metadata, documents, and emails on topics aligning with China's strategic interests.
So what should defenders be doing right now? CISA has released YARA and SIGMA detection rules in their advisory AR25-338A. Organizations need immediate vulnerability assessment and patching of all VMware vCenter and Ivanti systems. Check your logs for web shell activity, unusual RDP connections, and lateral movement patterns. Monitor for Active Directory dumping and credential theft. And here's the kicker—government agencies are being told to implement immediate detection capabilities for Brickstorm IOCs and report any suspicious activity to CISA without delay.
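As a concrete starting point for two of the hunts mentioned above (servers talking to DNS-over-HTTPS resolvers, and RDP into the hypervisor-management / domain-controller segment from anywhere other than the approved admin hosts), here is an added example script. It is not from the podcast, CISA, or CrowdStrike, and it does not use any Brickstorm IOCs; the log format, the server subnet, the allow-listed jump host and the sample log lines are all constructed for illustration. The list of public DoH resolver hostnames is real, but the assumption that your egress proxy records the TLS SNI is yours to verify.

```python
"""
Added example (not from the podcast or CISA's advisory): a small hunting
script over constructed egress/connection-log lines that flags

  1. hosts in the server segment (vCenter, ESXi, domain controllers) opening
     HTTPS to public DNS-over-HTTPS resolvers, where a DoH-based C2 channel
     would blend in; servers rarely have a legitimate need for this;
  2. RDP (TCP 3389) into the server segment from any source that is not an
     approved admin host, a crude proxy for "unusual RDP / lateral movement".

Log format (ts,src,dst,dport,sni), subnets, hostnames and the allow-list are
assumptions for illustration, not data from any real incident.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Well-known public DoH endpoints. Assumption: the egress proxy logs the SNI
# or Host header, so the resolver name is visible even though port 443 is TLS.
DOH_RESOLVERS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net", "doh.opendns.com"}

# Constructed environment: the segment holding hypervisor management and DCs,
# and the single hypothetical privileged-access workstation allowed to RDP in.
SERVER_NET = ip_network("10.10.0.0/24")
RDP_ADMIN_SOURCES = {ip_address("10.20.0.5")}


@dataclass(frozen=True)
class Conn:
    ts: str
    src: str
    dst: str
    dport: int
    sni: str  # TLS SNI / HTTP Host seen by the proxy; "-" when absent


def parse_line(line: str) -> Conn:
    """Parse one constructed log line of the form ts,src,dst,dport,sni."""
    ts, src, dst, dport, sni = line.strip().split(",")
    return Conn(ts, src, dst, int(dport), sni)


def find_doh_from_servers(conns):
    """Servers in SERVER_NET connecting to a public DoH resolver over 443."""
    return [
        c for c in conns
        if ip_address(c.src) in SERVER_NET
        and c.dport == 443
        and c.sni.lower() in DOH_RESOLVERS
    ]


def find_unexpected_rdp(conns):
    """RDP into SERVER_NET from anything other than the approved admin hosts."""
    return [
        c for c in conns
        if c.dport == 3389
        and ip_address(c.dst) in SERVER_NET
        and ip_address(c.src) not in RDP_ADMIN_SOURCES
    ]


def hunt(log_text: str) -> dict:
    """Run both checks over raw log text and return the hits by category."""
    conns = [parse_line(l) for l in log_text.strip().splitlines() if l.strip()]
    return {"doh_from_servers": find_doh_from_servers(conns),
            "unexpected_rdp": find_unexpected_rdp(conns)}


# Constructed sample: 10.10.0.10 plays the vCenter appliance, 10.10.0.20 a DC,
# 10.20.0.5 the approved jump host, 10.30.0.x ordinary workstations.
SAMPLE_LOG = """
2025-12-05T10:00:01,10.10.0.10,8.8.8.8,443,dns.google
2025-12-05T10:00:02,10.30.0.77,8.8.8.8,443,dns.google
2025-12-05T10:00:03,10.10.0.10,203.0.113.9,443,vcsa-updates.example.net
2025-12-05T10:01:00,10.20.0.5,10.10.0.20,3389,-
2025-12-05T10:01:30,10.10.0.10,10.10.0.20,3389,-
2025-12-05T10:02:00,10.30.0.77,10.30.0.78,3389,-
"""

if __name__ == "__main__":
    for category, hits in hunt(SAMPLE_LOG).items():
        print(f"[{category}] {len(hits)} hit(s)")
        for c in hits:
            print(f"  {c.ts} {c.src} -> {c.dst}:{c.dport} sni={c.sni}")
```

Against the constructed sample, only the vCenter-to-dns.google connection and the vCenter-to-DC RDP session are flagged; the workstation's DoH use and the jump host's RDP are treated as expected. Swap in your own egress and firewall exports and tighten the allow-lists to what your change records actually approve.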
According to Madhu Gottumukkala, CISA's acting director, this situation underscores the grave threats posed by the People's Republic of China that create ongoing cybersecurity exposures and costs to...