Chinese state-sponsored actors deploy Brickworm malware to infiltrate government and IT networks worldwide
Malware targets VMware vSphere and Windows, enabling persistence, file manipulation, and Active Directory compromise
CISA warns of long-term espionage and sabotage risks; China denies accusations, calling the US a “cyber-bully”
Chinese state-sponsored threat actors have been using Brickworm malware against government organizations around the world - maintaining access, exfiltrating files, and eavesdropping.
This is according to a joint report published by the US Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Canadian Centre for Cyber Security. The report outlines how the malware operates based on the analysis of eight samples obtained from victim networks.
The report says the PRC hackers are targeting “government and information technology” organizations, without detailing who the victims are or where they are located. Separately, CrowdStrike said it observed the malware being used against an Asia-Pacific government organization.
Manipulating files
To break into target networks, the threat actors would go for VMware
TPRM report: https://www.rankiteo.com/company/cisa
{
  "id": "cis1764943192",
  "linkid": "cisa",
  "type": "Cyber Attack",
  "date": "2025-12-05T00:00:00.000Z",
  "severity": "100",
  "impact": "8",
  "explanation": "Attack that could bring to a war"
}
{
    'incident': {
        'affected_entities': [
            {
                'customers_affected': None,
                'industry': ['Government', 'IT'],
                'location': ['Asia-Pacific', 'Worldwide'],
                'name': None,
                'size': None,
                'type': ['Government', 'Information Technology'],
            }
        ],
        'attack_vector': 'VMware vSphere and Windows exploitation',
        'data_breach': {
            'data_encryption': None,
            'data_exfiltration': 'Yes',
            'file_types_exposed': None,
            'number_of_records_exposed': None,
            'personally_identifiable_information': None,
            'sensitivity_of_data': 'High (government and IT networks)',
            'type_of_data_compromised': 'Files, eavesdropping data',
        },
        'description': 'Chinese state-sponsored threat actors have been using Brickworm malware against government organizations around the world - maintaining access, exfiltrating files, and eavesdropping. The malware targets VMware vSphere and Windows, enabling persistence, file manipulation, and Active Directory compromise. CISA warns of long-term espionage and sabotage risks.',
        'impact': {
            'brand_reputation_impact': None,
            'conversion_rate_impact': None,
            'customer_complaints': None,
            'data_compromised': 'Files exfiltrated, eavesdropping',
            'downtime': None,
            'financial_loss': None,
            'identity_theft_risk': None,
            'legal_liabilities': None,
            'operational_impact': 'Long-term network persistence',
            'payment_information_risk': None,
            'revenue_loss': None,
            'systems_affected': ['VMware vSphere', 'Windows', 'Active Directory'],
        },
        'initial_access_broker': {
            'backdoors_established': None,
            'data_sold_on_dark_web': None,
            'entry_point': None,
            'high_value_targets': None,
            'reconnaissance_period': None,
        },
        'motivation': ['Espionage', 'Sabotage'],
        'post_incident_analysis': {
            'corrective_actions': None,
            'root_causes': None,
        },
        'ransomware': {
            'data_encryption': None,
            'data_exfiltration': None,
            'ransom_demanded': None,
            'ransom_paid': None,
            'ransomware_strain': None,
        },
        'references': [
            {
                'date_accessed': None,
                'source': 'CISA, NSA, Canadian Centre for Cyber Security',
                'url': None,
            },
            {
                'date_accessed': None,
                'source': 'Crowdstrike',
                'url': None,
            },
        ],
        'regulatory_compliance': {
            'fines_imposed': None,
            'legal_actions': None,
            'regulations_violated': None,
            'regulatory_notifications': None,
        },
        'response': {
            'adaptive_behavioral_waf': None,
            'communication_strategy': None,
            'containment_measures': None,
            'enhanced_monitoring': None,
            'incident_response_plan_activated': None,
            'law_enforcement_notified': None,
            'network_segmentation': None,
            'on_demand_scrubbing_services': None,
            'recovery_measures': None,
            'remediation_measures': None,
            'third_party_assistance': None,
        },
        'threat_actor': 'Chinese state-sponsored actors',
        'title': 'Chinese State-Sponsored Actors Deploy Brickworm Malware to Infiltrate Government and IT Networks Worldwide',
        'type': 'Malware Attack',
    }
}