Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech and Legal Sectors
ID: 5dfb9697-8f16-5453-b33d-2070fc8b7083
STIX ID: report--5dfb9697-8f16-5453-b33d-2070fc8b7083
Feed Name: Threat Intelligence
This report provides operational hunting and detection guidance for BRICKSTORM, a backdoor used to compromise network appliances and VMware infrastructure. It details attacker TTPs, such as unusual outbound Internet traffic from appliance management IPs, use of DNS over HTTPS (DoH), network logins to Windows systems, cloning of sensitive VMs, creation and removal of local vCenter accounts, and bulk Microsoft 365 (M365) mailbox access via enterprise applications. It also recommends log sources, YARA scanning of backups, and forensic artifacts (e.g., Windows User Access Logging (UAL), Shellbags, vCenter VPXD logs) to investigate and confirm compromises.
