Intel Name: Brickstorm backdoor
Date of Scan: December 5, 2025
Impact: High
Summary: BRICKSTORM is an advanced backdoor targeting VMware vSphere, including vCenter servers and ESXi hosts, as well as Windows systems. The actors focused on compromising VMware vSphere platforms. After gaining access, they used the vCenter console to steal VM snapshots for credential harvesting and to create hidden rogue VMs. They also infiltrated two domain controllers and an ADFS server; the ADFS server was fully compromised, allowing them to export its cryptographic keys. BRICKSTORM gave the actors persistent access from April 2024 through at least September 3, 2025.