BRICKSTORM is a Go backdoor (with SOCKS proxying) deployed preferentially on Linux/BSD network and edge appliances that often lack EDR coverage. Attackers favor devices like VMware vCenter/ESXi as pivot points, using valid credentials harvested from appliances to move laterally. Observed variants show active development (e.g., Garble obfuscation, updated wssoft library, delayed beaconing), DNS-over-HTTPS for C2 resolution, and hosting via Cloudflare Workers/Heroku with no reuse of C2 domains across victims. Deployments are camouflaged to blend with host processes and persist by modifying init.d, rc.local, or systemd startup paths.
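Because the persistence mechanisms named above (rc.local, init.d scripts, systemd units) are plain files on the appliance, they can be audited offline from a mounted image or a support bundle. The following is an added example written for this page, not code from the original summary or from the BRICKSTORM report. It assumes two heuristics that are not stated on the page: a startup entry that launches a binary from a user- or world-writable location (the SUSPECT_PREFIXES list) or whose target binary is itself world-writable deserves review. The sample filesystem in build_fixture() is constructed for the demonstration; the file names in it (for example vmware-updt) are invented and are not indicators from the report.

```python
"""Offline audit of Linux persistence paths for startup entries that
launch from writable locations or point at world-writable binaries.
Added example; the heuristics and sample data are assumptions."""
import re
import stat
import tempfile
from pathlib import Path

# Assumption: legitimate startup entries rarely launch from these locations.
SUSPECT_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/", "/var/log/")
# systemd keys whose values name an executable to run.
EXEC_KEYS = ("ExecStart", "ExecStartPre", "ExecStartPost", "ExecReload")
# Absolute paths in a line; the lookbehind avoids re-matching path suffixes.
ABS_PATH = re.compile(r"(?<![\w/.-])/[\w./-]+")


def _check_path(root, p):
    """Return a reason string if path p looks suspicious, else None."""
    if p.startswith(SUSPECT_PREFIXES):
        return f"launches from writable location {p}"
    real = Path(root) / p.lstrip("/")      # resolve against the mounted image
    try:
        mode = real.stat().st_mode
    except OSError:                         # target absent in the image: no opinion
        return None
    if mode & stat.S_IWOTH:
        return f"target {p} is world-writable"
    return None


def _scan_lines(root, path, selector):
    """Run selector() over each line; report suspicious paths it yields."""
    findings = []
    for lineno, raw in enumerate(path.read_text(errors="replace").splitlines(), 1):
        for p in ABS_PATH.findall(selector(raw) or ""):
            reason = _check_path(root, p)
            if reason:
                findings.append((str(path.relative_to(root)), lineno, reason))
    return findings


def _shell_line(raw):
    """Shell scripts: every non-blank, non-comment line can launch something."""
    line = raw.strip()
    return None if (not line or line.startswith("#")) else line


def _unit_exec_line(raw):
    """systemd units: only Exec* directives launch something."""
    key, _, value = raw.partition("=")
    return value if key.strip() in EXEC_KEYS else None


def audit_persistence(root="/"):
    """Return (relative file, line number, reason) tuples for root's startup paths."""
    root = Path(root)
    findings = []
    rc_local = root / "etc/rc.local"
    if rc_local.is_file():
        findings += _scan_lines(root, rc_local, _shell_line)
    init_d = root / "etc/init.d"
    if init_d.is_dir():
        for f in sorted(p for p in init_d.iterdir() if p.is_file()):
            findings += _scan_lines(root, f, _shell_line)
    for rel in ("etc/systemd/system", "lib/systemd/system", "usr/lib/systemd/system"):
        d = root / rel
        if d.is_dir():
            for f in sorted(d.glob("*.service")):
                findings += _scan_lines(root, f, _unit_exec_line)
    return findings


def build_fixture():
    """Constructed sample image: benign entries plus two that should be flagged."""
    root = Path(tempfile.mkdtemp(prefix="persist-audit-"))
    for d in ("etc/init.d", "etc/systemd/system", "var/tmp/.cache", "usr/local/bin"):
        (root / d).mkdir(parents=True)
    (root / "etc/rc.local").write_text(
        "#!/bin/sh\n/usr/sbin/ntpd -g\n"
        "nohup /var/tmp/.cache/vmware-updt >/dev/null 2>&1 &\nexit 0\n")
    (root / "etc/init.d/cron").write_text("#!/bin/sh\n/usr/sbin/cron\n")
    helper = root / "usr/local/bin/helper"
    helper.write_text("#!/bin/sh\n")
    helper.chmod(0o777)                     # world-writable executable (constructed)
    (root / "etc/systemd/system/helper.service").write_text(
        "[Service]\nExecStart=/usr/local/bin/helper --daemon\n"
        "[Install]\nWantedBy=multi-user.target\n")
    return root


if __name__ == "__main__":
    for finding in audit_persistence(build_fixture()):
        print(*finding)
```

Point audit_persistence() at the mount point of an appliance image (or at "/" on a live host) rather than at the fixture; the two heuristics are deliberately narrow, so a clean result does not rule out an entry that blends in by using a plausible name under a system directory, which is why the report's own indicators should still be applied alongside this check.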
Privilege escalation and credential access were enabled via BRICKSTEAL (an in-memory Tomcat Servlet Filter hooking vCenter SSO URIs to capture credentials) and SLAYSTYLE (a JSP web shell). Operators cloned sensitive Windows VMs (e.g., DCs, IdP, vaults) from vCenter to exfiltrate files without booting the clones, then removed artifacts. Email collection leveraged Entra ID enterprise apps with mail.read or full_access_as_app scopes, accessed via commercial VPNs and an obfuscation network.