
CISA Updates BRICKSTORM Backdoor Malware Analysis with Rust-Based Samples and IOCs

Source: CISA Cybersecurity Advisories

CISA, NSA, and Canadian Centre for Cyber Security release expanded BRICKSTORM backdoor report with Rust-based variants, new IOCs, and detection signatures.

CISA and Partners Expand BRICKSTORM Backdoor Analysis with Rust-Based Variants

The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the National Security Agency (NSA) and the Canadian Centre for Cyber Security, has released an updated Malware Analysis Report (AR25-338A) for the BRICKSTORM backdoor. The update includes new indicators of compromise (IOCs), detection signatures, and analysis of additional samples, including Rust-based variants of the malware.

Key Updates and Technical Details

The revised report provides security teams with critical insights into the evolving threat posed by BRICKSTORM, a backdoor previously associated with advanced persistent threat (APT) activity. Key additions to the analysis include:

  • Rust-based malware samples: The inclusion of Rust-language variants suggests adversaries are adopting newer programming languages to evade detection and complicate reverse engineering.
  • Expanded IOCs: Updated hashes, IP addresses, domains, and other artifacts to aid in threat hunting and incident response.
  • Detection signatures: YARA rules and other signatures to improve identification of BRICKSTORM-related activity across networks.

While the original report did not specify the threat actor behind BRICKSTORM, the malware’s sophistication aligns with tactics used by state-sponsored groups targeting critical infrastructure, government, and private-sector organizations.

Impact and Mitigation

The BRICKSTORM backdoor enables persistent access, command-and-control (C2) communications, and data exfiltration, posing significant risks to affected systems. Organizations are urged to:

  • Review the updated IOCs and integrate them into security monitoring tools.
  • Deploy provided detection signatures to identify potential compromises.
  • Conduct threat hunts for signs of BRICKSTORM activity, particularly in high-value environments.
  • Prioritize patching of known vulnerabilities exploited by the malware (if applicable).

Next Steps for Security Teams

CISA and its partners continue to monitor BRICKSTORM’s evolution and encourage organizations to report related incidents via the CISA Incident Reporting System. The updated report serves as a resource for defenders to harden systems against this persistent threat.

For full technical details, access the complete Malware Analysis Report (AR25-338A).
