ESXi

VMware's bare-metal hypervisor, deployed on enterprise servers; a primary target of the UNC5221 BRICKSTORM backdoor, whose intrusions averaged 393 days of dwell time.

Last refreshed: 17 April 2026

Key Question

Why can't enterprise security tools see BRICKSTORM on VMware ESXi servers?

Common Questions
Why is VMware ESXi a target for state-sponsored hackers?
ESXi hosts the virtual machines of an enterprise data centre, domain controllers included. Standard endpoint detection tools cannot instrument ESXi's hypervisor kernel, which makes the host an ideal home for a persistent backdoor such as BRICKSTORM, which Mandiant documented with a 393-day average dwell time. Source: Mandiant M-Trends 2026

Background

VMware ESXi, the bare-metal hypervisor widely deployed in enterprise data centres, was one of the primary targets of the BRICKSTORM backdoor deployed by UNC5221, per Mandiant's M-Trends 2026 report. BRICKSTORM was found on ESXi hosts, on VMware vCenter, and on Linux and BSD appliances, and it sustained a 393-day average dwell time across the observed intrusions because all of these platforms sit outside what standard endpoint detection tools can instrument.

ESXi is the foundation of VMware's virtualisation stack, hosting virtual machines including domain-controller VMs. An implant with root on an ESXi host can read every guest's virtual disks from the datastore without ever touching the guest operating system or any agent inside it, and Mandiant's report documented exactly that use: domain-controller VMs were cloned from the ESXi layer so that credentials could be extracted offline. The companion servlet filter BRICKSTEAL captures credentials presented to vCenter over HTTP Basic Authentication, at the same infrastructure layer.

For enterprise security teams, ESXi's traditional exclusion from endpoint detection and response coverage is the specific gap BRICKSTORM exploits. Most EDR products are built for Windows and Linux endpoints; ESXi runs VMware's proprietary VMkernel, which does not accept the in-kernel agents those products rely on (VMFS, sometimes confused with the kernel, is the datastore file system). What the host does provide is its own telemetry: hostd, vobd, shell and auth logs that can be forwarded over syslog, and esxcli views of running processes and configuration. Where that telemetry is not collected and reviewed, the coverage gap is total, and the 393-day average dwell time is its direct cost.
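The two points above, that a host-level implant can copy a domain controller's disks without touching the guest, and that ESXi's own logs are the only telemetry available where no agent can run, are illustrated by the following detector. It is an added example written for this page, not code from Mandiant, VMware or the site, and it runs offline over constructed shell.log and hostd.log lines, flagging disk-copy activity and rating it high when the disk belongs to a watchlisted VM. The log line shapes, the haTask naming, the object ids, the watchlist and every sample line are assumptions made for the example and are not taken from the page.

```python
"""Flag ESXi log lines consistent with cloning a sensitive guest's disks.

Added example for this page, not Mandiant's or VMware's tooling.
Assumptions (not from the page):
  * shell.log records interactive commands as
        <ts> shell[<pid>]: [<user>]: <command>
  * hostd.log task starts carry 'Task Created : haTask-<obj>-<vim.op>-<n>';
    the surrounding fields are ignored, so extra fields do not break parsing
  * the operator supplies a watchlist mapping VM name -> hostd object id
"""
import re
from dataclasses import dataclass

SHELL_RE = re.compile(
    r"^(?P<ts>\S+) shell\[\d+\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.+)$")
HOSTD_TASK_RE = re.compile(
    r"^(?P<ts>\S+) .*Task Created : haTask-(?P<obj>.+?)-(?P<op>vim\.[\w.]+)-\d+")

# API operations that produce an offline copy of a guest disk.
CLONE_OPS = {"vim.VirtualMachine.clone", "vim.VirtualDiskManager.copyVirtualDisk"}
# 'vmkfstools -i' clones a VMDK; cp/tar of a .vmdk copies it outside the API.
CLONE_CMD_RE = re.compile(
    r"\bvmkfstools\b.*\s(-i|--clonevirtualdisk)\b|\b(cp|tar)\b.*\.vmdk\b")


@dataclass(frozen=True)
class Finding:
    ts: str
    source: str      # which ESXi log the line came from
    severity: str    # "high" for a watchlisted VM, "info" otherwise
    detail: str      # the command or task that triggered the finding


def scan(lines, watchlist):
    """Return Findings for disk-copy activity; watchlist maps VM name -> hostd id."""
    names = {n.lower() for n in watchlist}
    ids = set(watchlist.values())
    findings = []
    for line in lines:
        m = SHELL_RE.match(line)
        if m:
            cmd = m.group("cmd")
            if CLONE_CMD_RE.search(cmd):
                hit = any(n in cmd.lower() for n in names)
                findings.append(Finding(m.group("ts"), "shell.log",
                                        "high" if hit else "info", cmd))
            continue
        m = HOSTD_TASK_RE.match(line)
        if m and m.group("op") in CLONE_OPS:
            hit = m.group("obj") in ids
            findings.append(Finding(m.group("ts"), "hostd.log",
                                    "high" if hit else "info",
                                    f"{m.group('op')} on object {m.group('obj')}"))
    return findings


# Constructed sample lines in the assumed formats; not real host output.
SAMPLE_LOG = """\
2026-03-02T01:12:41Z shell[20311]: [root]: esxcli network ip interface list
2026-03-02T01:14:09Z shell[20311]: [root]: vmkfstools -i /vmfs/volumes/ds1/DC01/DC01.vmdk /vmfs/volumes/ds1/.tmp/dc.vmdk
2026-03-02T01:15:30Z shell[20311]: [root]: tar czf /vmfs/volumes/ds1/.tmp/web.tgz /vmfs/volumes/ds1/WEB01/WEB01-flat.vmdk
2026-03-02T01:20:02.417Z info hostd[2098761] [Originator@6876 sub=Vimsvc.TaskManager opID=k9f2a1] Task Created : haTask-12-vim.VirtualMachine.clone-4410
2026-03-02T01:21:55.003Z info hostd[2098761] [Originator@6876 sub=Vimsvc.TaskManager opID=k9f2a2] Task Created : haTask-31-vim.VirtualMachine.powerOn-4411
"""

# Hypothetical watchlist: domain controller DC01 is hostd object 12.
WATCHLIST = {"DC01": "12"}


def demo():
    """Run the scanner over the constructed sample; three findings, two high."""
    return scan(SAMPLE_LOG.splitlines(), WATCHLIST)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.severity:4} {f.ts} {f.source}: {f.detail}")
```

The design point is that neither signal needs anything inside the guest: the vmkfstools and tar commands are visible only in the host's shell log, and the clone task only in hostd, so both logs have to leave the host over syslog before an attacker with root can edit them. The powerOn task and the esxcli command are deliberately left unflagged, and a copy of a non-watchlisted disk is rated info rather than high, so that the high tier stays meaningful on a busy host.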