
VMware vCenter
VMware's virtualisation management platform, targeted by UNC5221 with the BRICKSTORM backdoor; the companion BRICKSTEAL servlet filter captures HTTP Basic Authentication credentials submitted to vCenter, and domain-controller VMs cloned from the ESXi layer are used for offline credential extraction.
Last refreshed: 8 May 2026
How did Chinese hackers get root access to thousands of company servers via one VMware login?
Timeline for VMware vCenter
- RansomHouse posts Trellix internal screenshots as extortion leverage
- Mentioned in: CL-STA-1132 exploited PAN-OS since 16 April, log destruction confirmed
- BRICKSTORM dwell hits 393 days, Mandiant
- What is VMware vCenter and why are hackers targeting it?
- VMware vCenter is the management platform for virtualised infrastructure, giving admins control over every ESXi host and virtual machine in an estate. UNC5221 deployed the BRICKSTORM backdoor and the BRICKSTEAL credential-capture filter on vCenter as part of a campaign with a 393-day average dwell time. Source: Mandiant M-Trends 2026
- What is the BRICKSTORM malware targeting VMware?
- BRICKSTORM is a backdoor deployed by UNC5221 on VMware vCenter servers. It works alongside BRICKSTEAL, a servlet filter that captures HTTP Basic Authentication credentials as they are submitted to vCenter. Together they enable persistent, undetected access, with a documented 393-day average dwell time. Source: Mandiant M-Trends 2026
- How do you detect BRICKSTORM on VMware vCenter?
- Key detection controls include: disabling HTTP Basic Authentication on vCenter; ingesting vCenter logs into a SIEM with tamper-evidence; monitoring for unexpected snapshots or clones of domain-controller VMs at the ESXi layer; and checking vCenter's web application configuration for servlet filter registrations that are not part of the shipped build. NCSC and CISA advisories specify these controls for CNI operators. Source: CISA / NCSC
Background
VMware vCenter is the centralised management platform for VMware virtualisation infrastructure and a primary target for the BRICKSTORM backdoor deployed by UNC5221, per Mandiant's M-Trends 2026 report. A companion servlet filter called BRICKSTEAL captures HTTP Basic Authentication credentials submitted to vCenter, while domain-controller virtual machines are cloned from the ESXi layer for offline credential extraction. BRICKSTORM operates with a 393-day average dwell time across observed intrusions.
vCenter Server is the management plane for all VMware vSphere environments, providing oversight of every ESXi host and virtual machine in an infrastructure. Administrative access to vCenter is effectively root on every guest VM and hypervisor in the estate: a vCenter admin can open a console to, snapshot, clone and mount the disks of any guest, and manage every ESXi host, without ever holding a guest credential. BRICKSTORM's targeting of vCenter reflects the same control-plane logic as Handala's Intune attack on Stryker: maximum-privilege access achieved via a single control-plane credential, with blast radius across the entire virtualised infrastructure.
For enterprise virtualisation and security teams, vCenter's inclusion in the BRICKSTORM campaign creates specific audit obligations: HTTP Basic Authentication on vCenter should be disabled or restricted; vCenter logs must be forwarded off the appliance into the SIEM with tamper-evidence, since an attacker with root on vCenter can otherwise erase the local record; domain-controller VMs should be identified and protected against live cloning and ad hoc snapshots; and any servlet filter registered in vCenter's web application that is not part of the shipped build should be treated as suspect. CISA and NCSC have both cited these controls in CNI advisory guidance.