
VMware vCenter
VMware's virtualisation management platform targeted by UNC5221 BRICKSTORM; BRICKSTEAL companion captures vCenter HTTP credentials for offline credential extraction.
Last refreshed: 8 May 2026 · Appears in 1 active topic
How did Chinese hackers get root access to thousands of company servers via one VMware login?
Timeline for VMware vCenter
RansomHouse posts Trellix internal screenshots as extortion leverage
Cybersecurity: Threats and DefencesMentioned in: CL-STA-1132 exploited PAN-OS since 16 April, log destruction confirmed
Cybersecurity: Threats and DefencesBRICKSTORM dwell hits 393 days, Mandiant
Cybersecurity: Threats and DefencesWhat is VMware vCenter and why are hackers targeting it?
What is the BRICKSTORM malware targeting VMware?
How do you detect BRICKSTORM on VMware vCenter?
Background
VMware vCenter is the centralised management platform for VMware virtualisation infrastructure and a primary target for the BRICKSTORM backdoor deployed by UNC5221, per Mandiant's M-Trends 2026 report. A companion servlet filter called BRICKSTEAL captures HTTP Basic Authentication credentials submitted to vCenter, while domain-controller virtual machines are cloned from the ESXi layer for offline credential extraction. BRICKSTORM operates with a 393-day average dwell time across observed intrusions.
vCenter Server is the management plane for all VMware vSphere environments, providing oversight of every ESXi host and virtual machine in an infrastructure. Administrative access to vCenter is equivalent to root access on every guest VM and hypervisor in the estate. BRICKSTORM's targeting of vCenter reflects the same control-plane logic as Handala's Intune attack on Stryker: maximum-privilege access achieved via a single control-plane credential, with blast radius across the entire virtualised infrastructure.
For enterprise virtualisation and security teams, vCenter's inclusion in the BRICKSTORM campaign creates specific audit obligations: HTTP Basic Authentication on vCenter should be disabled or restricted; vCenter logs must be ingested into the SIEM with tamper-evidence; and domain-controller VMs should be identified and protected against live cloning. CISA and NCSC have both cited these controls in CNI advisory guidance.