December 2025

BrickStorm Malware: A New Threat Targeting U.S. Entities

A recently uncovered cyber campaign has revealed that a China-linked threat actor is deploying a sophisticated malware strain known as BrickStorm against U.S. organizations. This operation underscores the growing complexity of nation-state cyberattacks and the urgent need for robust defense strategies (CISA.gov, 2025).

Key Characteristics

BrickStorm exhibits stealth and persistence, designed to evade detection and maintain long-term access. Its modular architecture allows attackers to deploy additional payloads for espionage or data exfiltration. Critical infrastructure and government-related entities are among the primary targets (CISA.gov, 2025).

Attack Vectors

Infections typically begin with spear-phishing or exploitation of unpatched vulnerabilities. Once inside, BrickStorm establishes command-and-control channels to exfiltrate sensitive data (CISA.gov, 2025).

CISA analyzed eight BRICKSTORM samples from victim organizations, including one where an incident response engagement revealed PRC actors had maintained persistent access from April 2024 to September 2025. Attackers compromised a VMware vCenter server, two domain controllers, and an Active Directory Federation Services (ADFS) server, exfiltrating cryptographic keys and exporting credentials (CISA.gov, 2025).

Initial access was achieved via a web shell on a DMZ web server, followed by lateral movement using Remote Desktop Protocol (RDP) and Server Message Block (SMB). Attackers escalated privileges with sudo, deployed BRICKSTORM in /etc/sysconfig/, and altered boot scripts to ensure persistence (CISA.gov, 2025).
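One host-level triage check for the persistence pattern just described (an executable dropped into /etc/sysconfig/ and altered boot scripts), written as an added example rather than anything from CISA's advisory; the boot-script paths and the 30-day modification window are assumptions:

```python
"""Triage check for the persistence pattern above: an ELF binary dropped in
/etc/sysconfig/ (normally text config only) plus a recently modified boot
script. Added example; paths and the 30-day window are assumptions."""
import os
import tempfile
import time

ELF_MAGIC = b"\x7fELF"
BOOT_SCRIPTS = ("etc/rc.d/rc.local", "etc/rc.local")  # assumed locations

def is_elf(path):
    try:  # True if the file begins with the ELF magic bytes
        with open(path, "rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:
        return False

def scan_persistence(root="/", recent_days=30):
    """Return (finding, path) tuples; `root` allows scanning a mounted image
    or a constructed tree rather than the live host."""
    findings = []
    sysconfig = os.path.join(root, "etc", "sysconfig")
    if os.path.isdir(sysconfig):
        for name in sorted(os.listdir(sysconfig)):
            path = os.path.join(sysconfig, name)
            if os.path.isfile(path) and is_elf(path):
                findings.append(("elf-in-sysconfig", path))
    for rel in BOOT_SCRIPTS:
        path = os.path.join(root, rel)
        if os.path.isfile(path):
            age_days = (time.time() - os.stat(path).st_mtime) / 86400
            if age_days < recent_days:
                findings.append(("recently-modified-boot-script", path))
    return findings

def build_sample_tree():
    """Constructed tree mimicking the pattern; contains no real malware."""
    root = tempfile.mkdtemp()
    files = {
        "etc/sysconfig/network": b"NETWORKING=yes\n",         # benign config
        "etc/sysconfig/sample.bin": ELF_MAGIC + b"\x00" * 12,  # fake ELF header
        "etc/rc.d/rc.local": b"#!/bin/sh\n/etc/sysconfig/sample.bin &\n",
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root
```

Run `scan_persistence()` with no arguments on a live host, or pass the mount point of a disk image to review it offline; any finding is a lead for forensic review, not a verdict on its own.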

Implications and Recommendations

The ability to steal VM snapshots, extract credentials, and create rogue virtual machines poses severe risks to enterprise environments. BRICKSTORM’s advanced evasion techniques and modular architecture make it a formidable tool for long-term espionage and disruption (CISA.gov, 2025).

The emergence of BrickStorm highlights the importance of patch management, threat intelligence, and incident response readiness. Recommended actions include deploying advanced EDR tools, conducting phishing awareness training, and implementing network segmentation to limit lateral movement (CISA.gov, 2025).

2025: The Year Cybersecurity Systems Broke

The year 2025 marked a turning point in global cybersecurity, as digital infrastructures faced unprecedented disruptions. A Forbes report (Sayegh, 2025) describes 2025 as “the year cybersecurity systems finally broke,” with critical infrastructure outages, major cloud failures, and escalating nation-state cyber activity exposing the fragility of digital systems. The longest U.S. government shutdown in history further compounded vulnerabilities, leaving organizations exposed and reactive.

Major Incidents and Trends

Critical infrastructure outages affected energy grids, telecoms, and supply chains, disrupting daily life and commerce (CRN, 2025). For example, United Natural Foods Inc. suffered a cyberattack that crippled food distribution, highlighting the risks to supply chains. Cloud providers also faced significant outages and breaches, with attackers exploiting misconfigurations and unpatched vulnerabilities.

Nation-state activity intensified, with groups such as “Salt Typhoon” targeting U.S. government and telecoms, while Russian-linked attacks hit Ukraine’s state registers (Boston Institute of Analytics, 2025). The focus of attacks shifted towards identity data—biometrics, credentials, and deepfakes—rather than traditional network breaches.

AI-driven threats surged, with Deepstrike.io reporting a 1,265% increase in phishing volume and a 442% rise in voice phishing, fueled by generative AI. Attackers leveraged AI to automate reconnaissance and craft convincing scams (Deepstrike.io, 2025).

Regulatory Shifts and Accountability

November 2025 saw the U.S. federal government begin enforcing the Cybersecurity Maturity Model Certification (CMMC), making cybersecurity compliance mandatory for organizations handling federal data or critical infrastructure. Penalties for non-compliance are rising, and the era of optional cybersecurity is over (Sayegh, 2025).

Lessons Learned and Strategic Imperatives

  1. Zero Trust Is Essential: Organizations are rapidly adopting zero-trust architectures, requiring continuous verification of users and devices (Cybersecurity News, 2025).

  2. Incident Response and Cloud Security: Proactive incident response and unified cloud security platforms are critical. IBM’s Cost of a Data Breach Report shows organizations with mature IR plans have 40% lower breach costs (IBM, 2025).

  3. Identity Security: Multi-layered identity verification, biometric checks, and liveness detection are now vital (Regula, 2025).

  4. AI for Defense: While attackers weaponize AI, defenders are using it to slash breach containment times and filter false positives.

Looking Ahead to 2026

The pressure will intensify. As Sayegh (2025) notes, “The era of accountability has begun.” Organizations must invest in automation, AI-driven defense, and compliance. The gap between cyber-mature and vulnerable organizations will widen, especially in healthcare, manufacturing, and critical infrastructure.

2025 exposed the limits of legacy cybersecurity. The future demands resilience, continuous improvement, and a shift from reactive to proactive defense. The winners will be those who embrace zero trust, automate incident response, and treat identity as the new perimeter.

Why Cybersecurity Threats Can Increase During the Holidays

The holiday season often sees reduced staffing, especially within IT and security teams, leading to slower detection and response to threats. Meanwhile, online shopping and digital communications surge, creating ample opportunity for cybercriminals (Yeleswarapu, 2021; Heroic Technologies, 2024).

Common Holiday Cybersecurity Threats

Plan for the threats that most commonly affect organizations over the holiday period (Yeleswarapu, 2021):

  • Phishing and Spoofing: Attackers frequently craft festive-themed emails—such as faux shipping notifications or gift-card offers—to steal credentials.

  • Ransomware: With defenders distracted or understaffed, ransomware actors exploit the lull to encrypt data and demand payment.

  • Social Engineering: Scammers leverage fake charity appeals, holiday contests, or gift-giving schemes to mislead users.

Strengthening Security Posture

Incident Response Plan (IRP) Review & Enhancement

A holiday-ready IRP should cover the following phases (Heroic Technologies, 2024):

  • Preparation: Define roles, responsibilities, and off-hours contacts. Conduct rehearsals to detect holiday-specific threats.

  • Detection & Analysis: Leverage automated monitoring tools to flag anomalies.

  • Containment & Eradication: Quickly isolate affected systems and neutralize threats.

  • Recovery: Restore normal operations with validated backups and controls.

  • Post-Incident Review: Analyze root causes, update protocols, and integrate learned insights.

Employee Training & Awareness

Conduct refresher training emphasizing holiday-themed threats such as phishing and social engineering. Simulations of festive-themed attacks can help maintain vigilance (Heroic Technologies, 2024).

Automated Security Monitoring

Deploy AI-driven, 24/7 monitoring systems that detect suspicious behaviour and can auto-initiate containment measures. This reduces reliance on potentially limited human resources during the holidays (Heroic Technologies, 2024).

Communication Protocols

Establish well-defined incident reporting channels and escalation procedures. Maintain an on-call roster to ensure swift response even with distributed teams (Heroic Technologies, 2024).

Post-Holiday Reflection & Hardening

Once the holidays conclude, conduct a post-incident review, update IRPs based on new intelligence, and retrain staff using real-world examples. This iterative cycle fosters continuous hardening of cybersecurity posture (Yeleswarapu, 2021).
