Pulse: BRICKSTORM Backdoor
TLP: WHITE | Author: PetrP.73 | Created: 2025-12-29 | Modified: 2026-01-28
49 IOCs
BRICKSTORM is a backdoor used by state-sponsored cyber actors from the People's Republic of China (PRC) to maintain long-term access to victim systems. The Cybersecurity and Infrastructure Security Agency (CISA) and its partner organizations have published detailed analyses of multiple samples. The malware is a custom Executable and Linkable Format (ELF) backdoor written predominantly in Go; the analysis was updated with additional samples by late December 2025. The initial access vector was a web server in the victim's demilitarized zone (DMZ), on which the attackers deployed a web shell (MITRE ATT&CK T1505.003) to gain a foothold in the organization. They then escalated privileges using the sudo command (T1548.003) and established persistence by placing the malware in the system's /etc/sysconfig/ directory and configuring the init file so that the malware runs at system boot.
Indicators of Compromise (4 / 49 total)

TYPE  INDICATOR                           DESCRIPTION                                                       CREATED
URL   https://149.112.112.112/dns-query                                                                     2025-12-29
URL   https://45.90.28.160/dns-query                                                                        2025-12-29
URL   https://45.90.30.160/dns-query      01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b  2025-12-29
URL   https://9.9.9.11/dns-query                                                                            2025-12-29