Content provided by SafeBreach.

In Episode 33 of The Cyber Resilience Brief, hosts Tova Dvorin and Adrian Culley revisit the BRICKSTORM threat—this time through the lens of the new CISA, NSA, and Canadian Cyber Centre joint advisory. While Episode 24 explored BRICKSTORM’s origin, stealth techniques, and UNC5221’s long-term espionage campaign, this episode focuses on what’s changed, and why BRICKSTORM remains a critical concern for defenders in 2025 and into 2026.

Tova and Adrian break down the advisory’s latest findings, including expanded targeting of government and IT sectors, advanced persistence mechanisms, and new insights into how attackers leverage VMware environments to maintain full, covert control of compromised systems.

The conversation underscores a central message: these tactics aren’t static. BRICKSTORM is evolving, and organizations must evolve their defenses too. That means shifting from occasional checks to continuous validation, embracing Breach and Attack Simulation (BAS), and operationalizing threat exposure management to match the pace of modern threat actors.

What’s New in This Episode
  • Key updates from the CISA/NSA/CCCS advisory on BRICKSTORM
  • Evolving persistence and communication-hiding techniques
  • How attackers continue to exploit VMware and web-facing infrastructure
  • Why high-value organizations remain prime targets
  • The growing need for continuous, proactive security validation
  • How BAS helps validate Zero Trust and uncover blind spots before adversaries do

For more information on SafeBreach's BRICKSTORM coverage, read our blog.
