Suspected Chinese hackers have used the Brickstorm malware in long-term persistence espionage operations against U.S. organizations in the technology and legal sectors.
Brickstorm is a Go-based backdoor documented by Google in April 2024 following China-related intrusions that spawned from various edge devices and remained undetected in the victim environment for more than a year, on average.
The malware served as a web server, file manipulation tool, dropper, SOCKS relay, and shell command execution tool.
According to Google Threat Intelligence Group (GTIG), the attackers used Brickstorm to silently siphon data from their victims’ networks for an average dwell time of 393 days before being detected.
The researchers confirmed compromised organizations in the legal and technology sectors, software-as-a-service (SaaS) providers, and also Business Process Outsourcers (BPOs).
Google notes that compromising such entities could help a threat actor develop zero-day exploits and extend the attack to downstream victims, especially those not protected by endpoint detection and response (EDR) solutions.
The researchers attributed these attacks to the UNC5221 activity cluster, notorious for exploiting Ivanti zero-days to attack government agencies with custom malware like Spawnant and Zipline.
Brickstorm activity
Due to the long dwell time on victim systems and UNC5221’s use of anti-forensics scripts to obscure the entry path, GTIG could not confidently determine the initial access vector, but the researchers believe exploitation of zero-days in edge devices is involved.
Brickstorm is deployed on appliances that don’t support EDR, including VMware vCenter/ESXi endpoints, where it establishes communication with the command and control (C2) while masquerading the exchange as Cloudflare, Heroku, and other legitimate traffic.
After establishing a foothold, the attacker tried to escalate privileges using a malicious Java Servlet Filter (Bricksteal) on vCenter to capture credentials, as well as cloning Windows Server VMs to extract secrets.
The stolen credentials are then used for lateral movement and persistence, which includes enabling SSH on ESXi and modifying init.d and systemd startup scripts.
Brickstorm’s primary operational objective is to exfiltrate emails via Microsoft Entra ID Enterprise Apps, utilizing its SOCKS proxy to tunnel into internal systems and code repositories, maintaining a high level of stealth.
Google’s observations indicate that UNC5221 has a strong focus on developers, administrators, and individuals tied to China’s economic and security interests.
When the operation is completed, the malware is removed to hinder forensic investigations. These are made even more complicated by the fact that UNC5221 never reuses the same C2 domains or malware samples across victims.
To help defenders, Mandiant has released a free scanner script that replicates a Brickstorm YARA rule for Linux and BSD appliances. YARA rules for Bricksteal and Slaystyle are also included in the report.
Mandiant warns that its scanner may not detect all Brickstorm variants, does not guarantee detection of a compromise 100% of the time, does not look for persistence mechanisms, and does not warn about vulnerable devices.
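As an added example covering the gap the scanner leaves (this is not Mandiant's script nor code from the report), the Python routine below triages the init.d and systemd persistence mentioned above: it walks startup-script and unit directories and flags entries that launch a binary from outside conventional system paths or that were modified after a known-good baseline. The trusted-path list, the DAEMON= convention for init.d scripts and the sample files are constructed assumptions, not indicators from the report.

```python
import os, re, tempfile, time
from pathlib import Path

# Where packaged service binaries normally live; anything else is worth a look (assumption).
TRUSTED_BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/", "/lib/")
# systemd units name their binary in ExecStart=; many init.d scripts use a DAEMON= variable.
EXEC_RE = re.compile(r"^\s*ExecStart\s*=\s*[-@+!:]*(\S+)", re.M)
DAEMON_RE = re.compile(r"^\s*DAEMON=[\"']?(/\S+?)[\"']?\s*$", re.M)


def launch_targets(text: str) -> list[str]:
    """Executable paths a unit file or init.d script launches at boot."""
    return EXEC_RE.findall(text) + DAEMON_RE.findall(text)


def is_suspicious_target(path: str) -> bool:
    """Startup entries launching from /tmp, /var/tmp, /dev/shm or a home dir are unusual."""
    return not path.startswith(TRUSTED_BIN_DIRS)


def triage_startup_entries(dirs, baseline_epoch: float) -> list[dict]:
    """Flag entries launching from untrusted paths or modified after a known-good baseline."""
    findings = []
    for p in sorted(f for d in dirs for f in Path(d).iterdir() if f.is_file()):
        reasons = []
        bad = [t for t in launch_targets(p.read_text(errors="replace")) if is_suspicious_target(t)]
        if bad:
            reasons.append("launches from untrusted path: " + ", ".join(bad))
        if p.stat().st_mtime > baseline_epoch:
            reasons.append("modified after baseline")
        if reasons:
            findings.append({"file": str(p), "reasons": reasons})
    return findings


def demo() -> list[dict]:
    """Constructed sample entries (not real IoCs) written to a temp dir, then triaged."""
    root = Path(tempfile.mkdtemp())
    (root / "systemd").mkdir()
    (root / "init.d").mkdir()
    now = time.time()
    old = now - 400 * 86400                  # pretend these files predate the baseline
    samples = {                              # file: (contents, mtime)
        "systemd/sshd.service": ("[Service]\nExecStart=/usr/sbin/sshd -D\n", old),
        "systemd/update-helper.service": ("[Service]\nExecStart=/var/tmp/.cache/helper -d\n", now),
        "init.d/cron": ("#!/bin/sh\nDAEMON=/usr/sbin/cron\n", old),
    }
    for rel, (text, mtime) in samples.items():
        (root / rel).write_text(text)
        os.utime(root / rel, (mtime, mtime))
    baseline = now - 30 * 86400              # last known-good configuration snapshot
    return triage_startup_entries([root / "systemd", root / "init.d"], baseline)
```

On a real appliance, point `triage_startup_entries` at `/etc/init.d`, `/etc/systemd/system` and `/lib/systemd/system` with the timestamp of the last trusted configuration snapshot; a hit is a lead for review, not proof of compromise.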