Companies in the legal services, software-as-a-service (SaaS) providers, Business Process Outsourcers (BPOs), and technology sectors in the U.S. have been targeted by a suspected China-nexus cyber espionage group to deliver a known backdoor referred to as BRICKSTORM.
The activity, attributed to UNC5221 and closely related, suspected China-nexus threat clusters, is designed to facilitate persistent access to victim organizations for over a year, Mandiant and Google Threat Intelligence Group (GTIG) said in a new report shared with The Hacker News.
It’s assessed that the objective of BRICKSTORM targeting SaaS providers is to gain access to downstream customer environments or the data SaaS providers host on their customers’ behalf, while the targeting of the U.S. legal and technological spheres is likely an attempt to gather information related to national security and international trade, as well as steal intellectual property to advance the development of zero-day exploits.
BRICKSTORM was first documented by the tech giant last year in connection with the zero-day exploitation of Ivanti Connect Secure zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887). It has also been used to target Windows environments in Europe since at least November 2022.
A Go-based backdoor, BRICKSTORM comes fitted with capabilities to set itself up as a web server, perform file system and directory manipulation, carry out file operations such as upload/download, execute shell commands, and act as a SOCKS relay. It communicates with a command-and-control (C2) server using WebSockets.
Earlier this year, the U.S. government noted that the China-aligned threat cluster tracked as APT27 (aka Emissary Panda) overlaps with that of Silk Typhoon, UNC5221, and UTA0178. However, GTIG told The Hacker News at the time that it does not have enough evidence on its own to confirm the link and that it’s treating them as two distinct entities.
“These intrusions are conducted with a particular focus on maintaining long term stealthy access by deploying backdoors on appliances that do not support traditional endpoint detection and response (EDR) tools,” GTIG said, adding it has responded to several intrusions since March 2025.
“The actor employs methods for lateral movement and data theft that generate minimal to no security telemetry. This, coupled with modifications to the BRICKSTORM backdoor, has enabled them to remain undetected in victim environments for 393 days, on average.”
In at least one case, the threat actors are said to have exploited the aforementioned security flaws in Ivanti Connect Secure edge devices to obtain initial access and drop BRICKSTORM. But the prolonged dwell time and the threat actor’s efforts to erase traces of their activity has made it challenging to determine the initial access vector used in other instances to deliver the malware on Linux and BSD-based appliances from multiple manufacturers.
There is evidence to suggest that the malware is under active development, with one sample featuring a “delay” timer that waits for a hard-coded date months in the future before initiating contact with its C2 server. The BRICKSTORM variant, Google said, was deployed on an internal VMware vCenter server after the targeted organization had commenced its incident response efforts, indicating the agility of the hacking group to maintain persistence.
The attacks are also characterized by the use of a malicious Java Servlet filter for the Apache Tomcat server dubbed BRICKSTEAL to capture vCenter credentials for privilege escalation, subsequently using it to clone Windows Server VMs for key systems such as Domain Controllers, SSO Identity Providers, and secret vaults.
“Normally, installing a filter requires modifying a configuration file and restarting or reloading the application; however, the actor used a custom dropper that made the modifications entirely in memory, making it very stealthy and negating the need for a restart,” Google said.
Furthermore, the threat actors have been found to leverage valid credentials for lateral movement to pivot to the VMware infrastructure and establish persistence by modifying init.d, rc.local, or systemd files to ensure that the backdoor is automatically sstarted on appliance reboot. Another method involves deploying a JavaServer Pages (JSP) web shell known as SLAYSTYLE (aka BEEFLUSH) to receive and execute arbitrary operating system commands passed through an HTTP request.
The primary goal of the campaign is to access the emails of key individuals within the victim entities, including developers, system administrators, and individuals involved in matters that align with China’s economic and espionage interests. BRICKSTORM’s SOCKS proxy feature is used to create a tunnel and directly access the applications deemed of interest to the attackers.
Google said it has developed a shell script scanner for potential victims to figure out if they’ve been impacted by BRICKSTORM activity on Linux and BSD-based appliances and systems. The tool works by flagging files that match known signatures of the malware. That said, it’s not guaranteed to detect an infection in all cases or scan for other indicators of compromise (IoCs).
“The BRICKSTORM campaign represents a significant threat due to its sophistication, evasion of advanced enterprise security defenses, and focus on high-value targets,” Charles Carmakal, CTO of Mandiant Consulting at Google Cloud, said in a statement shared with The Hacker News.
“The access obtained by UNC5221 enables them to pivot to downstream customers of compromised SaaS providers or discover zero-day vulnerabilities in enterprise technologies, which can be used for future attacks. We encourage organizations to hunt for BRICKSTORM and other backdoors that may reside on their systems that do not have endpoint detection and response (EDR) coverage.”
