Suspected Chinese cyber spies target US tech and legal sectors with Brickstorm backdoor


A suspected Chinese state-sponsored hacker group is reportedly behind a cyber espionage campaign targeting US organizations in the technology, legal, SaaS, and Business Process Outsourcing (BPO) sectors. The campaign involves a backdoor called “Brickstorm,” first spotted in April 2024.

According to Google Threat Intelligence Group (GTIG), the attacks remained undetected for an average of 393 days, allowing the attackers to siphon off sensitive data for over a year in some cases.

Brickstorm is a Go-based backdoor with a vast array of capabilities that allow it to function as a web server, file manipulation tool, SOCKS proxy, dropper, and remote shell. The malware was typically deployed on edge devices that lack endpoint detection and response (EDR) capabilities, such as VMware vCenter and ESXi appliances.

Google attributes the campaign to UNC5221, a threat cluster known for leveraging zero-day vulnerabilities, particularly in Ivanti edge devices, and deploying custom malware like Spawnant and Zipline against government and enterprise networks.

Once inside a network, the attackers deployed Bricksteal, a malicious Java Servlet Filter, to harvest credentials, and cloned Windows Server virtual machines to extract secrets from them offline. With the stolen credentials, the attackers moved laterally across environments, enabling SSH access and modifying startup scripts on appliances to maintain persistence. The ultimate goal was to exfiltrate emails and sensitive code repositories, often through Microsoft Entra ID Enterprise Apps.

The group’s tactics involve high levels of operational security, including frequent rotation of command-and-control (C2) infrastructure and never reusing malware samples, complicating forensic analysis. Traffic was disguised to appear as legitimate services such as Cloudflare and Heroku.

GTIG believes that UNC5221 specifically targets developers, administrators, and entities tied to China’s economic and national security interests.

Mandiant has released a free scanner script using YARA rules to detect traces of Brickstorm, Bricksteal, and Slaystyle on Linux and BSD appliances. However, Mandiant warns that the tool may not detect all variants, doesn’t identify persistence methods, and cannot confirm device vulnerability status.
