Google researchers report that suspected Chinese hackers used the Brickstorm malware in espionage operations targeting U.S. organizations in the technology and legal sectors. The attackers remained hidden in the compromised companies’ networks for about 400 days.
Brickstorm is a backdoor written in Go, first observed by Google in April 2024. At that time, China-linked cyberattacks were discovered that spread via various edge devices and remained undetected in victims’ environments for an average of more than a year.
This malware functioned as a web server, a file manipulation tool, a dropper, a SOCKS relay, and a shell command execution tool.
According to experts from the Google Threat Intelligence Group (GTIG), the attackers used Brickstorm to covertly exfiltrate data from victims’ networks and, on average, remained in the compromised companies’ infrastructure for 393 days before being detected.
Researchers report that unnamed companies in the legal and technology sectors, SaaS solution providers, and BPO providers were targeted. Google believes that compromising such organizations could help the attackers develop zero-day exploits and expand attacks against downstream victims (especially those not protected by EDR solutions).
Experts attribute this activity to a cluster codenamed UNC5221, known for the exploitation of a zero-day vulnerability in Ivanti products and for attacks on government agencies using the custom malware Spawnant and Zipline.
Because the UNC5221 operators spent an extended period in victims’ systems and used anti-forensic scripts to conceal their intrusion methods, GTIG analysts could not confidently determine the initial access vector, but it is assumed that the hackers exploited a zero-day in perimeter devices.
Brickstorm is deployed on devices not protected by EDR, including VMware vCenter/ESXi endpoints, where it establishes command-and-control communications that masquerade as traffic from Cloudflare, Heroku, and other legitimate services.
The attackers then attempted to escalate privileges by using a malicious Java Servlet Filter (Bricksteal) on vCenter to intercept credentials, as well as by cloning a Windows Server VM to extract secrets.
The stolen credentials were then used for lateral movement and persistence within the systems (enabling SSH on ESXi and modifying init.d and systemd startup scripts).
The primary goal of Brickstorm was to steal email via Microsoft Entra ID Enterprise Apps; to conceal this activity, the hackers used SOCKS proxies to tunnel into internal systems and repositories.
Google’s observations show that the UNC5221 group was mainly focused on developers, administrators, and individuals linked to China’s economic and defense interests.
Upon completion of the operation, the malware was deleted to hinder analysis. The investigation was also complicated by the fact that UNC5221 never reuses the same C2 domains or malware samples.
To help defenders, Mandiant researchers released a free scanner script that uses a YARA rule to detect Brickstorm on Linux and BSD devices. YARA rules for Bricksteal and Slaystyle are also included in the researchers’ report.
At the same time, Mandiant warns that this scanner may not detect all Brickstorm variants and does not guarantee 100% detection of compromise, does not address persistence mechanisms in the system, and does not alert about vulnerable devices.
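Since the YARA-based scanner does not cover persistence, a complementary check for the startup-script tampering described above (modified init.d and systemd entries) is worth having. The following is an added example, not Mandiant's scanner or any code from the report: it flags systemd units and init.d scripts on a Linux host (such as a vCenter appliance) that launch binaries from non-packaged or world-writable paths. The directory lists, the scanned paths, and the sample unit and script contents are assumptions or constructed samples, not Brickstorm indicators.

```python
"""Triage systemd units and init.d scripts for startup entries that launch binaries from non-packaged or world-writable locations."""
import os
import re
import shlex

# Where a package-installed daemon normally lives (assumption: tune per distribution).
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/", "/bin/", "/sbin/", "/lib/")
# Where a dropped payload is far more plausible than a legitimate service binary.
WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")
EXEC_RE = re.compile(r"^\s*Exec(?:Start|StartPre|StartPost|Reload)\s*=\s*(.+)$", re.M)
PATH_RE = re.compile(r"(?<![\w/])/[\w./-]+")

def exec_binaries(unit_text):
    """Command of every Exec* line, minus systemd's -/@/:/+/! prefix characters."""
    cmds = [shlex.split(m.group(1)) for m in EXEC_RE.finditer(unit_text)]
    return [c[0].lstrip("-@:+!") for c in cmds if c]

def triage_unit(name, unit_text):
    """Flag Exec* commands that are relative or outside packaged directories."""
    findings = []
    for b in exec_binaries(unit_text):
        if not b.startswith("/"):
            findings.append((name, b, "non-absolute command"))
        elif not b.startswith(TRUSTED_PREFIXES):
            findings.append((name, b, "binary outside packaged directories"))
    return findings

def triage_init_script(name, script_text):
    """Flag non-comment init.d lines that reference a path in a world-writable directory."""
    return [(name, p, "path in world-writable directory")
            for line in script_text.splitlines() if not line.lstrip().startswith("#")
            for p in PATH_RE.findall(line) if p.startswith(WRITABLE_PREFIXES)]

def scan_host(systemd_dir="/etc/systemd/system", initd_dir="/etc/init.d"):
    """Run both checks over a live host's startup entries (directory paths are assumptions)."""
    findings = []
    for base, check in ((systemd_dir, triage_unit), (initd_dir, triage_init_script)):
        for root, _, files in os.walk(base):
            for f in files:
                path = os.path.join(root, f)
                try:
                    with open(path, errors="replace") as fh:
                        findings += check(path, fh.read())
                except OSError:
                    pass
    return findings

# Constructed samples: one benign unit, one fabricated persistence unit and init script.
SAMPLE_UNITS = {"sshd.service": "[Service]\nExecStart=/usr/sbin/sshd -D\n",
                "sysupdate.service": "[Service]\nExecStart=/var/tmp/.cache/update --daemon\n"}
SAMPLE_INITD = {"S99local": "#!/bin/sh\n/dev/shm/.x/agent &\nexit 0\n"}
```

Run `scan_host()` as root on the appliance and review every finding against the package manager and change records; a hit is a triage lead, not proof of compromise.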