
The BRICKSTORM backdoor, operated by the China-nexus threat actor UNC5221, has maintained persistent access to victim networks for an average of 393 days while evading traditional security tools.
Google Threat Intelligence Group (GTIG) and Mandiant have been tracking this highly evasive campaign since March 2025, with investigations revealing intrusions across multiple industry verticals, including legal services, Software as a Service (SaaS) providers, Business Process Outsourcers (BPOs), and technology companies.
The strategic value of these targets extends beyond conventional espionage operations, potentially providing attackers with data to develop zero-day exploits and establish pivot points for broader downstream compromises.
Advanced Stealth Techniques Target Network Appliances
The BRICKSTORM malware demonstrates sophisticated technical capabilities explicitly designed to evade detection by traditional endpoint security solutions.
Written in the Go programming language for cross-platform compatibility, the backdoor includes SOCKS proxy functionality and targets network appliances that typically lack endpoint detection and response (EDR) tool coverage.
Mandiant’s forensic analysis has identified BRICKSTORM deployments on Linux and BSD-based appliances from multiple manufacturers, with threat actors consistently targeting VMware vCenter and ESXi hosts.
The malware employs advanced anti-forensics capabilities, including post-exploitation scripts designed to obscure initial entry vectors and modify legitimate startup scripts using the sed command-line utility to ensure persistence across system reboots.
Recent samples indicate active development, with some variants employing Garble obfuscation and incorporating custom WS-Soft libraries.
One particularly sophisticated sample contained a built-in delay timer that waited for a hard-coded future date before initiating command and control communications, demonstrating the threat actor’s long-term operational planning capabilities.
Multi-Stage Attack Chain Targets Critical Infrastructure
The attack methodology follows a systematic approach, beginning with the exploitation of perimeter infrastructure, including at least one confirmed zero-day vulnerability.
UNC5221 maintains persistence by deploying backdoors on appliances excluded from centralized security logging solutions, using valid credentials captured through malware running on network appliances to move laterally to VMware virtualization platforms.

The threat actor deploys a malicious Java Servlet filter tracked as BRICKSTEAL on vCenter servers, which captures authentication credentials from HTTP requests to vCenter web login interfaces.
This capability is particularly dangerous as many organizations use Active Directory authentication for vCenter access, potentially exposing high-privilege enterprise credentials.
In multiple investigations, attackers used vCenter access to clone Windows Server virtual machines containing critical systems such as Domain Controllers, SSO Identity Providers, and secret vaults.
This technique enables threat actors to extract sensitive files, such as the Active Directory Domain Services database (ntds.dit), without triggering security tools, as the cloned systems are never powered on.
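A defender-side hunt for the cloning pattern described above, added here as an example that is not part of the original post or of Mandiant's scanner: it parses a constructed vCenter event export (the event type names are real vSphere event types; the line format, VM naming convention and sample lines are assumptions) and flags clones of sensitive VMs that were never powered on.

```python
"""Hunt a vCenter event export for clones of sensitive VMs that were never
powered on.  Added example, not Mandiant's scanner.  VmClonedEvent,
VmPoweredOnEvent and VmRemovedEvent are real vSphere event types; the export
line format and the sample lines below are constructed for illustration."""
import re

# Constructed sample export:
#   <timestamp> <eventType> vm=<name> [src=<source vm>] user=<account>
SAMPLE_EVENTS = """\
2025-03-02T01:12:09Z VmClonedEvent vm=dc01-clone src=DC01 user=svc-backup
2025-03-02T01:13:41Z VmClonedEvent vm=vault-tmp src=VAULT01 user=svc-backup
2025-03-02T01:20:00Z VmClonedEvent vm=web-test src=WEB01 user=ops.alice
2025-03-02T01:25:10Z VmPoweredOnEvent vm=web-test user=ops.alice
2025-03-02T02:05:33Z VmRemovedEvent vm=dc01-clone user=svc-backup
"""

# Hypothetical naming convention for high-value VMs (DCs, SSO/IdP, vaults);
# adapt this to your own inventory.
SENSITIVE_VM = re.compile(r"^(DC|ADFS|SSO|IDP|VAULT)\d*", re.IGNORECASE)

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<type>\w+) vm=(?P<vm>\S+)(?: src=(?P<src>\S+))? user=(?P<user>\S+)$"
)

def parse_events(text):
    """Parse the constructed export format into dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def find_suspicious_clones(text):
    """Return clones of sensitive VMs that were never powered on.  A clone that
    is removed without ever booting is the strongest signal: it matches copying
    a disk for offline extraction rather than standing up a test system."""
    events = parse_events(text)
    powered_on = {e["vm"] for e in events if e["type"] == "VmPoweredOnEvent"}
    removed = {e["vm"] for e in events if e["type"] == "VmRemovedEvent"}
    findings = []
    for e in events:
        if e["type"] != "VmClonedEvent" or not e["src"]:
            continue
        if SENSITIVE_VM.match(e["src"]) and e["vm"] not in powered_on:
            findings.append({"clone": e["vm"], "source": e["src"], "user": e["user"],
                             "time": e["ts"], "deleted_without_boot": e["vm"] in removed})
    return findings

if __name__ == "__main__":
    for finding in find_suspicious_clones(SAMPLE_EVENTS):
        print(finding)
```

Correlating the clone events with the account used (here a backup service account) is what separates an administrator's routine clone from credential misuse.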
The campaign’s sophistication extends to data exfiltration methods, with attackers using BRICKSTORM’s SOCKS proxy feature to tunnel workstation access and directly interact with internal systems.
The threat actors targeted email mailboxes of key personnel using Microsoft Entra ID Enterprise Applications with email.Read or full_access_as_app scopes, focusing on developers, system administrators, and individuals involved in matters aligning with PRC economic and espionage interests.
To aid organizations in detecting this threat, Mandiant has released a specialized scanner script that can run on *nix-based appliances without requiring YARA installation, along with comprehensive hunting guidance focused on TTP-based detection methodologies rather than traditional signature-based approaches.
