Verticals Targeted: Legal Services, Software, Business Services, Technology
Regions Targeted: US
Related Families: BRICKSTEAL, SLAYSTYLE
Executive Summary
The BRICKSTORM backdoor, attributed to the suspected China-nexus threat cluster UNC5221, has been actively targeting U.S. organizations in the legal, SaaS, BPO, and technology sectors since March 2025, enabling prolonged espionage with an average dwell time of 393 days. The operators gain entry through zero-day exploits, and the malware's stealth techniques let them maintain persistent access, evade detection, and steal sensitive data, posing significant risks to critical infrastructure.
Key Takeaways
- BRICKSTORM maintains long-term stealthy access on network appliances, with an average dwell time of 393 days, often evading traditional endpoint detection tools.
- The threat actor exploits zero-day vulnerabilities in edge appliances to gain initial access, enhancing their ability to infiltrate high-value targets.
- The BRICKSTEAL component captures credentials via a malicious Java Servlet filter on VMware vCenter servers, targeting high-privilege accounts.
- The malware uses SOCKS proxy functionality to tunnel data, enabling the theft of intellectual property and sensitive emails, particularly from key personnel.
What is BRICKSTORM?
Since March 2025, the Google Threat Intelligence Group (GTIG) has tracked a sophisticated espionage campaign driven by the BRICKSTORM backdoor, attributed to the UNC5221 threat cluster, which is suspected to have ties to China. This campaign targets U.S. organizations across legal services, Software as a Service (SaaS), Business Process Outsourcing (BPO), and technology sectors, aiming to steal intellectual property and sensitive data to support geopolitical and economic objectives. The malware’s ability to maintain persistent access for an average of 393 days underscores its stealth and the challenges in detecting it.
BRICKSTORM, written in the Go programming language, is designed for cross-platform compatibility, primarily targeting Linux and BSD-based network appliances, including VMware vCenter and ESXi hosts. These devices often lack traditional endpoint detection and response (EDR) tools, making them prime targets for the threat actor. The malware employs SOCKS proxy functionality to facilitate data exfiltration and lateral movement, often using legitimate credentials captured from compromised systems. In one notable instance, UNC5221 exploited a zero-day vulnerability to gain initial access, though specific details of the vulnerability remain undisclosed. Post-exploitation scripts with anti-forensic capabilities further obscure the initial intrusion vector, complicating investigations.
The threat actor’s tactics are highly evasive, with BRICKSTORM samples showing active development, including obfuscation via Garble and the use of a custom `wssoft` library. Some variants include a delay timer that activates months after deployment, ensuring prolonged undetected presence. Command and control (C2) infrastructure leverages Cloudflare Workers, Heroku applications, and dynamic DNS services, with no observed reuse of C2 domains across victims, enhancing operational security.
A key component of the campaign is BRICKSTEAL, a malicious Java Servlet filter deployed on VMware vCenter’s Apache Tomcat server. This filter captures credentials from HTTP Basic authentication headers on vCenter web login URIs, potentially exposing high-privilege Active Directory accounts. Additionally, the SLAYSTYLE web shell, a JavaServer Pages (JSP) backdoor, enables the execution of arbitrary commands, further facilitating persistence. The threat actor often targets sensitive systems like domain controllers and credential vaults, cloning virtual machines to extract files such as the Active Directory database without triggering security tools.
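The credential-capture mechanism described above depends on a servlet filter being registered in the Tomcat deployment descriptor and mapped over the login path. Added defender example (not code from the report, PolySwarm or any vendor): audit a web.xml for filter classes that are not on a verified baseline and rate higher any that cover a login URI. The baseline classes, login URIs, filter names and the sample descriptor are constructed placeholders, not vCenter's real values.

```python
# Added example: list servlet filters in a Tomcat web.xml that are not on a
# verified baseline, and mark those whose url-pattern covers a login URI,
# since that is where a credential-capturing filter would have to be mapped.
import xml.etree.ElementTree as ET

# Assumptions: placeholders an operator replaces with values from a clean build.
KNOWN_FILTER_CLASSES = {"org.apache.catalina.filters.HttpHeaderSecurityFilter"}
LOGIN_URIS = ("/ui/login", "/websso/login")

# Constructed sample: a stock Tomcat filter plus one unexpected filter over SSO.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <filter><filter-name>hdrSec</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class></filter>
  <filter><filter-name>ssoFilter</filter-name>
    <filter-class>com.example.placeholder.AuthCaptureFilter</filter-class></filter>
  <filter-mapping><filter-name>hdrSec</filter-name><url-pattern>/*</url-pattern></filter-mapping>
  <filter-mapping><filter-name>ssoFilter</filter-name><url-pattern>/websso/*</url-pattern></filter-mapping>
</web-app>"""

def _text(parent, tag):
    """Text of a child element, ignoring the web-app XML namespace."""
    el = parent.find(f"{{*}}{tag}")
    return (el.text or "").strip() if el is not None else ""

def pattern_matches(pattern: str, uri: str) -> bool:
    """Servlet url-pattern semantics: exact match, '/prefix/*', or '*.ext'."""
    if pattern == "/*" or pattern == uri:
        return True
    if pattern.endswith("/*"):
        return uri.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return uri.endswith(pattern[1:])
    return False

def audit_filters(web_xml: str) -> list:
    """Return one finding per filter whose class is not on the baseline."""
    root = ET.fromstring(web_xml)
    classes = {_text(f, "filter-name"): _text(f, "filter-class")
               for f in root.findall("{*}filter")}
    patterns = {}
    for m in root.findall("{*}filter-mapping"):
        patterns.setdefault(_text(m, "filter-name"), []).extend(
            (p.text or "").strip() for p in m.findall("{*}url-pattern"))
    findings = []
    for name, cls in classes.items():
        if cls in KNOWN_FILTER_CLASSES:
            continue
        pats = patterns.get(name, [])
        on_login = any(pattern_matches(p, u) for p in pats for u in LOGIN_URIS)
        findings.append({"filter": name, "class": cls, "patterns": pats,
                         "severity": "high" if on_login else "medium"})
    return findings
```

Run `audit_filters(SAMPLE_WEB_XML)` against the sample to see the single high-severity finding; on a real appliance, point it at each deployed web.xml and compare against a descriptor taken from a known-clean install of the same version.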
Lateral movement is achieved using compromised credentials, often sourced from password vaults or PowerShell scripts, to access systems like Delinea Secret Server. The threat actor modifies startup scripts to ensure BRICKSTORM’s persistence across reboots. Data exfiltration focuses on intellectual property from code repositories and emails from key personnel, accessed via Microsoft Entra ID Enterprise Applications with `mail.read` or `full_access_as_app` scopes.
IOCs
PolySwarm has multiple samples associated with this activity.
aa688682d44f0c6b0ed7f30b981a609100107f2d414a3a6e5808671b112d1878
2388ed7aee0b6b392778e8f9e98871c06499f476c9e7eae6ca0916f827fe65df
90b760ed1d0dcb3ef0f2b6d6195c9d852bcb65eca293578982a8c4b64f51b035
You can use the following CLI command to search for all BRICKSTORM samples in our portal:
$ polyswarm link list -f BRICKSTORM