The PolySwarm Blog

Analyze suspicious files and URLs, at scale, millions of times per day. Get real-time threat intel from a crowdsourced network of security experts and antivirus companies competing to protect you.

BRICKSTORM Targets U.S. Tech and Legal Sectors with Stealthy Espionage

Oct 3, 2025 3:29:53 PM / by The Hivemind

BRICKSTORM2025Verticals Targeted: Legal Services, Software, Business Services, Technology
Regions Targeted: US
Related Families: BRICKSTEAL, SLAYSTYLE 

Executive Summary

The BRICKSTORM backdoor, attributed to the suspected China-nexus threat cluster UNC5221, has been actively targeting U.S. organizations in the legal, SaaS, BPO, and technology sectors since March 2025, enabling prolonged espionage with an average dwell time of 393 days. This sophisticated malware leverages zero-day exploits and stealthy techniques to maintain persistent access, evade detection, and steal sensitive data, posing significant risks to critical infrastructure.

Key Takeaways

  • BRICKSTORM maintains long-term stealthy access on network appliances, with an average dwell time of 393 days, often evading traditional endpoint detection tools.  
  • The threat actor exploits zero-day vulnerabilities in edge appliances to gain initial access, enhancing their ability to infiltrate high-value targets.  
  • The BRICKSTEAL component captures credentials via a malicious Java Servlet filter on VMware vCenter servers, targeting high-privilege accounts.  
  • The malware uses SOCKS proxy functionality to tunnel data, enabling the theft of intellectual property and sensitive emails, particularly from key personnel.

What is BRICKSTORM?

Since March 2025, the Google Threat Intelligence Group (GTIG) has tracked a sophisticated espionage campaign driven by the BRICKSTORM backdoor, attributed to the UNC5221 threat cluster, which is suspected to have ties to China. This campaign targets U.S. organizations across legal services, Software as a Service (SaaS), Business Process Outsourcing (BPO), and technology sectors, aiming to steal intellectual property and sensitive data to support geopolitical and economic objectives. The malware’s ability to maintain persistent access for an average of 393 days underscores its stealth and the challenges in detecting it.

BRICKSTORM, written in the Go programming language, is designed for cross-platform compatibility, primarily targeting Linux and BSD-based network appliances, including VMware vCenter and ESXi hosts. These devices often lack traditional endpoint detection and response (EDR) tools, making them prime targets for the threat actor. The malware employs SOCKS proxy functionality to facilitate data exfiltration and lateral movement, often using legitimate credentials captured from compromised systems. In one notable instance, UNC5221 exploited a zero-day vulnerability to gain initial access, though specific details of the vulnerability remain undisclosed. Post-exploitation scripts with anti-forensic capabilities further obscure the initial intrusion vector, complicating investigations.

The threat actor’s tactics are highly evasive, with BRICKSTORM samples showing active development, including obfuscation via Garble and the use of a custom `wssoft` library. Some variants include a delay timer that activates months after deployment, ensuring prolonged undetected presence. Command and control (C2) infrastructure leverages Cloudflare Workers, Heroku applications, and dynamic DNS services, with no observed reuse of C2 domains across victims, enhancing operational security.

A key component of the campaign is BRICKSTEAL, a malicious Java Servlet filter deployed on VMware vCenter’s Apache Tomcat server. This filter captures credentials from HTTP Basic authentication headers on vCenter web login URIs, potentially exposing high-privilege Active Directory accounts. Additionally, the SLAYSTYLE web shell, a JavaServer Pages (JSP) backdoor, enables the execution of arbitrary commands, further facilitating persistence. The threat actor often targets sensitive systems like domain controllers and credential vaults, cloning virtual machines to extract files such as the Active Directory database without triggering security tools.

Lateral movement is achieved using compromised credentials, often sourced from password vaults or PowerShell scripts, to access systems like Delinea Secret Server. The threat actor modifies startup scripts to ensure BRICKSTORM’s persistence across reboots. Data exfiltration focuses on intellectual property from code repositories and emails from key personnel, accessed via Microsoft Entra ID Enterprise Applications with `mail.read` or `full_access_as_app` scopes.

IOCs

PolySwarm has multiple samples associated with this activity.

 

aa688682d44f0c6b0ed7f30b981a609100107f2d414a3a6e5808671b112d1878

2388ed7aee0b6b392778e8f9e98871c06499f476c9e7eae6ca0916f827fe65df

90b760ed1d0dcb3ef0f2b6d6195c9d852bcb65eca293578982a8c4b64f51b035

 

You can use the following CLI command to search for all BRICKSTORM samples in our portal:

$ polyswarm link list -f BRICKSTORM

 

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.

 

Topics: Threat Bulletin, Evolving Threat, credential theft, SonicWall VPN, Ransomware Campaign, Akira Ransomware, CVE-2024-40766, SSL VPN, multi-factor authentication

The Hivemind

Written by The Hivemind

Subscribe to Email Updates

Lists by Topic

see all

Posts by Topic

See all

Recent Posts

Join the Marketplace

For Enterprises and Businesses

Learn More

For Security Experts and AV Companies

Learn More