Google Warns China's Brickstorm Backdoor Spying on U.S. Tech and Legal Firms


A hacking group linked to China has been using the sophisticated BRICKSTORM malware to conduct espionage against U.S. technology and legal firms, stealing data and remaining undetected for over a year, Google warns. Google Threat Intelligence Group (GTIG) linked the activity to the Chinese state-nexus group UNC5221, a known threat actor that often uses zero-day vulnerabilities. 

The BRICKSTORM backdoor, a Go-based tool first spotted in March 2025, was used to maintain long-term persistence across a range of U.S. organizations, including legal firms, Software as a Service (SaaS) providers, and other technology companies. The malware is versatile: it can act as a web server, manipulate files, execute shell commands, and relay traffic as a SOCKS proxy, with command and control (C2) communications carried over WebSockets. Mandiant noted that the average intrusion goes undetected for more than a year, which makes the initial attack vector difficult to pinpoint, though the available evidence points to exploitation of perimeter and remote access systems.

The attackers employed highly stealthy tactics in their latest wave of intrusions. They deployed a memory-resident Java Servlet filter called BRICKSTEAL on VMware vCenter servers. This filter intercepted HTTP Basic authentication requests, allowing the hackers to capture high-privilege credentials. With those credentials they moved laterally, cloning critical Windows Virtual Machines (VMs) such as Domain Controllers. They then mounted the cloned VMs offline to extract sensitive files, such as ntds.dit (the Active Directory database). The threat actors also used legitimate admin accounts to access systems like Delinea Secret Server and dump and decrypt the credentials stored there. They achieved persistence by installing BRICKSTORM on appliances and deploying a JSP web shell called SLAYSTYLE.

The ultimate goal of the BRICKSTORM campaign is the exfiltration of email from key individuals. The threat actors focus on the mailboxes of developers, system administrators, and staff working on matters aligned with China's economic and espionage interests. To reach these mailboxes, the hackers leverage Microsoft Entra ID Enterprise Applications that hold high-level permissions such as mail.read or full_access_as_app. After completing their operations, UNC5221 practices strong operational security, removing malware and rotating C2 domains to thwart forensic efforts. Google notes it has not observed the reuse of C2 domains or malware samples across investigations, which quickly renders indicators of compromise (IOCs) useless.
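The mailbox-access technique above is abstract from a defender's point of view, so here is an added example, not code from the article or from Google/Mandiant, that audits an export of Entra ID enterprise applications for the application-level mail permissions the article names (mail.read, full_access_as_app) plus the obvious superset Mail.ReadWrite (my assumption that it should be treated as equally risky). The record shape is a constructed simplification of what the Entra portal's "Permissions" tab shows per enterprise application; a real export (for example from the Graph servicePrincipals and appRoleAssignments endpoints) would need to be mapped into this shape first, and the app names and IDs in the sample are invented.

```python
import json
from dataclasses import dataclass

# Application-level mail permissions to flag. Matching is case-insensitive because
# the article writes "mail.read" while Graph exposes the same role as "Mail.Read".
HIGH_RISK_MAIL_PERMISSIONS = {
    "mail.read",           # Microsoft Graph application permission (named in the article)
    "mail.readwrite",      # superset of Mail.Read (assumption: equally risky)
    "full_access_as_app",  # Exchange Online application permission (named in the article)
}

# Constructed sample export: three enterprise applications with invented names/IDs.
# "type" mirrors the Application/Delegated column in the portal's Permissions tab.
SAMPLE_RECORDS = json.loads("""
[
  {"appDisplayName": "Mailbox Sync Connector", "appId": "00000000-0000-0000-0000-000000000001",
   "grants": [{"resource": "Microsoft Graph", "permission": "Mail.Read", "type": "Application"},
              {"resource": "Microsoft Graph", "permission": "User.Read.All", "type": "Application"}]},
  {"appDisplayName": "Helpdesk Portal", "appId": "00000000-0000-0000-0000-000000000002",
   "grants": [{"resource": "Microsoft Graph", "permission": "Mail.Read", "type": "Delegated"}]},
  {"appDisplayName": "Legacy EWS Integration", "appId": "00000000-0000-0000-0000-000000000003",
   "grants": [{"resource": "Office 365 Exchange Online", "permission": "full_access_as_app", "type": "Application"}]}
]
""")


@dataclass(frozen=True)
class Finding:
    app_display_name: str
    app_id: str
    resource: str
    permission: str


def audit_service_principals(records):
    """Return one Finding per application-level mail permission held by an enterprise app.

    Delegated grants are skipped on purpose: they only act on behalf of a signed-in
    user, whereas application permissions read any mailbox in the tenant without a user,
    which is the access pattern the article describes.
    """
    findings = []
    for sp in records:
        for grant in sp.get("grants", []):
            if grant.get("type", "").lower() != "application":
                continue
            if grant.get("permission", "").lower() in HIGH_RISK_MAIL_PERMISSIONS:
                findings.append(Finding(
                    app_display_name=sp["appDisplayName"],
                    app_id=sp["appId"],
                    resource=grant["resource"],
                    permission=grant["permission"],
                ))
    # Deterministic ordering makes diffs between scheduled runs meaningful.
    return sorted(findings, key=lambda f: (f.app_display_name, f.permission))


def summarize(findings):
    """Group findings by application so each app can be reviewed once."""
    by_app = {}
    for f in findings:
        by_app.setdefault(f.app_display_name, []).append(f"{f.resource}: {f.permission}")
    return by_app


if __name__ == "__main__":
    for app, perms in summarize(audit_service_principals(SAMPLE_RECORDS)).items():
        print(f"{app}: {', '.join(perms)}")
```

Each flagged application should then be reviewed for whether the permission is actually needed, who added it and when, and whether its credentials (secrets or certificates) were created outside normal change control; an unexpected credential on an app with Mail.Read is exactly the foothold the article describes.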
