Suspected Chinese state-backed hackers have been linked to long-term espionage operations against U.S. organizations in the technology and legal sectors, according to a new report by Google’s Threat Intelligence Group (GTIG).

The attackers used Brickstorm, a Go-based backdoor first documented by Google's Mandiant in April 2024. The malware is highly versatile, acting as a web server, file-manipulation tool, dropper, SOCKS relay and remote shell for command execution. GTIG puts the average dwell time at 393 days, meaning the backdoor sat unnoticed for more than a year on average while the attackers quietly siphoned sensitive data.

Brickstorm was deployed on appliances that typically cannot run an endpoint detection and response (EDR) agent, such as VMware vCenter and ESXi hosts, which leaves network and configuration telemetry as the main places to spot it. Once inside, the malware disguised its command-and-control (C2) traffic as connections to legitimate services such as Cloudflare and Heroku. The attackers used a malicious Java Servlet Filter called Bricksteal to capture credentials, cloned Windows Server virtual machines so that secrets could be pulled from the copies without touching the running systems, and enabled SSH on ESXi hosts for persistence. Stolen credentials were then leveraged for lateral movement across networks, with email exfiltration through Microsoft Entra ID Enterprise Apps being one of the main objectives.
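Because the implanted appliances run no EDR agent, the practical check is on the network side: a vCenter or ESXi host should only ever reach a short list of vendor endpoints, so any other outbound destination from those addresses deserves a look. The script below is an added example and not code from the GTIG or Mandiant report. The appliance inventory, the allowlist of vendor suffixes, the Cloudflare- and Heroku-hosted suffixes flagged as suspect, and the proxy log lines (timestamp, source IP, destination host, destination port) are all constructed for the example; a real deployment would read them from its own inventory and proxy export.

```python
"""Triage outbound connections from EDR-less management appliances.

Added example, not code from the GTIG/Mandiant report. Assumption: vCenter
and ESXi hosts only legitimately contact a small set of vendor and time
servers, so every other destination is worth a review. Hostnames, IPs and
log lines below are constructed for illustration.
"""

# Hypothetical inventory of management-plane appliances without EDR.
APPLIANCES = {
    "10.10.0.5": "vcenter01",
    "10.10.0.21": "esxi01",
    "10.10.0.22": "esxi02",
}

# Assumed allowlist of destinations these appliances may legitimately reach.
ALLOWED_SUFFIXES = (".vmware.com", ".broadcom.com", ".ntp.org")

# Hosting platforms the campaign hid its C2 behind (Cloudflare, Heroku).
# Suffix matching is a heuristic: legitimate use of these platforms exists,
# but from a hypervisor management host it is rarely expected.
SUSPECT_SUFFIXES = (".workers.dev", ".cloudflare.com", ".herokuapp.com")

# Constructed proxy log: "<timestamp> <src ip> <dst host> <dst port>".
LOGS = """\
2025-09-20T01:02:03Z 10.10.0.5 depot.vmware.com 443
2025-09-20T01:05:10Z 10.10.0.21 pool.ntp.org 123
2025-09-20T02:14:55Z 10.10.0.5 sync-7f3.workers.dev 443
2025-09-20T02:15:01Z 10.10.0.22 status-relay.herokuapp.com 443
2025-09-20T02:40:12Z 10.10.0.21 203.0.113.9 443
2025-09-20T03:00:00Z 10.10.0.40 www.example.com 443
""".splitlines()


def parse_line(line):
    """Split one constructed log line into its four fields."""
    ts, src, dst, port = line.split()
    return {"ts": ts, "src": src, "dst": dst.lower(), "port": int(port)}


def classify(dst):
    """Label a destination: allowed vendor host, suspect hosting, or unknown."""
    if dst.endswith(ALLOWED_SUFFIXES):
        return "allowed"
    if dst.endswith(SUSPECT_SUFFIXES):
        return "suspect-hosting"
    return "unknown"


def triage(lines):
    """Return every non-allowlisted connection made by an appliance."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        name = APPLIANCES.get(rec["src"])
        if name is None:
            continue  # workstation/server traffic is out of scope here
        verdict = classify(rec["dst"])
        if verdict != "allowed":
            findings.append({**rec, "appliance": name, "verdict": verdict})
    return findings


def summarize(findings):
    """Count distinct non-allowlisted destinations per appliance."""
    per_host = {}
    for f in findings:
        per_host.setdefault(f["appliance"], set()).add(f["dst"])
    return {host: len(dsts) for host, dsts in per_host.items()}


if __name__ == "__main__":
    hits = triage(LOGS)
    for f in hits:
        print(f"{f['ts']} {f['appliance']:10} -> {f['dst']}:{f['port']} [{f['verdict']}]")
    print("distinct unexpected destinations:", summarize(hits))
```

The point of the "unknown" verdict is that a connection to a bare IP or an unfamiliar domain from a hypervisor host is as worth chasing as one to a known hosting platform; an allowlist that is too generous is the usual reason this class of beaconing goes unnoticed for a year.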

Researchers attribute the activity to UNC5221, a threat group previously linked to Ivanti zero-day exploitation and to custom malware such as Spawnant and Zipline. GTIG notes that compromising SaaS providers, BPOs and technology firms gives attackers both source code to mine for new zero-day exploits and a path to the downstream customers of those firms. Because the group ran anti-forensics scripts and compiled a unique Brickstorm sample for each victim, the exact initial access vector remains unclear, although GTIG considers zero-day exploitation of edge devices the most likely entry point.

To help defenders, Mandiant has released a free scanner script, based on its Brickstorm YARA rules, for Linux and BSD appliances, along with rules for Bricksteal and Slaystyle. However, the company warns that the tool cannot guarantee full detection, does not cover the persistence mechanisms, and may miss some variants. A clean scan is therefore not proof of absence: checks for persistence such as SSH enabled on ESXi hosts or unexpected servlet filters on vCenter have to be done separately.
