Campaign Timeline and Attribution
Google’s Threat Intelligence Group and Mandiant report that the BRICKSTORM backdoor has been used since at least March 2025 to maintain long-term, stealthy access in U.S. technology, legal, SaaS and BPO environments. The activity cluster tracked as UNC5221 is linked to these intrusions and has a history of exploiting edge-device zero-days (including Ivanti flaws) to gain initial access. See the full GTIG write-up for background and Mandiant’s operational scope. [Mandiant BRICKSTORM scanner repository]
“The BRICKSTORM campaign represents a significant threat due to its sophistication, evasion of advanced enterprise security defenses, and focus on high-value targets.” — Charles Carmakal, Mandiant / practitioner analysis.
Technical Breakdown — Malware Capabilities
Architecture & capabilities. BRICKSTORM is a Go-based backdoor tailored for Linux/BSD appliances and virtual-infrastructure endpoints (notably VMware ESXi/vCenter). It provides a modular capability set: an embedded HTTP server for C2, file management (upload/download), a SOCKS proxy for tunneling, dropper behavior to stage additional binaries, and arbitrary shell execution. GTIG observed average dwell times around 393 days, indicating exceptional stealth and careful operational tradecraft.
Initial access & likely vectors. Because many victims are edge appliances that lack EDR coverage, UNC5221 frequently leverages zero-day exploits in perimeter devices (Ivanti and other appliances) or compromises vendor supply-chains to reach targets. GTIG could not always reconstruct the initial access path due to anti-forensics and long dwell times, but exploitation of exposed management endpoints is the leading hypothesis.
Evasion and C2 masquerading. BRICKSTORM disguises its C2 traffic as legitimate services by resolving domains over DoH (DNS over HTTPS) and impersonating Cloudflare/Heroku (or similar) patterns to blend in with normal traffic. Operators frequently avoid reuse of C2 domains and rotate samples per victim to complicate detection and attribution. [Technical notes & NVISO / Mandiant reports]
Privilege escalation and credential harvesting. On vCenter/ESXi victims, UNC5221 has deployed a malicious Java Servlet Filter (tracked as BRICKSTEAL) to intercept credentials, cloned Windows Server VMs to extract secrets offline, enabled SSH on ESXi hosts, and modified init.d/systemd startup scripts to maintain persistence. After harvesting credentials, the attackers use the BRICKSTORM SOCKS relay to tunnel into internal developer, admin, and code-repository systems, then exfiltrate email and source code via Microsoft Entra ID Enterprise Application flows.
Detection, Hunting and Remediation — Tactical Playbook (commands, YARA, queries)
Below are defensive artifacts and actions you can drop into SOC playbooks immediately.
1) Quick reconnaissance checks (ESXi / vCenter)
Detect unexpected SSH enablement on ESXi hosts (run on management network or via centralized asset scanner):
# ESXi has no systemd or sshd unit; from the ESXi shell, check the SSH service state and its boot policy
/etc/init.d/SSH status
chkconfig --list | grep -i ssh
# Fleet-wide from PowerCLI (preferred: works whether or not SSH is currently enabled on the host)
Get-VMHost | Get-VMHostService | Where-Object { $_.Key -eq 'TSM-SSH' } | Select-Object VMHost, Running, Policy
Search vCenter for unexpected Java filters or recent WAR/JAR uploads:
# On the vCenter Server Appliance shell (PowerCLI has no guest-file API for the appliance itself):
# list files under the vCenter webapp tree changed in the last 30 days, newest last
find /usr/lib/vmware-vpx/ -type f -mtime -30 -printf '%TY-%Tm-%Td %TH:%TM %p\n' | sort
# Narrow to deployable Java artifacts (a dropped filter or WAR is the interesting case)
find /usr/lib/vmware-vpx/ -type f -mtime -30 \( -name '*.jar' -o -name '*.war' -o -name '*.class' \) -ls
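The persistence technique described above (edits to init.d/systemd startup scripts) is best caught by diffing the script directory against a manifest captured from a known-good build. The following is an added example, not Mandiant or VMware code: it assumes the operator stored a sha256 manifest off-box and that the scripts can be read by Python (the vCenter appliance ships python3; ESXi's busybox shell does not, so copy the scripts off the host or translate the loop to sha256sum). Directory, file names and contents are constructed for the demo.

```python
"""Baseline diff for appliance startup scripts.

Added example (not Mandiant/GTIG code). Assumes the operator captured a
sha256 manifest from a known-good appliance build and stored it off-box;
the directory, file names and contents below are constructed for the demo.
"""
import hashlib
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(script_dir) -> dict:
    """Manifest {relative_path: sha256} taken from a known-good system (run once)."""
    root = Path(script_dir)
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_startup_scripts(script_dir, baseline: dict, recent_days: int = 30) -> dict:
    """Compare every file under script_dir against the baseline manifest.

    modified: in baseline, digest differs (e.g. launcher appended to a vendor script)
    unknown:  not in baseline (new persistence stub)
    missing:  in baseline but gone from disk
    recent:   mtime within recent_days, regardless of baseline (useful with no manifest)
    """
    root = Path(script_dir)
    cutoff = time.time() - recent_days * 86400
    report = {"modified": [], "unknown": [], "missing": [], "recent": []}
    seen = set()
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = str(path.relative_to(root))
        seen.add(rel)
        digest = sha256_file(path)
        if rel not in baseline:
            report["unknown"].append(rel)
        elif baseline[rel] != digest:
            report["modified"].append(rel)
        if path.stat().st_mtime >= cutoff:
            report["recent"].append(rel)
    report["missing"] = sorted(set(baseline) - seen)
    return report


def demo() -> dict:
    """Constructed scenario: clean init.d tree, then one edited script and one dropped file."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp) / "init.d"
        d.mkdir()
        (d / "SSH").write_text("#!/bin/sh\n# vendor script\n")
        (d / "hostd").write_text("#!/bin/sh\n# vendor script\n")
        baseline = build_baseline(d)            # taken while the box was clean
        (d / "SSH").write_text("#!/bin/sh\n# vendor script\n/tmp/.x/agent &\n")  # tampered
        (d / "vmware-health").write_text("#!/bin/sh\n/tmp/.x/agent &\n")        # dropped
        return diff_startup_scripts(d, baseline)


if __name__ == "__main__":
    for key, items in demo().items():
        print(f"{key:9}: {items}")
```

The "recent" list is the fallback when no manifest exists; it is noisy after patching, so record patch dates alongside it. Capture the manifest before remediation so the modified scripts survive as evidence.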
2) Network and DoH telemetry (hunt for DoH-to-C2 patterns)
BRICKSTORM uses DoH and masquerading. Hunt for anomalies (example Splunk/ELK pseudo queries):
# Example Splunk-style query: sources issuing DoH requests (RFC 8484 path /dns-query, Google JSON API /resolve).
# Volume is one signal; any DoH from an appliance management IP is worth a ticket regardless of count.
(sourcetype=proxy OR sourcetype=http) (uri_path="/dns-query" OR uri_path="/resolve" OR content_type="application/dns-message")
| stats count by src_ip, dest_host
| where count > 100
Block or closely inspect TLS connections to suspicious hosts that mimic Cloudflare/Heroku naming patterns but are recently registered or hosted in unusual ASNs.
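The same hunt, run offline over a handful of proxy-log lines so the logic can be tested before it goes into the SIEM. This is an added example rather than anything from the GTIG or Mandiant reports; the key=value log format, the sanctioned-resolver allowlist, the management-asset inventory and all addresses are hypothetical. It goes one step past the query above by treating DoH from a management-plane asset as a finding on its own, independent of volume.

```python
"""DoH hunt over web-proxy logs.

Added example, not from the GTIG/Mandiant reports. Assumes key=value proxy
log lines (constructed below), a sanctioned-resolver allowlist and a
management-plane asset inventory; all names and addresses are hypothetical.
"""
import re
from collections import defaultdict

DOH_PATHS = {"/dns-query", "/resolve"}   # RFC 8484 wire-format path; Google's JSON API path
DOH_CONTENT = "application/dns-message"  # RFC 8484 media type

SANCTIONED_RESOLVERS = {"cloudflare-dns.com", "dns.google"}                 # assumed policy
MANAGEMENT_ASSETS = {"10.20.1.5": "vcenter01", "10.20.1.11": "esxi03"}      # assumed inventory

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: a browser using Cloudflare DoH, vCenter talking to dns.google,
# a workstation using an unknown resolver, and ordinary web traffic.
SAMPLE_LOG = """\
ts=1 src=10.30.5.40 host=cloudflare-dns.com path=/dns-query ct=application/dns-message
ts=2 src=10.30.5.40 host=cloudflare-dns.com path=/dns-query ct=application/dns-message
ts=3 src=10.20.1.5 host=dns.google path=/dns-query ct=application/dns-message
ts=4 src=10.20.1.5 host=dns.google path=/resolve ct=application/json
ts=5 src=10.30.7.9 host=doh.example-cdn.net path=/dns-query ct=application/dns-message
ts=6 src=10.30.7.9 host=doh.example-cdn.net path=/dns-query ct=application/dns-message
ts=7 src=10.30.5.41 host=www.example.com path=/index.html ct=text/html
"""


def parse_line(line: str) -> dict:
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def is_doh(rec: dict) -> bool:
    """A request is DoH if it hits a resolver path or carries the DoH media type."""
    return rec.get("path") in DOH_PATHS or rec.get("ct") == DOH_CONTENT


def hunt_doh(log_text: str, count_threshold: int = 100) -> list:
    """Aggregate DoH requests per (source, resolver); return (src, host, count, reasons).

    A pair is reported when any of three conditions holds. The first one matters
    most for this campaign: an appliance has no business speaking DoH at all.
    """
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_doh(rec):
            counts[(rec["src"], rec["host"])] += 1

    findings = []
    for (src, host), n in sorted(counts.items()):
        reasons = []
        if src in MANAGEMENT_ASSETS:
            reasons.append(f"DoH from management asset {MANAGEMENT_ASSETS[src]}")
        if host not in SANCTIONED_RESOLVERS:
            reasons.append("resolver not on allowlist")
        if n > count_threshold:
            reasons.append(f"{n} requests exceeds threshold {count_threshold}")
        if reasons:
            findings.append((src, host, n, reasons))
    return findings


if __name__ == "__main__":
    for src, host, n, reasons in hunt_doh(SAMPLE_LOG):
        print(f"{src} -> {host} ({n} req): " + "; ".join(reasons))
```

Feed the asset inventory from the CMDB rather than a literal, and run the allowlist check against the TLS SNI as well as the HTTP Host header, since a backdoor that pins its own resolver will not go through the proxy's configured one.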
3) YARA and Filesystem Indicators (use Mandiant scanner + YARA)
Mandiant published a convenience scanner (replicating YARA logic) to detect BRICKSTORM-like artifacts on systems where YARA isn’t feasible. Pull and run the scanner from their repo, then validate with YARA if possible. [Mandiant Brickstorm scanner on GitHub]
Example simplified YARA rule pattern (illustrative — tune in test lab):
rule BRICKSTORM_Generic_Heuristic
{
    meta:
        author = "SOC-Team"
        description = "Heuristic: Linux ELF (Go) binary carrying SOCKS, DoH or masquerade strings; tune in lab"
    strings:
        $s1 = "brickstorm" nocase
        $s2 = "socks5" ascii
        $s3 = "Cloudflare" ascii
        $s4 = "/dns-query" ascii
    condition:
        // 0x464c457f is "\x7fELF"; the MZ check seen in copied rules targets Windows PE and never fires on appliance binaries
        uint32(0) == 0x464c457f and filesize < 20MB and ($s1 or 2 of ($s2, $s3, $s4))
}
Important: rely on the official Mandiant YARA and test in lab before deploying enterprise-wide — Mandiant warns their scanner may not detect all variants.
4) EDR/Log Detections and Sigma Examples
Sigma rule concept for process-creation telemetry (auditd, Falco or a similar agent; ESXi itself does not emit this event type): flag binaries launched from /tmp, or command lines that set up a listener, SOCKS relay or DoH endpoint. Image names are placeholders, not known BRICKSTORM paths.
title: Suspicious Listener or Tunnel Process on Linux Appliance
status: experimental
logsource:
  product: linux
  category: process_creation
detection:
  selection_path:
    Image|startswith: '/tmp/'
  selection_args:
    CommandLine|contains:
      - '--listen'
      - '--socks'
      - 'dns-query'
  condition: selection_path or selection_args
falsepositives:
  - Administrator tooling run from /tmp
level: high
5) Containment and Eradication Checklist
- Isolate affected appliances physically or at the network edge; avoid remote remediation that could trigger data destruction.
- Capture forensic images of memory and disk; preserve init.d/systemd script modifications and recent vCenter uploads before any cleanup.
- Rotate credentials harvested from compromised VMs and vCenter, especially service accounts, API keys, and SSO/OAuth secrets.
- Rebuild VMs from trusted golden images rather than in-place cleanup when ESXi/vCenter is compromised; attackers have been observed cloning VMs to extract secrets.
- Review Entra ID / Enterprise App consents and revoke suspicious app registrations and service principals used for exfiltration.
Comparative Incidents and Strategic Risk
BRICKSTORM represents an evolution of the “upstream” compromise model: attackers now target appliances and service providers (edge devices, BPOs, SaaS providers) to get broad downstream visibility, similar in strategic intent to the SolarWinds compromise but relying on persistent stealth rather than supply-chain trojanization. UNC5221 previously exploited Ivanti zero-days and other appliance flaws to gain footholds, and GTIG/Mandiant link the BRICKSTORM activity to that historical pattern.
The sector focus (legal, SaaS, BPOs, developer tooling) suggests adversary interest in source code, legal strategy, vulnerability discovery, and zero-day development—high-value intel that can be repurposed to develop new exploits or to attack govt/industry targets.
Risk Implications and Regulatory Considerations
Operational secrecy vs. risk window. Long dwell times (average ~393 days) mean data exfiltration can be extensive before detection; companies should treat this as high-impact espionage, not a typical commodity ransomware incident. Regulatory fallout may involve data-protection authorities and contractual investigations by downstream clients if client data or privileged communications were accessed.
Insurance and legal exposure. BPOs and SaaS firms providing services to critical clients must prepare for contractual liability, class actions, and insurance claims—especially if secret client data or source code is proven exfiltrated.
Executive Recommendations and Long-Term Mitigations
- Inventory blind spots: create an asset inventory that includes appliances, appliance virtual machines (vCenter/ESXi), network gear, and management consoles. Ensure these are monitored by network IDS/DoH telemetry even if EDR cannot be installed.
- Zero-trust network segmentation: enforce strict segmentation between management planes (vCenter/ESXi) and production workloads; limit management interfaces to jump boxes with MFA and session recording.
- Endpoint coverage alternatives: where EDR cannot run, deploy network-based anomaly detection and periodic image YARA scans (using the Mandiant scanner) on appliances. [Mandiant scanner repo] (GitHub)
- Harden supply-chain and vendor SLAs: require vendors to report intrusions promptly, perform firmware integrity checks, and support out-of-band verification of patches.
- Proactive hunting cadence: schedule quarterly hunts for DoH anomalies, unusual SSH enablement on appliance hosts, and signs of VM cloning or unexplained snapshot activity.
What to Watch Next
- Release of additional Mandiant YARA rules and scanner updates to cover new BRICKSTORM variants.
- Public disclosure of specific zero-day vectors (Ivanti or other appliance CVEs) that UNC5221 exploited—patch management and emergency mitigations will follow.
- Evidence of downstream abuse (zero-day development, targeted supply-chain attacks) that leverages exfiltrated code or privileged communications.