A long‑running espionage campaign built around the BRICKSTORM backdoor has been quietly compromising US organizations since early 2025. The operators are not smashing systems or deploying ransomware; they are settling in, hiding inside network and virtualization appliances, and silently stealing data for more than a year at a time.
This post focuses on four questions:
- Who is being targeted?
- Who is behind BRICKSTORM?
- When did the attacks happen?
- How do the attacks actually work?
Who Is Being Targeted?
The campaign focuses on US organizations that hold sensitive data or sit in the middle of many other customers:
- Legal services
- Law firms and legal providers involved in national security, international trade, and major corporate matters.
- Software‑as‑a‑Service (SaaS) providers
- Platforms hosting large volumes of customer data and integrations into many downstream environments.
- Business Process Outsourcers (BPOs)
- Service providers that process data and operations for multiple client organizations.
- Technology companies
- Especially those building enterprise software, security tools, or virtualization platforms that could inform zero‑day exploit development.
These targets give the attackers three main advantages:
- Access to sensitive legal and policy information.
- Central “pivot points” into many downstream customers.
- Valuable intellectual property and technical details useful for new exploits.
Who Is Behind the Attacks?
The activity is attributed to UNC5221, a China‑nexus advanced persistent threat (APT) cluster.
Characteristics of UNC5221:
- Likely state‑linked espionage rather than criminal financially‑motivated attacks.
- Skilled at exploiting zero‑day vulnerabilities in network and virtualization appliances.
- Focused on long‑term, low‑noise access, not quick, disruptive operations.
- Uses custom tooling (BRICKSTORM backdoor, BRICKSTEAL credential stealer, SLAYSTYLE web shell) and strong operational security, including unique infrastructure per victim.
The apparent objectives:
- Geopolitical and economic intelligence, especially around US national security and trade.
- Intellectual property theft, including software and exploit‑relevant code.
- Access operations into downstream customers via compromised SaaS and BPO providers.
When Did the Attacks Happen?
- Intrusions in this campaign have been active since at least March 2025.
- The average dwell time is about 393 days:
- In many cases, the attackers remained inside networks for over a year.
- By the time incidents were investigated, initial entry logs were often gone.
This dwell time, plus the focus on rarely monitored appliances, made identifying the initial intrusion vector difficult in many environments.
How the Attacks Work: High‑Level Flow
At a high level, the BRICKSTORM intrusions follow this lifecycle:
- Initial access via edge and remote‑access systems
- Foothold with the BRICKSTORM backdoor on appliances
- Privilege escalation to vCenter, identity, and secret‑management systems
- Lateral movement across virtualization and Windows environments
- Persistence via startup modifications and a web shell
- Mission completion through email, source‑code, and data theft
1. Initial Access: Perimeter and Remote‑Access Systems
Because of the long dwell time, initial entry is not always visible, but patterns are consistent:
- Focus on perimeter / remote‑access infrastructure, such as:
- Firewalls
- VPN gateways
- Other edge or virtualization appliances
- In at least one case, access was gained via a zero‑day vulnerability.
- The group uses post‑exploitation scripts with anti‑forensics features to wipe or obscure traces of the initial compromise.
Goal: gain a foothold on high‑privilege systems that are often outside traditional EDR and logging coverage.
2. Establishing a Foothold: The BRICKSTORM Backdoor
Once inside, the attackers deploy BRICKSTORM, a Go‑based backdoor with built‑in SOCKS proxy functionality.
Key traits:
- Deployed mainly on Linux and BSD‑based appliances, especially:
- VMware vCenter and ESXi hosts
- Neighboring network appliances
- Appliances are attractive because they are often:
- Poorly inventoried
- Not covered by EDR
- Excluded from centralized logging
Stealth techniques:
- Binaries are named and placed to look like legitimate appliance services.
- Some variants are heavily obfuscated and use:
- Custom libraries
- Delay timers that wait months before beaconing to command‑and‑control.
- Command‑and‑control (C2) uses:
- Cloud platforms like Cloudflare Workers and Heroku
- Dynamic DNS tricks (
sslip.io,nip.io) to map domains directly to IPs - Little to no domain reuse between victims
BRICKSTORM becomes both the remote access backdoor and a network tunnel into the environment.
3. Escalating Privileges: vCenter, Credentials, and Secret Vaults
With a stable foothold, the attackers work to capture credentials and control central management systems.
Key techniques:
- BRICKSTEAL servlet filter on vCenter
- Malicious Java Servlet Filter injected into the Apache Tomcat server that runs the vCenter web UI.
- Loaded in memory without config‑file changes or restarts, making it very stealthy.
- Hooks login paths such as
/web/saml2/sso/*. - Decodes HTTP Basic authentication headers to harvest vCenter / Active Directory credentials, often for highly privileged users.
- Abuse of VMware vCenter capabilities
- vCenter manages virtual machines (VMs): cloning, snapshots, etc.
- Attackers use vCenter access to clone sensitive Windows Server VMs, including:
- Domain Controllers
- Identity providers
- Secret‑management servers (e.g., Delinea / Thycotic Secret Server)
- Cloned VMs are never powered on:
- Security tools on those servers never run.
- Attackers simply mount the disks and extract:
ntds.dit(AD database)- Credential vault contents
- Other secrets and configuration data.
- Targeting dedicated secret servers
- Evidence shows use of tools to bulk‑extract and decrypt credentials from Secret Server instances.
This stage gives the attackers broad, long‑term credentials they can reuse throughout the network.
4. Lateral Movement: Through Virtualization into Windows
Using those credentials, the attackers expand their reach.
Common patterns:
- SSH logins to additional appliances using:
- Passwords found in vaults
- Credentials discovered in scripts or configs
- Enabling SSH on vCenter / ESXi via the management interface (VAMI), then installing BRICKSTORM directly.
- Network logons and occasional RDP sessions from appliance IPs into Windows servers and desktops.
- Using BRICKSTORM’s SOCKS proxy to tunnel attacker traffic to:
- Internal web apps
- File servers
- Source‑code repositories
Virtualization infrastructure acts as a central highway for movement across the environment.
5. Persistence: Startup Changes and a Web Shell
To survive reboots and partial remediation, the attackers layer their persistence:
- Modify startup mechanisms on appliances:
init.d,rc.local, orsystemdunit files- Often by editing existing scripts with
sedso BRICKSTORM runs alongside legitimate services.
- Deploy the SLAYSTYLE (BEEFLUSH) JSP web shell on vCenter:
- Accepts commands via HTTP parameters.
- Executes arbitrary OS commands and returns output in the HTTP response.
- Provides a second, covert backdoor independent of the BRICKSTORM binary.
They may also:
- Create temporary local admin accounts on vCenter/ESXi to install BRICKSTORM over SSH, then delete those accounts.
- Maintain multiple BRICKSTORM instances across different appliances to ensure backup access.
In some cases, they even deployed new BRICKSTORM variants after incident response had begun, configured to wake up in the future, indicating close monitoring of defender actions.
6. Completing the Mission: Email, Code, and Data Theft
With stable access and high privileges, the attackers focus on data exfiltration.
Primary targets:
- Email
- Use Microsoft Entra ID Enterprise Applications with
mail.readorfull_access_as_appscopes. - These permissions allow access to any mailbox in the tenant.
- Target mailboxes include:
- Developers and admins
- Legal and executive staff tied to national‑security, trade, or other strategic topics.
- Use Microsoft Entra ID Enterprise Applications with
- Source code and internal repositories
- Log into internal code hosting systems with stolen credentials.
- Download repositories and build artifacts (often as ZIP archives).
- Files and secrets on network shares
- Access Windows UNC paths to reach specific servers and directories.
- Pull configuration files, keys, and other sensitive data.
Exfiltration paths:
- BRICKSTORM’s SOCKS proxy, making traffic look like ordinary HTTPS or VPN traffic from appliances.
- Commercial VPN / proxy services (e.g., popular consumer VPN brands).
- A suspected custom proxy network using compromised home/office routers, adding another layer of obfuscation.
Because infrastructure is frequently rotated and unique per victim, traditional indicator‑based detection is largely ineffective.
Why BRICKSTORM Matters
BRICKSTORM shows how high‑end espionage has evolved:
- The focus is shifting away from endpoints and toward:
- Virtualization control planes
- Network and edge appliances
- Identity and secret‑management systems
- Attackers rely less on reused domains and static malware, and more on:
- Custom, per‑victim infrastructure
- Appliance‑resident backdoors and web shells
- Behavioral patterns that blend into admin activity
- Dwell times of over a year mean that log retention, appliance inventory, and TTP‑based hunting are now critical for defense.
Organizations in legal, SaaS, BPO, and technology sectors—especially those touching national security, trade, or valuable IP—should assume they are priority targets and treat their appliances and virtualization platforms as Tier‑0 assets, not afterthoughts.
Find Out More
For deeper technical details, hunting guidance, and detection content, see:
- Google Cloud / Mandiant analysis of the BRICKSTORM espionage campaign (threat actor lifecycle, technical deep dive, YARA, and hunting guidance)
- SOC Prime BRICKSTORM backdoor detection content (Sigma rules, TTP mapping, and defensive recommendations)
- Dailysecu coverage (Korean) of BRICKSTORM activity (regional context and summary for Korean readers)