Hackers Deploy Brickstorm Malware Against U.S. Technology and Legal Organizations

Google specialists report that suspected Chinese hackers have used the Brickstorm malware in espionage operations targeting American organizations in the technology and legal sectors. The attackers remained hidden in victim networks for roughly 400 days before being discovered.

The Malware: Brickstorm

Brickstorm is a backdoor written in Go, first observed by Google in April 2024. At that time, analysts uncovered China-linked intrusions spreading through edge devices and persisting undetected for more than a year on average.

The malware functions as:

  • a web server
  • a file manipulation tool
  • a dropper for additional payloads
  • a SOCKS relay
  • a shell command execution tool

According to Google’s Threat Intelligence Group (GTIG), Brickstorm was used to exfiltrate sensitive data while maintaining access to compromised networks for an average of 393 days.

Targets and Motives

Researchers identified unnamed victims in the legal and technology sectors, along with SaaS solution providers and business process outsourcing (BPO) firms. Google believes these compromises provided attackers with opportunities to develop zero-day exploits and expand downstream attacks—particularly against organizations lacking endpoint detection and response (EDR) solutions.

This activity has been attributed to the cluster UNC5221, a group previously linked to:

  • exploitation of zero-day vulnerabilities in Ivanti products
  • custom malware families Spawnant and Zipline
  • targeting of government agencies

Tactics and Intrusion Methods

UNC5221 operators are known for long dwell times and the use of anti-forensic scripts, making it difficult for analysts to determine the initial access vector. It is suspected that a zero-day in edge devices was exploited.

Once deployed, Brickstorm established command-and-control (C2) communication disguised as traffic from legitimate services such as Cloudflare and Heroku. Key tactics included:

  • Deploying on VMware vCenter/ESXi endpoints without EDR protection
  • Using a malicious Java Servlet Filter (Bricksteal) on vCenter to intercept credentials
  • Cloning Windows Server VMs to extract secrets
  • Enabling SSH on ESXi and modifying init.d/systemd startup scripts for persistence
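As an added defender-side example (not the page's content and not Mandiant's scanner), the following Python audits startup-script entries collected from a vCenter appliance or ESXi host for the kind of init.d/systemd persistence listed above; the sample file contents, the baseline image date and the list of suspicious launch directories are constructed assumptions.

```python
"""Audit init.d / systemd startup entries for suspicious persistence.

Constructed example: input is (path, mtime, content) tuples as a responder
might collect from an appliance lacking EDR. Not affiliated with Mandiant.
"""
import re
from datetime import datetime

# Directories from which a boot-time service on an appliance should not be
# launching a binary (illustrative assumption, tune per environment).
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/", "/var/log/")

# Constructed sample: two legitimate-looking entries and one persistence entry
# that launches a dropped binary from /var/tmp after the baseline date.
SAMPLE_FILES = [
    ("/etc/systemd/system/vmware-vpxd.service", "2023-05-10T08:00:00Z",
     "[Service]\nExecStart=/usr/lib/vmware-vpx/vpxd\n"),
    ("/etc/init.d/hostd", "2023-05-10T08:00:00Z",
     "#!/bin/sh\n/usr/lib/vmware/hostd/bin/hostd\n"),
    ("/etc/systemd/system/cloud-sync.service", "2024-11-02T03:14:00Z",
     "[Service]\nExecStart=/var/tmp/.cache/sync -c /var/tmp/.cache/cfg\n"),
]

# Absolute path at the start of a line, optionally prefixed by ExecStart=
EXEC_RE = re.compile(r"^(?:ExecStart=)?\s*(/[^\s;&|]+)", re.MULTILINE)


def _parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def find_suspicious(files, baseline):
    """Return (path, reason) for entries that were modified after the baseline
    image date or that launch an executable from a suspicious directory."""
    base = _parse(baseline)
    findings = []
    for path, mtime, content in files:
        reasons = []
        if _parse(mtime) > base:
            reasons.append("modified after baseline")
        for exe in EXEC_RE.findall(content):
            if exe.startswith(SUSPICIOUS_DIRS):
                reasons.append(f"launches {exe}")
        if reasons:
            findings.append((path, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for path, reason in find_suspicious(SAMPLE_FILES, "2024-01-01T00:00:00Z"):
        print(f"{path}: {reason}")
```

Run against real hosts by feeding it the startup-script paths, mtimes and contents gathered during triage; a hit is a lead for forensic review, not proof of compromise.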

Credential Theft and Data Exfiltration

The attackers used stolen credentials for lateral movement across networks. Their primary goal was to steal email via Microsoft Entra ID Enterprise Apps. To evade detection, they tunneled into internal systems and repositories through a SOCKS proxy.

Google’s observations indicate that the group focused on developers, administrators, and individuals tied to China’s economic and defense interests.

Covering Tracks and Countermeasures

Upon completion of their operations, UNC5221 deleted malware to hinder forensic analysis. Investigators noted that the group never reuses C2 server domains or malware samples, further complicating detection and attribution.

To assist defenders, Mandiant has released a free scanner script using YARA rules to search for Brickstorm on Linux and BSD devices. The package also includes rules for related malware families Bricksteal and Slaystyle.

However, Mandiant warns that the tool:

  • may not detect all Brickstorm variants
  • does not guarantee confirmation of compromise
  • does not address persistence mechanisms
  • does not alert defenders about vulnerable devices