
Legal services firms, software-as-a-service (SaaS) providers, business process outsourcing (BPO) companies, and the US technology sector are being targeted by suspected China-nexus cyber espionage groups to deliver a known backdoor called BRICKSTORM.
Mandiant and Google's Threat Intelligence Group (GTIG), in a new report shared with The Hacker News, said that UNC5221 and closely related, suspected China-nexus threat clusters are conducting the activity to maintain sustained access to victim organizations for more than a year.
The aim of targeting SaaS providers is to acquire the data of downstream customer environments, or the data a SaaS provider hosts on behalf of its customers. The targeting of US legal and technology firms is assessed to be aimed at stealing intellectual property to advance the development of zero-day exploits, as well as at gathering information related to national security and international trade.
BRICKSTORM was first documented last year by Google in connection with the zero-day exploitation of Ivanti Connect Secure vulnerabilities (CVE-2023-46805 and CVE-2024-21887). It has also been used since at least November 2022 to target European organizations.

A Go-based backdoor, BRICKSTORM can set itself up as a web server, perform file system and directory operations, upload and download files, execute shell commands, and act as a SOCKS relay. It uses WebSockets to communicate with its command-and-control (C2) server.
Earlier this year, the US government noted that a China-aligned threat cluster tracked as APT27 (aka Emissary Panda) overlaps with Silk Typhoon, UNC5221, and UTA0178. However, GTIG told The Hacker News at the time that there was insufficient evidence to confirm the links and that it treated them as two separate clusters.
“These intrusions are conducted with a special focus on maintaining long-term, stealthy access by deploying backdoors on appliances that do not support traditional endpoint detection and response (EDR) tools,” GTIG said, adding that it has responded to several such intrusions since March 2025.
“The actors employ lateral movement and data theft methods that generate minimal to no security telemetry. This, coupled with the BRICKSTORM backdoor, has allowed them to remain undetected in victim environments for an average of 393 days.”
In at least one case, the threat actors are believed to have exploited the aforementioned Ivanti Connect Secure flaws on edge devices to obtain initial access and then dropped BRICKSTORM on Linux- and BSD-based appliances from multiple manufacturers.
There is evidence to suggest the malware is under active development. One sample features a delay timer that waits until a hardcoded future date before beginning communication with the C2 server. According to Google, a BRICKSTORM variant was deployed on internal VMware vCenter servers after a targeted organization had launched incident response efforts, indicating the group's agility in maintaining persistence.
The attacks are also characterized by the use of a malicious Java servlet filter on the vCenter appliance's Apache Tomcat server to capture vCenter credentials for privilege escalation, followed by the use of those credentials to clone the virtual machines of key Windows Server systems such as domain controllers, SSO identity providers, and secret vaults.
“Normally, installing filters requires modifying a configuration file and restarting or reloading the application. However, the actors used custom droppers to make the changes entirely in memory, making them extremely stealthy and eliminating the need for a restart,” Google said.

The group is also known to use valid credentials to move laterally and pivot into the VMware infrastructure, and to modify init.d, rc.local, or systemd files so that the backdoor starts automatically when the appliance reboots.
The main goal of the campaign is to access the email of key individuals within the victim organization, such as developers, systems administrators, and individuals involved in matters that align with China's economic and espionage interests. BRICKSTORM's SOCKS proxy feature is used to create tunnels and directly access applications the attackers deem of interest.
Google has also released a shell-script scanner that potential victims can run on Linux- and BSD-based appliances and systems to determine whether they are affected by BRICKSTORM activity; it flags files that match known signatures of the malware.
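As an added illustration of the persistence hunt this implies (example code written for this page, not Google's scanner or anything published in the report), the POSIX shell script below walks the boot-time persistence locations named above, init.d scripts, rc.local and systemd unit files, and flags entries that launch a program from a path a vendor-built appliance would not normally use. The function name hunt_persistence and the list of suspicious path prefixes are assumptions made for the example; BRICKSTORM's actual file names and paths are not given on this page, so the script reports candidates for manual review rather than confirmed infections.

```shell
#!/bin/sh
# Hypothetical persistence hunt for Linux/BSD appliances (added example;
# not Google's BRICKSTORM scanner). It checks the boot-time persistence
# locations named in the report -- init.d scripts, rc.local and systemd
# unit files -- and flags entries that launch a program from a location
# a vendor-built appliance would not normally use. The path list is an
# assumption for this example, not an indicator published for the campaign.

# Directories legitimate appliance services essentially never start from,
# plus any hidden directory component (e.g. /var/lib/.cache/svc).
SUSPICIOUS_PATHS='/tmp/|/var/tmp/|/dev/shm/|/home/|/root/|/\.[A-Za-z0-9_-]+/'

# hunt_persistence [ROOT]
# Scans the filesystem rooted at ROOT (omit it or pass / for the live
# system; pass a mount point to examine an appliance image offline) and
# prints one "file:line:text" record per suspicious persistence entry.
# Always returns 0 so callers can capture and count the output under set -e.
hunt_persistence() {
    root="${1%/}"   # "/" becomes "", so paths below stay clean

    # rc.local and init.d scripts: any non-comment line may launch a program.
    for f in "$root/etc/rc.local" "$root/etc/rc.d/rc.local" "$root"/etc/init.d/*; do
        [ -f "$f" ] || continue
        grep -nE "$SUSPICIOUS_PATHS" "$f" 2>/dev/null \
            | grep -vE '^[0-9]+:[[:space:]]*#' \
            | sed "s|^|$f:|" || true
    done

    # systemd units: only Exec* directives launch programs, so a suspicious
    # path appearing in Description= or a comment is deliberately not reported.
    for d in "$root/etc/systemd/system" "$root/usr/lib/systemd/system" "$root/lib/systemd/system"; do
        [ -d "$d" ] || continue
        for f in "$d"/*.service; do
            [ -f "$f" ] || continue
            grep -nE '^Exec(Start|StartPre|StartPost|Stop|Reload)=' "$f" 2>/dev/null \
                | grep -E "$SUSPICIOUS_PATHS" \
                | sed "s|^|$f:|" || true
        done
    done
    return 0
}

# Scan only when a root is given on the command line, e.g.:
#   sh hunt_persistence.sh /            (live appliance)
#   sh hunt_persistence.sh /mnt/image   (mounted disk image)
if [ "$#" -gt 0 ]; then
    hunt_persistence "$1"
fi
```

Pointing the script at a mounted image rather than the live appliance avoids depending on tooling installed on the appliance itself. Because the heuristic is path-based, a vendor that legitimately ships an Exec= line under a hidden directory will produce a hit, so treat each record as a lead to verify against the vendor's file manifest, not as a detection.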
“The BRICKSTORM campaign represents a critical threat because of its sophistication, its evasion of advanced enterprise security defenses, and its high-value targets,” said Charles Carmakal, CTO of Mandiant Consulting at Google Cloud, in a statement shared with The Hacker News.
“The access obtained by UNC5221 allows them to pivot to the downstream customers of compromised SaaS providers and to discover zero-day vulnerabilities in enterprise technology that can be used in future attacks.”