Google Threat Intelligence Group (GTIG) and Mandiant Consulting have released new findings on BRICKSTORM, a backdoor used in a campaign attributed to suspected China-nexus threat clusters. Active since at least March 2025, the campaign has targeted a broad range of industries in the United States, including legal services, SaaS providers, business process outsourcers (BPOs), and technology firms.
According to GTIG, “the value of these targets extends beyond typical espionage missions, potentially providing data to feed development of zero-days and establishing pivot points for broader access to downstream victims.”
BRICKSTORM is written in Go and built for cross-platform deployment, which suits it to appliances that cannot run traditional endpoint detection and response (EDR) agents. These appliances typically sit at the network edge or in the management plane, are poorly inventoried, and fall outside standard security monitoring, so a foothold on them is neither logged nor alerted on the way a workstation compromise would be.
The malware is highly evasive: “This, coupled with modifications to the BRICKSTORM backdoor, has enabled them to remain undetected in victim environments for 393 days, on average.”
Variants have been found on Linux and BSD-based systems, with consistent focus on VMware vCenter and ESXi hosts. In some cases, attackers used valid credentials captured from compromised appliances to move laterally into VMware environments.
GTIG attributes BRICKSTORM activity to UNC5221, which has been publicly linked with Silk Typhoon but is now assessed as a distinct cluster. The group employs sophisticated tradecraft, including:
- Delayed beaconing: Some BRICKSTORM samples carry timers that wait months before first contacting command-and-control servers, so no network indicator exists during the initial incident-response window.
- Masquerading: File names, process names, and functionality mimic legitimate system components so that the implant blends in with the appliance's own software.
- Cloud-based C2: Attackers leveraged Cloudflare Workers, Heroku apps, sslip.io, and nip.io for command-and-control infrastructure, hiding callbacks among traffic to widely used hosting providers and wildcard DNS services.
- Credential theft: A related tool, BRICKSTEAL, captured credentials from VMware vCenter logins by installing a malicious in-memory Java Servlet filter that intercepts authentication requests inside the vCenter web process, leaving nothing on disk to scan.
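The C2 providers in the list above are a hunting opportunity: vCenter and ESXi hosts have no legitimate reason to resolve Cloudflare Workers, Heroku, sslip.io, or nip.io names, and the last two encode the attacker's IP directly in the hostname. The following is an added example, not GTIG or Mandiant code, that scans a DNS query log from management-plane appliances for those patterns and recovers the embedded IPs for blocking. The log format and every hostname in it are constructed for the example.

```python
"""Hunt appliance DNS logs for the hosting patterns GTIG tied to BRICKSTORM C2.

Added example (not GTIG/Mandiant code). The sample log is constructed; the
provider suffixes come from the report, everything else is an assumption.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Providers named in the GTIG report as BRICKSTORM command-and-control hosting.
C2_PROVIDER_SUFFIXES = (".workers.dev", ".herokuapp.com", ".sslip.io", ".nip.io")

# sslip.io and nip.io are wildcard DNS services: the IPv4 address is embedded in
# the hostname (203.0.113.7.sslip.io or 203-0-113-7.nip.io) and the service
# resolves it without the attacker owning any DNS zone.
_EMBEDDED_IPV4 = re.compile(
    r"(?<![0-9])(\d{1,3})[.-](\d{1,3})[.-](\d{1,3})[.-](\d{1,3})(?![0-9])"
)


@dataclass
class Finding:
    client: str
    hostname: str
    reason: str
    resolved_ip: Optional[str] = None


def embedded_ip(hostname: str) -> Optional[str]:
    """Return the IPv4 address encoded in a sslip.io / nip.io name, or None."""
    host = hostname.lower().rstrip(".")
    if not host.endswith((".sslip.io", ".nip.io")):
        return None
    match = _EMBEDDED_IPV4.search(host)
    if match is None:
        return None
    try:
        # Rejects octets > 255 that the loose regex would otherwise accept.
        return str(ipaddress.IPv4Address(".".join(match.groups())))
    except ipaddress.AddressValueError:
        return None


def classify(client: str, hostname: str) -> Optional[Finding]:
    """Flag a single (client, queried name) pair if it matches a C2 provider."""
    host = hostname.lower().rstrip(".")
    for suffix in C2_PROVIDER_SUFFIXES:
        if host.endswith(suffix):
            ip = embedded_ip(host)
            reason = f"management appliance queried {suffix} name"
            if ip is not None:
                reason += f" encoding {ip}"
            return Finding(client, host, reason, ip)
    return None


# Constructed sample: "<timestamp> <client> <qtype> <qname>" lines from a resolver
# serving only the virtualization management network. Not real telemetry.
SAMPLE_DNS_LOG = """\
2025-09-01T02:14:07Z vcenter01 A updates.vmware.com
2025-09-01T02:14:09Z esxi-07 A ntp.example.internal
2025-09-01T02:15:30Z vcenter01 A sync-agent.example-acct.workers.dev
2025-09-01T02:15:31Z esxi-07 A 203.0.113.7.sslip.io
2025-09-01T02:15:33Z esxi-07 A 198-51-100-23.nip.io
2025-09-01T02:16:00Z vcenter01 A telemetry-relay.herokuapp.com
2025-09-01T02:16:05Z esxi-07 A 999.1.1.1.nip.io
"""


def scan_dns_log(text: str) -> List[Finding]:
    """Parse the four-column log and return every C2-provider match."""
    findings: List[Finding] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines rather than crash the hunt
        _ts, client, _qtype, qname = parts
        finding = classify(client, qname)
        if finding is not None:
            findings.append(finding)
    return findings


def blocklist_ips(findings: List[Finding]) -> Set[str]:
    """IPs recovered from wildcard-DNS names, ready for an egress deny rule."""
    return {f.resolved_ip for f in findings if f.resolved_ip is not None}


if __name__ == "__main__":
    for f in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{f.client:10} {f.hostname:40} {f.reason}")
    print("block:", sorted(blocklist_ips(scan_dns_log(SAMPLE_DNS_LOG))))
```

These providers host plenty of legitimate applications, so the signal is not the domain itself but the source: a vCenter or ESXi host should have an egress allowlist measured in a handful of names, and anything outside it from those hosts deserves a ticket. The `999.1.1.1.nip.io` line is kept in the sample to show that the hostname is still flagged even when no valid address can be recovered from it.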
The ultimate goal goes beyond persistence. In some cases, attackers cloned domain controller and password vault virtual machines and extracted sensitive databases such as ntds.dit from the copies, enabling credential theft at domain scale. Because the copy is taken at the hypervisor layer, the running domain controller, and any EDR agent on it, never observes the theft; the only record is in the virtualization management plane.
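Since the running domain controller sees nothing, the control that catches this technique is auditing copy operations in the hypervisor management plane. The following is an added example, not Mandiant or GTIG code, that reviews a list of VM lifecycle events and flags clones, snapshots, or OVF exports of credential-bearing VMs, escalating when the operator is not a sanctioned backup identity or when the resulting copy is powered on. The event vocabulary, VM naming patterns, and approved-operator list are all assumptions standing in for a site's real vCenter event export and naming convention; the events themselves are constructed.

```python
"""Flag hypervisor-level copies of domain controllers and password vaults.

Added example (not Mandiant/GTIG code). Event records are constructed and use
an assumed operation vocabulary rather than vCenter's real event class names.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from fnmatch import fnmatch
from typing import Dict, List, Optional

# Assumed site naming convention for VMs that hold credential material.
SENSITIVE_VM_PATTERNS = ("dc[0-9]*", "*-dc-*", "*vault*", "*pam*")
# Assumed: the only identity allowed to copy those VMs (a backup service account).
APPROVED_COPY_OPERATORS = {"corp\\backup-svc"}
# Operations that yield a readable copy of the VM's disks (assumed vocabulary).
COPY_OPERATIONS = {"clone", "export_ovf", "snapshot"}


@dataclass
class VmEvent:
    time: datetime
    operation: str            # "clone", "export_ovf", "snapshot", "power_on", ...
    user: str
    source_vm: str            # VM the operation acted on
    target_vm: Optional[str]  # new VM produced by a clone/export, if any
    host: str


@dataclass
class Finding:
    event: VmEvent
    severity: str
    reason: str


def is_sensitive_vm(name: str) -> bool:
    """Match a VM name against the credential-bearing naming patterns."""
    lowered = name.lower()
    return any(fnmatch(lowered, pattern) for pattern in SENSITIVE_VM_PATTERNS)


def flag_sensitive_copies(events: List[VmEvent]) -> List[Finding]:
    """Walk events in time order; flag copies of sensitive VMs and power-ons of those copies."""
    findings: List[Finding] = []
    copies: Dict[str, VmEvent] = {}  # target VM name -> the copy event that created it
    for ev in sorted(events, key=lambda e: e.time):
        if ev.operation in COPY_OPERATIONS and is_sensitive_vm(ev.source_vm):
            if ev.user.lower() in APPROVED_COPY_OPERATORS:
                findings.append(Finding(ev, "low", f"{ev.operation} of {ev.source_vm} by approved operator"))
            else:
                findings.append(Finding(ev, "high", f"{ev.operation} of {ev.source_vm} by unapproved user {ev.user}"))
            if ev.target_vm:
                copies[ev.target_vm.lower()] = ev
        elif ev.operation == "power_on" and ev.source_vm.lower() in copies:
            origin = copies[ev.source_vm.lower()]
            # A booted copy of a DC exposes ntds.dit and the SYSTEM hive without
            # a single event on the production domain controller.
            findings.append(Finding(ev, "high", f"copy of {origin.source_vm} powered on by {ev.user}"))
    return findings


def _t(hour: int, minute: int) -> datetime:
    return datetime(2025, 9, 1, hour, minute, tzinfo=timezone.utc)


# Constructed event sample; not telemetry from any real intrusion.
SAMPLE_EVENTS = [
    VmEvent(_t(1, 0), "clone", "CORP\\backup-svc", "DC01", "dc01-backup-20250901", "esxi-03"),
    VmEvent(_t(2, 10), "clone", "CORP\\jdoe", "DC01", "tmp-vm-7", "esxi-07"),
    VmEvent(_t(2, 12), "clone", "CORP\\jdoe", "web01", "web01-clone", "esxi-07"),
    VmEvent(_t(2, 15), "power_on", "CORP\\jdoe", "tmp-vm-7", None, "esxi-07"),
    VmEvent(_t(2, 40), "snapshot", "CORP\\vsphere-admin", "pam-vault01", None, "esxi-03"),
    VmEvent(_t(3, 0), "power_on", "CORP\\jdoe", "web01-clone", None, "esxi-07"),
]


if __name__ == "__main__":
    for f in flag_sensitive_copies(SAMPLE_EVENTS):
        print(f"{f.severity:4} {f.event.time.isoformat()} {f.reason}")
```

The sanctioned backup clone still appears as a low-severity finding on purpose: the hunt should list every copy of a DC so that an analyst can confirm the backup job's schedule and target naming, since an attacker holding the backup account's credentials would otherwise be invisible. Mapping the assumed `operation` values onto the real event types exported by your hypervisor, and feeding the list from that export, is the site-specific work this example leaves out.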
GTIG assesses that BRICKSTORM operations are designed for long-term espionage and IP theft. “Recent intrusion operations tied to BRICKSTORM likely represent an array of objectives ranging from geopolitical espionage, access operations, and intellectual property (IP) theft to enable exploit development.”
Legal sector targeting appears aimed at national security and international trade data, while SaaS providers are valued as gateways into downstream customer environments. Technology companies, meanwhile, are attractive for intellectual property, such as source code, that could feed the development of zero-day exploits against their own products.