Stratos Ally

Chinese Hackers Deploy BRICKSTORM Backdoor in Year-Long Espionage Campaign 


StratosAlly


Suspected China-linked operators have been observed using a Go-based backdoor dubbed BRICKSTORM in a series of long-running espionage intrusions, according to a new analysis from Google Cloud’s Mandiant unit. 

The activity, tracked as UNC5221, has primarily targeted U.S. organizations in the legal, SaaS, business process outsourcing, and technology sectors, with links to earlier compromises in Europe dating back to 2022. 

BRICKSTORM targets internet-facing infrastructure, including VMware ESXi and vCenter servers, which often escape routine endpoint monitoring. Once the malware is active, it can proxy network traffic, execute shell commands, modify files, and launch web servers to support ongoing operations. To remain undetected, it employs obfuscation, custom timing delays, and discreet communications through platforms such as Cloudflare Workers and Heroku. 

The attackers appear focused on intercepting email exchanges of prominent targets, collecting login details, and duplicating critical virtual machines such as domain controllers and credential storage systems. According to Mandiant, the operators typically rely on undisclosed vulnerabilities in internet-facing appliances to establish entry, with persistence in victim networks often lasting longer than twelve months. 

Although there is no single vendor patch that addresses BRICKSTORM itself, the campaign demonstrates how heavily the operators depend on previously unknown flaws in edge appliances, underscoring the need to maintain strong patching practices across virtualization and remote access systems. To aid defenders, Google has published a purpose-built script that can scan environments for traces of the backdoor.

State-linked hackers are increasingly targeting overlooked infrastructure rather than traditional endpoints, security researchers say. By hiding backdoors in overlooked network appliances, they can linger inside organizations for months, hopping from one system to another without setting off alarms. 
