China Espionage Threat: BRICKSTORM Malware Targets Tech and Legal Sectors

Jim Gagnard, Board Advisor

December 5, 2025 4 min read

TL;DR

This article delves into a sophisticated China-linked espionage campaign utilizing the BRICKSTORM backdoor. It details how attackers achieve persistent access, target legal, SaaS, and tech firms, and exfiltrate sensitive data. The analysis covers BRICKSTORM's technical capabilities, including its SOCKS proxy functionality and evasion tactics, and provides crucial recommendations for organizations to detect and defend against such advanced threats.

China-Linked Espionage Campaign Leverages BRICKSTORM Malware

A sophisticated, suspected China-nexus espionage campaign is utilizing the BRICKSTORM backdoor to maintain persistent access to victim organizations in the United States. The Google Threat Intelligence Group (GTIG) has been tracking this activity, attributing it to UNC5221, a group known for exploiting zero-day vulnerabilities.

The campaign's targets include legal services, Software as a Service (SaaS) providers, Business Process Outsourcers (BPOs), and technology firms. According to Mandiant, the value of these targets extends beyond typical espionage, potentially providing data for zero-day exploit development and broader access to downstream victims.

BRICKSTORM Backdoor Details

BRICKSTORM is a Go-based backdoor that has been observed maintaining persistence in victim organizations since March 2025. It features SOCKS proxy functionality and cross-platform support, enabling deployment on appliances that lack traditional endpoint detection and response (EDR) tools. The malware can act as a web server, manipulate the file system, upload/download files, execute shell commands, and perform SOCKS proxy relaying, relying on WebSockets for command and control (C2) communications.

Mandiant reports that BRICKSTORM intrusions often go undetected for an average of 393 days, obscuring the initial attack vector. The attackers focus on compromising perimeter and remote access systems, sometimes exploiting zero-day vulnerabilities. Notably, BRICKSTORM deployments are often designed to blend in with the target appliance, mimicking legitimate activity.
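Because BRICKSTORM relies on WebSockets for C2 and lives on appliances without EDR, one practical hunt is to look at egress records for WebSocket upgrades that originate from appliance addresses. The following is an added example, not code from the original post or from Google/Mandiant; the JSON-lines log format, the appliance VLAN and the addresses (RFC 5737 documentation space) are all constructed assumptions.

```python
import ipaddress
import json
from collections import defaultdict

# Assumption: the asset inventory says appliances/edge devices live in 10.50.0.0/24.
APPLIANCE_NETS = [ipaddress.ip_network("10.50.0.0/24")]
# Internal ranges: WebSocket sessions that stay inside these are not flagged.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample proxy/firewall records (one JSON object per line).
SAMPLE_LOG = """
{"src": "10.50.0.12", "dst": "203.0.113.77", "dport": 443, "status": 101, "upgrade": "websocket", "ts": "2025-11-01T02:14:09Z"}
{"src": "10.50.0.12", "dst": "203.0.113.77", "dport": 443, "status": 101, "upgrade": "websocket", "ts": "2025-11-01T02:44:10Z"}
{"src": "10.20.3.4", "dst": "198.51.100.9", "dport": 443, "status": 101, "upgrade": "websocket", "ts": "2025-11-01T09:00:00Z"}
{"src": "10.50.0.30", "dst": "10.50.0.5", "dport": 443, "status": 101, "upgrade": "websocket", "ts": "2025-11-01T09:05:00Z"}
{"src": "10.50.0.12", "dst": "203.0.113.77", "dport": 443, "status": 200, "upgrade": "", "ts": "2025-11-01T03:14:11Z"}
"""


def _in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def find_appliance_websockets(log_text, min_hits=1):
    """Return {(src, dst): [timestamps]} for WebSocket upgrades (HTTP 101 plus
    Upgrade: websocket) sent from appliance addresses to non-internal hosts."""
    hits = defaultdict(list)
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if rec.get("status") != 101 or rec.get("upgrade", "").lower() != "websocket":
            continue  # not a completed WebSocket handshake
        if not _in_any(rec["src"], APPLIANCE_NETS):
            continue  # workstations/servers are out of scope for this hunt
        if _in_any(rec["dst"], INTERNAL_NETS):
            continue  # internal WebSocket use (management UIs) is expected
        hits[(rec["src"], rec["dst"])].append(rec["ts"])
    return {k: v for k, v in hits.items() if len(v) >= min_hits}


if __name__ == "__main__":
    for (src, dst), stamps in find_appliance_websockets(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {len(stamps)} WebSocket session(s), first at {stamps[0]}")
```

Raise `min_hits` to surface only repeated (beacon-like) sessions, and feed the appliance list from the inventory step in the recommendations rather than hard-coding it.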

Technical Analysis of BRICKSTORM

Analysis of samples recovered from different victim organizations indicates active development of BRICKSTORM. Some samples are obfuscated using Garble, and some carry a new version of the custom wssoft library. One sample included a "delay" timer, waiting for a hard-coded date months in the future before beaconing to the C2 domain.

The threat actor has also created a web shell, tracked as SLAYSTYLE, on vCenter servers. SLAYSTYLE, also known as BEEFLUSH, is a JavaServer Pages (JSP) web shell that functions as a backdoor, designed to receive and execute arbitrary operating system commands passed through an HTTP request.

Escalating Privileges and Lateral Movement

In one investigation, Mandiant analyzed a vCenter server and found that the threat actor had installed a malicious Java Servlet filter, tracked as BRICKSTEAL, in the Apache Tomcat server. BRICKSTEAL runs on HTTP requests to the vCenter web login Uniform Resource Identifiers (URIs) under /web/saml2/sso/*. If an HTTP Basic authentication header is present in such a request, the filter decodes it, potentially capturing usernames and passwords.

The attackers also used legitimate admin accounts to move laterally, accessing systems like Delinea (formerly Thycotic) Secret Server to dump and decrypt stored credentials. They installed BRICKSTORM on appliances by enabling SSH via VAMI, then ensured persistence by editing startup scripts.

Mission Objectives and Data Exfiltration

The primary goal of the attacks is the exfiltration of emails. Attackers make use of Microsoft Entra ID Enterprise Applications with mail.read or full_access_as_app scopes to access email mailboxes of interest. According to Google's report, the threat actor targets mailboxes of developers, system administrators, and individuals involved in matters aligning with PRC economic and espionage interests.

[Figure: Asset inventory. Image courtesy of Google Cloud Blog]

When exfiltrating files, the attackers use the SOCKS proxy feature of BRICKSTORM to tunnel traffic from their own workstation through the compromised appliance and directly access systems and web applications of interest.

Gopher Security: Protecting Against Advanced Threats

In light of these sophisticated threats, Gopher Security offers an AI-powered, post-quantum Zero-Trust cybersecurity architecture designed to protect organizations from advanced persistent threats like BRICKSTORM. Our platform converges networking and security across all environments, using peer-to-peer encrypted tunnels and quantum-resistant cryptography.

The Gopher Security platform is uniquely positioned to defend against threats that target edge devices and cloud infrastructure, providing:

  • AI-Powered Threat Detection: Advanced AI algorithms to identify and neutralize threats in real-time.
  • Zero-Trust Architecture: Ensures that every device, user, and application is authenticated and authorized before accessing resources.
  • Post-Quantum Cryptography: Protects data against current and future quantum computing threats.
  • Comprehensive Visibility: Provides a unified view of network activity, enabling proactive threat hunting and incident response.

Recommendations

Mandiant recommends organizations conduct thorough threat hunts to detect BRICKSTORM and related activities. Key steps include:

  1. Create or update asset inventory: Include edge devices and appliances.
  2. File and backup scan: Scan for BRICKSTORM using YARA rules.
  3. Monitor internet traffic: Analyze traffic from edge devices and appliances for suspicious activity.
  4. Review access to Windows systems: Investigate connections from appliances to Windows servers and desktops.
  5. Analyze access to credentials and secrets: Use forensic tools to identify suspicious activity related to credential access.
  6. Monitor access to M365 mailboxes: Look for unauthorized access via Enterprise Applications.
  7. Investigate cloning of sensitive virtual machines: Review vSphere VPXD logs for suspicious cloning activity.
  8. Monitor creation of local vCenter and ESXi accounts: Review VMware audit events for unauthorized account creation.
  9. Detect rogue VMs: Identify unauthorized virtual machines in VMware environments.
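Step 6 above and the earlier note on Entra ID Enterprise Applications with mail.read or full_access_as_app scopes suggest a concrete audit: list every application that holds mailbox-reading application permissions and review the ones you do not recognise, newest first. This is an added example, not Mandiant's or Google's tooling; the record shape (displayName, appId, createdDateTime, appRoles) is a constructed simplification of what an export of service principals and their granted permissions might contain, and the sample apps are invented.

```python
import json

# Permission values named in the article (plus Mail.ReadWrite), compared case-insensitively.
MAIL_SCOPES = {"mail.read", "mail.readwrite", "full_access_as_app"}

# Constructed sample export; field names are assumptions, not the Graph API schema.
SAMPLE_APPS = json.loads("""
[
 {"displayName": "HR Sync Connector", "appId": "00000000-0000-0000-0000-000000000001",
  "createdDateTime": "2023-02-10T08:00:00Z",
  "appRoles": [{"resource": "Microsoft Graph", "value": "User.Read.All"}]},
 {"displayName": "Backup Agent", "appId": "00000000-0000-0000-0000-000000000002",
  "createdDateTime": "2025-06-18T22:41:00Z",
  "appRoles": [{"resource": "Office 365 Exchange Online", "value": "full_access_as_app"}]},
 {"displayName": "Mail Archiver", "appId": "00000000-0000-0000-0000-000000000003",
  "createdDateTime": "2025-08-02T01:03:00Z",
  "appRoles": [{"resource": "Microsoft Graph", "value": "Mail.Read"},
               {"resource": "Microsoft Graph", "value": "Directory.Read.All"}]}
]
""")


def audit_mail_access(apps, known_good=frozenset()):
    """Return applications holding mailbox-reading application permissions that are
    not on the allow list, sorted newest first so recent grants get reviewed first."""
    findings = []
    for app in apps:
        if app["appId"] in known_good:
            continue  # reviewed and approved earlier
        scopes = sorted({r["value"] for r in app["appRoles"]
                         if r["value"].lower() in MAIL_SCOPES})
        if scopes:
            findings.append({"displayName": app["displayName"], "appId": app["appId"],
                             "createdDateTime": app["createdDateTime"],
                             "mailScopes": scopes})
    # ISO-8601 UTC timestamps sort correctly as strings.
    return sorted(findings, key=lambda f: f["createdDateTime"], reverse=True)


if __name__ == "__main__":
    for f in audit_mail_access(SAMPLE_APPS):
        print(f"{f['createdDateTime']}  {f['displayName']}  {', '.join(f['mailScopes'])}")
```

Pair the output with sign-in logs for each flagged app to see which mailboxes it actually read and from where.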

To proactively defend against sophisticated espionage campaigns, organizations should consider implementing a Zero-Trust architecture with post-quantum cryptography. Gopher Security provides the tools and expertise needed to enhance your cybersecurity posture and protect against emerging threats.

Call to Action

Enhance your organization's cybersecurity with Gopher Security's AI-powered, post-quantum Zero-Trust architecture. Contact us today to learn how we can help you protect against advanced threats like BRICKSTORM.

About the author: Jim Gagnard, Board Advisor. 30 years of CEO experience leading multiple $MM exits; a seasoned operator of large enterprise companies.
