Google warns of Brickstorm backdoor targeting U.S. legal and tech sectors

Pierluigi Paganini September 26, 2025

China-linked actors used Brickstorm malware to spy on U.S. tech and legal firms, stealing data undetected for over a year, Google warns.

Google Threat Intelligence Group (GTIG) observed the use of the Go-based backdoor BRICKSTORM to maintain persistence in U.S. organizations since March 2025. Targets include legal firms, Software as a Service (SaaS) providers, Business Process Outsourcers (BPOs), and technology firms. Mandiant linked the activity to China-nexus APT UNC5221, a group known for exploiting zero-days for espionage and broader access.

Google first detailed the backdoor in April 2024; it has since been used in multiple intrusions that went undetected for more than a year on average. BRICKSTORM can act as a web server, manipulate the file system, upload/download files, execute shell commands, and perform SOCKS proxy relaying. The malware relies on WebSockets for C2 communications.

Mandiant reports that BRICKSTORM intrusions often go undetected for over a year, which obscures the initial attack vector. Evidence suggests a focus on exploiting perimeter and remote access systems, sometimes through zero-day vulnerabilities. The Go-based backdoor, seen on Linux and BSD appliances, provides SOCKS proxying and enables lateral movement to VMware vCenter/ESXi using stolen credentials. BRICKSTORM shows signs of active development and obfuscation. The researchers warn that the backdoor uses stealth tactics such as delayed beaconing, mimicking legitimate processes, and rotating C2 domains via Cloudflare, Heroku, and dynamic DNS.

In the latest wave of attacks, the attackers deployed a stealthy in-memory Java Servlet filter, tracked as BRICKSTEAL, on vCenter to intercept HTTP Basic authentication and steal high-privilege credentials. With these credentials, they cloned critical Windows VMs like Domain Controllers and vault servers, mounted them offline, and extracted sensitive files such as ntds.dit. The actors used legitimate admin accounts to move laterally, accessing systems like Delinea Secret Server to dump and decrypt stored credentials. They installed BRICKSTORM on appliances by enabling SSH via VAMI, then ensured persistence by editing startup scripts. To maintain control, they also deployed a JSP web shell, SLAYSTYLE, capable of executing arbitrary commands.
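The report notes that the actors kept BRICKSTORM resident on appliances by editing startup scripts. One defensive response is a baseline-and-compare check over an appliance's startup script locations, so that a modified or newly dropped script stands out. The following is an added example written for this article, not a Mandiant or Google tool: it snapshots SHA-256 hashes of the files under a list of startup locations, compares a later snapshot to the baseline, and reports added, removed and modified paths. The directory layout and the "tampering" it simulates in a temporary directory are constructed for the demo; the real paths to baseline depend on the appliance.

```python
"""Baseline-and-compare check for appliance startup scripts (added example).

The constructed demo below uses a temporary directory in place of an
appliance's real startup locations; the paths and the baseline format are
assumptions made for illustration.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large scripts do not load at once."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(roots):
    """Map every regular file under the given roots (files or directories)
    to its SHA-256 hash. Paths are recorded as strings for easy serialisation."""
    snap = {}
    for root in roots:
        root = Path(root)
        if root.is_file():
            snap[str(root)] = hash_file(root)
        elif root.is_dir():
            for entry in sorted(root.rglob("*")):
                if entry.is_file():
                    snap[str(entry)] = hash_file(entry)
    return snap


def compare(baseline, current):
    """Classify paths as added, removed or modified relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        path for path in baseline.keys() & current.keys()
        if baseline[path] != current[path]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: take a baseline, then edit one startup script and
    drop a new one, which is the kind of change a persistence edit produces.
    Returns the comparison with paths made relative to the temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        init_d = Path(tmp) / "init.d"
        init_d.mkdir()
        (init_d / "network").write_text("#!/bin/sh\nstart_network\n")
        rc_local = Path(tmp) / "rc.local"
        rc_local.write_text("#!/bin/sh\nexit 0\n")

        roots = [init_d, rc_local]
        baseline = snapshot(roots)

        # Simulated unexpected changes (constructed content, not real malware):
        # an existing script gains an extra line and a new script appears.
        rc_local.write_text("#!/bin/sh\n/tmp/unexpected-binary &\nexit 0\n")
        (init_d / "svc-helper").write_text("#!/bin/sh\n/tmp/unexpected-binary\n")

        result = compare(baseline, snapshot(roots))
        return {key: [os.path.relpath(p, tmp) for p in paths]
                for key, paths in result.items()}


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

In practice the baseline snapshot would be stored off the appliance and refreshed only after a known-good change, so that a diff against it is trustworthy even if the appliance itself has been tampered with.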

The end goal of the attacks using Brickstorm is the exfiltration of emails via Entra ID apps, using a SOCKS proxy to reach internal systems.

“A common theme across investigations is the threat actor’s interest in the emails of key individuals within the victim organization. To access the email mailboxes of target accounts, the threat actor made use of Microsoft Entra ID Enterprise Applications with mail.read or full_access_as_app scopes. Both scopes allow the application to access mail in any mailbox.” reads the report published by Google. “In some cases, the threat actor targeted the mailboxes of developers and system administrators while in other cases, they targeted the mailboxes of individuals involved in matters that align with PRC economic and espionage interests.”
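Because the scopes named in the report give an application access to every mailbox in the tenant, a practical defensive check is to enumerate enterprise applications that hold those permissions and review them, prioritising any that were created or given new credentials recently. The following is an added example written for this article, not code from Google or Mandiant: it runs over a constructed list of service principals whose field names only loosely mirror what Microsoft Graph returns (the exact schema is an assumption), matches the mailbox-wide scopes case-insensitively, and orders the findings so recent changes come first.

```python
"""Audit enterprise applications for tenant-wide mailbox scopes (added example).

The sample service principals below are constructed; their field names are a
simplified assumption, not the exact Microsoft Graph schema.
"""
from datetime import datetime

# Application permissions named in the report: both let an app read mail in
# any mailbox in the tenant. Matched case-insensitively.
MAILBOX_WIDE_SCOPES = {"mail.read", "full_access_as_app"}

SAMPLE_SERVICE_PRINCIPALS = [  # constructed data
    {
        "appId": "00000000-0000-0000-0000-000000000001",
        "displayName": "HR Sync Connector",
        "createdDateTime": "2023-02-11T09:00:00Z",
        "appRoles": ["User.Read.All"],
        "credentials": [{"type": "password", "addedOn": "2023-02-11T09:05:00Z"}],
    },
    {
        "appId": "00000000-0000-0000-0000-000000000002",
        "displayName": "Mail Archiver",
        "createdDateTime": "2022-06-01T08:00:00Z",
        "appRoles": ["Mail.Read"],
        "credentials": [{"type": "password", "addedOn": "2022-06-01T08:10:00Z"}],
    },
    {
        "appId": "00000000-0000-0000-0000-000000000003",
        "displayName": "Teams Backup",
        "createdDateTime": "2021-03-20T12:00:00Z",
        "appRoles": ["full_access_as_app"],
        # A second secret added years after creation is worth a closer look.
        "credentials": [
            {"type": "password", "addedOn": "2021-03-20T12:05:00Z"},
            {"type": "password", "addedOn": "2025-08-02T03:14:00Z"},
        ],
    },
]


def _parse(timestamp: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z'."""
    return datetime.fromisoformat(timestamp.replace("Z", "+00:00"))


def find_mailbox_wide_apps(service_principals, since=None):
    """Return findings for apps holding tenant-wide mail scopes.

    since: optional ISO timestamp. Apps created, or given a new credential,
    at or after this point are marked 'recent' and sorted to the front.
    """
    cutoff = _parse(since) if since else None
    findings = []
    for sp in service_principals:
        matched = sorted(
            role for role in sp.get("appRoles", [])
            if role.lower() in MAILBOX_WIDE_SCOPES
        )
        if not matched:
            continue
        recent = False
        if cutoff is not None:
            recent = _parse(sp["createdDateTime"]) >= cutoff or any(
                _parse(cred["addedOn"]) >= cutoff
                for cred in sp.get("credentials", [])
            )
        findings.append({
            "appId": sp["appId"],
            "displayName": sp["displayName"],
            "scopes": matched,
            "recent": recent,
        })
    # Recent findings first, then alphabetical for stable review output.
    findings.sort(key=lambda f: (not f["recent"], f["displayName"]))
    return findings


if __name__ == "__main__":
    for finding in find_mailbox_wide_apps(SAMPLE_SERVICE_PRINCIPALS, since="2025-01-01T00:00:00Z"):
        flag = "RECENT " if finding["recent"] else ""
        print(f"{flag}{finding['displayName']} ({finding['appId']}): {finding['scopes']}")
```

Run against real tenant data, the same function would take the service principals and their application permission grants exported from the tenant; the "recent" cut-off is a triage aid, since an old, legitimate application that suddenly acquires a new client secret is a pattern worth reviewing alongside newly created ones.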

UNC5221 targets developers and admins tied to China’s interests. After operations, it removes malware and rotates C2 domains and samples to block forensics.

“Across BRICKSTORM investigations we have not observed the reuse of C2 domains or malware samples, which, coupled with high operational security, means these indicators quickly expire or are never observed at all.” concludes the report.

Mandiant released a scanner script to allow organizations to hunt for BRICKSTORM activity.
