Google: China‑Linked UNC5221 Uses Brickstorm Backdoor to Breach US Organizations Undetected for 393 Days

CyberSecureFox 🦊

Google Threat Intelligence reported a long-running espionage campaign in which the China-linked cluster UNC5221 deployed the Brickstorm backdoor to compromise US organizations. Investigators estimate an average 393 days of undetected dwell time per victim, underscoring disciplined operations, strong operational security, and effective evasion.

What is the Brickstorm backdoor and why it matters

Brickstorm is a Go-based, multi-function backdoor first observed by Google in April 2024. It blends the roles of a web server, file manager, dropper, SOCKS relay, and shell command executor. This design enables resilient command-and-control (C2), streamlined post-exploitation, and stealthy data exfiltration from a single implant—reducing the attacker’s footprint and detection opportunities.

Targets and supply-chain exposure

UNC5221 focused on technology firms, law practices, SaaS providers, and BPO companies. Because these are upstream providers, a single compromise amplifies risk across the ecosystem: access to source repositories and development environments can support zero-day research against the provider's own products, while the provider's trust relationships and customer data enable pivoting into downstream networks with weaker controls.

Initial access and stealth on edge infrastructure

While the initial access vector is not definitively confirmed, Google assesses likely exploitation of edge-device 0-day vulnerabilities. UNC5221 has previously been linked to exploitation of Ivanti products and custom tools such as Spawnant and Zipline, indicating proficiency in attacking perimeter infrastructure.

Post-compromise, Brickstorm was deployed preferentially on systems lacking EDR coverage, including VMware vCenter/ESXi. To blend C2 traffic with legitimate services, operators masqueraded communications as Cloudflare and Heroku traffic—tactics that degrade signature-based detection and complicate event correlation.

vCenter/ESXi tradecraft and credential theft

To escalate privileges in vCenter, operators used a malicious Java Servlet Filter dubbed Bricksteal to intercept credentials. Analysts also observed cloning of Windows Server VMs to harvest secrets offline—a technique that sidesteps some host-based defenses.

Stolen credentials enabled lateral movement and persistence, including enabling SSH on ESXi hosts and modifying init.d/systemd startup scripts. A core objective was theft of corporate email, obtained through Microsoft Entra ID Enterprise Apps. For internal access and data staging, UNC5221 tunneled SOCKS proxies through the implant, which masks operator origin and sidesteps egress controls that only inspect direct outbound connections.

Anti-forensics and infrastructure discipline

UNC5221 employed anti-forensic scripts and removed artifacts at the end of operations, impeding retrospective analysis. The group also avoided reusing C2 domains and malware samples, diminishing the utility of static indicators of compromise and placing a premium on behavioral detection.

Detection tooling and its limitations

Mandiant released a free YARA-based scanner for Linux and BSD to detect Brickstorm, along with rules for Bricksteal and Slaystyle. However, defenders should note that these tools may not detect all variants, do not fully cover persistence mechanisms, and do not identify vulnerable edge devices—underscoring the need for layered defenses and threat hunting.

Actionable defenses for SOC and security teams

Harden the perimeter and edge devices

Patch rapidly across gateways, VPNs, and appliance UIs; restrict admin interfaces by source IP and enforce MFA. Enable verbose logging with remote forwarding and integrity controls to protect logs from tampering.

Monitor vCenter/ESXi and virtualization layers

Audit the vCenter servlet filter chain for filters that are not part of the shipped product; alert on SSH enablement on ESXi hosts; watch for init.d/systemd changes; and flag outbound connections from hypervisors or orchestration nodes that appear to reach Cloudflare or Heroku, since management hosts rarely have a legitimate reason to talk to either.
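The "watch for init.d/systemd changes" item is easiest to operationalize as a baseline-and-compare job. The script below is an added example written for this article, not a VMware or Google tool: it hashes every startup hook under the listed directories, records symlinks by their target (systemd enables a unit by dropping a symlink into a `*.wants` directory, which a hash-only baseline would miss), and reports anything added, removed, or changed on the next run. The directory list is an assumption to adjust per host.

```python
"""Baseline/diff of boot-time persistence directories (init.d, systemd unit
dirs, ESXi rc.local.d). Added example for this article, not a VMware or Google
tool; DEFAULT_DIRS is an assumption to adjust per host."""
import hashlib
import json
import os
import sys
from pathlib import Path

# Where Linux appliances and ESXi keep startup hooks (example assumption).
DEFAULT_DIRS = [
    "/etc/init.d",
    "/etc/rc.local.d",            # ESXi: local.sh runs at boot
    "/etc/systemd/system",        # admin-installed units and *.wants symlinks
    "/usr/lib/systemd/system",
]


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(dirs) -> dict:
    """Map each file under dirs to its hash and mode, and each symlink to its
    target. Symlinks are checked first: a dangling link is still a finding."""
    snap = {}
    for d in dirs:
        root = Path(d)
        if not root.is_dir():
            continue
        for p in sorted(root.rglob("*")):
            if p.is_symlink():
                snap[str(p)] = {"symlink": os.readlink(p)}
            elif p.is_file():
                st = p.stat()
                snap[str(p)] = {"sha256": _sha256(p), "mode": oct(st.st_mode & 0o7777)}
    return snap


def diff(baseline: dict, current: dict) -> dict:
    """Entries added, removed, or changed (content, mode, or symlink target)."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current)
                           if baseline[p] != current[p]),
    }


if __name__ == "__main__":
    # usage: persist_baseline.py save baseline.json   (after a known-good build)
    #        persist_baseline.py check baseline.json  (from cron / the SOC)
    cmd, store = sys.argv[1], Path(sys.argv[2])
    if cmd == "save":
        store.write_text(json.dumps(snapshot(DEFAULT_DIRS), indent=1))
    else:
        delta = diff(json.loads(store.read_text()), snapshot(DEFAULT_DIRS))
        print(json.dumps(delta, indent=1))
        sys.exit(1 if any(delta.values()) else 0)
```

Store the baseline off-host (or at least outside the watched directories); an operator who can edit `local.sh` can also edit a baseline that sits next to it. Run the check from the same forwarding pipeline as the other log integrity controls so a non-zero exit becomes an alert rather than a line in a local log.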

Protect Microsoft Entra ID and email

Review Enterprise Apps and delegated consent; enable access logs and conditional access policies; enforce MFA; and regularly prune excessive OAuth scopes.
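Reviewing delegated consent at scale means ranking grants rather than reading them one by one. The following is an added example for this article, not Microsoft tooling: it scores consent grants exported from Entra ID, raising severity for mailbox scopes (the objective this campaign pursued), tenant-wide admin consent, third-party apps without a verified publisher, and `offline_access`, which keeps refresh tokens alive after the user session ends. The records are constructed, but they use Microsoft Graph field names (`oauth2PermissionGrant`: `clientId`, `consentType`, `principalId`, `resourceId`, `scope`; `servicePrincipal`: `appOwnerOrganizationId`, `verifiedPublisher`), so the output of the corresponding Graph queries can be fed in directly. The scope lists, point values, and tenant ID are the example's own assumptions.

```python
"""Triage of delegated OAuth2 consent grants in Entra ID. Added example for
this article, not Microsoft's tooling. Records are constructed but shaped
like Graph's oauth2PermissionGrant and servicePrincipal objects. Scope sets,
scoring thresholds and TENANT_ID are assumptions; tune them per tenant."""

TENANT_ID = "11111111-1111-1111-1111-111111111111"   # your tenant (assumed)

# Delegated scopes that let an app read or send mail on the user's behalf.
MAILBOX_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Read.Shared",
                  "Mail.ReadWrite.Shared", "Mail.Send",
                  "IMAP.AccessAsUser.All", "EWS.AccessAsUser.All"}
# Scopes that expose the directory or all files rather than the signed-in user.
BROAD_SCOPES = {"Directory.Read.All", "Directory.ReadWrite.All",
                "User.Read.All", "Files.ReadWrite.All", "Sites.ReadWrite.All"}


def score_grant(grant: dict, sp: dict) -> dict:
    """Score one grant against the service principal it was issued to."""
    scopes = set(grant.get("scope", "").split())
    points, reasons = 0, []
    mail = scopes & MAILBOX_SCOPES
    if mail:
        points += 2
        reasons.append("mailbox access: " + ",".join(sorted(mail)))
    broad = scopes & BROAD_SCOPES
    if broad:
        points += 2
        reasons.append("broad directory/file access: " + ",".join(sorted(broad)))
    if grant.get("consentType") == "AllPrincipals":
        points += 1
        reasons.append("tenant-wide admin consent")
    publisher = sp.get("verifiedPublisher") or {}
    if sp.get("appOwnerOrganizationId") != TENANT_ID and not publisher.get("verifiedPublisherId"):
        points += 1
        reasons.append("third-party app without verified publisher")
    if "offline_access" in scopes and points:
        points += 1
        reasons.append("offline_access: refresh tokens outlive the session")
    severity = "HIGH" if points >= 4 else "MEDIUM" if points >= 2 else "LOW"
    return {"app": sp.get("displayName", "<unknown sp>"), "clientId": grant["clientId"],
            "severity": severity, "points": points, "reasons": reasons}


def triage(grants, service_principals) -> list:
    """Join grants to service principals (clientId is the SP object id) and
    return them ranked, worst first."""
    sps = {sp["id"]: sp for sp in service_principals}
    rows = [score_grant(g, sps.get(g["clientId"], {})) for g in grants]
    return sorted(rows, key=lambda r: (-r["points"], r["app"]))


# Constructed sample data for the example (not real tenant objects).
SAMPLE_SPS = [
    {"id": "sp-mailsync", "displayName": "MailSync Connector",
     "appOwnerOrganizationId": "99999999-9999-9999-9999-999999999999",
     "verifiedPublisher": {"verifiedPublisherId": None}},
    {"id": "sp-hr", "displayName": "HR Portal",
     "appOwnerOrganizationId": TENANT_ID, "verifiedPublisher": {}},
    {"id": "sp-teams", "displayName": "Teams Integration",
     "appOwnerOrganizationId": "88888888-8888-8888-8888-888888888888",
     "verifiedPublisher": {"verifiedPublisherId": "1234567"}},
]
SAMPLE_GRANTS = [
    {"clientId": "sp-mailsync", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "sp-graph", "scope": "User.Read Mail.ReadWrite offline_access"},
    {"clientId": "sp-hr", "consentType": "Principal", "principalId": "user-1",
     "resourceId": "sp-graph", "scope": "openid profile User.Read"},
    {"clientId": "sp-teams", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "sp-graph", "scope": "Directory.Read.All"},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_GRANTS, SAMPLE_SPS):
        print(f"{row['severity']:6} {row['points']}  {row['app']}: {'; '.join(row['reasons']) or 'nothing notable'}")
```

Application permissions (app roles granted to a service principal, such as an app-only mailbox role) are a separate object in Graph and are not covered by this delegated-grant score; review them in the same pass, because an app-only grant needs no user session at all.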

Limit lateral movement

Rotate credentials and certificates, segment administrative zones, block interactive logon for service accounts, and deploy EDR/behavioral sensors wherever feasible, including on Linux and appliances that support it.

Threat hunting cues

Search for anomalous SOCKS traffic, previously unseen Go binaries on servers lacking development toolchains, and unexpected CDN-bound connections from virtualization management networks.
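Of these cues, "Go binaries where no Go toolchain exists" is the one a script can check directly, because the Go linker leaves recognisable artefacts in every binary it produces. The following is an added example for this article, not Google's or Mandiant's scanner: it walks executable ELF files, looks for the build-info magic, the `.gopclntab` section name and the `.note.go.buildid` note, pulls out the embedded `go1.x` runtime version string, and reports hits alongside whether a `go` toolchain is installed. Marker strings are documented Go linker artefacts; the default directory list is an assumption to adjust per host.

```python
"""Hunt for Go binaries on hosts that have no Go toolchain. Added example for
this article, not Google's or Mandiant's scanner. Marker strings are Go
linker artefacts; the directory list in __main__ is an assumption."""
import os
import re
import shutil
import stat
from pathlib import Path

GO_MARKERS = {
    "buildinfo": b"\xff Go buildinf:",     # 14-byte magic of the linker's build-info blob
    "pclntab": b".gopclntab",              # name of Go's PC/line table section
    "buildid_note": b".note.go.buildid",   # ELF note section holding the Go build ID
}
# Every Go binary embeds its runtime version string (e.g. go1.21.4).
GO_VERSION_RE = re.compile(rb"go1\.\d{1,2}(?:\.\d{1,2})?")


def go_markers(data: bytes) -> list:
    """Names of Go linker artefacts present in a binary image."""
    return sorted(name for name, magic in GO_MARKERS.items() if magic in data)


def go_version_hint(data: bytes):
    """The embedded Go runtime version, or None if no version string is found."""
    m = GO_VERSION_RE.search(data)
    return m.group(0).decode() if m else None


def toolchain_present(extra_paths=("/usr/local/go/bin/go",)) -> bool:
    """True if a go binary is on PATH or at a common install location."""
    return shutil.which("go") is not None or any(os.path.exists(p) for p in extra_paths)


def scan(roots, max_bytes=64 * 1024 * 1024) -> list:
    """Executable ELF files under roots that carry Go markers.
    lstat is used so symlinks are skipped and only real files are hashed."""
    hits = []
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                p = Path(dirpath) / name
                try:
                    st = p.lstat()
                except OSError:
                    continue
                if (not stat.S_ISREG(st.st_mode) or not st.st_mode & 0o111
                        or st.st_size > max_bytes):
                    continue
                with p.open("rb") as f:
                    data = f.read()
                if data[:4] != b"\x7fELF":
                    continue
                markers = go_markers(data)
                if markers:
                    hits.append({"path": str(p), "markers": markers,
                                 "version": go_version_hint(data)})
    return hits


if __name__ == "__main__":
    import sys
    # Default roots are an assumption: writable or drop-prone locations on a server.
    roots = sys.argv[1:] or ["/usr/local/bin", "/opt", "/tmp", "/var/tmp"]
    findings = scan(roots)
    if findings and not toolchain_present():
        print(f"{len(findings)} Go binaries on a host with no Go toolchain:")
    for h in findings:
        print(f"{h['path']}  markers={','.join(h['markers'])}  version={h['version']}")
```

A hit is a lead, not a verdict: plenty of legitimate agents are written in Go, so diff the list against the package manager's file ownership and the build baseline before escalating. Binaries stripped with tools that remove the build-info blob still keep `.gopclntab`, which is why the check does not rely on a single marker.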

This campaign highlights adversaries’ pivot toward edge infrastructure and virtualization platforms where visibility is thin. Organizations should reassess threat models for vCenter/ESXi and cloud identities, strengthening logging, privilege controls, and network anomaly detection. YARA scanners from Mandiant provide a useful starting point, but durable defense requires disciplined patching, segmentation, and mature incident response playbooks.
