BRICKSTORM Backdoor Hits Tech and Legal Firms with Stealthy New Campaign


Persistent, stealthy, and cross-platform, the BRICKSTORM backdoor has emerged as a significant threat to U.S. technology and legal organizations.

Tracked by Google Threat Intelligence Group (GTIG) and investigated by Mandiant Consulting, BRICKSTORM campaigns have maintained undetected access for an average of 393 days, targeting legal services firms, SaaS providers, BPOs, and technology companies to harvest data for zero-day development and broader downstream exploitation.

Since March 2025, GTIG has observed multiple intrusions attributed to UNC5221 and related China-nexus clusters, deploying BRICKSTORM on appliances that lack traditional endpoint detection and response (EDR) support.

Initial access often leverages compromised perimeter and remote-access infrastructure, including zero-day exploits against network appliances.

Figure: BRICKSTORM targeting.

Once inside, the actor establishes a foothold by deploying the Go-based BRICKSTORM backdoor—complete with SOCKS proxy functionality—on Linux and BSD devices such as VMware vCenter and ESXi hosts, enabling lateral movement with minimal telemetry generation.

In one case, Mandiant discovered a time-delay variant that lay dormant until a hardcoded future date, evidencing active malware development and rapid adaptation to incident response efforts.

Privilege escalation techniques include in-memory installation of a malicious Java Servlet filter dubbed BRICKSTEAL, which intercepts HTTP Basic authentication headers on vCenter’s web login URIs to capture privileged credentials.

With these credentials, the actor clones critical virtual machines—such as domain controllers and secret vaults—through vCenter (operations that appear in vCenter logging events), mounts the cloned virtual disk offline, and extracts sensitive data without triggering host-based defenses.

The group has also automated credential harvesting from Delinea Secret Server instances via open-source “secret stealer” utilities, further enriching their access toolkit.

BRICKSTORM Scanner Released

To empower defenders, Mandiant has published a BRICKSTORM scanner on GitHub that replicates the G_APT_Backdoor_BRICKSTORM_3 YARA rule without requiring YARA installation.

The script scans *nix-based appliances and backup images for unique string and hex patterns associated with BRICKSTORM.

Organizations can download the tool and integrate it into existing backup or file-system scanning workflows to detect latent infections before they can re-establish persistence.
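As an added illustration of what a YARA-free string-and-hex scanner of this kind does (this is not Mandiant's published BRICKSTORM scanner, and every pattern in it is a constructed placeholder rather than a real BRICKSTORM indicator), the following example walks a directory such as a mounted backup image, matches literal strings and YARA-style hex patterns with `??` wildcards, and scans large files in overlapping chunks so a pattern straddling a chunk boundary is not missed:

```python
"""Added example (not Mandiant's published scanner): a minimal YARA-style scanner
for *nix file systems and mounted backup images that matches literal strings and
hex patterns with '??' wildcards. All patterns below are constructed placeholders,
NOT real BRICKSTORM indicators; replace them with the signatures from the real rule."""
import os
import re
from typing import Dict, List, Optional, Tuple

# Constructed placeholder signatures (not real BRICKSTORM artifacts).
STRING_PATTERNS: Dict[str, bytes] = {
    "placeholder_string_1": b"EXAMPLE_BACKDOOR_MARKER",
    "placeholder_string_2": b"example-socks-proxy",
}
HEX_PATTERNS: Dict[str, str] = {
    "placeholder_hex_1": "DE AD ?? BE EF",  # YARA-style hex with a one-byte wildcard
}
Rule = Tuple[str, "re.Pattern[bytes]"]


def hex_to_regex(pattern: str) -> "re.Pattern[bytes]":
    """Compile a YARA-style hex string such as 'DE AD ?? BE EF' into a bytes regex."""
    parts = []
    for tok in pattern.split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)  # DOTALL: '??' must also match 0x0a


def compile_rules() -> List[Rule]:
    rules: List[Rule] = [(n, re.compile(re.escape(s))) for n, s in STRING_PATTERNS.items()]
    rules += [(n, hex_to_regex(h)) for n, h in HEX_PATTERNS.items()]
    return rules


def max_pattern_len() -> int:
    """Longest possible match length, used as the overlap between chunks."""
    longest_str = max(len(s) for s in STRING_PATTERNS.values())
    longest_hex = max(len(h.split()) for h in HEX_PATTERNS.values())
    return max(longest_str, longest_hex)


def scan_bytes(data: bytes, rules: Optional[List[Rule]] = None) -> List[str]:
    """Return the sorted names of every rule that matches somewhere in data."""
    rules = rules if rules is not None else compile_rules()
    return sorted({name for name, rx in rules if rx.search(data)})


def scan_stream(fh, rules: Optional[List[Rule]] = None, chunk_size: int = 4 * 1024 * 1024) -> List[str]:
    """Scan a binary stream chunk by chunk, carrying an overlap so a pattern that
    straddles a chunk boundary is still found."""
    rules = rules if rules is not None else compile_rules()
    overlap = max_pattern_len()
    hits, tail = set(), b""
    while True:
        chunk = fh.read(chunk_size)
        if not chunk:
            break
        window = tail + chunk
        hits.update(scan_bytes(window, rules))
        tail = window[-overlap:]
    return sorted(hits)


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk a directory (e.g. a mounted backup image) and report files with hits."""
    rules = compile_rules()
    results: Dict[str, List[str]] = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks and special files
            try:
                with open(path, "rb") as fh:
                    hits = scan_stream(fh, rules)
            except OSError:
                continue  # unreadable file; log it in a real deployment
            if hits:
                results[path] = hits
    return results


if __name__ == "__main__":
    import sys
    for path, names in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{path}: {', '.join(names)}")
```

Run it against a mounted (read-only) backup image rather than the live appliance where possible, so the scan itself leaves no trace on a device that may still be under the actor's control.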

Alongside the scanner, Mandiant recommends reevaluating asset inventories to include unmanaged devices—firewalls, VPN concentrators, virtualization platforms, conferencing systems, and specialized appliances—whose management interfaces serve as malware egress points.

Network logs and DNS records should be mined for suspicious outbound traffic from these interfaces, particularly DNS-over-HTTPS (DoH) connections to atypical domains.
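One way to turn that guidance into a repeatable hunt, as an added example that is not part of the original article or of Mandiant's tooling: flag every flow from an assumed management subnet whose TLS server name is a public DoH resolver or is not on the vendor update allowlist, and flag plain DNS lookups of DoH resolver names from those subnets (the DoH session itself is encrypted, so the resolver's hostname in SNI or in the clear-text lookup that precedes it is the observable). The subnets, allowlist and flow records are constructed for illustration.

```python
"""Added example: flag unexpected egress from appliance management interfaces.
Subnets, the vendor allowlist, and all flow/DNS records are constructed placeholders."""
import ipaddress
from typing import Dict, List, Sequence, Tuple

# Assumed management subnets (placeholders for the site's own inventory).
MGMT_SUBNETS = [ipaddress.ip_network("10.10.0.0/24"), ipaddress.ip_network("10.10.1.0/24")]
# Assumed vendor update domains the appliances are allowed to reach.
ALLOWED_EGRESS_DOMAINS = {"updates.vendor.example", "mirror.vendor.example"}
# Well-known public DoH resolvers; extend from your own threat intelligence.
DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

# Constructed netflow-style records enriched with TLS SNI: (src_ip, dst_ip, dst_port, sni)
FLOWS: List[Tuple[str, str, int, str]] = [
    ("10.10.0.5", "203.0.113.10", 443, "updates.vendor.example"),   # expected vendor update
    ("10.10.0.5", "198.51.100.7", 443, "dns.google"),               # DoH from a management IP
    ("10.10.1.9", "192.0.2.44", 443, "cdn.unknown-example.net"),    # not on the allowlist
    ("10.20.0.3", "192.0.2.44", 443, "cdn.unknown-example.net"),    # user subnet, out of scope
]
# Constructed DNS query log: (client_ip, qname)
DNS_QUERIES: List[Tuple[str, str]] = [
    ("10.10.0.5", "dns.google"),
    ("10.10.1.9", "updates.vendor.example"),
    ("10.20.0.3", "dns.google"),
]


def is_mgmt(ip: str) -> bool:
    """True if the address falls inside one of the management subnets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MGMT_SUBNETS)


def hunt_flows(flows: Sequence[Tuple[str, str, int, str]]) -> List[Dict[str, str]]:
    """Flag management-interface egress that is DoH or not on the vendor allowlist."""
    findings: List[Dict[str, str]] = []
    for src, dst, port, host in flows:
        if not is_mgmt(src):
            continue
        if host in DOH_HOSTS:
            reason = "DoH resolver reached from management interface"
        elif host not in ALLOWED_EGRESS_DOMAINS:
            reason = "egress to non-allowlisted domain"
        else:
            continue
        findings.append({"src": src, "dst": dst, "port": str(port), "host": host, "reason": reason})
    return findings


def hunt_dns(queries: Sequence[Tuple[str, str]]) -> List[Dict[str, str]]:
    """Flag clear-text lookups of DoH resolver names originating from management subnets."""
    return [
        {"src": client, "host": qname, "reason": "DoH resolver lookup from management interface"}
        for client, qname in queries
        if is_mgmt(client) and qname in DOH_HOSTS
    ]


if __name__ == "__main__":
    for f in hunt_flows(FLOWS) + hunt_dns(DNS_QUERIES):
        print(f)
```

In production the allowlist should be derived from the appliance vendor's documented update endpoints, and any hit on the DoH list from a management address deserves a full triage of that device, since there is no legitimate reason for a vCenter or firewall management plane to resolve names through a public DoH service.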

TTP-Based Hunting Guidance

Given BRICKSTORM’s high operational security and lack of indicator reuse, Mandiant advocates a TTP-based hunting approach over reliance on atomic indicators. Key hunt scenarios include:

  • Scanning appliance file systems and backups for BRICKSTORM artifacts using the Mandiant scanner.
  • Analyzing firewall, netflow, and DNS logs for unexpected management-interface egress.
  • Correlating appliance-sourced Windows network logins against EDR, Windows Security Event logs, and User Access Logs to spot anomalous authentication events.
  • Parsing Shellbags and credential-vault logs for service-account browsing activities.
  • Tracking Enterprise Application mail.read and full_access_as_app events in Microsoft 365 Unified Audit Logs.
  • Reviewing vSphere VPXD logs for off-hours VM cloning of high-value systems.
  • Monitoring VMware audit events for SSH enablement, local account creation/deletion, and rogue VM lifecycle events.
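The two vSphere hunts in the list above (off-hours cloning of high-value VMs, and local account creation or deletion on hosts) can be expressed as a small log parser. The following is an added example, not code from the article or from Mandiant: the line layout, the naming convention used to recognise high-value systems, the business-hours window and the sample lines are all constructed approximations of vpxd task logging rather than a vendor specification, so adjust the regular expression to the exact format of your own vpxd.log before use.

```python
"""Added example: hunt vpxd-style task lines for off-hours clones of high-value VMs
and for local account changes on ESXi hosts. Line format, naming convention and
sample lines are constructed approximations, not vendor documentation or report data."""
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample lines: ts, level, process, LRO tag, task, object, operation, object name, user.
SAMPLE_LOG = """\
2025-03-02T02:14:07.101Z info vpxd[1001] [VpxLRO] -- BEGIN task-501 -- vm-17 -- vim.VirtualMachine.clone -- DC01 -- svc-backup@VSPHERE.LOCAL
2025-03-02T10:30:12.455Z info vpxd[1002] [VpxLRO] -- BEGIN task-502 -- vm-22 -- vim.VirtualMachine.clone -- WEB03 -- admin@VSPHERE.LOCAL
2025-03-02T03:02:55.009Z info vpxd[1003] [VpxLRO] -- BEGIN task-503 -- vm-31 -- vim.VirtualMachine.clone -- VAULT-PRD -- svc-backup@VSPHERE.LOCAL
2025-03-02T11:15:00.000Z info vpxd[1004] [VpxLRO] -- BEGIN task-504 -- vm-17 -- vim.VirtualMachine.powerOn -- DC01 -- admin@VSPHERE.LOCAL
2025-03-02T23:41:19.333Z info vpxd[1005] [VpxLRO] -- BEGIN task-505 -- host-9 -- vim.host.LocalAccountManager.createUser -- esx01 -- admin@VSPHERE.LOCAL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ vpxd\[\d+\] \[VpxLRO\] -- BEGIN (?P<task>task-\d+) -- (?P<obj>\S+)"
    r" -- (?P<op>[\w.]+) -- (?P<name>\S+) -- (?P<user>\S+)$"
)
# Assumed naming convention for high-value systems: domain controllers, vaults, PKI.
HIGH_VALUE = re.compile(r"^(DC\d*|.*VAULT.*|.*PKI.*)$", re.IGNORECASE)
CLONE_OP = "vim.VirtualMachine.clone"
ACCOUNT_OP_PREFIX = "vim.host.LocalAccountManager."
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59 UTC; adjust to the site's working hours


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one task line into its fields, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_off_hours(ts: str) -> bool:
    """True when the UTC timestamp falls outside the assumed business-hours window."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return dt.hour not in BUSINESS_HOURS


def hunt(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per suspicious task together with the reasons it was flagged."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        reasons: List[str] = []
        off_hours = is_off_hours(ev["ts"])
        if ev["op"] == CLONE_OP:
            if HIGH_VALUE.match(ev["name"]):
                reasons.append("clone of high-value VM")
            if off_hours:
                reasons.append("off-hours clone")
        elif ev["op"].startswith(ACCOUNT_OP_PREFIX):
            reasons.append("local account change on ESXi host")
            if off_hours:
                reasons.append("off-hours")
        if reasons:
            findings.append({**ev, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['ts']} {f['user']} {f['op']} {f['name']}: {', '.join(f['reasons'])}")
```

A clone of a domain controller by a backup service account at 02:14 is exactly the pattern the article describes, so pair each finding with the task's user and correlate it against the credential-vault and Windows logon hunts in the same list before closing it as benign.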

Implementing these hunts requires up-to-date asset inventories and centralized log collection. Defenders should enforce strict least-privilege access and network segmentation for appliance management interfaces, lock down internet access to vendor update domains, and adopt multi-factor authentication for vCenter logins. Hardened credential vaults and TPM-based key storage on critical servers further reduce the risk of secret exfiltration.

BRICKSTORM operations reflect a multifaceted espionage agenda—geopolitical intelligence collection from U.S. legal firms, downstream infiltration via SaaS providers, and intellectual property theft from technology companies to fuel zero-day exploit development.

Organizations across these verticals must assume their appliances are potential breach points and prioritize TTP-based defenses to detect and disrupt this sophisticated backdoor before it delivers strategic advantage to its operators.

Indicators of Compromise

SHA-256 Hash                                                       File Name   Description
90b760ed1d0dcb3ef0f2b6d6195c9d852bcb65eca293578982a8c4b64f51b035   pg_update   BRICKSTORM
2388ed7aee0b6b392778e8f9e98871c06499f476c9e7eae6ca0916f827fe65df   spclisten   BRICKSTORM


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.