New BRICKSTORM Stealthy Backdoor Attacking Tech and Legal Sectors

BRICKSTORM has surfaced as a highly evasive backdoor targeting organizations within the technology and legal industries, exploiting trust relationships to infiltrate critical networks.

First detected in mid-2025, this malware leverages multi-stage loaders and covert communication channels to avoid detection.

Early victims reported unusual latency in remote desktop sessions, prompting deeper forensic investigations.

As the campaign evolved, BRICKSTORM demonstrated a remarkable ability to blend into legitimate system processes, complicating incident response efforts and extending dwell time.

Initial analysis reveals BRICKSTORM’s primary propagation vector is spear-phishing emails containing weaponized document attachments.

These attachments exploit a zero-day flaw in a widely used document rendering engine, silently deploying a lightweight loader once opened.

In several cases, organizations in the legal sector noted the lure of case summaries or contract amendments as decoys.

The loader subsequently fetches an encrypted payload from a compromised cloud storage service, establishing a stealthy foothold before initiating lateral movement.

Google Cloud analysts identified BRICKSTORM after observing anomalous traffic patterns across its infrastructure monitoring platform.

BRICKSTORM targeting (Source – Google Cloud)

Correlating telemetry from endpoint sensors and network logs, researchers noted connections to unusual domain names using nonstandard ports.

These discoveries accelerated threat intelligence sharing across industry CERTs, culminating in the attribution of the backdoor to a previously unseen modular malware family.

A characteristic feature of BRICKSTORM is its modular design, enabling operators to tailor functionality according to target environment.

Core modules include system reconnaissance, credential harvesting, and secure communication channels. Upon deployment, BRICKSTORM enumerates running processes and open network sockets, alerting operators to high-value targets and active security tools.

When a suitable target is found, the backdoor injects a reconnaissance module into memory, extracting credentials via in-memory process dumps.

All data is exfiltrated using an HTTP-over-DNS tunnel, effectively bypassing traditional egress filtering rules.

Persistence Tactics

Delving into BRICKSTORM’s persistence mechanism reveals a cunning approach that relies on dynamically registered scheduled tasks.

Rather than creating permanent registry entries, the backdoor generates a transient scheduled task named to mimic legitimate system maintenance jobs.

Upon each system boot, the task executes a PowerShell command that reconstructs the loader from segmented fragments stored in alternate data streams.

Asset inventory (Source – Google Cloud)

This technique not only conceals the backdoor components within benign files but also rotates fragment locations on each run, preventing static indicators of compromise.

# Loader reconstruction as reported: read the "frag*" alternate data streams
# attached to the hosts file, join them, and execute the result in memory
$parts = Get-Item -Path "C:\Windows\System32\drivers\etc\hosts:frag*"
$loader = ""
foreach ($p in $parts) {
    $loader += ([IO.File]::ReadAllText($p.Name))
}
Invoke-Expression $loader

By leveraging alternate data streams, BRICKSTORM sidesteps file-based defenses and leaves minimal traces on disk.

Incident responders often overlook ADS entries, allowing the backdoor to persist undetected across reboots.

Moreover, the use of dynamic task names prevents easy correlation during log analysis, as each deployment may appear distinct.

Understanding these tactics is critical for defenders aiming to develop detection rules that surface anomalous scheduled tasks and ADS activity in real time.
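As an added defender-side example (not code from the article or from Google Cloud's report), the following PowerShell surfaces the two artifacts described above: files carrying non-default alternate data streams and scheduled tasks whose action launches PowerShell. The scan root, the allow-list of known-benign stream names and the process-name pattern are assumptions to tune per environment.

```powershell
# Added example, not from the original article. Hunts for the two persistence
# artifacts described in the text. $Root and $BenignStreams are assumptions.
param(
    [string]$Root = "C:\Windows\System32\drivers\etc",            # assumed scan root
    [string[]]$BenignStreams = @(':$DATA', 'Zone.Identifier')    # assumed allow-list
)

function Find-SuspiciousStreams {
    param([string]$Path, [string[]]$Allow)
    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Enumerate every stream on the file, including the default :$DATA stream
            Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $Allow -notcontains $_.Stream } |
        Select-Object FileName, Stream, Length
}

function Find-PowerShellTasks {
    # Scheduled tasks with at least one action that runs powershell.exe or pwsh.exe
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Actions | Where-Object { $_.Execute -match '(?i)powershell|pwsh' }
        } |
        Select-Object TaskName, TaskPath, State,
            @{ Name = 'Command'; Expression = {
                ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
            } }
}

$streams = Find-SuspiciousStreams -Path $Root -Allow $BenignStreams
$tasks   = Find-PowerShellTasks

Write-Host "Files with non-default alternate data streams under ${Root}:"
$streams | Format-Table -AutoSize
Write-Host "Scheduled tasks whose action invokes PowerShell:"
$tasks | Format-Table -AutoSize -Wrap
```

Run from an elevated session so that protected directories and all task folders are readable; a task that appears in the second list but has no matching entry in the task history or change-management records is the correlation the text recommends.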


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.