‘BRICKSTORM’ Backdoor: Chinese Hackers Target US Firms

Summary
– Chinese cyber threat actors have been targeting US legal, tech, SaaS, and outsourcing firms with the BRICKSTORM backdoor since at least March 2025.
– The campaign’s motivation extends beyond typical espionage to potentially develop zero-day exploits and gain access to downstream victims.
– The threat actors, tracked as UNC5221, use sophisticated techniques including exploiting zero-day vulnerabilities to deploy BRICKSTORM on appliances like VMware servers.
– A key objective is to read and exfiltrate the email of key individuals within victim organizations by abusing Microsoft Entra ID application permissions.
– BRICKSTORM is a Go-based backdoor that communicates with a command-and-control server via WebSockets and has also been found in Windows-focused variants targeting European organizations.
A sophisticated cyber espionage campaign employing a backdoor known as BRICKSTORM is actively targeting American companies, with a particular focus on legal practices, technology firms, and software-as-a-service providers. According to a recent analysis by Google’s Threat Intelligence Group (GTIG), these intrusions, which began no later than March 2025, are believed to be the work of Chinese-aligned hackers. The objective of these attacks appears to go beyond simple intelligence gathering, potentially aiming to collect data for developing future zero-day exploits and to create strategic footholds for broader network infiltration.
The threat actors, tracked as UNC5221, have demonstrated a high level of sophistication that makes investigation difficult. Intrusions typically went undetected for long periods, so that by the time a breach was discovered critical log data had already aged out of retention. The group's primary interest frequently involves the email accounts of key personnel within victim organizations, from which it exfiltrates sensitive files. While some security firms link UNC5221 to another group called Silk Typhoon, Google currently treats them as separate entities.
The attack methodology is complex and multi-staged. It typically begins with the exploitation of a zero-day vulnerability in an internet-facing appliance to gain initial access. The hackers then deploy the BRICKSTORM backdoor onto VMware vCenter servers and ESXi hosts, appliances that cannot run conventional endpoint agents and are therefore difficult to monitor with standard security tools. To escalate privileges they use in-memory code injection, credential harvesting, multi-factor authentication bypass, and even cloning of the virtual machines of critical servers such as domain controllers, from which credential material can be extracted offline. They move laterally by reusing stolen credentials and establish persistence by modifying appliance startup files so that the backdoor relaunches after a reboot. The final stage often involves abusing Microsoft Entra ID enterprise applications granted broad mail-read permissions to access target mailboxes.
BRICKSTORM itself is a backdoor written in Go, built to run on VMware vCenter appliances. It starts an embedded web server through which the operators can manage files, execute commands and open proxy connections into the victim network. Communication with the attackers' command-and-control servers takes place over WebSockets to a hard-coded address. The malware tracks its own state through environment variables: depending on their values it copies itself into a system directory and spawns new processes, so that a running instance is always present.
The deployment strategy usually involves first compromising a network appliance and then pivoting to the VMware estate with credentials captured by the malware. In a separate development, European cybersecurity firm NVISO reported discovering Windows-compatible versions of BRICKSTORM that had been used to spy on European entities since 2022. While Google acknowledges this finding, its own investigations have not yet encountered these Windows-focused variants. To aid detection, Google's Mandiant has released a scanner script that identifies BRICKSTORM on Unix-based systems without requiring YARA, by searching files for a specific combination of strings and hexadecimal byte patterns.
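The following is an added illustration of the YARA-free scanning approach the paragraph describes; it is not Mandiant's brickstorm_scanner.sh and carries none of its indicators. Every string and byte value in it is a hypothetical placeholder, and the sample files it creates are constructed for the demonstration. What it shows is the composition logic: a file is flagged only when it contains all of the required strings and the required byte sequence, with the byte match kept aligned to byte boundaries so that a naive search over a continuous hex dump cannot produce a half-byte-offset false positive.

```shell
#!/bin/sh
# Added illustration, NOT Mandiant's brickstorm_scanner.sh. Shows the YARA-free
# approach: a file is flagged only when it contains every required ASCII string
# AND one contiguous byte sequence. All indicator values are HYPOTHETICAL
# placeholders; swap in the real strings/hex from the vendor's published script.

# Required substrings, one per line (hypothetical placeholders).
REQUIRED_STRINGS='websocket
golang'

# Required byte sequence as space-separated hex bytes (hypothetical placeholder).
REQUIRED_HEX='de ad be ef'

# has_all_strings FILE: succeeds only if every REQUIRED_STRINGS line occurs in FILE.
# grep -a scans binaries as text; -F disables regex interpretation of indicators.
has_all_strings() {
    printf '%s\n' "$REQUIRED_STRINGS" | while IFS= read -r s; do
        [ -n "$s" ] || continue
        grep -q -a -F -- "$s" "$1" || exit 1   # exit from the subshell = pipeline fails
    done
}

# has_hex FILE: succeeds only if REQUIRED_HEX occurs byte-aligned in FILE.
# od emits one two-digit token per byte; matching on the space-separated token
# stream cannot match at a half-byte (nibble) offset, unlike a search over a
# continuous hex dump.
has_hex() {
    od -An -v -tx1 "$1" | tr '\n' ' ' | tr -s ' ' | grep -q -F -- " $REQUIRED_HEX "
}

# is_match FILE: both indicator classes must be present.
is_match() {
    has_all_strings "$1" && has_hex "$1"
}

# scan_tree DIR: prints the path of every matching regular file under DIR.
scan_tree() {
    find "$1" -type f | while IFS= read -r f; do
        if is_match "$f"; then printf '%s\n' "$f"; fi
    done
}

# count_matches DIR: prints how many files under DIR match.
count_matches() {
    scan_tree "$1" | wc -l | tr -d ' '
}

# make_demo_dir: builds a CONSTRUCTED sample tree for trying the scanner offline
# and prints its path. both.bin carries both indicator classes; strings_only.bin
# lacks the bytes; shifted.bin carries the same nibbles at a half-byte offset
# (0d ea db ee f0), which a naive hex-dump search would wrongly flag.
make_demo_dir() {
    d=$(mktemp -d)
    printf 'websocket\ngolang\n\336\255\276\357\n'     > "$d/both.bin"
    printf 'websocket\ngolang\nno bytes here\n'        > "$d/strings_only.bin"
    printf 'websocket\ngolang\n\015\352\333\356\360\n' > "$d/shifted.bin"
    printf '%s\n' "$d"
}

# Usage: sh scanner.sh /path/to/scan   (no arguments: only define the functions)
[ $# -eq 0 ] || scan_tree "$1"
```

Run it as `sh scanner.sh /` on a suspect appliance, or call `make_demo_dir` and point `scan_tree` at the result to see that only both.bin is reported. Requiring every indicator to be present is what keeps false positives down on Go binaries, which routinely contain individual strings such as a WebSocket library name; the real scanner's value lies in the specific indicators it ships with, which this example deliberately does not reproduce.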
(Source: Infosecurity Magazine)