
A sophisticated cyberespionage campaign, attributed to suspected Chinese hackers, has been actively targeting U.S. organizations for over a year using a previously undocumented backdoor named BrickStorm.[1] According to research detailed by Google’s Mandiant and reported by BleepingComputer, the threat actor, tracked as UNC5221, has maintained long-term persistence within the networks of technology, legal, Software-as-a-Service (SaaS), and Business Process Outsourcing (BPO) firms.[1] The campaign is characterized by its significant dwell time, averaging 393 days, and a focus on stealth, with actors removing malware after operations to complicate forensic analysis.[1] This operation highlights a continuing trend of state-sponsored groups conducting persistent, targeted intelligence gathering against specific sectors.
For security leadership, the key takeaways are the campaign’s duration, its focus on virtualization infrastructure for persistence, and the availability of detection tools. The threat actor, UNC5221, employed a multi-component malware suite including the BrickStorm backdoor and BrickSteal, a malicious Java Servlet Filter.[1] Initial access is believed to have been achieved through the exploitation of zero-day vulnerabilities in edge devices, such as Ivanti appliances.[1] Once inside, the actors demonstrated a methodical approach to credential theft, data exfiltration, and maintaining access. In response to the threat, Mandiant has released a free scanner script on GitHub to help organizations detect indicators of compromise related to BrickStorm.[1]
* **Threat Actor:** Suspected Chinese espionage group UNC5221.
* **Primary Malware:** BrickStorm (a Go-based backdoor) and BrickSteal.
* **Targets:** U.S. organizations in technology, legal, SaaS, and BPO sectors.
* **Campaign Duration:** Over a year, with an average dwell time of 393 days.
* **Key Tactic:** Credential theft via compromised VMware vCenter and exfiltration of emails via Microsoft Entra ID.
* **Mitigation:** Mandiant has released a detection script on GitHub.
Technical Analysis of the BrickStorm Campaign
The tradecraft employed by UNC5221, and in particular its operational security, is a defining feature of this campaign. After establishing a foothold, the actors systematically worked to steal credentials, particularly by compromising VMware vCenter servers.[1] A notable technique involved cloning virtual machines to extract secrets, which were then used to move laterally and escalate privileges within the environment. Persistence was maintained by configuring SSH access on ESXi hosts, ensuring continued access even if other entry points were closed.[1] The final stage involved the exfiltration of sensitive data, with a specific focus on email communications accessed through Microsoft Entra ID (formerly Azure Active Directory). The group’s emphasis on stealth is evident in its practice of removing the BrickStorm malware after completing data theft operations, a move designed to hinder incident response and forensic investigations.[1] Furthermore, the actors avoided reusing command and control infrastructure, making tracking and attribution more difficult.
Contextualizing BrickStorm Within the Broader Threat Landscape
The BrickStorm campaign shares similarities with other major state-sponsored operations, particularly in its objective of long-term intelligence gathering. The SolarWinds campaign, attributed to Russia’s SVR, set a precedent for sophisticated supply-chain attacks that impacted numerous U.S. federal agencies and private companies.[2] While the initial access vector differs, both campaigns demonstrate a high level of planning and a focus on remaining undetected for extended periods. Concurrently, other Chinese threat actors have been observed adapting their methods; for instance, TA415 was recently documented using VS Code Remote Tunnels to spy on U.S. economic policy experts, showing an abuse of legitimate developer tools.[3] These parallel activities indicate a diverse but persistent threat from nation-state actors targeting American intellectual property and strategic information. The evolution of these tactics underscores the need for robust monitoring of both traditional and cloud-based infrastructure.
Defensive Recommendations and Mitigation Strategies
Organizations, particularly those in the targeted sectors, should prioritize several key defensive actions. Given that initial access is suspected to come from exploited edge devices, rigorous patch management for internet-facing systems like Ivanti EPMM is critical. The exploitation of two specific Ivanti EPMM flaws, CVE-2025-4427 and CVE-2025-4428, by other malware strains was recently highlighted by CISA, emphasizing the urgency of applying these updates.[4] Furthermore, protecting virtualization infrastructure is paramount. Security teams should harden VMware vCenter and ESXi hosts, closely monitor for unauthorized SSH configuration changes, and audit VM cloning activities. Strengthening identity and access management, especially for cloud identities in Entra ID, through conditional access policies and strict monitoring of global admin activity can help detect and prevent the exfiltration techniques used in this campaign. Mandiant’s release of a scanner script provides a practical tool for organizations to check their environments for signs of BrickStorm-related malware.[1]
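As an added illustration of the two virtualization-layer hunts recommended above (auditing VM cloning and watching for SSH being turned on for ESXi hosts), the following script is example code written for this summary, not Mandiant's scanner or any vendor tool. The event records, field names and event type names are constructed and assumed; a real vCenter event export should be mapped onto them before use.

```python
"""Hunt two BrickStorm-style behaviours in a vCenter-style event export:
short-lived VM clones (clone, then removal of that clone soon after) and
SSH service starts on ESXi hosts. Records, field names and event type
names are constructed for this example; check them against your export."""
from datetime import datetime, timedelta

# Constructed sample events (flattened, one dict per event). Not real data.
SAMPLE_EVENTS = [
    {"time": "2025-03-02T01:10:00Z", "type": "VmClonedEvent", "user": "svc-backup",
     "vm": "fileserver01", "clone": "fileserver01-copy"},
    {"time": "2025-03-02T02:00:00Z", "type": "HostServiceStartedEvent", "user": "root",
     "host": "esxi-07.corp.example", "service": "TSM-SSH"},
    {"time": "2025-03-02T03:42:00Z", "type": "VmRemovedEvent", "user": "svc-backup",
     "vm": "fileserver01-copy"},
    {"time": "2025-03-05T09:00:00Z", "type": "VmClonedEvent", "user": "jdoe",
     "vm": "web01", "clone": "web01-staging"},
]

def _ts(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")

def short_lived_clones(events, max_life=timedelta(hours=24)):
    """Return (source_vm, clone, user, lifetime) for clones removed within max_life.
    A clone that exists only briefly matches the pattern of copying a VM to
    extract secrets from its disk and then deleting the copy. 24h is an assumed tuning value."""
    created = {}  # clone name -> (clone time, user, source vm)
    for e in events:
        if e["type"] == "VmClonedEvent":
            created[e["clone"]] = (_ts(e["time"]), e["user"], e["vm"])
    hits = []
    for e in events:
        if e["type"] == "VmRemovedEvent" and e["vm"] in created:
            t0, user, source = created[e["vm"]]
            life = _ts(e["time"]) - t0
            if timedelta(0) <= life <= max_life:
                hits.append((source, e["vm"], user, life))
    return hits

def ssh_started_on_hosts(events):
    """Return (host, user, time) for each SSH (TSM-SSH) service start on an ESXi host."""
    return [(e["host"], e["user"], e["time"]) for e in events
            if e["type"] == "HostServiceStartedEvent" and e.get("service") == "TSM-SSH"]

if __name__ == "__main__":
    for src, clone, user, life in short_lived_clones(SAMPLE_EVENTS):
        print(f"short-lived clone of {src}: {clone} by {user}, lived {life}")
    for host, user, when in ssh_started_on_hosts(SAMPLE_EVENTS):
        print(f"SSH started on {host} by {user} at {when}")
```

Both findings here point at the same two-hour window and the same host, which is the kind of correlation worth reviewing alongside the vCenter and Entra ID sign-in logs.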
The discovery of the BrickStorm campaign serves as a reminder that sophisticated espionage operations can persist within networks for many months without detection. The techniques used by UNC5221—targeting virtualization platforms and cloud identities—reflect a modern approach to cyberespionage that aligns with the broader shift of critical assets to cloud environments. This incident reinforces the necessity of assuming a posture of continuous monitoring and threat hunting, as traditional signature-based defenses may not catch such determined and stealthy adversaries. The availability of specific detection tools from threat intelligence vendors is a positive step that enables defenders to proactively hunt for these threats within their own networks.