
BRICKSTORM, a new “highly evasive” malware campaign linked to Beijing, has been targeting the legal services and technology sectors for more than a year, according to new research published by Google’s Mandiant on Wednesday.
- Google threat intel has been tracking a new Chinese-linked espionage campaign since March, dubbed BRICKSTORM.
- Operated by UNC5221, the malware exploits appliances without endpoint detection, steals sensitive emails, and leverages zero-day flaws for persistence.
- Mandiant released a scanner tool on GitHub to help organizations detect the malware, although full detection is limited.
The backdoor malware was only first clocked by researchers in March, yet has been stealthily deployed, allowing the threat actors to remain undetected for an average of 393 days, Mandiant says.
The report shows that targets of choice include legal services organizations, Software as a Service (SaaS) providers, Business Process Outsourcers (BPOs), and other technology-related firms, although Mandiant noted it has “responded to intrusions across a range of industry verticals.”
BRICKSTORM is attributed to the China-nexus threat actor UNC5221, known for several past zero-day attacks, including the April attacks on Ivanti VPN appliances and the subsequent deployment of “the SPAWN ecosystem of malware.”
“This BRICKSTORM campaign marks a striking evolution in adversary tradecraft,” said Ensar Seker, CISO at SOCRadar.
“What makes it ‘next level’ is not simply the long dwell times or precision targeting, though both are alarming, but rather the strategic layering of access, reconnaissance, and supply-chain influence,” the CISO said.
Seker points out that by infiltrating tech security and legal services firms, the attackers “don’t just get to access those environments; they gain pathways into their clients and partners, giving them a multiplier effect on reach.”
Emails are of particular interest
“The BRICKSTORM campaign represents a significant threat due to its sophistication, evasion of advanced enterprise security defenses, and focus on high-value targets,” said Charles Carmakal, CTO, Mandiant Consulting, Google Cloud.
The group is said to maintain persistent access to its victim environments, aiming to steal valuable intellectual property and sensitive data from organizations and individuals of strategic interest to the Chinese government.
The Google Threat Intelligence Group (GTIG) stresses that “while UNC5221 has been used synonymously with the actor publicly reported as Silk Typhoon in the past, GTIG does not currently consider the two clusters to be the same.”
BRICKSTORM malware used by suspected China-nexus actor, UNC5221, in stealthy espionage campaign.
- Avg dwell time: 393 days.
- Targets: US legal, SaaS, BPOs & tech firms.
We have released a scanner, IOCs, and guidance to help defenders.
Full analysis: https://t.co/wM3OFsR5Ec
Mandiant (part of Google Cloud) (@Mandiant), September 24, 2025
“The threat actor’s interest in the emails of key individuals within the victim organization” was a common thread observed across all the investigations, the researchers said.
At times, UNC5221 was said to have “targeted the mailboxes of developers and system administrators, while in other cases, targeted the mailboxes of individuals involved in matters that align with PRC economic and espionage interests,” Mandiant states.
Salt Typhoon is the name of another Chinese threat actor (also identified by Microsoft), known for targeting the email accounts of US government officials in several espionage-fueled hacking campaigns in recent years, including the email accounts of US President Donald Trump during the 2024 election.
Maintaining persistent access
BRICKSTORM is typically deployed on “edge appliances that lack traditional endpoint detection and response (EDR),” and the researchers say that this, along with malware modifications and advanced anti-forensics techniques, is what allows the threat actor to stay in the victim’s systems unnoticed for extended periods of time.
As is typical of most Advanced Persistent Threats (APTs), the BRICKSTORM hackers employ “sophisticated techniques to maintain persistence and minimize the visibility traditional security tools have into their activities.”
The threat lifecycle begins with initial access, establishing a foothold using the BRICKSTORM malware, escalating privileges, moving laterally throughout the victim's system, and then maintaining its presence until it exfiltrates a cache of files deemed worthy, uploading them to a unique Command and Control (C2) server, the Mandiant blog states.
Mandiant said it had observed the threat actor using common techniques “to conduct bulk email access and exfiltration from Microsoft 365 Exchange Online.”
Carmakal said that, besides stealing sensitive data while lying in wait, the threat actor has also been known to take advantage of already-exploited zero-day vulnerabilities and of third-party software currently in use by the victim organization.
“The access obtained by UNC5221 and related China-nexus actors enables them to pivot to downstream customers of compromised SaaS providers or discover zero-day vulnerabilities in enterprise technologies, which can be used for future attacks,” Carmakal said.
Seker agrees the threat actors' motivation is “more long-term than opportunistic,” noting that many downstream systems may not even realize they’ve been compromised yet.
“The threat operators are methodically exfiltrating intellectual property and internal designs, which gives them a unique insight into how to bypass defenses and identify zero-day opportunities,” he said.
“That kind of foresight suggests a campaign designed not just for espionage, but for building capabilities that can support multiple future attacks,” Seker explains, adding that BRICKSTORM should be a wake-up call for all security firms.
“Adversaries are no longer treating high-value firms as endpoints to exploit, but as nodes in a broader intelligence and access network. Defending against that requires we think in ecosystems and assume compromise, not just for ourselves, but for every connected party,” Seker said.
Indicators of compromise lead to scanner tool
Although BRICKSTORM is considered a widespread campaign primarily targeting organizations in the US, the good news is that Mandiant has also released a fresh “scanner script” intended to help companies detect whether the malware is hidden in their systems.
The scanner utility is intended to “run on *nix-based appliances and other (Linux) systems without requiring YARA to be installed,” the researchers said. It was also designed to “identify files that match a known BRICKSTORM signature and scan specified files or recursively scan entire directories.”
The BRICKSTORM scanner tool, which Mandiant is urging companies in those targeted sectors to run, is currently available for download on GitHub.
However, Mandiant does warn that the tool will not:
- Identify a compromise 100% of the time.
- Detect all variants of BRICKSTORM (it is specific to one YARA rule).
- Tell you if a device is vulnerable to exploitation.
- Scan for other IOCs like logs, processes, or persistence mechanisms.
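The scanner behaviour described above (scan a given file or walk a directory tree, flag files matching one fixed signature, no YARA runtime needed), as an added illustration that is not Mandiant’s scanner and does not carry the real BRICKSTORM rule: the signature, file names and file contents below are constructed placeholders, and the limitations listed above apply to it just as much (one rule, file content only, no process or persistence checks).

```python
import os
import re
import shutil
import tempfile

# Constructed placeholder signature: every pattern must occur in the file. These
# byte strings are NOT real BRICKSTORM indicators; use Mandiant's published rule.
PLACEHOLDER_SIGNATURE = {
    "all_of": [re.compile(rb"DEMO_marker_1"), re.compile(rb"DEMO_[a-z]{4}_2")],
    "max_size": 20 * 1024 * 1024,  # skip very large files to bound scan time
}

def file_matches(path, sig=PLACEHOLDER_SIGNATURE):
    """Return True if every pattern in the signature occurs in the file's bytes."""
    try:
        if os.path.getsize(path) > sig["max_size"]:
            return False
        with open(path, "rb") as f:
            data = f.read()
    except OSError:
        return False  # unreadable or vanished file: skip it, keep the sweep going
    return all(p.search(data) for p in sig["all_of"])

def scan(target, sig=PLACEHOLDER_SIGNATURE):
    """Scan one file, or walk a directory recursively; return matching paths."""
    if os.path.isfile(target):
        return [target] if file_matches(target, sig) else []
    hits = []
    for root, _dirs, files in os.walk(target):
        for name in files:
            path = os.path.join(root, name)
            if os.path.islink(path):
                continue  # do not follow symlinks out of the scanned tree
            if file_matches(path, sig):
                hits.append(path)
    return sorted(hits)

def demo():
    """Build a constructed tree with one matching and one clean file, scan it."""
    base = tempfile.mkdtemp()
    try:
        app = os.path.join(base, "opt", "app")
        os.makedirs(app)
        with open(os.path.join(app, "svc"), "wb") as f:
            f.write(b"\x7fELF..DEMO_marker_1..DEMO_abcd_2..")  # both patterns
        with open(os.path.join(app, "clean"), "wb") as f:
            f.write(b"\x7fELF..DEMO_marker_1 only..")  # one pattern: no hit
        return [os.path.basename(h) for h in scan(base)]
    finally:
        shutil.rmtree(base, ignore_errors=True)
```

A hit from a file scanner like this is a lead for triage, not a verdict; the absence of a hit says nothing about variants the rule does not cover.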
“We encourage organizations to hunt for BRICKSTORM and other backdoors that may reside on their systems that do not have endpoint detection and response (EDR) coverage,” Carmakal said.
The research explains that the indicators of compromise (IOCs) for this specific threat actor are difficult to track and often quickly expire, and therefore suggests organizations adopt “a TTP-based hunting approach.” For example, the threat actor was said to have used a different C2 domain for each victim.
“This is not only an ideal practice, but a necessity to detect patterns of attack that are unlikely to be detected by traditional signature-based defenses,” Mandiant said of the threat actors’ known tactics, techniques, and procedures (TTPs).