F5 breach exposes powerful backdoor exploited by China-linked hackers

Published: 23 October 2025
Last updated: 23 October 2025
F5 BIG IP

Researchers investigating artifacts from the recent F5 BIG-IP breach are warning about a stealthy and powerful backdoor used by China-linked threat actors. Known as Brickstorm, the malware leaves minimal traces, enabling attackers to gain long-term access.

In the aftermath of the massive F5 breach, Resecurity, a cybersecurity company, is warning about China-linked hackers actively targeting organizations with F5 BIG-IP systems deployed.

ADVERTISEMENT

These systems are used by enterprises for load balancing, application delivery, and security, and over 250,000 of them are exposed on the internet.

The attackers remained in F5’s systems for at least 12 months using a stealthy self-contained backdoor, consistent with the Brickstorm family.

Resecurity has recently released a Brickstorm backdoor analysis and additional details on the involvement of China's threat actors.

jurgita justinasv Izabelė Pukėnaitė vilius Ernestas Naprys Gintaras Radauskas
Don't miss our latest stories on Google News. Add us as your Preferred Source on Google
Follow us

A backdoor is malware that hackers leave on the device after the initial compromise to maintain persistent access. To compromise the device, attackers usually exploit known or zero-day vulnerabilities.

While F5 is not aware of any undisclosed flaws that could have been exploited, the stolen source code “raises the risk of rapid zero-day discovery and weaponization against internet-exposed management services,” Resecurity warns.

“If an attacker gets code execution (via zero-day or weakly secured services), Brickstorm can turn a BIG-IP into a stealth egress point and internal proxy, with minimal logs and long dwell.”

ADVERTISEMENT

What do we know about this new backdoor?

The espionage backdoor Brickstorm is linked to the China-nexus cluster UNC5221, which employs sophisticated capabilities and exploits zero-day flaws targeting network appliances.

Resecurity has collected “multiple artifacts” from the threat actor’s appliance-focused tradecraft, which include the Go ELF (executable compiled for Linux) backdoor itself, small deployment scripts, and a component used for credential harvesting.

brickstorm-backdoor

“The backdoor is a self-contained, dependency-free executable packaged for appliances with limited userland,” Resecurity said in the report.

This means the program needs no extra software on the device. It includes full web protocols for traffic (TLS client, HTTP/1.1/HTTP/2 paths, WebSocket upgrade/session handling). It can act as a SOCKS proxy for routing malicious traffic. It hides data transfers inside POST requests using the same multipart/form-data format browsers use for uploads.

To attack F5, the threat actor, after gaining code execution, configured the backdoor to establish an encrypted outbound TLS connection “that negotiates HTTP/2 and upgrades the connection to WebSocket for a persistent C2 tunnel.”

They used this connection to carry many separate sessions at once to deliver command-and-control (C2) parameters and manage the implant.

Has my data been leaked?
Check Now

“We have noticed there are no hardcoded domains or credentials in the ELF file, which suggests the attackers likely used a zero-day to gain access and can connect back to the target without issue,” the report reads.

ADVERTISEMENT

The researchers also found that the attackers leveraged publicly available repositories, that portions of the code originated from China, and that it was maliciously designed for cyberattacks.

After the F5 cyberattack, over twenty previously unknown vulnerabilities were disclosed affecting BIG-IP (all modules), F5OS (A/C), and BIG-IP Next (SPK/CNF), with several issues that could enable remote exploitation of internet-exposed management services.

Resecurity is urging network defenders to treat them as an emergency: upgrade to the latest versions immediately, remove public exposure of management planes, and restrict egress.

Google’s Mandiant team previously reported that attackers have been using Brickstorm since March 2025 across a range of industry verticals, including legal services, software as a service (SaaS) providers, business process outsourcers (BPOs), and technology. The team provided a scanner script to search for patterns unique to the backdoor.

Unlock more exclusive Cybernews content on YouTube.

Share
Post
Share
Share
Share
More from Cybernews
Meta confirms: critical vulnerability in account recovery tool exposed over 20K Instagram users
UK to use AI to prepare for AI-induced employment challenges
Dark web drug vendor gets 26 years for selling fentanyl and meth
Meta escalates legal battle with Israeli spyware firm NSO over WhatsApp attacks
UK PM Starmer set to ban social media for Under-16s
OpenAI plans biggest ChatGPT overhaul ahead of listing
ADVERTISEMENT
Leave a Reply

Your email address will not be published. Required fields are markedmarked