China-Linked Hackers Deploy Stealthy BRICKSTORM Malware in US Cyber Espionage Campaign

Listen to this Post

Featured Image

A Silent Cyber Threat Emerges

Since early 2025, a stealthy and highly adaptive malware known as BRICKSTORM has been quietly infiltrating U.S. organizations. First identified by Google’s Threat Intelligence Group (GTIG), the malware is tied to UNC5221, a China-nexus advanced persistent threat (APT) group notorious for exploiting zero-day vulnerabilities. This group has been linked to espionage operations and long-term network infiltration, with attacks often going undetected for over a year.

What makes BRICKSTORM particularly dangerous is its ability to act as a multi-functional backdoor, providing attackers with tools for file manipulation, credential theft, network proxying, and lateral movement across enterprise environments. With its sophisticated obfuscation methods and reliance on WebSockets-based command-and-control (C2) communications, it has proven extremely difficult for defenders to detect.

Targets span across sensitive industries, including legal services, SaaS providers, BPO firms, and technology companies, with attackers primarily seeking to exfiltrate sensitive communications and high-value corporate data. The campaign represents a new level of persistence and stealth in the realm of state-sponsored cyber espionage.

The Mechanics of BRICKSTORM Attacks

BRICKSTORM is written in Go, which enables cross-platform deployment across Linux and BSD appliances. It offers attackers a range of capabilities such as acting as a hidden web server, executing shell commands, and enabling SOCKS proxy relay for stealthy network access. Its presence in enterprise systems is often masked by delayed beaconing, process mimicry, and rapid domain rotation using services like Cloudflare, Heroku, and dynamic DNS.

In addition to BRICKSTORM, researchers discovered a companion tool dubbed BRICKSTEAL, a stealthy in-memory Java Servlet filter deployed on VMware vCenter servers. This tool intercepts HTTP authentication credentials, granting attackers access to highly privileged accounts. Once inside, they clone and mount Windows VMs offline to extract sensitive files, including the ntds.dit database that stores Active Directory credentials.

The attackers then leverage legitimate admin accounts to pivot deeper into corporate environments, targeting password management platforms such as Delinea Secret Server to steal and decrypt stored credentials. For persistence, BRICKSTORM is installed via SSH access enabled through VMware’s VAMI, with startup scripts modified to ensure it survives reboots. A JSP-based web shell called SLAYSTYLE further empowers attackers by allowing arbitrary command execution.

The Espionage Objective: Emails and Intelligence

Despite the technical sophistication, the attackers’ primary target remains email communications. Using Microsoft Entra ID Enterprise Applications, they gain access to mailboxes with mail.read or full_access_as_app permissions, enabling complete access to any user’s inbox. Victims range from developers and administrators to individuals involved in projects aligned with China’s economic and geopolitical priorities.

Investigators note that after operations conclude, attackers frequently wipe traces of their presence. They rotate infrastructure, retire malware samples, and eliminate forensic artifacts—leaving defenders with few clues to trace the breaches. This level of operational security demonstrates both high discipline and strong state backing.

Mandiant, which has been tracking BRICKSTORM activity, has released a dedicated scanner script to help organizations detect signs of compromise.

What Undercode Say:

The BRICKSTORM campaign underscores a recurring theme in global cyber warfare: the steady evolution of Chinese-linked espionage operations. The malware is not simply a backdoor; it is an ecosystem of tools designed for long-term persistence and selective intelligence gathering.

From a strategic perspective, targeting emails of developers and admins is a smart move. These roles often hold the keys to the kingdom, controlling infrastructure, code repositories, and sensitive communications. By infiltrating their accounts, attackers bypass traditional security perimeters and gain access to highly valuable information.

The use of VMware vCenter exploitation is particularly concerning. Many enterprises rely on VMware for virtualization, meaning the attackers are compromising the very core of digital infrastructure. By cloning domain controllers and vault servers offline, they effectively sidestep many real-time security monitoring solutions.

BRICKSTORM’s reliance on stealth and obfuscation is another lesson for defenders. Delayed beaconing and domain rotation make traditional detection methods ineffective. Security teams must shift toward behavioral analysis and anomaly detection rather than relying on static indicators like domains or malware hashes, which expire quickly.

It’s also worth noting the attackers’ discipline in operational security. By not reusing C2 domains or malware samples, they avoid creating recognizable patterns. This is a sharp contrast to less sophisticated groups that repeatedly recycle infrastructure.

For U.S. organizations, especially those in technology, legal, and SaaS sectors, BRICKSTORM serves as a wake-up call. Nation-state actors are not just going after classified government secrets—they are targeting businesses that play critical roles in the digital supply chain.

Moving forward, companies must adopt zero-trust architectures, frequent credential audits, and enhanced monitoring of privileged accounts. Defenses cannot rely solely on patching systems; proactive hunting and layered detection are essential.

In short, BRICKSTORM illustrates the next phase of cyber espionage: patient, stealthy, and focused on strategic intelligence rather than quick financial gains. Organizations that fail to recognize this shift risk becoming silent victims of long-term compromise.

Fact Checker Results

✅ BRICKSTORM is confirmed as a Go-based backdoor linked to UNC5221.
✅ Attacks focus on email exfiltration via Microsoft Entra ID applications.
❌ No evidence suggests BRICKSTORM is being monetized through ransomware or financial fraud.

Prediction

Looking ahead, BRICKSTORM and its companion tools will likely evolve into modular espionage platforms, expanding beyond vCenter exploitation to target cloud-native environments and containerized workloads. Future campaigns may integrate AI-driven evasion techniques to further outpace defenders. The most at-risk organizations will be those handling sensitive legal data, intellectual property, and strategic communications, making them prime targets for China’s long-term intelligence ambitions.

🕵️‍📝✔️Let’s dive deep and fact‑check.

References:

Reported By: securityaffairs.com
Extra Source Hub:
https://stackoverflow.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon