Covert Espionage Campaigns Take Aim at Europe’s Critical Infrastructure with Cross-Platform Precision
In a concerning development on the cybersecurity front, state-sponsored hackers aligned with the Chinese government have been spotted deploying new and enhanced versions of the stealthy BRICKSTORM malware, expanding its reach to both Windows and Linux systems. Originally designed to infiltrate Linux vCenter servers, the malware has evolved into Go-based Windows binaries, highlighting a calculated expansion of its capabilities.
According to NVISO researchers, this tool is not just a typical virus or ransomware threat. BRICKSTORM is a custom-built espionage platform engineered for long-term, undetected access to critical IT infrastructure — specifically targeting European industries seen as strategically important to the People’s Republic of China (PRC).
This marks yet another clear sign that cyber warfare is evolving beyond just financial gains. For Chinese threat actors, data theft and intellectual property extraction are core objectives, aiding the state’s industrial, technological, and geopolitical ambitions. What’s more alarming is that these adversaries are using legitimate-looking cloud services, encrypted tunnels, and DNS-over-HTTPS (DoH) to mask their activities and avoid detection.
Below is a complete breakdown of this major cyber threat, its technical anatomy, and why it should be on every enterprise’s radar.
BRICKSTORM Malware: The Key Findings in Detail
- Threat Actor: UNC5221, believed to be affiliated with Chinese state interests.
- Targeted Systems: Initially Linux, now extended to Windows environments.
- Primary Goal: Long-term infiltration and surveillance of strategically valuable organizations in Europe.
- Malware Type: BRICKSTORM — a backdoor built for cross-platform deployment, espionage, and stealth operations.
Technical Capabilities:
- New versions are Go-based Windows binaries.
- No exported functions; persistence is achieved through scheduled tasks.
- Equipped with advanced file management features via an HTTP API.
- Supports uploading/downloading, renaming, deleting files, and managing directories.
- Offers network tunneling over TCP, UDP, and ICMP for lateral movement.
- No built-in command execution — actions are performed via stolen credentials using RDP/SMB to evade process-based detections.
- Configurable settings include:
  - Authentication keys
  - DoH hosts and server IP lists
  - TLS certificate validation is intentionally disabled
- Up to three layers of nested TLS tunnels for C2 traffic obfuscation.
Command and Control (C2) Infrastructure:
- Uses legitimate cloud platforms like Cloudflare Workers and Heroku.
- Domains include:
  - `ms-azure[.]azdatastore[.]workers[.]dev`
  - `ms-azure[.]herokuapp[.]com`
- Uses DoH (DNS over HTTPS) via services like Quad9, NextDNS, and Google, so name lookups bypass the enterprise resolver and never appear in its DNS logs.
Detection and Mitigation Tips:
- Block access to public DoH services within enterprise networks.
- Implement TLS inspection to detect nested tunnel activity.
- Regularly audit environments for unusual or rare processes.
- Keep an eye out for the following IoCs:
  - `CreatedUACExplorer.exe` and `CreateUACExplorer.exe`
  - SHA256 hashes linked to these executables.
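To make the detection tips concrete, here is an added Python example (not from the NVISO report or the original post) that runs the indicators listed above over a handful of constructed Sysmon-style JSON events: the named executables, a scheduled task pointing at one of them, the two C2 domains (refanged), and HTTPS connections to public DoH resolvers. The resolver hostnames `dns.quad9.net`, `dns.nextdns.io` and `dns.google` are my assumptions of those providers' endpoints, not values taken from the report.

```python
# Added example (not from the NVISO report or the original post): rule-based
# detection of the BRICKSTORM indicators listed above, run over constructed
# Sysmon-style JSON events. DoH resolver hostnames are assumed endpoints.
import json

IOC_IMAGES = {"createduacexplorer.exe", "createuacexplorer.exe"}            # from the report
IOC_DOMAINS = {"ms-azure.azdatastore.workers.dev", "ms-azure.herokuapp.com"}  # refanged
DOH_HOSTS = {"dns.quad9.net", "dns.nextdns.io", "dns.google"}                # assumption

# Constructed sample events (one JSON object per line, Sysmon-like fields).
SAMPLE_EVENTS = [
    r'{"type":"process","image":"C:\\Windows\\explorer.exe","cmd":"explorer.exe"}',
    r'{"type":"process","image":"C:\\Users\\Public\\CreateUACExplorer.exe","cmd":"CreateUACExplorer.exe"}',
    r'{"type":"process","image":"C:\\Windows\\System32\\schtasks.exe",'
    r'"cmd":"schtasks /create /tn Updater /tr C:\\Users\\Public\\CreateUACExplorer.exe"}',
    r'{"type":"network","image":"C:\\Users\\Public\\CreateUACExplorer.exe","dst_host":"dns.quad9.net","dst_port":443}',
    r'{"type":"network","image":"C:\\Program Files\\Browser\\browser.exe","dst_host":"www.example.com","dst_port":443}',
    r'{"type":"network","image":"C:\\Users\\Public\\CreateUACExplorer.exe","dst_host":"ms-azure.herokuapp.com","dst_port":443}',
]

def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(event):
    """Return (rule, detail) findings for one parsed event."""
    findings = []
    image = basename(event.get("image", ""))
    if image in IOC_IMAGES:
        findings.append(("ioc_process_name", image))
    cmd = event.get("cmd", "").lower()
    # Persistence: a scheduled task whose action is one of the named binaries.
    if event.get("type") == "process" and "schtasks" in cmd and "/create" in cmd \
            and any(ioc in cmd for ioc in IOC_IMAGES):
        findings.append(("scheduled_task_persistence", event["cmd"]))
    if event.get("type") == "network":
        host = event.get("dst_host", "").lower()
        if host in IOC_DOMAINS:
            findings.append(("c2_domain", host))
        elif host in DOH_HOSTS and event.get("dst_port") == 443:
            # DoH bypasses the enterprise resolver, so catch it at the network layer.
            findings.append(("public_doh_resolver", host))
    return findings

def scan(lines):
    """Parse JSON lines and group findings by rule name."""
    report = {}
    for line in lines:
        for rule, detail in classify(json.loads(line)):
            report.setdefault(rule, []).append(detail)
    return report

if __name__ == "__main__":
    for rule, hits in scan(SAMPLE_EVENTS).items():
        print(f"{rule}: {hits}")
```

The DoH rule fires for any process, not only the IoC images, which is the point of blocking public resolvers rather than hunting for a specific binary.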
What Undercode Says:
The emergence of BRICKSTORM as a fully cross-platform, modular backdoor is not just a technical curiosity—it’s a geopolitical statement. This is not about quick profit, but about long-term strategic positioning by China in the global tech and trade game.
First, the shift from Linux to Windows reflects the attackers’ broader ambitions. Enterprises across Europe often operate in hybrid environments, with both Windows and Linux machines handling different layers of their infrastructure. By expanding BRICKSTORM’s capabilities, Chinese actors aim to maximize infiltration across the full digital spectrum.
The decision to avoid built-in command execution is particularly clever. It shows a deep understanding of how modern security tools trace suspicious activity. By leveraging network tunneling and stolen credentials, they bypass the most scrutinized parts of system behavior, namely process creation and command-line activity.
BRICKSTORM’s use of cloud platforms as proxies makes it even more formidable. These platforms are inherently trusted in enterprise environments. So while defenders are busy scanning for anomalies, malicious traffic is comfortably masquerading as legitimate cloud communication.
The use of DNS over HTTPS further undermines traditional detection strategies. Standard DNS resolver logs, once a vital tool for tracing malicious domains, never see the lookups when DoH is involved, because the queries travel inside HTTPS sessions to an external resolver. Unless organizations inspect encrypted traffic or block public DoH entirely, they are blind to this part of the adversary's activity.
What’s particularly telling is BRICKSTORM’s adaptability. The malware doesn’t rely on static infrastructure or predictable behaviors. With configurable C2 channels, hardcoded IP fallbacks, and multi-layered encryption, it resists fingerprinting and keeps working across reboots, updates, and even the publication of indicators.
As more governments ramp up their own cybersecurity postures, this kind of asymmetric cyber warfare becomes a central front. The malware’s stealth, resilience, and cross-platform support are likely a glimpse into what future cyber threats will look like — deeply embedded, nearly invisible, and extremely hard to eradicate.
This is why defenders must evolve too. Legacy tools alone can’t keep up. Enterprises need behavioral analysis, zero trust policies, cloud traffic monitoring, and TLS inspection layers that go far beyond just surface-level scanning. Threat actors like UNC5221 aren’t just playing the game—they’re redefining it.
In short, BRICKSTORM isn’t just malware—it’s a tactical weapon in a quiet digital war.
Fact Checker Results:
- The UNC5221 group has been consistently linked to Chinese state interests by multiple security firms.
- NVISO’s technical analysis of BRICKSTORM confirms the Windows variant is Go-based and stealth-focused.
- The use of DNS-over-HTTPS and cloud proxy services has been validated as a key evasion tactic by threat actors in recent espionage campaigns.
References:
Reported By: cyberpress.org