UNC5221 Uses BRICKSTORM Backdoor to Infiltrate U.S. Legal and Technology Sectors

A suspected China-nexus cyber espionage group, tracked as UNC5221, has targeted U.S. companies in the legal, SaaS, BPO, and technology sectors with the BRICKSTORM backdoor to gain long-term access. The campaign focuses on stealing sensitive data, intellectual property, and national security information; the actor exploits vulnerabilities to get in and then maintains persistence for extended periods. #UNC5221 #BRICKSTORM

Keypoints

  • The threat group uses a Go-based backdoor called BRICKSTORM to infiltrate target networks.
  • BRICKSTORM can operate as a web server, perform file and directory operations, and act as a SOCKS relay, giving the operator a tunnel into the victim's internal network through which data can be staged and exfiltrated.
  • Victims include SaaS providers, legal firms, and organizations involved in national security and trade.
  • The group exploits vulnerabilities in Ivanti Connect Secure devices and VMware vCenter to establish initial access.
  • Organizations are urged to hunt for BRICKSTORM and similar backdoors, especially on appliances such as vCenter and ESXi hosts that lack endpoint detection tools and so give the implant a blind spot to persist in.

Read More: https://thehackernews.com/2025/09/unc5221-uses-brickstorm-backdoor-to.html