Google Threat Intelligence Group and Mandiant have uncovered BRICKSTORM, a sophisticated backdoor malware campaign linked to China-nexus groups, actively targeting U.S. industries since March 2025. The campaign focuses on espionage, credential theft, and IP exfiltration across sectors like legal services, SaaS, and technology firms. #BRICKSTORM #UNC5221
Key points
- BRICKSTORM is a cross-platform backdoor written in Go, which lets it run on edge appliances, where it evades detection.
- The malware has remained undetected for an average of 393 days, using evasive techniques such as delayed beaconing and masquerading.
- Attackers use cloud services such as Cloudflare Workers and Heroku for command-and-control infrastructure.
- BRICKSTORM is paired with credential theft tools such as BRICKSTEAL to access VMware environments and exfiltrate data at scale.
- The campaign’s objectives include geopolitical espionage, intellectual property theft, and enabling zero-day exploit development.
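As an added example (not part of this summary and not code from the Google Threat Intelligence Group or Mandiant reporting), the Python sketch below flags the traffic shape a delayed beacon to cloud-hosted command-and-control would leave in egress proxy logs: sparse, regular requests from one internal host to a *.workers.dev or *.herokuapp.com name. The log format, host names and thresholds are constructed assumptions, and the suffix list is only the platforms' default hosting domains.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Default hosting suffixes of the cloud platforms named above. Assumption: a campaign
# can also front C2 with custom domains, so this is a starting point, not a filter.
CLOUD_C2_SUFFIXES = (".workers.dev", ".herokuapp.com")

# Constructed proxy log lines: timestamp, source host, destination domain.
SAMPLE_LOG = """\
2025-03-01T00:00:00 vcenter01 app-1234.workers.dev
2025-03-01T06:00:10 vcenter01 app-1234.workers.dev
2025-03-01T12:00:05 vcenter01 app-1234.workers.dev
2025-03-01T18:00:12 vcenter01 app-1234.workers.dev
2025-03-01T09:13:00 wkstn07 photos.example.herokuapp.com
2025-03-01T09:13:02 wkstn07 photos.example.herokuapp.com
2025-03-01T09:13:03 wkstn07 photos.example.herokuapp.com
2025-03-01T09:14:40 wkstn07 photos.example.herokuapp.com
2025-03-01T10:00:00 vcenter01 updates.vendor.example
"""

def parse_log(text):
    """Group request timestamps by (source, destination) for cloud-hosted destinations."""
    series = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst = line.split()
        if dst.endswith(CLOUD_C2_SUFFIXES):
            series[(src, dst)].append(datetime.fromisoformat(ts))
    return series

def find_slow_beacons(text, min_gap_s=3600, max_jitter=0.05, min_hits=3):
    """Flag pairs whose requests are sparse (long gaps) and regular (low jitter):
    the shape a delayed beacon leaves in logs, whereas user traffic is bursty."""
    hits = []
    for (src, dst), stamps in parse_log(text).items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(gaps) + 1 < min_hits:
            continue  # too few requests to judge regularity
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else 0.0
        if avg >= min_gap_s and jitter <= max_jitter:
            hits.append({"src": src, "dst": dst, "period_s": round(avg), "jitter": round(jitter, 3)})
    return hits

if __name__ == "__main__":
    for h in find_slow_beacons(SAMPLE_LOG):
        print(f"{h['src']} -> {h['dst']}: ~{h['period_s']}s period, jitter {h['jitter']}")
```

The constructed workstation traffic is skipped because its gaps are short and irregular; only the six-hourly, near-constant period from the constructed vCenter host is reported.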