Companies in the legal services, software-as-a-service (SaaS) providers, Business Process Outsourcers (BPOs), and technology sectors in the U.S. have been targeted by a suspected China-nexus cyber espionage group to deliver a known backdoor referred to as BRICKSTORM.
The activity, attributed to UNC5221 and closely related, suspected China-nexus threat clusters, is designed to facilitate persistent access to victim organizations for over a year, Mandiant and Google Threat Intelligence Group (GTIG) said in a new report shared with The Hacker News.
It’s assessed that the objective of BRICKSTORM targeting SaaS providers is to gain access to downstream customer environments or the data SaaS providers host on their customers’ behalf, while the targeting of the U.S. legal and technological spheres is likely an attempt to gather information related to national security and international trade, as well as steal intellectual property to advance the development of zero-day exploits.
BRICKSTORM was first documented by the tech giant last year in connection with the zero-day exploitation of Ivanti Connect Secure zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887). It has also been used to target Windows environments in Europe since at least November 2022.
A Go-based backdoor, BRICKSTORM comes fitted with capabilities to set itself up as a web server, perform file system and directory manipulation, carry out file operations such as upload/download, execute shell commands, and act as a SOCKS relay. It communicates with a command-and-control (C2) server using WebSockets.
Earlier this year, the U.S. government noted that the China-aligned threat cluster tracked as APT27 (aka Emissary Panda) overlaps with that of Silk Typhoon, UNC5221, and UTA0178. However, GTIG told The Hacker News at the time that it does not have enough evidence on its own to confirm the link and that it’s treating them as two clusters.
“These intrusions are conducted with a particular focus on maintaining long term stealthy access by deploying backdoors on appliances that do not support traditional endpoint detection and response (EDR) tools,” GTIG said, adding it has responded to several intrusions since March 2025.
“The actor employs methods for lateral movement and data theft that generate minimal to no security telemetry. This, coupled with modifications to the BRICKSTORM backdoor, has enabled them to remain undetected in victim environments for 393 days, on average.”
In at least one case, the threat actors are said to have exploited the aforementioned security flaws in Ivanti Connect Secure edge devices to obtain initial access and drop BRICKSTORM on Linux and BSD-based appliances from multiple manufacturers.
There is evidence to suggest that the malware is under active development, with one sample featuring a “delay” timer that waits for a hard-coded date months in the future before initiating contact with its C2 server. The BRICKSTORM variant, Google said, was deployed…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
