
Google warns of Brickstorm backdoor targeting U.S. legal and tech sectors


China-linked actors used Brickstorm malware to spy on U.S. tech and legal firms, stealing data undetected for over a year, Google warns.

Google Threat Intelligence Group (GTIG) has observed the Go-based backdoor BRICKSTORM being used to maintain persistence in U.S. organizations since March 2025. Targets include legal firms, Software as a Service (SaaS) providers, Business Process Outsourcers (BPOs), and technology companies. Mandiant attributes the activity to the China-nexus group UNC5221, which is known for exploiting zero-day vulnerabilities in edge devices to gain access for espionage.

Google first detailed the backdoor in April 2024. The intrusions in which it was used remained undetected for more than a year on average. BRICKSTORM can act as a web server, manipulate the file system, upload and download files, execute shell commands, and relay traffic as a SOCKS proxy. It uses WebSockets for command-and-control (C2) communications.

Mandiant reports that because BRICKSTORM intrusions often go undetected for over a year, the initial attack vector is frequently unrecoverable by the time an investigation begins. The available evidence points to a focus on perimeter and remote-access systems, in some cases compromised through zero-day vulnerabilities. The backdoor has been found on Linux and BSD appliances, where its SOCKS proxy gives the operators a foothold for lateral movement to VMware vCenter and ESXi using stolen credentials. BRICKSTORM is under active development and increasingly obfuscated. The researchers warn that it relies on stealth tactics such as delayed beaconing, mimicking legitimate processes, and rotating C2 domains hosted behind Cloudflare, Heroku, and dynamic DNS providers.
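The traits above (an appliance, not a workstation, opening WebSocket sessions to rotating PaaS or dynamic-DNS hostnames, with long gaps between sessions) are hunting criteria rather than signatures. The following is an added example of how to apply them to web-proxy logs; it is not a Google or Mandiant tool. The log format, the appliance inventory, the allowlist and the watched domain suffixes are constructed assumptions for the example and must be adapted to your environment.

```python
"""Hunt for outbound WebSocket C2 from network appliances in web-proxy logs.

Added example for this article, not code from Google/Mandiant. The log format,
the appliance list, the allowlist and the suffix list are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines: "<ts> src=<host> dst=<fqdn> status=<code> upgrade=<hdr or ->"
SAMPLE_LOG = """\
2025-03-02T01:14:07Z src=vcsa01 dst=vapp-updates.vmware.com status=200 upgrade=-
2025-03-02T03:20:11Z src=vcsa01 dst=sample-app-0000.herokuapp.com status=101 upgrade=websocket
2025-03-02T03:20:15Z src=ws-jdoe dst=teams.microsoft.com status=101 upgrade=websocket
2025-03-03T03:19:58Z src=fw-edge2 dst=sync-node-0000.duckdns.org status=101 upgrade=websocket
2025-03-03T09:41:30Z src=fw-edge2 dst=support.fortinet.com status=200 upgrade=-
2025-03-04T03:20:40Z src=vcsa01 dst=sample-app-0000.herokuapp.com status=101 upgrade=websocket
"""

# Hosts that never carry interactive browser traffic (assumption: your appliance inventory).
APPLIANCES = {"vcsa01", "fw-edge2"}

# Vendor/update endpoints the appliances are expected to reach (assumption).
ALLOWLIST_SUFFIXES = (".vmware.com", ".fortinet.com")

# Hosting the article says C2 was rotated across; illustrative, not an IOC list.
WATCH_SUFFIXES = (".herokuapp.com", ".duckdns.org")

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"status=(?P<status>\d+) upgrade=(?P<upgrade>\S+)$"
)


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped, not fatal."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
            yield rec


def suspicious_websocket_sessions(log_text):
    """Return {src: {dst: [timestamps]}} for completed WebSocket upgrades
    from appliances to hosts outside the vendor allowlist."""
    hits = defaultdict(lambda: defaultdict(list))
    for rec in parse(log_text):
        if rec["src"] not in APPLIANCES:
            continue  # workstations use WebSockets legitimately (Teams, etc.)
        if not (rec["status"] == "101" and rec["upgrade"].lower() == "websocket"):
            continue  # only completed protocol upgrades
        if rec["dst"].endswith(ALLOWLIST_SUFFIXES):
            continue
        hits[rec["src"]][rec["dst"]].append(rec["ts"])
    return {src: dict(dsts) for src, dsts in hits.items()}


def beacon_intervals_hours(timestamps):
    """Gaps between consecutive sessions; long, regular gaps match 'delayed beaconing'."""
    ts = sorted(timestamps)
    return [round((b - a).total_seconds() / 3600, 2) for a, b in zip(ts, ts[1:])]


def on_watch_suffix(fqdn):
    """True if the destination sits on one of the watched rotating-host providers."""
    return fqdn.endswith(WATCH_SUFFIXES)


if __name__ == "__main__":
    for src, dsts in suspicious_websocket_sessions(SAMPLE_LOG).items():
        for dst, stamps in dsts.items():
            flag = "WATCHED" if on_watch_suffix(dst) else "review"
            print(f"{src} -> {dst} [{flag}] sessions={len(stamps)} "
                  f"gaps_h={beacon_intervals_hours(stamps)}")
```

The allowlist matters more than the watch list: the article states that C2 domains are never reused, so matching on specific hostnames will not work, while an appliance talking WebSocket to anything that is not its vendor is anomalous regardless of the provider behind it.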

In the latest wave of attacks, the operators deployed a stealthy in-memory Java Servlet filter, tracked as BRICKSTEAL, on vCenter to intercept HTTP Basic authentication and harvest high-privilege credentials. With these credentials, they cloned critical Windows VMs such as Domain Controllers and vault servers, mounted the clones offline, and extracted sensitive files such as ntds.dit, which never touches the running guest's security logging. The actors then used legitimate admin accounts to move laterally, reaching systems such as Delinea Secret Server to dump and decrypt stored credentials. On appliances, they installed BRICKSTORM after enabling SSH through the VAMI management interface and persisted it by editing startup scripts. To retain control, they also deployed a JSP web shell, SLAYSTYLE, capable of executing arbitrary commands.

The end goal of the operations is email exfiltration: the operators access mailboxes through Microsoft Entra ID enterprise applications and use the backdoor's SOCKS proxy to reach internal systems.

“A common theme across investigations is the threat actor’s interest in the emails of key individuals within the victim organization. To access the email mailboxes of target accounts, the threat actor made use of Microsoft Entra ID Enterprise Applications with mail.read or full_access_as_app scopes. Both scopes allow the application to access mail in any mailbox.” reads the report published by Google. “In some cases, the threat actor targeted the mailboxes of developers and system administrators while in other cases, they targeted the mailboxes of individuals involved in matters that align with PRC economic and espionage interests.”
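Because both scopes named in the report are application permissions that reach every mailbox in the tenant, the practical check is an inventory of which enterprise applications hold them. The script below is an added example for this article (not Google, Mandiant or Microsoft code) that joins the shape of two Microsoft Graph responses, the resource service principals' `appRoles` and each enterprise application's `appRoleAssignments`, to name the granted roles and flag the mailbox-wide ones. The sample data is constructed; only the field names follow Graph. Mail.ReadWrite is added to the watched set as an assumption, since it is a superset of Mail.Read.

```python
"""Audit Entra ID enterprise applications for tenant-wide mailbox access.

Added example for this article, not code from Google/Mandiant or Microsoft.
Input shape follows Microsoft Graph:
  GET /servicePrincipals?$select=id,displayName,appRoles      (resource apps)
  GET /servicePrincipals/{id}/appRoleAssignments               (per enterprise app)
The records below are constructed for the example.
"""
from collections import defaultdict

# Application permissions that grant access to every mailbox in the tenant.
# Mail.Read and full_access_as_app are the two named in the report;
# Mail.ReadWrite is included here as an assumption (it subsumes Mail.Read).
TENANT_WIDE_MAIL_ROLES = {"Mail.Read", "Mail.ReadWrite", "full_access_as_app"}

# Constructed sample: resource service principals and the app roles they expose.
RESOURCES = [
    {"id": "res-graph", "displayName": "Microsoft Graph",
     "appRoles": [
         {"id": "role-mail-read", "value": "Mail.Read", "allowedMemberTypes": ["Application"]},
         {"id": "role-user-read", "value": "User.Read.All", "allowedMemberTypes": ["Application"]},
     ]},
    {"id": "res-exo", "displayName": "Office 365 Exchange Online",
     "appRoles": [
         {"id": "role-full-access", "value": "full_access_as_app", "allowedMemberTypes": ["Application"]},
     ]},
]

# Constructed sample: appRoleAssignments collected across enterprise applications.
ASSIGNMENTS = [
    {"principalId": "sp-helpdesk", "principalDisplayName": "Helpdesk Sync",
     "resourceId": "res-graph", "appRoleId": "role-user-read"},
    {"principalId": "sp-backup", "principalDisplayName": "Mail Backup Connector",
     "resourceId": "res-graph", "appRoleId": "role-mail-read"},
    {"principalId": "sp-legacy", "principalDisplayName": "Legacy EWS Integration",
     "resourceId": "res-exo", "appRoleId": "role-full-access"},
    {"principalId": "sp-orphan", "principalDisplayName": "Unknown Resource",
     "resourceId": "res-missing", "appRoleId": "role-x"},
]


def build_role_index(resources):
    """Map (resourceId, appRoleId) -> role value so assignments can be named."""
    index = {}
    for res in resources:
        for role in res.get("appRoles", []):
            index[(res["id"], role["id"])] = role["value"]
    return index


def find_tenant_wide_mail_access(resources, assignments):
    """Return {principalId: sorted mailbox-wide role values} for flagged apps.
    Assignments whose resource/role cannot be resolved are ignored rather than
    treated as safe; list them separately with unresolved_assignments()."""
    role_index = build_role_index(resources)
    findings = defaultdict(set)
    for a in assignments:
        value = role_index.get((a["resourceId"], a["appRoleId"]))
        if value in TENANT_WIDE_MAIL_ROLES:
            findings[a["principalId"]].add(value)
    return {sp: sorted(roles) for sp, roles in findings.items()}


def unresolved_assignments(resources, assignments):
    """Assignments referencing a resource/role not present in the export."""
    role_index = build_role_index(resources)
    return [a["principalId"] for a in assignments
            if (a["resourceId"], a["appRoleId"]) not in role_index]


if __name__ == "__main__":
    names = {a["principalId"]: a["principalDisplayName"] for a in ASSIGNMENTS}
    for sp, roles in find_tenant_wide_mail_access(RESOURCES, ASSIGNMENTS).items():
        print(f"FLAG {names[sp]} ({sp}): {', '.join(roles)}")
    for sp in unresolved_assignments(RESOURCES, ASSIGNMENTS):
        print(f"UNRESOLVED {names[sp]} ({sp}): re-export resource service principals")
```

Every flagged application should be traceable to an owner and a business need; an application with full_access_as_app that nobody claims is exactly the foothold the report describes, and its sign-in and consent history should be reviewed before the permission is removed.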

UNC5221 thus targets developers and system administrators as well as individuals working on matters aligned with PRC interests. Once an operation is complete, the group removes its malware and does not reuse C2 domains or samples, which leaves investigators with few durable indicators.

“Across BRICKSTORM investigations we have not observed the reuse of C2 domains or malware samples, which, coupled with high operational security, means these indicators quickly expire or are never observed at all.” concludes the report.

Mandiant has released a scanner script that organizations can use to hunt for BRICKSTORM activity on their appliances.

Pierluigi Paganini

(SecurityAffairs – hacking, Mandiant)