Chinese APT Drops 'Brickstorm' Backdoors on Edge Devices - Dark Reading
The China-linked cyber-espionage group UNC5221 is compromising network appliances that cannot run traditional EDR agents to deploy new versions of the "Brickstorm" backdoor.

Jai Vijayan, Contributing Writer
September 25, 2025

A China-linked cyber-espionage group is systematically exploiting network and infrastructure appliances that lack standard endpoint detection and response (EDR) support to break into organizations across sectors such as legal services, technology, software-as-a-service (SaaS) providers, and business process outsourcing (BPO).

The attackers have been deploying a sophisticated backdoor that Google's Threat Intelligence Group (GTIG) is tracking as "Brickstorm" to enable long-term access that, according to researchers, spanned well over a year.

Stealthy Tradecraft

Brickstorm hides by mimicking legitimate software and using unique command-and-control (C2) servers for each victim, making detection and blocking extremely difficult. The campaign's stealthy tradecraft has allowed the threat actor, tracked as UNC5221, to persist inside compromised networks for an average of 393 days before being detected, according to GTIG.

In many cases, Google found UNC5221 quietly accessing the emails of developers, administrators, and individuals of likely strategic interest to China by abusing Microsoft Entra ID enterprise applications with elevated permissions. What makes the campaign especially concerning is UNC5221's targeting of organizations whose systems often provide access to downstream customers.

"We have observed SaaS provider compromise leading to downstream access to their customers," says Austin Larsen, principal analyst with GTIG. "We're not sharing victim numbers or additional details on the specific victims but want to highlight that UNC5221 is targeting enterprise companies, BPOs, and tech products that governments and other tech companies use," Larsen says.

As is often the case with sophisticated state-backed campaigns, GTIG researchers have not been able to definitively nail down how UNC5221 is gaining initial access to target network appliances, most of which are either Linux- or BSD-based systems. But available telemetry points to the attacker exploiting both previously known vulnerabilities and zero-day flaws to get a foothold on perimeter and remote access devices from multiple manufacturers. Target appliances include firewalls, VPNs, IDS/IPS, and other devices that organizations deploy at the network edge. Typically, these systems are locked down by design, meaning defenders cannot deploy standard endpoint detection and response tools on them, which creates blind spots for attackers to exploit.

"While BRICKSTORM has been found on many appliance types, UNC5221 consistently targets VMware vCenter and ESXi hosts," GTIG researchers noted in a blog post. "In multiple cases, the threat actor deployed BRICKSTORM to a network appliance prior to pivoting to VMware systems."

A Cross-Platform Threat

Brickstorm itself is a cross-platform backdoor written in Go. The malware supports SOCKS proxy functionality, essentially turning an infected device into a relay point that allows the attackers to route their traffic through it and pivot deeper into the network while obscuring their true origin. The samples of Brickstorm that UNC5221 is using in the latest campaign are improvements on the samples that Google had previously analyzed.
One of the most significant improvements is the introduction of a "delay" timer in some Brickstorm samples that keeps the malware dormant on an infected system until a hard-coded date several months later. GTIG also found the threat actor using Garble, an open source tool for code obfuscation, to hide function names, structures, and logic in some newer Brickstorm samples. Some included a new version of a custom library, suggesting UNC5221 is developing the malware on a continuing basis.

Brickstorm, according to GTIG, is designed to hide in plain sight on the devices it infects, with names and functions that masquerade as legitimate activity. The malware uses C2 servers that run through popular cloud services like Cloudflare Workers or Heroku, or dynamic domains like sslip.io or nip.io that point directly to the C2 server's IP address. Significantly, each victim gets its own C2 domains, making it harder for defenders to track and block them.

Picus Security, another cybersecurity vendor that has been tracking Brickstorm-related activity, describes the malware as allowing UNC5221 actors to "tunnel into internal networks for interactive access and file retrieval." The malware accepts web-based commands, executes them on the host, and returns output via HTTP responses, according to the vendor.

Long-Term Stealth

Hüseyin Can Yüceel, security research lead at Picus, says the threat group follows a low-noise playbook. "[It] favors appliance and management-plane compromise, per-victim obfuscated Go binaries, delayed-start implants, and Web/DoH C2 to preserve stealth," Yüceel says. "The group's long-term stealth is deliberate."

The group's TTPs typically include harvesting and using valid high-privilege credentials so their activity appears as routine administrator tasks. They also deploy in-memory servlet filters, remove installer artifacts, and embed delayed-start logic to limit forensic traces, Yüceel says.
Other UNC5221 tactics that organizations should watch for include abuse of virtualization management capabilities, such as cloning VMs to extract credential stores offline; deployment of an in-memory Java Servlet filter on vCenter that intercepts and decodes web authentication to harvest high-privilege credentials; and the use of a SOCKS proxy on compromised appliances, he advised.

Shane Barney, chief information security officer (CISO) at Keeper Security, says the Brickstorm campaign highlights how attackers are shifting toward systems that often fall outside traditional monitoring, like edge devices and virtualization platforms. "When adversaries can persist for over a year undetected, it underscores the importance of visibility and disciplined risk management across the entire infrastructure," Barney says.

For security leaders, the focus should be on treating these appliances as critical assets, Barney says. That means maintaining a current inventory, limiting unnecessary internet access, and ensuring logs flow into centralized monitoring. "While perfect prevention isn't realistic, improving detection on these blind spots can significantly reduce dwell time and strengthen resilience against long-term espionage campaigns," Barney says.

The Brickstorm malware campaign is a reminder of how security infrastructure itself is often a prime target for advanced nation-state actors, adds Craig Jones, chief security officer (CSO) at Ontinue. "The fact that these intrusions can persist undetected for months speaks to both the patience of the actors and the gaps that still exist in traditional detection models," he says. "It is a reminder that defending against sophisticated actors is not only about patching your own systems, it's about holding partners, suppliers, and core security infrastructure to the same standard of vigilance."
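One concrete form the "logs flow into centralized monitoring" advice can take is shown below. This is an added example written for this page, not code from the Dark Reading article, GTIG, or Picus. It scans DNS query logs for the per-victim wildcard-DNS C2 names the article describes (sslip.io and nip.io): because these services resolve any hostname to the IPv4 address spelled out inside the name itself, a per-victim domain blocklist never catches up, but the pattern is easy to match and the embedded address can be decoded for triage. The log format, the host names, and the sample queries are constructed; the IPs are RFC 5737 documentation addresses, and the dotted, dashed, and (for nip.io) hexadecimal encodings are the public formats those services document.

```python
import re
import ipaddress
from typing import Dict, List, Optional

# Wildcard-DNS services named in the article. Any name under them resolves to
# the IPv4 address spelled out in the hostname, so an attacker needs no
# registered domain and can hand every victim a different name. A domain
# blocklist is therefore useless; matching the pattern still works.
WILDCARD_DNS_SUFFIXES = ("sslip.io", "nip.io")

# Dotted or dashed IPv4 embedded in the labels, e.g. 203.0.113.10.sslip.io,
# app-203-0-113-10.sslip.io or api.203.0.113.25.nip.io
_DOTTED_OR_DASHED = re.compile(
    r"(?:^|[.-])(\d{1,3})[.-](\d{1,3})[.-](\d{1,3})[.-](\d{1,3})(?=\.)"
)
# nip.io's documented hexadecimal form, e.g. cb00710a.nip.io -> 203.0.113.10
_HEX8 = re.compile(r"(?:^|\.)([0-9a-f]{8})(?=\.)")

# RFC 1918 ranges: a wildcard name pointing inside the LAN is more likely a
# developer's test setup than C2, so it is flagged but triaged lower.
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample resolver log (hypothetical format:
# "<timestamp> <source host> query <qtype> <qname>"); not real telemetry.
SAMPLE_DNS_LOG = """\
2025-09-20T10:01:02Z fw-edge-01 query A updates.vendor.example
2025-09-20T10:01:05Z fw-edge-01 query A 203-0-113-10.sslip.io
2025-09-20T10:02:17Z vpn-gw-02 query A api.203.0.113.25.nip.io
2025-09-20T10:02:30Z vcenter-01 query A sslip.io.corp.example
2025-09-20T10:03:44Z vcenter-01 query A cb00710a.nip.io
2025-09-20T10:04:10Z dev-box-07 query A app-10-0-0-5.nip.io
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+query\s+(?P<qtype>\S+)\s+(?P<qname>\S+)$"
)


def embedded_ip(hostname: str) -> Optional[str]:
    """Return the IPv4 address a sslip.io / nip.io name encodes, else None."""
    host = hostname.lower().rstrip(".")
    suffix = next(
        (s for s in WILDCARD_DNS_SUFFIXES if host == s or host.endswith("." + s)),
        None,
    )
    if suffix is None:
        return None  # ordinary domain, or a look-alike such as sslip.io.corp.example
    m = _DOTTED_OR_DASHED.search(host)
    if m:
        try:
            return str(ipaddress.IPv4Address(".".join(m.groups())))
        except ipaddress.AddressValueError:
            pass  # octet out of range or leading zero: not a valid encoding
    if suffix == "nip.io":
        m = _HEX8.search(host)
        if m:
            return str(ipaddress.IPv4Address(int(m.group(1), 16)))
    return None


def is_internal(ip: str) -> bool:
    """True if the decoded address falls in an RFC 1918 range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _RFC1918)


def find_wildcard_dns_c2(log_text: str) -> List[Dict[str, object]]:
    """Flag every query for a wildcard-DNS name and decode where it points."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip = embedded_ip(m["qname"])
        if ip is None:
            continue
        hits.append({
            "ts": m["ts"],
            "src": m["src"],
            "qname": m["qname"],
            "resolves_to": ip,
            "internal": is_internal(ip),
        })
    return hits


def c2_targets_by_source(hits: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Group decoded addresses by querying host. Appliances such as firewalls
    or vCenter should normally never query these services at all."""
    out: Dict[str, List[str]] = {}
    for h in hits:
        src, ip = str(h["src"]), str(h["resolves_to"])
        if ip not in out.setdefault(src, []):
            out[src].append(ip)
    return out


if __name__ == "__main__":
    for h in find_wildcard_dns_c2(SAMPLE_DNS_LOG):
        kind = "internal" if h["internal"] else "external"
        print(f'{h["ts"]} {h["src"]} -> {h["qname"]} encodes {h["resolves_to"]} ({kind})')
```

Run it as-is to see the three external hits from the firewall, VPN gateway, and vCenter host, plus the internal one from the developer workstation; the decoy `sslip.io.corp.example` is correctly ignored because the suffix check anchors on the label boundary. In production the same logic runs over resolver or firewall DNS logs, and a query from an appliance or hypervisor management host to either service is worth an alert on its own, since those systems have no business resolving developer-convenience DNS names.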