Campaign
UNC5221 BRICKSTORM espionage against U.S. legal and SaaS firms
Updated 05.12.2025 10:14
First seen 24.09.2025 17:33
Last seen 24.09.2025 17:33
Overview
UNC5221's **BRICKSTORM** espionage campaign targets U.S. legal services, SaaS providers, BPOs, and technology companies by planting a stealth backdoor on edge appliances and then moving into virtualization and identity layers.
The activity has been observed since March 2025, with an average dwell time of 393 days, theft of source code and other intellectual property, and prior exploitation of **Ivanti Connect Secure** flaws **CVE-2023-46805** and **CVE-2024-21887**. Google released a **BRICKSTORM** shell script scanner, but the full victim count and the complete downstream impact remain unknown.
UNC5221 is running a BRICKSTORM espionage campaign against U.S. legal services organizations, SaaS providers, BPOs, and technology companies.
Google Threat Intelligence Group and Mandiant say the activity has been observed since March 2025 and is built for long-term, low-noise access on Linux- and BSD-based appliances at the network edge. The operators exploit those appliances and then maintain persistence with BRICKSTORM, which uses SOCKS proxying, delayed-start behavior, unique command-and-control infrastructure per victim, and obfuscation to reduce detection. Because edge appliances often sit outside traditional EDR coverage, the malware can remain hidden while the operators establish durable footholds.
After initial access, the operators have abused valid credentials to pivot into VMware vCenter and ESXi hosts and, in some intrusions, used Microsoft Entra ID enterprise applications with elevated permissions to reach email belonging to developers, administrators, and other strategic accounts. Google also linked the activity to prior exploitation of Ivanti Connect Secure with CVE-2023-46805 and CVE-2024-21887. Google said the average dwell time is 393 days, and that the operators have stolen proprietary source code and other intellectual property that could help identify zero-day vulnerabilities and expose downstream SaaS customers.
Google released a shell script scanner for BRICKSTORM, but available evidence does not show the full victim count, the complete extent of downstream access, or whether every affected environment has been remediated.