Campaign
UNC5221 BRICKSTORM espionage against U.S. legal and SaaS firms
Updated 08.06.2026 13:27
Case score 57
Why this score?
Case score is a discovery signal based on public evidence, not a guaranteed risk rating. Use it to decide what to review first, then verify important details from the linked sources.
- Total
- 57
- Main story score
- 57
- Related evidence lift
- +0 / 20
- Contributing updates
- 0
- Context updates
- 0
Top contributors
- Campaign Core BRICKSTORM espionage campaign with long-dwell access, prior Ivanti exploitation, and confirmed theft of source code and intellectual property. main
Case score 57
Members 1
Latest activity 08.06.2026 13:27
Members 1
First seen 24.09.2025 17:33
Last seen 24.09.2025 17:33
Updated 08.06.2026 13:27
Overview
UNC5221's **BRICKSTORM** espionage campaign targets U.S. legal services, SaaS providers, BPOs, and technology companies by planting a stealth backdoor on edge appliances and then moving into virtualization and identity layers.
The activity has been observed since March 2025, with an average dwell time of 393 days, theft of source code and other intellectual property, and prior exploitation of **Ivanti Connect Secure** flaws **CVE-2023-46805** and **CVE-2024-21887**. Google released a **BRICKSTORM** shell script scanner, but the full victim count and the complete downstream impact remain unknown.
UNC5221 is running a BRICKSTORM espionage campaign against U.S. legal services organizations, SaaS providers, BPOs, and technology companies.
Google Threat Intelligence Group and Mandiant say the activity has been observed since March 2025 and is built for long-term, low-noise access on Linux- and BSD-based appliances at the network edge. The operators exploit those appliances and then maintain persistence with BRICKSTORM, which uses SOCKS proxying, delayed-start behavior, unique command-and-control infrastructure per victim, and obfuscation to reduce detection. Because edge appliances often sit outside traditional EDR coverage, the malware can remain hidden while the operators establish durable footholds.
After initial access, the operators have abused valid credentials to pivot into VMware vCenter and ESXi hosts and, in some intrusions, used Microsoft Entra ID enterprise applications with elevated permissions to reach email belonging to developers, administrators, and other strategic accounts. Google also linked the activity to prior exploitation of Ivanti Connect Secure with CVE-2023-46805 and CVE-2024-21887. Google said the average dwell time is 393 days, and that the operators have stolen proprietary source code and other intellectual property that could help identify zero-day vulnerabilities and expose downstream SaaS customers.
Google released a shell script scanner for BRICKSTORM, but available evidence does not show the full victim count, the complete extent of downstream access, or whether every affected environment has been remediated.
Signals
6 derivedCVEs/products
CVE
CVE
Victims/regions
Victim region
United States
Status
Campaign status
Active
Threat context
Actor
UNC5221
Malware
Malware context
10 families · 1 toolsTools
BRICKSTEAL
Member happenings
1 related
Campaign
UNC5221 BRICKSTORM espionage campaign targeting U.S. legal, SaaS, BPO, and technology firms
Objective
Espionage
Campaign
Active
Campaign
UNC5221 BRICKSTORM espionage campaign targeting U.S. legal, SaaS, BPO, and technology firms
Objective
Espionage
Campaign
Active