Find notable cyber news and cases, enriched with sources, timelines, and signals.
Campaign

UNC5221 BRICKSTORM espionage against U.S. legal and SaaS firms

Updated 08.06.2026 13:27
Case score 57
Case score 57 Members 1 Latest activity 08.06.2026 13:27
Members 1 First seen 24.09.2025 17:33 Last seen 24.09.2025 17:33 Updated 08.06.2026 13:27

Overview

UNC5221's **BRICKSTORM** espionage campaign targets U.S. legal services, SaaS providers, BPOs, and technology companies by planting a stealth backdoor on edge appliances and then moving into virtualization and identity layers. The activity has been observed since March 2025, with an average dwell time of 393 days, theft of source code and other intellectual property, and prior exploitation of **Ivanti Connect Secure** flaws **CVE-2023-46805** and **CVE-2024-21887**. Google released a **BRICKSTORM** shell script scanner, but the full victim count and the complete downstream impact remain unknown.

Signals

6 derived
CVEs/products
CVE CVE
Victims/regions
Victim region United States
Status
Campaign status Active
Threat context
Actor UNC5221 Malware

Malware context

10 families · 1 tools
Tools
BRICKSTEAL

Member happenings

1 related
Campaign UNC5221 BRICKSTORM espionage campaign targeting U.S. legal, SaaS, BPO, and technology firms
Updated 24.09.2025 17:33 Lead Contribution 57
Objective Espionage Campaign Active

**UNC5221** is an active **BRICKSTORM** espionage campaign targeting **U.S. legal services, SaaS providers, BPOs, and technology companies**. Recent reporting says the group used **Brickstorm** and newly described malware **Plenet** and **AgentPSD** to keep access to victim environments, including **Microsoft 365** and appliances such as **Synology NAS**, **pfSense**, and **Egnyte Storage Sync**. Volexity said the actor stayed inside one victim network for **at least 18 months**, also compromised the victim’s **MSP**, and re-entered after remediation using **stolen credentials** and **SSL VPN** access. The campaign remains significant because it combines **long-term persistence**, **credential theft**, and **multi-system lateral movement** to sustain espionage access.