Brickstorm long-dwell espionage activity targeting U.S. technology and legal organizations
Malware Activity
Summary
Brickstorm is a Go-based backdoor used in a China-linked cyber-espionage campaign against U.S. organizations in the technology and legal sectors. CrowdStrike, which tracks the operator as Warp Panda (the cluster Google Threat Intelligence Group reports as UNC5221), says the malware was deployed against VMware vCenter environments at U.S. legal, technology, and manufacturing entities during 2025, and that the activity is geared to persistent, covert access for intelligence collection. On vCenter the backdoor often masquerades as a legitimate appliance process such as updatemgr or vami-http, and the operators also deployed two further tools, Junction and GuestConduit, on ESXi hosts and guest VMs.
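One check that follows directly from the masquerading detail above: on a vCenter appliance, a process named updatemgr or vami-http whose executable carries Go toolchain metadata deserves a second look, because the genuine services are not Go programs (an assumption this example relies on). The Python below is an added example, not Mandiant's scanner or CrowdStrike's tooling; the process table, the executable paths and the binary images are constructed sample data, and the marker strings are what the Go linker leaves in every build.

```python
"""Flag processes that borrow a legitimate vCenter service name but run a Go binary.

Added example, not Mandiant's scanner or CrowdStrike's tooling. It assumes the
genuine updatemgr and vami-http services are not Go executables, so a process
with one of those names whose image carries Go toolchain metadata is suspect.
All process data below is constructed; the executable paths are placeholders.
"""
from dataclasses import dataclass

# Service names the reporting says Brickstorm has masqueraded as.
WATCHED_NAMES = {"updatemgr", "vami-http"}

# Strings a Go toolchain leaves in every linked binary: the buildinfo magic
# (present since Go 1.13) and the text of the .note.go.buildid section.
GO_MARKERS = (b"\xff Go buildinf:", b"Go build ID:")

ELF_MAGIC = b"\x7fELF"


@dataclass(frozen=True)
class Process:
    pid: int
    comm: str     # name as reported in /proc/<pid>/comm
    exe: str      # target of the /proc/<pid>/exe symlink
    image: bytes  # leading bytes of the executable on disk


def is_elf(image: bytes) -> bool:
    return image.startswith(ELF_MAGIC)


def is_go_binary(image: bytes) -> bool:
    return any(marker in image for marker in GO_MARKERS)


def suspicion_reasons(proc: Process) -> list[str]:
    """Return why a watched-name process looks wrong; empty if it looks fine."""
    if proc.comm not in WATCHED_NAMES:
        return []
    reasons = []
    if not is_elf(proc.image):
        reasons.append("image is not an ELF executable")
    if is_go_binary(proc.image):
        reasons.append("Go toolchain metadata in a service that is not written in Go")
    if proc.exe.endswith(" (deleted)"):
        # The kernel appends this suffix when the running binary was unlinked.
        reasons.append("executable unlinked from disk after launch")
    return reasons


def scan(processes) -> dict[int, list[str]]:
    """Map pid -> reasons for every process that trips at least one check."""
    return {p.pid: r for p in processes if (r := suspicion_reasons(p))}


# Constructed images: a plain ELF with no Go metadata, and an ELF that looks
# like a Go build (buildinfo magic followed by a fake version string).
LEGIT_IMAGE = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 64 + b"libc.so.6"
GO_IMAGE = (ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 64
            + b"\xff Go buildinf:" + b"\x08\x02" + b"go1.21.3")

# Constructed process table; paths are placeholders, not the appliance layout.
SAMPLE_PROCESSES = [
    Process(1337, "vami-http", "/opt/vmware/sbin/vami-http", LEGIT_IMAGE),
    Process(4242, "updatemgr", "/tmp/.cache/updatemgr (deleted)", GO_IMAGE),
    Process(777, "sshd", "/usr/sbin/sshd", LEGIT_IMAGE),
    Process(888, "govc", "/usr/local/bin/govc", GO_IMAGE),  # Go, but not a watched name
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_PROCESSES).items():
        print(f"pid {pid}: " + "; ".join(reasons))
```

On a live appliance the same logic runs over `/proc/<pid>/comm`, `readlink /proc/<pid>/exe` and the first megabyte of each executable. It is a triage heuristic, not an identification: confirming Brickstorm itself is what the published YARA rules and scanner are for.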
Related Happenings
MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy
Campaign
First: 06.05.2026 16:02
Last: 06.05.2026 16:02
Sources 1
About this happening:
The **MuddyWater** campaign used **Microsoft Teams** social engineering and a **Chaos ransomware** decoy to gain access, steal credentials, and establish persistence. The operatio...
ABCDoor backdoor activity in Silver Fox attacks
Malware Activity
First: 04.05.2026 14:35
Last: 04.05.2026 14:35
Sources 1
About this happening:
The newly identified **ABCDoor** backdoor is being used in **real-world attacks** by **Silver Fox**, expanding the group's malware set and increasing the risk of covert remote acc...
SHADOW-EARTH-053 China-aligned espionage campaign against Asian government and defense targets
Campaign
First: 01.05.2026 17:02
Last: 01.05.2026 17:02
Sources 1
About this happening:
**SHADOW-EARTH-053** is running an active **China-aligned espionage campaign** against **government and defense** targets across **South, East, and Southeast Asia** and **Poland**...
Fast16 Lua-based network worm
Malware Activity
First: 27.04.2026 16:09
Last: 27.04.2026 16:09
Sources 1
About this happening:
Researchers identified **fast16**, a previously undocumented **Lua-based network worm** that can silently corrupt high-precision calculations and threaten legacy scientific and en...
The Gentlemen affiliate-driven RaaS expansion and enterprise scale-up
Threat Actor Meta
First: 21.04.2026 17:00
Last: 21.04.2026 17:00
Sources 1
About this happening:
**The Gentlemen ransomware gang** is using a **legitimate vulnerable driver** to defeat enterprise defenses, weaponizing **ThrottleStop.sys** as **ThrottleBlood.sys** to kill **AV...
Timeline
24.09.2025 17:00 · 4 articles
Google reports Brickstorm espionage against U.S. organizations
Initial Disclosure
Google Threat Intelligence Group described Brickstorm as a long-dwell espionage backdoor used by suspected Chinese hackers against U.S. organizations in the technology and legal sectors, including SaaS providers and BPOs. The activity was attributed to UNC5221, which favoured appliances that cannot run EDR, such as VMware vCenter and ESXi, for its footholds. Operators are believed to have relied on edge-device zero-days, captured credentials with Bricksteal, exfiltrated email through Microsoft Entra ID Enterprise Apps, and applied anti-forensics to obscure their entry paths. Because EDR telemetry is absent on such appliances, Mandiant also released a free scanner script and YARA rules for Brickstorm, Bricksteal, and Slaystyle so defenders can check the hosts directly for compromise.
Sources
- Google: Brickstorm malware used to steal U.S. orgs' data for over a year — www.bleepingcomputer.com — 24.09.2025 17:00
- Chinese APT Drops 'Brickstorm' Backdoors on Edge Devices — www.darkreading.com — 25.09.2025 22:05
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30