CyberHappenings logo
Home Browse About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Brickstorm Malware Used in Long-Term Espionage Against U.S. Organizations

First reported
Last updated
4 unique sources, 6 articles

Summary

Hide ▲

The UNC5221 activity cluster, attributed to suspected Chinese hackers, has been using the BRICKSTORM malware in long-term espionage operations against U.S. organizations in the technology, legal, SaaS, and BPO sectors. The malware, a Go-based backdoor, has been active for over a year, with an average dwell time of 393 days. It has been used to steal data from various sectors, including SaaS providers and BPOs. The attackers exploit vulnerabilities in edge devices and use anti-forensics techniques to avoid detection. The malware serves multiple functions, including web server, file manipulation, dropper, SOCKS relay, and shell command execution. It targets appliances without EDR support, such as VMware vCenter/ESXi, and uses legitimate traffic to mask its C2 communications. The attackers aim to exfiltrate emails and maintain stealth through various tactics, including removing the malware post-operation to hinder forensic investigations. The attackers use a malicious Java Servlet Filter (BRICKSTEAL) on vCenter to capture credentials, and clone Windows Server VMs to extract secrets. The stolen credentials are used for lateral movement and persistence, including enabling SSH on ESXi and modifying startup scripts. The malware exfiltrates emails via Microsoft Entra ID Enterprise Apps, utilizing its SOCKS proxy to tunnel into internal systems and code repositories. UNC5221 focuses on developers, administrators, and individuals tied to China's economic and security interests. Mandiant has released a free scanner script to help defenders detect BRICKSTORM. The BRICKSTORM backdoor is under active development, with a variant featuring a delay timer for C2 communication. The attackers have exploited Ivanti Connect Secure zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887) for initial access. The attackers have used a custom dropper to install a malicious Java Servlet filter (BRICKSTEAL) in memory, avoiding detection. The attackers have modified init.d, rc.local, or systemd files to ensure persistence on appliances. The attackers have targeted Windows environments in Europe since at least November 2022. The attackers have been linked to other related Chinese threat actors besides UNC5221. The campaign has been monitored by Mandiant since March 2025. The attackers have targeted downstream customers of compromised SaaS providers. The attackers are believed to be analyzing stolen source code to identify zero-day vulnerabilities in enterprise technologies. The attackers use a delay timer to lie dormant on infected systems until a hard-coded date. The malware employs Garble, an open-source tool, for code obfuscation to hide function names, structures, and logic. Brickstorm has been found on VMware vCenter and ESXi hosts, often deployed prior to pivoting to these systems. The attackers use legitimate cloud services like Cloudflare Workers or Heroku for C2 communications. The attackers use dynamic domains like sslip.io or nip.io that point directly to the C2 server’s IP. The attackers favor appliance and management-plane compromise, per-victim obfuscated Go binaries, delayed-start implants, and Web/DoH C2 to preserve stealth. The attackers harvest and use valid high-privilege credentials to appear as routine administrator tasks. The attackers deploy in-memory servlet filters, remove installer artifacts, and embed delayed-start logic to limit forensic traces. The attackers abuse virtualization management capabilities, such as cloning VMs to extract credential stores offline. The attackers deploy an in-memory Java Servlet filter on vCenter to intercept and decode web authentication to harvest high-privilege credentials. The attackers use a SOCKS proxy on compromised appliances to tunnel into internal networks for interactive access and file retrieval. F5 disclosed that unidentified threat actors stole files containing BIG-IP's source code and information related to undisclosed vulnerabilities. The attackers used the BRICKSTORM malware, attributed to a China-nexus espionage group dubbed UNC5221. The attackers were in F5's network for at least 12 months before detection. GreyNoise observed elevated scanning activity targeting BIG-IP in three waves on September 23, October 14, and October 15, 2025. Censys identified over 680,000 F5 BIG-IP load balancers and application gateways visible on the public internet. The attackers used a delay timer to lie dormant on infected systems until a hard-coded date. The malware employs Garble, an open-source tool, for code obfuscation to hide function names, structures, and logic. Brickstorm has been found on VMware vCenter and ESXi hosts, often deployed prior to pivoting to these systems. The attackers use legitimate cloud services like Cloudflare Workers or Heroku for C2 communications. The attackers use dynamic domains like sslip.io or nip.io that point directly to the C2 server’s IP. The attackers favor appliance and management-plane compromise, per-victim obfuscated Go binaries, delayed-start implants, and Web/DoH C2 to preserve stealth. The attackers harvest and use valid high-privilege credentials to appear as routine administrator tasks. The attackers deploy in-memory servlet filters, remove installer artifacts, and embed delayed-start logic to limit forensic traces. The attackers abuse virtualization management capabilities, such as cloning VMs to extract credential stores offline. The attackers deploy an in-memory Java Servlet filter on vCenter to intercept and decode web authentication to harvest high-privilege credentials. The attackers use a SOCKS proxy on compromised appliances to tunnel into internal networks for interactive access and file retrieval.

Timeline

  1. 24.09.2025 17:00 6 articles · 26d ago

    Brickstorm Malware Used in Long-Term Espionage Against U.S. Organizations

    F5 disclosed that unidentified threat actors, attributed to the UNC5221 activity cluster, stole files containing BIG-IP's source code and information related to undisclosed vulnerabilities. The attackers were in F5's network for at least 12 months before detection. GreyNoise observed elevated scanning activity targeting BIG-IP in three waves on September 23, October 14, and October 15, 2025. Censys identified over 680,000 F5 BIG-IP load balancers and application gateways visible on the public internet. The attackers used a delay timer to lie dormant on infected systems until a hard-coded date. The malware employs Garble, an open-source tool, for code obfuscation to hide function names, structures, and logic. Brickstorm has been found on VMware vCenter and ESXi hosts, often deployed prior to pivoting to these systems. The attackers use legitimate cloud services like Cloudflare Workers or Heroku for C2 communications. The attackers use dynamic domains like sslip.io or nip.io that point directly to the C2 server’s IP. The attackers favor appliance and management-plane compromise, per-victim obfuscated Go binaries, delayed-start implants, and Web/DoH C2 to preserve stealth. The attackers harvest and use valid high-privilege credentials to appear as routine administrator tasks. The attackers deploy in-memory servlet filters, remove installer artifacts, and embed delayed-start logic to limit forensic traces. The attackers abuse virtualization management capabilities, such as cloning VMs to extract credential stores offline. The attackers deploy an in-memory Java Servlet filter on vCenter to intercept and decode web authentication to harvest high-privilege credentials. The attackers use a SOCKS proxy on compromised appliances to tunnel into internal networks for interactive access and file retrieval.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

F5 BIG-IP Source Code and Vulnerability Information Stolen in Cyberattack

Over 266,000 F5 BIG-IP instances are exposed online, potentially vulnerable to remote attacks following a breach disclosed by F5. The company has released security updates to address 44 vulnerabilities, including those stolen in the breach. F5 has not found evidence that the stolen information has been used in actual attacks or disclosed publicly. The breach was attributed to a highly sophisticated nation-state threat actor, and F5 has taken extensive actions to contain the threat. F5's BIG-IP is a critical product used in application delivery networking and traffic management by many large enterprises. The company has 23,000 customers in 170 countries, including 48 of the Fortune 50 entities. The breach did not compromise F5's software supply chain or result in suspicious code modifications. The company has validated the safety of BIG-IP releases through multiple independent reviews by leading cybersecurity firms and has advised users to apply the latest updates for BIG-IP and related products. The breach involved a nation-state threat actor gaining persistent, long-term access to F5's product development environment and engineering knowledge management platforms. F5 disclosed the breach on October 15, 2025, confirming that the attack was detected in August 2025. The threat actor exfiltrated files containing BIG-IP source code and information regarding undisclosed vulnerabilities. F5 has not found evidence of access to or exfiltration of data tied to its CRM, financial, support case management, or iHealth systems, nor the NGINX source code or product development environment. F5 has identified no evidence of modification to its software supply chain, including source code, build pipeline, and release pipeline. F5 has worked with multiple incident response firms and law enforcement to mitigate the event and believes it has contained the threat. F5 has rotated credentials, strengthened access controls, deployed improved inventory and patch management automation, integrated better monitoring and detection tools, and implemented enhancements to network security infrastructure. F5 advises customers to apply the latest BIG-IP updates and has shared guidance for hardening customers' systems. On October 15, 2025, CISA directed federal civilian executive branch (FCEB) agencies to inventory F5 BIG-IP products and apply updates where necessary. The US government has urged federal agencies to take immediate action after F5 revealed it had been breached by a nation-state actor. The US Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive demanding that federal agencies evaluate if the networked management interfaces are accessible from the public internet and apply updates from F5. CISA warned that the threat actor's access to the F5 development environment could enable it to conduct static and dynamic analysis to discover logical flaws, zero-day vulnerabilities, and targeted exploits. The Justice Department ordered a delay in public disclosure of the breach on September 12, 2025. F5 has improved internal security including access controls, inventory and patch management, network security, and monitoring of all software development platforms. Tom Kelermann, VP of cyber risk at Hitrust, argued that the F5 breach is likely to be the first stage in a supply chain campaign. Ilia Kolochenko, CEO of ImmuniWeb, agreed that the stolen IP could be used to craft zero-day exploits for subsequent APT campaigns.

Open in new tab

Flax Typhoon APT Group Exploits ArcGIS for Persistent Access

The Flax Typhoon APT group, also tracked as Ethereal Panda and RedJuliett, exploited a legitimate ArcGIS application to establish a persistent backdoor for over a year. The attack involved modifying the ArcGIS server’s Java server object extension (SOE) to function as a web shell, enabling command execution, lateral movement, and data exfiltration. The malicious SOE persisted even after remediation and patching, highlighting the need for proactive threat hunting and treating all public-facing applications as high-risk assets. The group targeted a public-facing ArcGIS server connected to an internal server, compromising a portal administrator account and deploying a malicious SOE. They used a base64-encoded payload and a hardcoded key to execute commands and upload a renamed SoftEther VPN executable for long-term access. The attack targeted IT staff workstations within the scanned subnet, demonstrating the potential for significant operational disruption and data exposure. The attackers used a public-facing ArcGIS server connected to a private, internal ArcGIS server for backend computations, a common default configuration. They sent disguised commands to the portal server, creating a hidden system directory that became Flax Typhoon's private workspace. The attackers ensured the compromised component was included in system backups, turning the organization's own recovery plan into a guaranteed method of reinfection. ReliaQuest worked with the customer organization and Esri to fully evict Flax Typhoon actors from the environment, which included rebuilding the entire server stack and deploying custom detections for the threat activity. ReliaQuest urged organizations to treat all public-facing applications as high-risk assets and recommended security teams audit and harden such applications. The researchers also highlighted the need for behavioral analytics to complement signature-based detection, as Flax Typhoon did not use any malware or known malicious files. Strong credential hygiene was emphasized, noting that a weak administrator password gave the attackers a foothold in the organization's network. ReliaQuest recommended implementing multifactor authentication and practicing the principle of least privilege to enhance security. The ArcGIS geographic information system (GIS) is developed by Esri and supports server object extensions (SOE) that can extend basic functionality. The software is used by municipalities, utilities, and infrastructure operators to manage spatial and geographic data through maps. Researchers at cybersecurity company ReliaQuest have moderate confidence that the threat actor is Flax Typhoon. The attackers used valid administrator credentials to log into a public-facing ArcGIS server linked to a private, internal ArcGIS server. The malicious SOE accepted base64-encoded commands through a REST API parameter (layer) and executed them on the internal ArcGIS server. The exchange was protected by a hardcoded secret key, ensuring only the attackers had access to this backdoor. The attackers downloaded and installed SoftEther VPN Bridge, registering it as a Windows service that started automatically. The VPN established an outbound HTTPS tunnel to the attacker's server at 172.86.113[.]142, linking the victim's internal network to the threat actor's machine. The VPN used normal HTTPS traffic on port 443, blending with legitimate traffic, and remained active even if the SOE was detected and deleted. The attackers scanned the local network, moved laterally, accessed internal hosts, dumped credentials, or exfiltrated data using the VPN connection. The attackers targeted two workstations belonging to the target organization's IT staff, attempting to dump the Security Account Manager (SAM) database, security registry keys, and LSA secrets. Flax Typhoon is known for espionage campaigns to establish long-term, stealthy access through legitimate software. The FBI linked Flax Typhoon to the massive "Raptor Train" botnet, impacting the U.S. The Treasury's Office of Foreign Assets Control (OFAC) sanctioned companies that supported the state-sponsored hackers. Esri confirmed this is the first time an SOE has been used this way and will update their documentation to warn users of the risk of malicious SOEs. The attackers used the JavaSimpleRESTSOE ArcGIS extension to invoke a REST operation to run commands on the internal server via the public portal. The attackers specifically targeted two workstations belonging to IT personnel to obtain credentials and further burrow into the network. The attackers reset the password of the administrative account.

Open in new tab

Stealit Malware Campaign Abuses Node.js SEA Feature

A malware campaign named Stealit is actively distributing Node.js-based payloads via the Single Executable Application (SEA) feature. The malware is propagated through fake installers for games and VPN applications on file-sharing sites. The campaign offers a remote access trojan (RAT) with various capabilities, including file extraction, webcam control, and ransomware deployment. The malware performs anti-analysis checks, writes an authentication key to a temporary file, and configures Microsoft Defender exclusions to avoid detection. It targets Chromium-based browsers, messengers, cryptocurrency wallets, and game-related apps. The campaign is monetized through subscription plans for the malware's services. The threat actor has also relocated the command-and-control (C2) panel to new domains and reverted to using the Electron framework with encrypted scripts.

Open in new tab

Zimbra Collaboration Suite Zero-Day Exploited via iCalendar Files

A zero-day vulnerability in Zimbra Collaboration Suite (ZCS) was exploited using iCalendar files to deliver a JavaScript payload. The flaw, CVE-2025-27915, allowed attackers to execute arbitrary JavaScript within the victim's session. The attacks targeted a Brazilian military organization and were active before the patch was released in January 2025. The payload was designed to steal credentials, emails, contacts, and shared folders from Zimbra Webmail. The threat actor spoofed the Libyan Navy’s Office of Protocol to deliver the exploit. The malicious code used various techniques to evade detection and exfiltrate data. The vulnerability was patched by Zimbra in January 2025, but the exploitation activity was not publicly disclosed until October 2025. The script forwards emails to [email protected] and adds malicious Zimbra email filter rules named "Correo". The script hides certain user interface elements and detonates only if more than three days have passed since the last execution. The payload was broken into multiple functions, each serving a distinct purpose such as credential theft, email theft, and user activity monitoring. The payload was designed to exfiltrate data every four hours to an attacker-controlled server. The payload included a function to manipulate email filter rules within Zimbra, redirecting messages to an external Proton Mail account. The payload targeted highly sensitive authentication data, including details of trusted devices and app-specific passwords.

Open in new tab

Phantom Taurus Targets Government and Telecommunications Organizations

Government and telecommunications organizations in Africa, the Middle East, and Asia have been targeted by a China-aligned nation-state actor known as Phantom Taurus over the past two-and-a-half years. The group focuses on espionage, targeting ministries of foreign affairs, embassies, geopolitical events, and military operations. Phantom Taurus employs custom-developed tools and techniques, including a bespoke malware suite named NET-STAR, to maintain long-term intelligence collection and obtain confidential data from targets of strategic interest to China. The group's activities coincide with major global events and regional security affairs, demonstrating stealth, persistence, and adaptability in their tactics, techniques, and procedures (TTPs). Phantom Taurus has been observed using a .NET malware suite named NET-STAR to breach IIS web servers, which operates almost entirely in memory and includes a fileless backdoor that establishes encrypted command-and-control (C2) sessions. The suite includes a backdoor named IIServerCore that accepts commands and encoded .NET payloads, enabling arbitrary code execution on compromised systems. The suite also includes two AssemblyExecuter loaders (v1 and v2) that allow dynamic loading of additional .NET malware, with v2 featuring advanced evasion techniques such as AMSI and ETW bypass. The group uses custom SQL queries to search for specific tables and keywords on compromised systems, exporting all matching results. Additionally, Phantom Taurus's operational methods are supported by other custom malware, including TunnelSpecter and SweetSpecter, which are used for email exfiltration.

Open in new tab