
Brickstorm malware used in long-term espionage against U.S. organizations

2 unique sources, 2 articles

Summary


Suspected Chinese hackers, attributed to the UNC5221 activity cluster, used the BRICKSTORM backdoor in long-term espionage operations against U.S. organizations in the technology and legal sectors, as well as SaaS providers and business process outsourcers (BPOs). The Go-based backdoor silently siphoned data from victim networks for an average of 393 days.

BRICKSTORM was deployed on appliances that cannot run EDR, such as VMware vCenter and ESXi hosts, and its command-and-control (C2) traffic was made to look like legitimate traffic. The attackers exploited vulnerabilities in edge devices for initial access and ran anti-forensics scripts to obscure their entry path. Valid credentials let them move laterally into the VMware infrastructure, where they established persistence by modifying init.d, rc.local, or systemd files. On vCenter they used BRICKSTEAL, a malicious Java Servlet filter for the Apache Tomcat server, to capture vCenter credentials for privilege escalation, and they cloned Windows Server VMs for key systems such as Domain Controllers, SSO identity providers, and secret vaults.

The primary objective was to exfiltrate email via Microsoft Entra ID Enterprise Apps, with a SOCKS proxy used to tunnel into internal systems and code repositories. The campaign represents a significant threat because of its sophistication, its evasion of advanced enterprise security defenses, and its focus on high-value targets. Mandiant has released a free scanner script to help defenders detect BRICKSTORM.
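The persistence locations named above (init.d scripts, rc.local, systemd units) are where a defender has to look on an appliance that cannot run EDR. The following is an added example, not the page's content and not Mandiant's scanner: a small triage routine that pulls the launch commands out of those files and flags executables that live in temp directories, under hidden paths, or outside the directories a stock appliance uses for its service binaries. The allowlist of expected directories is an assumption to be tuned per appliance build, and the sample file contents are constructed, not taken from a real system.

```python
"""Triage Linux appliance start-up hooks (rc.local, init.d scripts, systemd units)
for launch commands that point at unexpected executables.

Added example for this page; it is not Mandiant's BRICKSTORM scanner, and the
directory allowlist below is an ASSUMPTION to be tuned per appliance build.
"""
import re
import shlex
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple

# ASSUMPTION: directories in which a stock appliance keeps its service binaries.
EXPECTED_EXEC_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                          "/usr/lib/", "/usr/libexec/", "/lib/", "/opt/vmware/")
TEMP_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")
LAUNCH_WRAPPERS = {"nohup", "exec", "setsid", "sudo", "env"}
# Exec*= directives; the [-@:+!] characters are systemd's optional prefix flags.
UNIT_EXEC_RE = re.compile(r"^Exec(?:Start|StartPre|StartPost|Stop|StopPost|Reload)\s*=\s*[-@:+!]*(.+)$")


@dataclass(frozen=True)
class Finding:
    path: str            # file the command was found in
    line_no: int
    executable: str
    reasons: Tuple[str, ...]


def first_executable(command: str) -> Optional[str]:
    """Return the program a shell command line launches, skipping VAR=value
    prefixes and common wrappers; None if the line does not parse as shell."""
    try:
        tokens = shlex.split(command, comments=True)
    except ValueError:
        return None
    for tok in tokens:
        if re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*=.*", tok) or tok in LAUNCH_WRAPPERS:
            continue
        return tok
    return None


def launch_lines(path: str, text: str) -> Iterator[Tuple[int, str]]:
    """Yield (line number, command) for lines that can start a process.
    systemd units: Exec*= directives. Shell hooks: every non-comment line;
    shell keywords are harmless because judge() only looks at absolute paths."""
    is_unit = path.endswith(".service")
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if is_unit:
            m = UNIT_EXEC_RE.match(line)
            if m:
                yield n, m.group(1)
        else:
            yield n, line


def judge(executable: str) -> Tuple[str, ...]:
    """Reasons an executable path looks out of place; empty tuple means fine."""
    if not executable.startswith("/"):
        return ()  # builtins, keywords and relative names are not judged here
    reasons = []
    if executable.startswith(TEMP_PREFIXES):
        reasons.append("launched from a temp/world-writable directory")
    if any(part.startswith(".") for part in executable.split("/")):
        reasons.append("hidden path component")
    if not executable.startswith(EXPECTED_EXEC_PREFIXES):
        reasons.append("outside expected service directories")
    return tuple(reasons)


def triage(files: Dict[str, str]) -> List[Finding]:
    """files maps a path to its content (collected from the appliance);
    returns one Finding per suspicious launch line."""
    findings = []
    for path, text in files.items():
        for n, cmd in launch_lines(path, text):
            exe = first_executable(cmd)
            if exe is None:
                continue
            reasons = judge(exe)
            if reasons:
                findings.append(Finding(path, n, exe, reasons))
    return findings


# Constructed sample content (not real appliance files): benign entries plus planted ones.
SAMPLE_FILES = {
    "/etc/rc.local": "#!/bin/sh -e\n/usr/sbin/vmware-hostd-check start\n"
                     "/var/tmp/.x/updater >/dev/null 2>&1 &\nexit 0\n",
    "/etc/systemd/system/dnsd.service": "[Unit]\nDescription=Data sync\n\n[Service]\n"
                                        "ExecStart=-/opt/.cache/dnsd --port 5353\nRestart=always\n",
    "/etc/systemd/system/vmware-vmon.service": "[Service]\nExecStart=/usr/lib/vmware-vmon/vmon\n",
    "/etc/init.d/netcheck": "#!/bin/sh\ncase \"$1\" in\n  start)\n    nohup /dev/shm/nc-agent &\n    ;;\nesac\n",
}

if __name__ == "__main__":
    for f in triage(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}  {f.executable}  ({'; '.join(f.reasons)})")
```

The routine deliberately judges only absolute paths, so a hook that does `cd /tmp && ./agent` is missed; pair it with a check of file modification times and package ownership of the files themselves, since an attacker who edits an existing unit rather than adding one leaves the path-based rules nothing to catch.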

Timeline

  1. 24.09.2025 17:00 · 2 articles

    Brickstorm malware used in long-term espionage against U.S. organizations

    The BRICKSTORM backdoor is under active development; newer variants add a delay timer before the first C2 connection. In one case the malware was found on an internal VMware vCenter server during incident response, showing that the attackers could maintain persistence while an investigation was under way. They used BRICKSTEAL, a malicious Java Servlet filter for the Apache Tomcat server, to capture vCenter credentials for privilege escalation, cloned Windows Server VMs for key systems, and leveraged valid credentials for lateral movement. The primary goal of the campaign is access to the email of key individuals within the victim entities, including developers, system administrators, and people involved in matters that align with China's economic and espionage interests. The campaign represents a significant threat because of its sophistication, its evasion of advanced enterprise security defenses, and its focus on high-value targets.

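The email access described in this entry ran through Microsoft Entra ID Enterprise Apps, so the tenant-side check is an inventory of service principals holding app-only mailbox permissions, prioritised by how recently a secret or certificate was added to them. The following is an added example, not from the page or from Mandiant: it works on the JSON shapes Microsoft Graph returns for service principals (appRoles, passwordCredentials, keyCredentials) and for their app role assignments, and resolves each assignment's appRoleId against the resource's appRoles list, which is the step people usually miss because the assignment object carries only the role GUID. All ids and objects in the sample data are constructed.

```python
"""Audit Entra ID enterprise apps (service principals) for app-only mailbox
permissions and for freshly added credentials on those apps.

Added example for this page, not from the page or from Mandiant. Input objects
use the field names of Microsoft Graph's servicePrincipal and appRoleAssignment
resources; the sample objects at the bottom are constructed, with made-up ids.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Application permissions (app roles) that let an app read or send mail without a user.
# Mail.* are Microsoft Graph roles; full_access_as_app is the Exchange Online role.
MAIL_APP_ROLES = {"Mail.Read", "Mail.ReadWrite", "Mail.ReadBasic.All", "Mail.Send", "full_access_as_app"}


@dataclass(frozen=True)
class MailAccessFinding:
    principal_id: str
    principal_name: str
    resource_name: str
    role: str
    recent_credentials: int  # secrets/certs whose startDateTime is inside the lookback window


def parse_ts(value: str) -> datetime:
    """Graph timestamps are ISO 8601 with a trailing Z; fromisoformat needs +00:00 before 3.11."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def role_values(resources: List[dict]) -> Dict[Tuple[str, str], str]:
    """Map (resource SP id, appRoleId) -> role value, from each resource SP's appRoles list."""
    return {(sp["id"], r["id"]): r["value"] for sp in resources for r in sp.get("appRoles", [])}


def audit_mail_access(resources: List[dict], principals: List[dict], assignments: List[dict],
                      now: datetime, lookback_days: int = 90) -> List[MailAccessFinding]:
    """resources: SPs of the APIs being granted (e.g. Microsoft Graph), with appRoles.
    principals: the tenant's enterprise-app SPs, with their credential lists.
    assignments: appRoleAssignments where principalId is one of those SPs."""
    roles = role_values(resources)
    resource_name = {sp["id"]: sp.get("displayName", sp["id"]) for sp in resources}
    by_id = {sp["id"]: sp for sp in principals}
    cutoff = now - timedelta(days=lookback_days)
    findings = []
    for a in assignments:
        role = roles.get((a["resourceId"], a["appRoleId"]))
        if role not in MAIL_APP_ROLES:
            continue
        sp = by_id.get(a["principalId"], {})
        creds = sp.get("passwordCredentials", []) + sp.get("keyCredentials", [])
        recent = sum(1 for c in creds if parse_ts(c["startDateTime"]) >= cutoff)
        findings.append(MailAccessFinding(
            principal_id=a["principalId"],
            principal_name=a.get("principalDisplayName", sp.get("displayName", a["principalId"])),
            resource_name=resource_name.get(a["resourceId"], a["resourceId"]),
            role=role,
            recent_credentials=recent,
        ))
    # Apps that gained a credential recently go to the top of the review queue.
    return sorted(findings, key=lambda f: -f.recent_credentials)


# Constructed sample data (made-up ids; real appRole ids and SP ids are GUIDs).
GRAPH_SP_ID = "aaaaaaaa-0000-0000-0000-000000000001"
RESOURCES = [{
    "id": GRAPH_SP_ID, "displayName": "Microsoft Graph",
    "appRoles": [{"id": "role-mail-read", "value": "Mail.Read"},
                 {"id": "role-user-read", "value": "User.Read.All"}],
}]
PRINCIPALS = [
    {"id": "sp-archiver", "displayName": "Mail Archiver",
     "passwordCredentials": [{"keyId": "k1", "startDateTime": "2023-01-15T00:00:00Z"}], "keyCredentials": []},
    {"id": "sp-sync", "displayName": "Sync Helper",
     "passwordCredentials": [{"keyId": "k2", "startDateTime": "2025-09-21T10:00:00Z"}], "keyCredentials": []},
    {"id": "sp-ticket", "displayName": "Ticketing", "passwordCredentials": [], "keyCredentials": []},
]
ASSIGNMENTS = [
    {"principalId": "sp-archiver", "principalDisplayName": "Mail Archiver",
     "resourceId": GRAPH_SP_ID, "appRoleId": "role-mail-read"},
    {"principalId": "sp-sync", "principalDisplayName": "Sync Helper",
     "resourceId": GRAPH_SP_ID, "appRoleId": "role-mail-read"},
    {"principalId": "sp-ticket", "principalDisplayName": "Ticketing",
     "resourceId": GRAPH_SP_ID, "appRoleId": "role-user-read"},
]
NOW = datetime(2025, 9, 24, 17, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for f in audit_mail_access(RESOURCES, PRINCIPALS, ASSIGNMENTS, NOW):
        print(f"{f.principal_name:<14} {f.role:<12} on {f.resource_name}  "
              f"recent credentials: {f.recent_credentials}")
```

Every app in the output is a legitimate finding to review, not just the ones with new credentials: a long-standing mail-reading app whose secret the attacker already has looks identical to the benign case in this data, so the credential-age column should be read alongside sign-in logs for the same service principal.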


Similar Happenings

Obscura ransomware variant discovered in August 2025

On 29 August 2025, Huntress analysts identified a previously unknown ransomware variant named Obscura. The ransomware was executed across multiple hosts within a victim organization, and limited deployment of the Huntress agent hampered the SOC's ability to respond. The ransomware executable was found on the domain controller in the NETLOGON share, which automatically replicated it across the infrastructure. The ransomware is a Go binary that disables recovery options, terminates security and database processes, and encrypts files with ChaCha20. It targets a wide range of security and backup applications, aiming to maximize damage to user data while preserving system functionality. The ransom note, embedded in the binary, demands payment in exchange for decryption tools and the stolen data. Deployment and execution involved creating scheduled tasks and enabling Remote Desktop Protocol access. The attack highlights the importance of monitoring domain controllers and endpoints for unusual activity.

ComicForm and SectorJ149 Deploy Formbook Malware in Phishing Campaigns Targeting Eurasian and South Korean Organizations

A new hacking group, ComicForm, has been targeting organizations in Belarus, Kazakhstan, and Russia with a phishing campaign since at least April 2025. The campaign primarily targets industrial, financial, tourism, biotechnology, research, and trade sectors. The attacks involve sending phishing emails with malicious executables disguised as PDF documents, which deploy Formbook malware. Additionally, a pro-Russian group, SectorJ149, has been targeting South Korean manufacturing, energy, and semiconductor sectors with similar tactics. The phishing emails from ComicForm use subject lines like "Waiting for the signed document" and contain malicious executables that evade detection by creating scheduled tasks and configuring Microsoft Defender exclusions. The malware includes Tumblr links to harmless comic superhero GIFs, which gave the group its name. SectorJ149's attacks in South Korea involve spear-phishing emails targeting executives and employees, leading to the execution of commodity malware families like Lumma Stealer, Formbook, and Remcos RAT. The group's recent activities are believed to have a hacktivist nature, conveying political or ideological messages.

GPT-4-Powered MalTerminal Malware Demonstrates LLM-Embedded Capabilities

Cybersecurity researchers have identified MalTerminal, a malware that leverages OpenAI's GPT-4 to generate ransomware code or reverse shells dynamically. This discovery marks the earliest known example of LLM-embedded malware. MalTerminal was presented at the LABScon 2025 security conference and has not been observed in the wild, suggesting it may be a proof-of-concept or red team tool. The malware includes a deprecated OpenAI API endpoint, indicating it was created before November 2023. Accompanying Python scripts and a defensive tool, FalconShield, were also found. The incorporation of LLMs into malware represents a significant shift in adversary tactics, introducing new challenges for defenders. Additionally, threat actors are using LLMs to bypass email security layers by injecting hidden prompts in phishing emails, exploiting AI-powered security scanners. This technique, combined with LLM Poisoning, allows malicious emails to evade detection and execute attack chains.

Subtle Snail APT Targets Global Telcos and Satellite Operators

Subtle Snail (UNC1549) has conducted a series of cyberattacks against 11 global telecommunications, satellite, and aerospace companies in recent weeks. The attacks, which occurred over a short period, targeted key personnel in these industries using highly customized phishing lures and malware. The primary goals appear to be data theft for research and development and call data records (CDRs) for espionage. The group has been active since at least June 2022, focusing on aerospace, defense, and telecommunications sectors. Their tactics include extensive background research on targets and the use of custom malware, particularly the MiniBike backdoor, which employs modular components to evade detection. The attacks have been observed across the Middle East, Europe, and North America, with victims including major companies serving millions of customers. The group is believed to be affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC). Subtle Snail has expanded its operations to target critical infrastructure organizations in Western Europe, specifically in Denmark, Portugal, and Sweden. The group uses new malware variants, MiniJunk and MiniBrowse, to conduct its attacks. MiniJunk is a highly obfuscated backdoor that provides persistent access to infected systems, while MiniBrowse is a lightweight stealer designed to steal credentials from Chrome and Edge browsers.

TA558 Delivers Venom RAT via AI-Generated Scripts in Hotel Attacks

TA558, a threat actor tracked as RevengeHotels, has been observed deploying Venom RAT in attacks against hotels in Brazil and Spanish-speaking markets. The group uses AI-generated scripts in phishing emails to deliver the malware. The attacks aim to capture credit card data from guests and travelers. The threat actor has been active since at least 2015, targeting hospitality and travel organizations in Latin America. The latest campaigns involve phishing emails written in Portuguese and Spanish, using hotel reservation and job application lures. The malware includes anti-kill mechanisms and persistence techniques to ensure uninterrupted operation.