Find notable cyber news and cases, enriched with sources, timelines, and signals.

UNC5221 BRICKSTORM espionage campaign targeting U.S. legal, SaaS, BPO, and technology firms

Campaign
First reported
Last updated
Happening score
H score 44
4 unique sources, 6 articles

Summary

Hide ▲

UNC5221 is an active BRICKSTORM espionage campaign targeting U.S. legal services, SaaS providers, BPOs, and technology companies. Recent reporting says the group used Brickstorm and newly described malware Plenet and AgentPSD to keep access to victim environments, including Microsoft 365 and appliances such as Synology NAS, pfSense, and Egnyte Storage Sync. Volexity said the actor stayed inside one victim network for at least 18 months, also compromised the victim’s MSP, and re-entered after remediation using stolen credentials and SSL VPN access. The campaign remains significant because it combines long-term persistence, credential theft, and multi-system lateral movement to sustain espionage access.

Cases

Related Happenings

BRICKSTORM, PLENET, and AGENTPSD Linux appliance deployment

Malware Activity
H score40 First: 08.06.2026 13:27 Last: 08.06.2026 13:27 Sources 1

How related: A China-nexus cyber espionage group has been observed deploying a BSD variant of a known backdoor called BRICKSTORM, as well as two other malware families codenamed PLENET (aka GRIMBOLT) and AGENTPSD to target Linux systems.

About this happening: The deployment of **BRICKSTORM**, **PLENET (aka GRIMBOLT)**, and **AGENTPSD** on **Linux appliances** expanded operator access with **backdoor**, **proxying**, **remote command ex...

UNC5221 Brickstorm, Plenet, and AgentPSD access-maintenance malware activity

Malware Activity
H score16 First: 05.06.2026 21:09 Last: 05.06.2026 21:09 Sources 1

How related: A Chinese espionage group tracked as UNC5221 has been accessing Microsoft 365 environments using the Brickstorm backdoor and previously undocumented malware named Plenet and AgentPSD.

About this happening: The **Brickstorm** malware set enabled **UNC5221 / VerdantBamboo** to keep long-term access inside victim infrastructure, including **Microsoft 365**, raising the risk of stealthy...

Calypso telecommunications espionage campaign using Showboat and JFMBackdoor

Campaign
H score36 First: 21.05.2026 17:00 Last: 21.05.2026 17:00 Sources 1

About this happening: A **Calypso / Red Lamassu** espionage campaign is targeting **telecommunications providers** with new **Showboat** and **JFMBackdoor** malware, increasing the risk of long-term co...

Microsoft civil action against Fox Tempest infrastructure takedown

Regulatory/Legal Action
H score24 First: 19.05.2026 18:00 Last: 19.05.2026 18:00 Sources 1

About this happening: Microsoft filed a **civil action** against **Fox Tempest** in the **US District Court for the Southern District of New York**, securing a **court order** that enabled a broad disr...

MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy

Campaign
H score37 First: 06.05.2026 16:02 Last: 06.05.2026 16:02 Sources 1

About this happening: The **MuddyWater** campaign used **Microsoft Teams** social engineering and a **Chaos ransomware** decoy to gain access, steal credentials, and establish persistence. The operatio...

Timeline

  1. 24.09.2025 17:33 7 articles · 9mo ago

    UNC5221 BRICKSTORM espionage campaign against U.S. legal, SaaS, BPO, and technology firms disclosed

    Initial Disclosure

    Mandiant and Google Threat Intelligence Group described an active China-nexus espionage campaign tracked as UNC5221 that uses the BRICKSTORM backdoor to maintain long-term access to victim organizations, especially U.S. legal services, SaaS providers, Business Process Outsourcers, and technology companies. The operation is linked to prior Ivanti Connect Secure exploitation with CVE-2023-46805 and CVE-2024-21887, has been used against Linux and BSD-based appliances, and includes stealthy persistence, SOCKS proxying, WebSockets command-and-control, and credential theft through the BRICKSTEAL Apache Tomcat servlet filter. Google said the group has responded to several intrusions since March 2025, observed an average dwell time of 393 days, and released a shell script scanner to help identify BRICKSTORM activity on affected systems.

    Show sources