UNC5221 BRICKSTORM espionage campaign targeting U.S. legal, SaaS, BPO, and technology firms
Campaign
Summary
UNC5221 is running a BRICKSTORM espionage campaign that has been active since March 2025 and has maintained access in victim networks for an average of 393 days. Google Threat Intelligence Group and Mandiant said the operation targets U.S. legal services, SaaS providers, BPOs, and technology companies. It gains its initial foothold on edge appliances, which often lack EDR coverage, before pivoting to VMware vCenter and ESXi hosts. The actors also abused Microsoft Entra ID enterprise applications to access email, and used per-victim C2 infrastructure, delayed-start logic, and obfuscation to stay hidden while stealing source code and other intellectual property that could help them discover zero-day vulnerabilities affecting downstream victims.
Related Happenings
MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy
Campaign
First: 06.05.2026 16:02
Last: 06.05.2026 16:02
Sources 1
About this happening:
The **MuddyWater** campaign used **Microsoft Teams** social engineering and a **Chaos ransomware** decoy to gain access, steal credentials, and establish persistence. The operatio...
Code of conduct-themed Microsoft AiTM phishing campaign
Campaign
First: 05.05.2026 09:35
Last: 05.05.2026 09:35
Sources 1
About this happening:
A **large-scale phishing campaign** used code of conduct-themed lures and **legitimate email services** to push victims to attacker-controlled domains and steal **authentication t...
SHADOW-EARTH-053 China-aligned espionage campaign against Asian government and defense targets
Campaign
First: 01.05.2026 17:02
Last: 01.05.2026 17:02
Sources 1
About this happening:
**SHADOW-EARTH-053** is running an active **China-aligned espionage campaign** against **government and defense** targets across **South, East, and Southeast Asia** and **Poland**...
Mustang Panda spear-phishing campaign targeting Indian banks and US-Korea policy circles
Campaign
First: 21.04.2026 15:00
Last: 21.04.2026 15:00
Sources 1
About this happening:
**Mustang Panda** launched a newly identified **spear-phishing campaign** that is aimed largely at **financial organizations in India** and also reaches **US-Korea public policy c...
UNC6783 BPO compromise campaign targeting downstream companies
Campaign
First: 09.04.2026 00:46
Last: 09.04.2026 00:46
Sources 1
About this happening:
**UNC6783** is an active **BPO compromise campaign** targeting **business process outsourcers** and large enterprises to reach downstream environments for **extortion**. The opera...
Timeline
- 24.09.2025 17:33 · 5 articles
UNC5221 BRICKSTORM espionage campaign against U.S. legal, SaaS, BPO, and technology firms disclosed
Initial Disclosure: Mandiant and Google Threat Intelligence Group described an active China-nexus espionage campaign tracked as UNC5221 that uses the BRICKSTORM backdoor to maintain long-term access to victim organizations, especially U.S. legal services, SaaS providers, Business Process Outsourcers, and technology companies. The operation is linked to prior Ivanti Connect Secure exploitation via CVE-2023-46805 and CVE-2024-21887, has been used against Linux and BSD-based appliances, and includes stealthy persistence, SOCKS proxying, WebSockets command-and-control, and credential theft through the BRICKSTEAL Apache Tomcat servlet filter. Google said it has responded to several of these intrusions since March 2025, observed an average dwell time of 393 days, and released a shell script scanner to help identify BRICKSTORM activity on affected systems.
- UNC5221 Uses BRICKSTORM Backdoor to Infiltrate U.S. Legal and Technology Sectors — thehackernews.com — 24.09.2025 17:33
- Chinese Spies Lurked in Networks for 393 Days, Hunted for Zero-Day Intel — www.securityweek.com — 25.09.2025 14:35
- Chinese APT Drops 'Brickstorm' Backdoors on Edge Devices — www.darkreading.com — 25.09.2025 22:05
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14