UNC5221 BRICKSTORM espionage campaign targeting U.S. legal, SaaS, BPO, and technology firms
Campaign
Summary
Hide ▲
Show ▼
UNC5221 is an active BRICKSTORM espionage campaign targeting U.S. legal services, SaaS providers, BPOs, and technology companies. Recent reporting says the group used Brickstorm and newly described malware Plenet and AgentPSD to keep access to victim environments, including Microsoft 365 and appliances such as Synology NAS, pfSense, and Egnyte Storage Sync. Volexity said the actor stayed inside one victim network for at least 18 months, also compromised the victim’s MSP, and re-entered after remediation using stolen credentials and SSL VPN access. The campaign remains significant because it combines long-term persistence, credential theft, and multi-system lateral movement to sustain espionage access.
Cases
Related Happenings
BRICKSTORM, PLENET, and AGENTPSD Linux appliance deployment
Malware Activity
H score40
First: 08.06.2026 13:27
Last: 08.06.2026 13:27
Sources 1
How related:
A China-nexus cyber espionage group has been observed deploying a BSD variant of a known backdoor called BRICKSTORM, as well as two other malware families codenamed PLENET (aka GRIMBOLT) and AGENTPSD to target Linux systems.
About this happening:
The deployment of **BRICKSTORM**, **PLENET (aka GRIMBOLT)**, and **AGENTPSD** on **Linux appliances** expanded operator access with **backdoor**, **proxying**, **remote command ex...
BRICKSTORM, PLENET, and AGENTPSD Linux appliance deployment
Malware ActivityHow related: A China-nexus cyber espionage group has been observed deploying a BSD variant of a known backdoor called BRICKSTORM, as well as two other malware families codenamed PLENET (aka GRIMBOLT) and AGENTPSD to target Linux systems.
About this happening: The deployment of **BRICKSTORM**, **PLENET (aka GRIMBOLT)**, and **AGENTPSD** on **Linux appliances** expanded operator access with **backdoor**, **proxying**, **remote command ex...
UNC5221 Brickstorm, Plenet, and AgentPSD access-maintenance malware activity
Malware Activity
H score16
First: 05.06.2026 21:09
Last: 05.06.2026 21:09
Sources 1
How related:
A Chinese espionage group tracked as UNC5221 has been accessing Microsoft 365 environments using the Brickstorm backdoor and previously undocumented malware named Plenet and AgentPSD.
About this happening:
The **Brickstorm** malware set enabled **UNC5221 / VerdantBamboo** to keep long-term access inside victim infrastructure, including **Microsoft 365**, raising the risk of stealthy...
UNC5221 Brickstorm, Plenet, and AgentPSD access-maintenance malware activity
Malware ActivityHow related: A Chinese espionage group tracked as UNC5221 has been accessing Microsoft 365 environments using the Brickstorm backdoor and previously undocumented malware named Plenet and AgentPSD.
About this happening: The **Brickstorm** malware set enabled **UNC5221 / VerdantBamboo** to keep long-term access inside victim infrastructure, including **Microsoft 365**, raising the risk of stealthy...
Calypso telecommunications espionage campaign using Showboat and JFMBackdoor
Campaign
H score36
First: 21.05.2026 17:00
Last: 21.05.2026 17:00
Sources 1
About this happening:
A **Calypso / Red Lamassu** espionage campaign is targeting **telecommunications providers** with new **Showboat** and **JFMBackdoor** malware, increasing the risk of long-term co...
Calypso telecommunications espionage campaign using Showboat and JFMBackdoor
CampaignAbout this happening: A **Calypso / Red Lamassu** espionage campaign is targeting **telecommunications providers** with new **Showboat** and **JFMBackdoor** malware, increasing the risk of long-term co...
Microsoft civil action against Fox Tempest infrastructure takedown
Regulatory/Legal Action
H score24
First: 19.05.2026 18:00
Last: 19.05.2026 18:00
Sources 1
About this happening:
Microsoft filed a **civil action** against **Fox Tempest** in the **US District Court for the Southern District of New York**, securing a **court order** that enabled a broad disr...
Microsoft civil action against Fox Tempest infrastructure takedown
Regulatory/Legal ActionAbout this happening: Microsoft filed a **civil action** against **Fox Tempest** in the **US District Court for the Southern District of New York**, securing a **court order** that enabled a broad disr...
MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy
Campaign
H score37
First: 06.05.2026 16:02
Last: 06.05.2026 16:02
Sources 1
About this happening:
The **MuddyWater** campaign used **Microsoft Teams** social engineering and a **Chaos ransomware** decoy to gain access, steal credentials, and establish persistence. The operatio...
MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy
CampaignAbout this happening: The **MuddyWater** campaign used **Microsoft Teams** social engineering and a **Chaos ransomware** decoy to gain access, steal credentials, and establish persistence. The operatio...
Timeline
-
24.09.2025 17:33 7 articles · 9mo ago
UNC5221 BRICKSTORM espionage campaign against U.S. legal, SaaS, BPO, and technology firms disclosed
Initial DisclosureMandiant and Google Threat Intelligence Group described an active China-nexus espionage campaign tracked as UNC5221 that uses the BRICKSTORM backdoor to maintain long-term access to victim organizations, especially U.S. legal services, SaaS providers, Business Process Outsourcers, and technology companies. The operation is linked to prior Ivanti Connect Secure exploitation with CVE-2023-46805 and CVE-2024-21887, has been used against Linux and BSD-based appliances, and includes stealthy persistence, SOCKS proxying, WebSockets command-and-control, and credential theft through the BRICKSTEAL Apache Tomcat servlet filter. Google said the group has responded to several intrusions since March 2025, observed an average dwell time of 393 days, and released a shell script scanner to help identify BRICKSTORM activity on affected systems.
Show sources
- UNC5221 Uses BRICKSTORM Backdoor to Infiltrate U.S. Legal and Technology Sectors — thehackernews.com — 24.09.2025 17:33
- UNC5221 Uses BRICKSTORM Backdoor to Infiltrate U.S. Legal and Technology Sectors — thehackernews.com — 24.09.2025 17:33
- Chinese Spies Lurked in Networks for 393 Days, Hunted for Zero-Day Intel — www.securityweek.com — 25.09.2025 14:35
- Chinese APT Drops 'Brickstorm' Backdoors on Edge Devices — www.darkreading.com — 25.09.2025 22:05
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- Chinese APT deploys new malware to keep access to hacked networks — www.bleepingcomputer.com — 05.06.2026 21:09
- VerdantBamboo Deploys BSD Variant of BRICKSTORM on Linux Appliances — thehackernews.com — 08.06.2026 13:27