
BRICKSTORM backdoor activity and GRIMBOLT replacement on appliances

Malware Activity
Happening score 44
2 unique sources, 4 articles

Summary


BRICKSTORM is a Golang backdoor used by PRC state-sponsored actors to keep long-term persistence on VMware vSphere, Windows, and appliance environments. CISA said the malware supports interactive shell access, file manipulation, HTTPS/WebSockets/TLS/DoH C2, and SOCKS proxy activity, and recent reporting ties it to UNC5221 and Warp Panda in intrusions against U.S. government, legal, SaaS, BPO, technology, and manufacturing targets. The activity has also been associated with access to VMware vCenter and ESXi systems, reflecting a focus on stealthy, durable compromise.

Related Happenings

Tycoon2FA device-code phishing campaign targeting Microsoft 365

Campaign
First: 17.05.2026 17:43 Last: 17.05.2026 17:43 Sources 1

About this happening: The **Tycoon2FA** phishing operation added **device-code phishing** to hijack **Microsoft 365** accounts, expanding its ability to steal access tokens and reach email, calendar, a...

MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy

Campaign
First: 06.05.2026 16:02 Last: 06.05.2026 16:02 Sources 1

About this happening: The **MuddyWater** campaign used **Microsoft Teams** social engineering and a **Chaos ransomware** decoy to gain access, steal credentials, and establish persistence. The operatio...

SilentGlass launch as a monitor-connection protection security device

Security Tool/Service
First: 22.04.2026 18:00 Last: 22.04.2026 18:00 Sources 1

About this happening: The **UK National Cyber Security Centre** has released **SilentGlass**, a plug-and-play device that blocks unexpected or malicious signals between **HDMI** or **display port** con...

Payouts King ransomware QEMU reverse SSH backdoor activity

Malware Activity
First: 17.04.2026 22:10 Last: 17.04.2026 22:10 Sources 1

About this happening: **Payouts King ransomware** is using **QEMU** hidden virtual machines and a **reverse SSH backdoor** to keep covert access on compromised hosts and evade endpoint security. The ma...

Dragon Boss Solutions LLC adware malicious update

Malware Activity
First: 16.04.2026 22:07 Last: 16.04.2026 22:07 Sources 1

About this happening: A **March 22, 2025** malicious update turned **Dragon Boss Solutions LLC** adware into an **AV-disabling** payload, exposing nearly **24,000 systems** to follow-on abuse. The upda...

Timeline

  1. 18.02.2026 12:32 4 articles · 3mo ago

    UNC6201 replaces BRICKSTORM with GRIMBOLT

    Technical Analysis Update

    UNC6201 activity on compromised appliances included replacing older BRICKSTORM binaries with GRIMBOLT in September 2025. The newer backdoor kept remote shell capability and the same command-and-control channel as BRICKSTORM while using native AOT-compiled C# code and native-file blending to better evade detection and reduce forensic traces on hosts that often lack EDR coverage. The activity was assessed to target organizations across North America.

  2. 25.09.2025 14:35 1 article · 8mo ago

    UNC5221-linked BRICKSTORM campaign targets legal, SaaS, technology, and BPO victims

    Campaign Scope Update

    Google Threat Intelligence Group and Mandiant reported that the UNC5221-linked BRICKSTORM campaign had maintained access inside affected legal services, SaaS, technology, and business process outsourcing organizations for an average of 393 days since March 2025, with at least one intrusion likely beginning through an Ivanti product zero-day and later moving to VMware vCenter and ESXi hosts using valid credentials.
