Find notable cyber news and cases, enriched with sources, timelines, and signals.

BRICKSTORM backdoor activity and GRIMBOLT replacement on appliances

Malware Activity
First reported
Last updated
Happening score
H score 29
2 unique sources, 4 articles

Summary

Hide ▲

BRICKSTORM is a Golang backdoor used by PRC state-sponsored actors to keep long-term persistence on VMware vSphere, Windows, and appliance environments. CISA said the malware supports interactive shell access, file manipulation, HTTPS/WebSockets/TLS/DoH C2, and SOCKS proxy activity, and recent reporting ties it to UNC5221 and Warp Panda in intrusions against U.S. government, legal, SaaS, BPO, technology, and manufacturing targets. The activity has also been associated with access to VMware vCenter and ESXi systems, reflecting a focus on stealthy, durable compromise.

Related Happenings

Lantronix EDS5000 Series devices code-injection flaw (CVE-2025-67038)

Vulnerability
H score43 First: 24.06.2026 20:19 Last: 24.06.2026 20:19 Sources 1

About this happening: **CVE-2025-67038** in **Lantronix EDS5000 Series devices** is now under **active exploitation**, creating a **root-level command execution** risk for affected systems. **CISA** to...

SimpleHelp remote management software privileged technician account creation security flaw (CVE-2026-48558)

Vulnerability
H score46 First: 15.06.2026 23:06 Last: 15.06.2026 23:06 Sources 1

About this happening: **CVE-2026-48558** is a **critical authentication bypass** in **SimpleHelp RMM** that affects **OIDC authentication** and can let an unauthenticated attacker forge a token and obt...

Tycoon2FA device-code phishing campaign targeting Microsoft 365

Campaign
H score46 First: 17.05.2026 17:43 Last: 17.05.2026 17:43 Sources 1

About this happening: The **Tycoon2FA** phishing operation added **device-code phishing** to hijack **Microsoft 365** accounts, expanding its ability to steal access tokens and reach email, calendar, a...

MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy

Campaign
H score37 First: 06.05.2026 16:02 Last: 06.05.2026 16:02 Sources 1

About this happening: The **MuddyWater** campaign used **Microsoft Teams** social engineering and a **Chaos ransomware** decoy to gain access, steal credentials, and establish persistence. The operatio...

SilentGlass launch as a monitor-connection protection security device

Security Tool/Service
H score46 First: 22.04.2026 18:00 Last: 22.04.2026 18:00 Sources 1

About this happening: The **UK National Cyber Security Centre** has released **SilentGlass**, a plug-and-play device that blocks unexpected or malicious signals between **HDMI** or **display port** con...

Timeline

  1. 18.02.2026 12:32 4 articles · 4mo ago

    UNC6201 replaces BRICKSTORM with GRIMBOLT

    Technical Analysis Update

    UNC6201 activity on compromised appliances included replacing older BRICKSTORM binaries with GRIMBOLT in September 2025. The newer backdoor kept remote shell capability and the same command-and-control channel as BRICKSTORM while using native AOT-compiled C# code and native-file blending to better evade detection and reduce forensic traces on hosts that often lack EDR coverage. The activity was assessed to target organizations across North America.

    Show sources
  2. 25.09.2025 14:35 1 articles · 9mo ago

    UNC5221-linked BRICKSTORM campaign targets legal, SaaS, technology, and BPO victims

    Campaign Scope Update

    Google Threat Intelligence Group and Mandiant reported that the UNC5221-linked BRICKSTORM campaign had maintained access inside affected legal services, SaaS, technology, and business process outsourcing organizations for an average of 393 days since March 2025, with at least one intrusion likely beginning through an Ivanti product zero-day and later moving to VMware vCenter and ESXi hosts using valid credentials.

    Show sources