BRICKSTORM backdoor activity and GRIMBOLT replacement on appliances
Malware Activity
Summary
Hide ▲
Show ▼
BRICKSTORM is a Golang backdoor used by PRC state-sponsored actors to keep long-term persistence on VMware vSphere, Windows, and appliance environments. CISA said the malware supports interactive shell access, file manipulation, HTTPS/WebSockets/TLS/DoH C2, and SOCKS proxy activity, and recent reporting ties it to UNC5221 and Warp Panda in intrusions against U.S. government, legal, SaaS, BPO, technology, and manufacturing targets. The activity has also been associated with access to VMware vCenter and ESXi systems, reflecting a focus on stealthy, durable compromise.
Related Happenings
Lantronix EDS5000 Series devices code-injection flaw (CVE-2025-67038)
Vulnerability
H score43
First: 24.06.2026 20:19
Last: 24.06.2026 20:19
Sources 1
About this happening:
**CVE-2025-67038** in **Lantronix EDS5000 Series devices** is now under **active exploitation**, creating a **root-level command execution** risk for affected systems. **CISA** to...
Lantronix EDS5000 Series devices code-injection flaw (CVE-2025-67038)
VulnerabilityAbout this happening: **CVE-2025-67038** in **Lantronix EDS5000 Series devices** is now under **active exploitation**, creating a **root-level command execution** risk for affected systems. **CISA** to...
SimpleHelp remote management software privileged technician account creation security flaw (CVE-2026-48558)
Vulnerability
H score46
First: 15.06.2026 23:06
Last: 15.06.2026 23:06
Sources 1
About this happening:
**CVE-2026-48558** is a **critical authentication bypass** in **SimpleHelp RMM** that affects **OIDC authentication** and can let an unauthenticated attacker forge a token and obt...
SimpleHelp remote management software privileged technician account creation security flaw (CVE-2026-48558)
VulnerabilityAbout this happening: **CVE-2026-48558** is a **critical authentication bypass** in **SimpleHelp RMM** that affects **OIDC authentication** and can let an unauthenticated attacker forge a token and obt...
Tycoon2FA device-code phishing campaign targeting Microsoft 365
Campaign
H score46
First: 17.05.2026 17:43
Last: 17.05.2026 17:43
Sources 1
About this happening:
The **Tycoon2FA** phishing operation added **device-code phishing** to hijack **Microsoft 365** accounts, expanding its ability to steal access tokens and reach email, calendar, a...
Tycoon2FA device-code phishing campaign targeting Microsoft 365
CampaignAbout this happening: The **Tycoon2FA** phishing operation added **device-code phishing** to hijack **Microsoft 365** accounts, expanding its ability to steal access tokens and reach email, calendar, a...
MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy
Campaign
H score37
First: 06.05.2026 16:02
Last: 06.05.2026 16:02
Sources 1
About this happening:
The **MuddyWater** campaign used **Microsoft Teams** social engineering and a **Chaos ransomware** decoy to gain access, steal credentials, and establish persistence. The operatio...
MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy
CampaignAbout this happening: The **MuddyWater** campaign used **Microsoft Teams** social engineering and a **Chaos ransomware** decoy to gain access, steal credentials, and establish persistence. The operatio...
SilentGlass launch as a monitor-connection protection security device
Security Tool/Service
H score46
First: 22.04.2026 18:00
Last: 22.04.2026 18:00
Sources 1
About this happening:
The **UK National Cyber Security Centre** has released **SilentGlass**, a plug-and-play device that blocks unexpected or malicious signals between **HDMI** or **display port** con...
SilentGlass launch as a monitor-connection protection security device
Security Tool/ServiceAbout this happening: The **UK National Cyber Security Centre** has released **SilentGlass**, a plug-and-play device that blocks unexpected or malicious signals between **HDMI** or **display port** con...
Timeline
-
18.02.2026 12:32 4 articles · 4mo ago
UNC6201 replaces BRICKSTORM with GRIMBOLT
Technical Analysis UpdateUNC6201 activity on compromised appliances included replacing older BRICKSTORM binaries with GRIMBOLT in September 2025. The newer backdoor kept remote shell capability and the same command-and-control channel as BRICKSTORM while using native AOT-compiled C# code and native-file blending to better evade detection and reduce forensic traces on hosts that often lack EDR coverage. The activity was assessed to target organizations across North America.
Show sources
- Dell RecoverPoint for VMs Zero-Day CVE-2026-22769 Exploited Since Mid-2024 — thehackernews.com — 18.02.2026 12:32
- Dell RecoverPoint for VMs Zero-Day CVE-2026-22769 Exploited Since Mid-2024 — thehackernews.com — 18.02.2026 12:32
- UNC5221 Uses BRICKSTORM Backdoor to Infiltrate U.S. Legal and Technology Sectors — thehackernews.com — 24.09.2025 17:33
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
-
25.09.2025 14:35 1 articles · 9mo ago
UNC5221-linked BRICKSTORM campaign targets legal, SaaS, technology, and BPO victims
Campaign Scope UpdateGoogle Threat Intelligence Group and Mandiant reported that the UNC5221-linked BRICKSTORM campaign had maintained access inside affected legal services, SaaS, technology, and business process outsourcing organizations for an average of 393 days since March 2025, with at least one intrusion likely beginning through an Ivanti product zero-day and later moving to VMware vCenter and ESXi hosts using valid credentials.
Show sources
- Chinese Spies Lurked in Networks for 393 Days, Hunted for Zero-Day Intel — www.securityweek.com — 25.09.2025 14:35