BRICKSTORM Espionage Campaign

Blog

Byadmblake October 3, 2025

What is the Attack? BRICKSTORM is a stealthy, Go-based backdoor deployed by the China-nexus actor UNC5221, enabling long-term persistence and espionage via compromised network appliances in US organizations. Since March 2025, GTIG (Google Threat Intelligence Group) and Mandiant have tracked BRICKSTORM activity impacting legal services, SaaS, BPO, and technology firms. The campaign suggests objectives beyond…

What is the Attack?

BRICKSTORM is a stealthy, Go-based backdoor deployed by the China-nexus actor UNC5221, enabling long-term persistence and espionage via compromised network appliances in US organizations.

Since March 2025, GTIG (Google Threat Intelligence Group) and Mandiant have tracked BRICKSTORM activity impacting legal services, SaaS, BPO, and technology firms. The campaign suggests objectives beyond espionage — including theft of intellectual property, support for zero-day development, and establishing supply-chain pivot points.

BRICKSTORM capabilities include:

Stealthy persistence by embedding in startup scripts.
Proxying internal/external traffic via SOCKS relay.
Credential theft.
Exfiltration of sensitive data and mailbox access.
Anti-forensics to evade detection.

What is the recommended Mitigation?

Patch & Harden Appliances: Apply vendor updates and restrict outbound connectivity from management interfaces.
Network Monitoring: Watch for unusual DNS-over-HTTPS (DoH) activity or outbound traffic from appliances.
Threat Hunting: Use YARA rules and forensic scans on appliances/backups to detect BRICKSTORM.
Access Controls: Enforce MFA for vCenter and monitor VM cloning activity.
Incident Response: Treat compromised appliances as untrusted and rebuild with verified images.

What FortiGuard Coverage is available?

Antimalware Service: FortiGuard Labs has released AV detections for known BRICKSTORM binaries, webshells, and YARA rules.
Indicators of Compromise (IOCs) and Web Filtering Service:

Implemented protections against malicious traffic and C2 infrastructure observed in this campaign.
Sandbox Service: Delivers protection against known malware and uses advanced behavioral analysis to detect and block unknown threats.
Organizations suspecting a compromise can contact the FortiGuard Incident Response team for rapid investigation and remediation support.

Blog

⚡ Weekly Recap: WhatsApp Worm, Critical CVEs, Oracle 0-Day, Ransomware Cartel & More

Every week, the cyber world reminds us that silence doesn’t mean safety. Attacks often begin quietly — one unpatched flaw, one overlooked credential, one backup left unencrypted. By the time alarms sound, the damage is done. This week’s edition looks at how attackers are changing the game — linking different flaws, working together across borders,…

Read More ⚡ Weekly Recap: WhatsApp Worm, Critical CVEs, Oracle 0-Day, Ransomware Cartel & More
Blog

CISA Adds Five Actively Exploited Vulnerabilities in Advantive VeraCore and Ivanti EPM to KEV List

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added five security flaws impacting Advantive VeraCore and Ivanti Endpoint Manager (EPM) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation in the wild. The list of vulnerabilities is as follows – CVE-2024-57968 – An unrestricted file upload vulnerability in Advantive…

Read More CISA Adds Five Actively Exploited Vulnerabilities in Advantive VeraCore and Ivanti EPM to KEV List
Blog

Lumma Stealer Takedown Reveals Sprawling Operation

The FBI and partners have disrupted “the world’s most popular malware,” a sleek enterprise with thousands of moving parts, responsible for millions of cyberattacks in every part of the world.

Read More Lumma Stealer Takedown Reveals Sprawling Operation
Blog

New Reports Uncover Jailbreaks, Unsafe Code, and Data Theft Risks in Leading AI Systems

Various generative artificial intelligence (GenAI) services have been found vulnerable to two types of jailbreak attacks that make it possible to produce illicit or dangerous content. The first of the two techniques, codenamed Inception, instructs an AI tool to imagine a fictitious scenario, which can then be adapted into a second scenario within the first…

Read More New Reports Uncover Jailbreaks, Unsafe Code, and Data Theft Risks in Leading AI Systems
Blog

Critical Site Takeover Flaw Affects 400K WordPress Sites

Attackers are already targeting a vulnerability in the Post SMTP plugin that allows them to fully compromise an account and website for nefarious purposes.

Read More Critical Site Takeover Flaw Affects 400K WordPress Sites
Blog

Data Leak Outs Students of Iran’s MOIS Training Academy

A school for the Iranian state hackers of tomorrow has itself, ironically, been hacked.

Read More Data Leak Outs Students of Iran’s MOIS Training Academy

Related