Brickstorm: Long-term Go-based Backdoor Targets US Orgs
🔒 Google researchers report suspected China-linked operators used a Go-based backdoor named Brickstorm to persistently exfiltrate data from U.S. technology, legal, SaaS and BPO organizations, with an average dwell time of 393 days. Brickstorm operated as a web server, file dropper, SOCKS relay and remote command executor while masquerading traffic as legitimate cloud services and targeting edge appliances that often lack EDR. GTIG attributes the activity to UNC5221, a cluster linked to Ivanti zero-day exploitation and custom tools like Spawnant and Zipline. Mandiant published a scanner with YARA rules but cautioned it may not detect all variants or persistence mechanisms.
