<ciso brief/>
Tag Banner

All news with #unc5221 tag

all tags →

Thu, September 25, 2025

Chinese Group Uses BRICKSTORM Backdoor Against US Firms

#Backdoor Found #VMware #Zero-Day #Active Exploitation #Google #Azure Entra ID #BRICKSTORM #UNC5221

⚠️ Google Threat Intelligence Group says a Chinese-aligned cluster has used the BRICKSTORM backdoor in intrusion campaigns since at least March 2025 against US legal and technology firms, SaaS providers and outsourcing companies. Attackers focused on harvesting emails and files from key individuals and establishing long-term footholds. The group, tracked as UNC5221, exploited zero-days, deployed BRICKSTORM on VMware appliances, and used credential theft and persistence mechanisms to evade detection. Google and partners have published detection guidance and a Mandiant scanner script to help identify infections.

read more →

Thu, September 25, 2025

Chinese Backdoor Grants Year-Long Access to US Firms

#Backdoor Found #BRICKSTORM #UNC5221 #Google #VMware #Microsoft #Data Exfil via Tools #Secrets Exposure

🔐 Chinese state-linked actors deployed a custom Linux/BSD backdoor called BRICKSTORM on network edge appliances to maintain persistent access into U.S. legal, technology, SaaS and outsourcing firms. These implants averaged 393 days of undetected dwell time and were used to pivot to VMware vCenter/ESXi hosts, Windows systems, and Microsoft 365 mailboxes. Mandiant and Google TAG attribute the activity to UNC5221 and have released a scanner and hunting guidance to locate affected appliances.

read more →

Wed, September 24, 2025

Google: Brickstorm malware stole data from U.S. orgs

#Backdoor #Brickstorm #Microsoft Entra ID #Data Exfil via Tools #UNC5221 #Google

🔒 Google researchers warn that the Go-based Brickstorm backdoor was used in prolonged espionage against U.S. technology, legal, SaaS, and BPO organizations, averaging a 393-day dwell time. Suspected activity from the UNC5221 cluster involved deploying the malware on appliances lacking EDR protection such as VMware vCenter/ESXi, where it acted as a web server, SOCKS proxy, file dropper, and remote shell. Operators used techniques like a malicious Java Servlet Filter (Bricksteal), VM cloning, and startup-script modifications to capture credentials and move laterally, then tunneled to exfiltrate emails via Microsoft Entra ID Enterprise Apps. Mandiant published a scanner and YARA rules to aid detection but cautions it may not catch all variants or persistence.

read more →