BRICKSTORM new Windows variant expands targeting of legal and technology sectors

Threat Group – China-nexus UNC5221
Threat Type – Espionage backdoor and post-exploitation toolkit
Exploited Vulnerabilities – Ivanti Connect Secure auth-bypass and command injection (CVE-2023-46805, CVE-2024-21887), Ivanti Connect Secure RCE buffer overflow (CVE-2025-22457), weak edge-appliance hardening, exposed management interfaces, valid-credential reuse
Malware Used – BRICKSTORM backdoor with file-manager UI and network tunnelling; associated tooling and web shells reported in prior phases include WIREFIRE, BRICKSTEAL (vCenter servlet filter), TRAILBLAZE dropper, SPAWN ecosystem utilities
Threat Score – 8.3 🔴 High – Demonstrates year-long dwell time, multi-layered cloud-fronted C2 with DNS-over-HTTPS, reliable persistence across Windows and virtualisation stacks, and a clear mandate for strategic data theft serving future zero-day development.
Last Threat Observation – 26 September 2025


Overview

Fresh, corroborated reporting in the past 24–48 hours confirms an active operational phase of BRICKSTORM tied to the China-nexus cluster UNC5221, now explicitly impacting United States legal and technology organisations. The newest wave centres on a Windows-focused BRICKSTORM variant operating inside enterprise estates for extended periods, with observed average dwell times near 13 months before discovery. The campaign’s tradecraft emphasises patient, low-noise access; cloud-fronted command-and-control; and meticulous credential-led movement through Windows and virtualisation infrastructure.

Consistent with earlier analyses, initial footholds are commonly achieved through exploitation of Internet-facing Ivanti Connect Secure devices (historic zero-days CVE-2023-46805 and CVE-2024-21887; more recently, CVE-2025-22457) before operators pivot into vCenter, ESXi and domain-joined Windows hosts. C2 is carried over multi-layer TLS with server names resolved via DNS-over-HTTPS, and is frequently fronted by ubiquitous cloud platforms, which frustrates naive DNS and TLS controls. The strategic objective extends beyond immediate data theft. Tasking demonstrably targets intellectual property, product roadmaps and source code to support follow-on exploit discovery and downstream targeting, making UNC5221 a risk multiplier across suppliers and customers.


Key Details

Delivery Method

  • Edge-device exploitation – Rapid operationalisation of Ivanti Connect Secure flaws (CVE-2023-46805, CVE-2024-21887) and later CVE-2025-22457 for initial code execution and session hijacking on Internet-facing gateways.
  • Credential-driven pivots – Stolen or reused credentials enable lateral movement into Windows AD and VMware management planes, reducing telemetry footprints and blending with legitimate admin activity.
  • Post-exploitation implanting – Windows hosts receive the BRICKSTORM executable and configuration. On virtualisation stacks, additional components such as the BRICKSTEAL servlet filter on vCenter support credential harvesting and durable access.

Target

  • Sectors – US legal services and technology firms, with prior phases in European industries of strategic interest.
  • Intent – Long-term, low-visibility access for strategic data collection including legal strategy, roadmaps and source code, facilitating future zero-day discovery and supply-chain leverage.

Functions

  • File management and JSON API – Browse, upload or download, slice-upload and integrity verification.
  • Network tunnelling – Multiplexed relays for RDP, SMB and other admin protocols through a single persistent channel.
  • Configuration profiles – Auth keys, DoH resolvers, server addresses and optional cloud IP allow-lists to shape egress toward normal-looking destinations.
  • Quiet execution model – Many Windows builds omit generic command execution, defeating process-lineage heuristics.

Obfuscation

  • DNS-over-HTTPS resolution to public resolvers to deny plaintext DNS visibility.
  • Cloud-fronted C2 via common platform-as-a-service endpoints to blend into ubiquitous business egress.
  • Nested, multiplexed TLS that collapses all workflows into a single durable session, impeding SNI-based controls and TLS fingerprinting.

Attack Vectors

Initial Access

  • Ivanti Connect Secure exploitation – Historic auth-bypass and command-injection chain (CVE-2023-46805, CVE-2024-21887) and, in 2025, CVE-2025-22457 RCE through a stack-based overflow; reporting suggests reverse-engineering of vendor patches to craft exploits against unpatched versions.
  • Valid-credential ingress – VPN, RDP and management portals accessed using harvested credentials, often from prior footholds or vCenter credential theft.

Establishment

  • Drop and configure BRICKSTORM – Go-based binary (Windows variants active since at least 2022) deployed with minimal config such as auth key, server address and DoH hosts. Persistence typically via Scheduled Tasks or Services.
  • Virtualisation abuse – Privileged accounts and vCenter access enable VM cloning for offline extraction of AD databases and secrets without tripping live EDR.

Command and Control

  • DoH first – C2 resolution over DoH to well-known resolvers, then upgrade to long-lived TLS with multi-layer multiplexing for file management and tunnels.
  • Cloud egress camouflage – SNI and endpoints align with common cloud providers, frustrating coarse egress blocks.

Lateral Movement

  • Tunneled admin protocols – RDP and SMB relayed through the implant; activity appears indistinguishable from routine admin work.
  • Tool staging via UI or API – Minimalistic file manager used for quiet staging and selective exfiltration to preserve low volume and cadence.

Exfiltration

  • Selective, low-volume flow – Staged collection over the same multiplexed channel to cloud-fronted endpoints with traffic patterns deliberately held under DLP thresholds.

Known Indicators of Compromise (IoCs)

Defanged for safe sharing. Replace [.] with . and remove spaces to operationalise.

File Hashes (MD5)

  • c65d7f8a ccb5 7a95 e3ea 8a07 fac9 550f
  • 8af1c3f3 9b60 072d 4b68 c770 01d5 8109

File Hashes (SHA1)

  • b4af963d 43b6 e834 a28a d281 c200 4d34 8a91 b938
  • e5751529 7ee7 7c59 5eec 19c0 0b2a 77bb a0f7 1879

File Hashes (SHA256)

  • b42159d6 8ba5 8d78 57c0 91b5 acc5 9e30 e50a 854b 15f7 ce04 b6ff f6c1 1cdf 0156
  • 42692bd1 3333 623e 9085 d0c1 3265 74a3 391e fcbf 1815 8bb0 4972 f103 c9ee 4a3b 8

Domains

  • ms-azure[.]azdatastore[.]workers[.]dev
  • ms-azure[.]herokuapp[.]com

Note: UNC5221 purposefully avoids reusing C2 across victims. Treat these as historical exemplars and prioritise behavioural detection over static blocklists.

Mitigation and Prevention

User Awareness

  • Educate privileged users and helpdesk on signs of credential misuse and unusual remote-admin prompts.
  • Encourage rapid reporting of unexpected VPN behaviour, policy changes or anomalous file-server access.

Email Filtering

  • While this campaign is not primarily phishing-led, maintain strong controls that impede credential theft. Enforce DMARC, DKIM and SPF; detonate risky attachments; and apply protective link rewriting.

Antivirus Protection and EDR

  • Tune for long-running unsigned processes that establish external connections, especially to cloud provider networks, or that perform DNS-over-HTTPS.
  • Ingest DNS, TLS SNI and firewall telemetry and correlate with EDR process lineage. Elevate unsigned processes with no child spawns yet persistent network activity.

Two-Factor Authentication (2FA)

  • Enforce phishing-resistant MFA for admins, VPN and management portals.
  • Implement Conditional Access and device trust. Block legacy protocols.
  • Rotate and compartmentalise service and virtualisation accounts. Prohibit reuse across tenants.

Log Monitoring

  • DoH control – Block direct DoH from endpoints to public resolvers and require DNS via monitored corporate resolvers.
  • Cloud egress – Monitor for workers[.]dev and suspicious herokuapp[.]com SNI from servers or admin workstations; flag long-duration, low-volume TLS sessions.
  • Persistence and tunnels – Alert on Scheduled Tasks or Services launching unsigned Go binaries from %ProgramData%, %WinDir%\Temp and similar.

Regular Updates

  • Treat edge-device patching as emergency cadence, not monthly. Verify Ivanti ICS devices are on fixed trains and have integrity checks.
  • Patch and harden vCenter and ESXi. Segment management networks and require bastion pathways.

Practical Hunting Playbook

  1. DoH outliers – Identify processes issuing DoH to public resolvers from servers and admin workstations; unexpected use is high-signal.
  2. Cloud-fronted C2 – Query TLS SNI for workers[.]dev and suspicious herokuapp[.]com subdomains. Prioritise rare processes establishing long-lived sessions.
  3. Long-running binaries – List unsigned processes with more than ten days uptime, successful external connections and low prevalence; correlate with lack of child processes.
  4. Task Scheduler anomalies – New tasks pointing at %ProgramData% or uncommon paths, binaries around seven to eight megabytes, Go-related strings and web-style endpoints such as /get-file and /put-file.
  5. Virtualisation auditing – Review vCenter logs for off-hours VM clone patterns and authentications by high-privilege accounts. Investigate any credential-harvesting filters on login paths.
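Items 3 and 4 of the playbook are naturally a scoring pass over a process inventory rather than a single query. The following is an added example written for this advisory, not code from the report or from any EDR product: it takes a constructed inventory snapshot, computes how many hosts each image basename appears on, and scores each process for the playbook's heuristics (unsigned with more than ten days uptime and external connections, no child processes, low prevalence, a binary in the seven-to-eight megabyte band, Go build strings, and /get-file or /put-file endpoints). The field names, the point weights and the size band are assumptions.

```python
"""Rank a process inventory against the long-running-binary and Task
Scheduler heuristics in the hunting playbook (items 3 and 4). Added
example: the inventory is constructed and the field names are assumptions,
not any EDR's schema."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
import ntpath

MIN_UPTIME_DAYS = 10                                  # playbook: more than ten days
RARE_PREVALENCE = 2                                   # seen on at most N hosts (assumed)
SIZE_RANGE = (int(6.5 * 2**20), int(8.5 * 2**20))     # "around seven to eight megabytes"
GO_MARKERS = ("Go build ID", "go.buildid", "runtime.goexit")  # typical Go binary strings
IMPLANT_ENDPOINTS = ("/get-file", "/put-file")        # web-style endpoints from the playbook


@dataclass
class ProcessRecord:
    host: str
    image: str                       # full path of the executable
    signed: bool
    uptime_days: float
    external_connections: int
    child_count: int
    size_bytes: int
    strings: List[str] = field(default_factory=list)  # notable strings pulled from the binary


# Constructed inventory snapshot across three hosts.
SAMPLE_INVENTORY = [
    ProcessRecord("SRV-FS01", r"C:\ProgramData\Sync\updater.exe", False, 41, 312, 0, 7_970_000,
                  ["Go build ID", "/get-file", "/put-file"]),
    ProcessRecord("WKS-ADM02", r"C:\Program Files\Vendor\agent.exe", True, 30, 40, 0, 7_550_000,
                  ["Go build ID"]),
    ProcessRecord("SRV-FS01", r"C:\Windows\System32\svchost.exe", True, 60, 5, 3, 56_320),
    ProcessRecord("SRV-DC01", r"C:\Windows\System32\svchost.exe", True, 60, 5, 3, 56_320),
    ProcessRecord("WKS-ADM02", r"C:\Windows\System32\svchost.exe", True, 12, 5, 3, 56_320),
]


def image_prevalence(inventory: List[ProcessRecord]) -> Dict[str, int]:
    """Number of distinct hosts on which each image basename is seen."""
    hosts = defaultdict(set)
    for p in inventory:
        hosts[ntpath.basename(p.image).lower()].add(p.host)
    return {name: len(h) for name, h in hosts.items()}


def score_process(p: ProcessRecord, prevalence: int) -> Tuple[int, List[str]]:
    score, reasons = 0, []
    # Item 3: unsigned, long-running, talking out; lack of children adds weight.
    if not p.signed and p.uptime_days > MIN_UPTIME_DAYS and p.external_connections > 0:
        score += 2
        reasons.append("unsigned, long-running, external connections")
        if p.child_count == 0:
            score += 1
            reasons.append("no child processes")
    if prevalence <= RARE_PREVALENCE:
        score += 1
        reasons.append(f"rare image ({prevalence} host(s))")
    # Item 4: binary characteristics typical of the implant.
    if SIZE_RANGE[0] <= p.size_bytes <= SIZE_RANGE[1]:
        score += 1
        reasons.append("size in 7-8 MB band")
    if any(m in s for s in p.strings for m in GO_MARKERS):
        score += 2
        reasons.append("Go build strings")
    if any(e in s for s in p.strings for e in IMPLANT_ENDPOINTS):
        score += 2
        reasons.append("web-style file endpoints")
    return score, reasons


def rank_inventory(inventory: List[ProcessRecord]) -> List[dict]:
    prevalence = image_prevalence(inventory)
    ranked = []
    for p in inventory:
        score, reasons = score_process(p, prevalence[ntpath.basename(p.image).lower()])
        ranked.append({"host": p.host, "image": p.image, "score": score, "reasons": reasons})
    ranked.sort(key=lambda r: (-r["score"], r["host"], r["image"]))
    return ranked


if __name__ == "__main__":
    for row in rank_inventory(SAMPLE_INVENTORY):
        print(f'{row["score"]:2}  {row["host"]:10} {row["image"]}  {"; ".join(row["reasons"])}')
```

The signed vendor agent on the admin workstation still collects points for being a rare Go binary of the right size, which is the intended behaviour: the score is a triage order, not a verdict, and the reasons list tells the analyst which of the playbook's criteria fired so the signed, widely deployed case can be closed quickly.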

Risk Assessment

Threat Score: 8.3 🔴 High

Likelihood: Elevated for organisations operating Internet-exposed VPN or gateways and broad developer-centric cloud egress. Valid-credential movement and quiet tunnelling frequently evade commodity detections, supporting extended dwell.

Impact: Severe. Targets include legal strategy, product roadmaps and source code, enabling follow-on exploit development and cascading supply-chain exposure. Persistence within virtualisation layers can survive surface-level remediation if those planes are not explicitly included in incident response.

Exposure factors

  • Unpatched or outdated edge appliances.
  • Permissive egress to public DoH and platform-as-a-service domains from server networks.
  • Weak control and rotation of service or virtualisation accounts.
  • Insufficient telemetry retention for long-dwell investigations.

Compensating strengths

  • Enforced DNS egress policy and DoH brokering.
  • High-fidelity EDR with process-ancestry analytics and rare-process hunting.
  • Privileged access management and tiered admin. Bastion-only virtualisation access.
  • Regular virtualisation audits and integrity-checked edge-device baselines.

Conclusion

The BRICKSTORM Windows line reinforces UNC5221 as a patient, methodical espionage operator focused on durable access and strategic collection rather than smash-and-grab theft. Multi-layer TLS, DoH resolution and cloud-fronting render simplistic indicator-based defences unreliable. Defenders must emphasise behavioural hunting, robust egress controls and the often-overlooked virtualisation and edge-appliance layers.

Immediate priorities are to validate Ivanti ICS patch levels and integrity, lock down DoH and platform egress from servers, tune EDR for long-running unsigned processes with network activity, and execute the targeted hunts above. Treat any positive findings as potential multi-month intrusions and scope broadly across Windows and VMware estates.


Sources