Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech and Legal Sectors
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :
Google Threat Intelligence Group (GTIG) is tracking BRICKSTORM malware activity, which is being used to maintain persistent access to victim organizations in the United States. Since March 2025, Mandiant Consulting has responded to intrusions across a range of industry verticals, most notably legal services, Software as a Service (SaaS) providers, Business Process Outsourcers (BPOs), and Technology. The value of these targets extends beyond typical espionage missions, potentially providing data to feed development of zero-days and establishing pivot points for broader access to downstream victims.
OPENCTI LABELS :
linux,windows,zero-day,brickstorm,ssh,vpxd,backup scan,sentinel,silk typhoon,systemconfiguration,unc5221,socks proxy,vcenter
AI COMMENTARY :
1. Introduction
In 2025, Google Threat Intelligence Group (GTIG) reported renewed activity involving BRICKSTORM, a stealthy backdoor used to maintain long-term access to victim organizations in the United States. The report's labels associate the activity with the cluster Mandiant tracks as UNC5221 and with the Silk Typhoon designation. Mandiant Consulting's response efforts since March 2025 cover intrusions at legal services firms, SaaS providers, Business Process Outsourcers (BPOs), and technology companies. According to GTIG, the value of these targets goes beyond a conventional espionage mission: stolen data can feed zero-day development, and a compromised provider becomes a pivot point toward its downstream customers.
2. Background on BRICKSTORM
BRICKSTORM is a backdoor observed on Linux systems, and the report's labels tie it to VMware vCenter and its vpxd service; the labels also list Windows, indicating a Windows variant. The capabilities the page points to are covert command and control over SSH-related channels and traffic relaying through a SOCKS proxy, which lets operators reach internal systems from the implant without staging additional tooling on every host. Note that UNC5221 is Mandiant's designation for the threat cluster behind this activity, not the name of a payload. Because the implant lives on infrastructure-management appliances rather than on user endpoints, its activity is easily mistaken for legitimate system configuration work, which is a large part of why it has been hard to detect.
3. Targeted Sectors and Strategic Value
The choice of legal and technology verticals reflects both the value of the data held and the access those organizations provide. Legal services firms hold privileged communications and intellectual property; SaaS and BPO environments are springboards into many downstream customers at once; technology companies can yield vulnerability details useful for zero-day development and insight into product roadmaps. The report's labels also reference backup scanning alongside vCenter, consistent with an operator who targets the systems (virtualization management, backups) that hold copies of everything else, since a foothold there offers persistence and flexible lateral movement across mixed Linux and Windows estates.
4. Technical Analysis
The page summary does not describe the initial access vector, so none should be assumed from it. What the labels do establish is the shape of the post-compromise tradecraft: a backdoor resident on Linux infrastructure (vCenter and its vpxd service are named), a Windows component, SSH in the command-and-control picture, and a SOCKS proxy. The practical consequences follow from that. A SOCKS proxy on a management appliance turns the appliance into a relay, so traffic to internal targets originates from a trusted host and never needs a second implant; persistence on an appliance survives reboots and routine patching of endpoints; and because appliances are seldom covered by endpoint detection and their configuration changes are rarely reviewed (the page labels reference systemconfiguration), beacons and proxy listeners can run for long periods without triggering signature-based controls. Indicators published by GTIG for this activity should be used for hunting rather than anything inferred from the labels alone.
5. Detection and Mitigation Strategies
Effective defense against BRICKSTORM requires a layered approach. Keep an inventory of approved SSH keys and audit authorized_keys files on appliances against it, rotate credentials, and restrict who can log in to management hosts at all. Monitor vCenter for anomalous API calls and unexpected vpxd activity, and keep virtualization hosts and appliances patched. Baseline boot-time configuration (startup scripts, service units) on Linux appliances and alert on changes that were not part of a change record, and watch for new listening sockets or unexplained outbound connections from appliances, since a SOCKS relay needs both. Extend endpoint detection to Linux as well as Windows assets, and hunt for the BRICKSTORM indicators GTIG has published for the UNC5221 activity so that latent backdoors are found before they are used.
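Two of the controls above, auditing appliance SSH keys against an approved inventory and checking what runs at boot, lend themselves to a small hunting script. The following is an added example, not code from GTIG or from the report; it runs against constructed sample data (fake key material built in the script, invented systemd unit files) and assumes an organization keeps an inventory of approved key fingerprints, which is a hypothetical input. Keys are identified by the same SHA256 fingerprint ssh-keygen prints, so findings can be matched against real inventories.

```python
"""Hunting checks for a Linux appliance: unapproved SSH keys in
authorized_keys and boot-time execution of binaries outside trusted paths.
All key material and unit files below are constructed for the example."""
import base64
import hashlib
import re
import struct

# Matches the key type + base64 blob + optional comment; anchoring on the key
# type (not line start) tolerates option prefixes such as from="..." or command="...".
KEY_RE = re.compile(
    r"(?:^|\s)(ssh-(?:ed25519|rsa|dss)|ecdsa-sha2-nistp\d{3})\s+([A-Za-z0-9+/=]+)(?:\s+(\S.*))?$"
)


def ssh_fingerprint(key_line):
    """OpenSSH-style 'SHA256:<base64>' fingerprint of a public key line (the
    value `ssh-keygen -lf` prints), or None if the line is not a key."""
    m = KEY_RE.search(key_line.strip())
    if not m:
        return None
    blob = base64.b64decode(m.group(2))
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return "SHA256:" + digest


def audit_authorized_keys(text, approved):
    """Return one finding per authorized_keys entry whose fingerprint is not in
    the approved inventory (or that cannot be parsed at all)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fp = ssh_fingerprint(line)
        if fp is None:
            findings.append({"line": lineno, "fingerprint": None,
                             "comment": None, "reason": "unparseable entry"})
        elif fp not in approved:
            comment = KEY_RE.search(line.strip()).group(3) or ""
            findings.append({"line": lineno, "fingerprint": fp,
                             "comment": comment,
                             "reason": "key not in approved inventory"})
    return findings


# ExecStart / ExecStartPre / ExecStartPost lines of a systemd unit.
EXEC_RE = re.compile(r"^\s*Exec(?:Start|StartPre|StartPost)\s*=\s*(.+)$", re.M)


def audit_exec_paths(units, trusted_prefixes):
    """Given {unit_path: unit_text}, return the Exec* binaries that live outside
    trusted_prefixes. systemd's leading '-', '@', '+', '!' and ':' modifiers are
    stripped before the path is compared."""
    hits = []
    for path, text in units.items():
        for cmdline in EXEC_RE.findall(text):
            exe = cmdline.split()[0].lstrip("-@+!:")
            if not any(exe.startswith(p) for p in trusted_prefixes):
                hits.append({"unit": path, "exe": exe})
    return hits


# ---- constructed sample data -------------------------------------------------
def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def _constructed_ed25519_line(seed, comment):
    """Build a syntactically valid ssh-ed25519 line from a 32-byte stand-in
    public key derived from `seed` (constructed, not a real key pair)."""
    pub = hashlib.sha256(seed).digest()
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(pub)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


ADMIN_KEY = _constructed_ed25519_line(b"admin-jumphost", "admin@jumphost")
ROGUE_KEY = _constructed_ed25519_line(b"rogue", "ops@laptop")
APPROVED_FINGERPRINTS = {ssh_fingerprint(ADMIN_KEY)}  # hypothetical inventory

SAMPLE_AUTHORIZED_KEYS = f"""# appliance root account (constructed sample)
{ADMIN_KEY}
from="10.0.0.0/8",no-pty {ROGUE_KEY}
"""

SAMPLE_UNITS = {  # invented unit files, not real vCenter services
    "/etc/systemd/system/vmware-example.service":
        "[Service]\nExecStart=/usr/lib/vmware-example/bin/svc\n",
    "/etc/systemd/system/cache-refresh.service":
        "[Service]\nExecStart=-/tmp/.cache/svc --listen 0.0.0.0:1080\n",
}
TRUSTED_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/opt/vmware/", "/lib/")


def run_demo():
    """Run both audits over the constructed data and return the findings."""
    return (audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, APPROVED_FINGERPRINTS),
            audit_exec_paths(SAMPLE_UNITS, TRUSTED_PREFIXES))


if __name__ == "__main__":
    keys, execs = run_demo()
    for f in keys:
        print(f"authorized_keys line {f['line']}: {f['reason']} ({f['fingerprint']} {f['comment']})")
    for h in execs:
        print(f"{h['unit']}: runs {h['exe']} outside trusted paths")
```

On a real appliance the two inputs would be the contents of each user's authorized_keys file and the unit files under /etc/systemd/system and /usr/lib/systemd/system; the same functions apply unchanged. The unit-file check is deliberately narrow (it does not follow wrapper scripts or cron), so treat a clean result as one signal among several rather than proof of absence.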
6. Conclusion
The resurgence of BRICKSTORM underscores how targeted espionage campaigns have shifted toward the legal and technology providers that hold, or can reach, the most valuable data. As the actors tracked as UNC5221 and Silk Typhoon extend their toolkit to cross-platform components and proxying through compromised appliances, defenders must pair proactive monitoring of management infrastructure with strict access controls and disciplined patch management. Closing those gaps protects intellectual property, preserves business continuity, and denies the adversary the stolen research that would otherwise fuel future zero-day development.