China-Linked Hackers Hit US Tech Firms with BRICKSTORM Malware

China-backed UNC5221 targets US legal and tech firms by deploying BRICKSTORM malware on neglected VMware and Linux/BSD appliances, Google’s Mandiant reports.

HackRead

A group of hackers with links to China has been caught running a long-term spying operation against US companies. Cybersecurity researchers at Mandiant (part of the Google Threat Intelligence Group) are tracking this threat, named BRICKSTORM, which targets specialised operating systems like Linux and BSD (Berkeley Software Distribution).

Mandiant’s investigation shows the group’s mission to steal valuable intellectual property and sensitive information related to national security and international trade. These hackers have maintained access for a worryingly lengthy time, averaging 393 days, mostly targeting the legal services, technology, SaaS, and Business Process Outsourcers (BPOs) sectors since at least March 2025.

Industries targeted by BRICKSTORM (Image credit: Mandiant)

**BRICKSTORM Malware**

The hackers, tracked by Mandiant as UNC5221, which was also behind the widespread exploitation of the Ivanti VPN zero-day in January 2025, use a new and custom-designed Go-language BRICKSTORM malware. In this case as well, the group exploits zero-day vulnerabilities to infect network appliances and servers with malware.

According to Mandiant’s blog post, this initial access is consistently used to move to high-value systems, particularly VMware vCenter and ESXi hosts. To achieve this, the attackers first deploy BRICKSTORM to a network appliance, steal valid credentials, and then move laterally via SSH to the vCenter server.

Researchers further explain that BRICKSTORM features SOCKS proxy functionality, enabling attackers to tunnel traffic and move quietly through the network. Once that is complete, they capture high-privilege user logins while using the organisation’s own network devices to hide their activity.

The malware is under active development, using “advanced obfuscation” (like the tool Garble and a custom internal library) to continuously evade security measures.

**What’s the Big Goal?**

Mandiant believes the hackers are focused on long-term objectives, beginning with the compromise of Software as a Service (SaaS) providers and extending to the networks of their customers.

Additionally, a common objective observed in these attacks is to access the emails of critical personnel, particularly system administrators and developers relevant to the economic and espionage interests of the People’s Republic of China (PRC). To infiltrate any mailbox, threat actors employed Microsoft Entra ID Enterprise Applications with elevated access scopes (like mail.read or full_access_as_app).
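As an added example (not Mandiant’s scanner or code from the article), the following Python audits a constructed export of Entra ID enterprise-application permission grants and flags applications holding the mailbox scopes named above; the export format, the application names and the inclusion of Mail.ReadWrite as a superset of mail.read are assumptions.

```python
"""Flag Entra ID enterprise applications granted mailbox-wide scopes.
Added example; the export shape is an assumption, not Microsoft's API."""
import json

# Scopes that expose mailbox contents, matched case-insensitively.
# Mail.ReadWrite is included as an obvious superset of Mail.Read (assumption).
MAIL_SCOPES = {"mail.read", "mail.readwrite", "full_access_as_app"}

# Constructed sample export: hypothetical apps, not real tenant data.
SAMPLE_EXPORT = json.dumps([
    {"displayName": "HR Sync", "appId": "app-1",
     "grants": [{"type": "Application", "value": "User.Read.All"}]},
    {"displayName": "Mail Archiver", "appId": "app-2",
     "grants": [{"type": "Application", "value": "Mail.Read"},
                {"type": "Delegated", "value": "offline_access"}]},
    {"displayName": "Legacy EWS Tool", "appId": "app-3",
     "grants": [{"type": "Application", "value": "full_access_as_app"}]},
    {"displayName": "Outlook Add-in", "appId": "app-4",
     "grants": [{"type": "Delegated", "value": "Mail.Read"}]},
])


def mail_risk(app):
    """Return (level, matching scopes); level is 'application' when any
    matching grant is app-only (tenant-wide, no user consent), else
    'delegated', else None when no mail scope is present."""
    grants = app.get("grants", [])
    hits = [g["value"] for g in grants if g["value"].lower() in MAIL_SCOPES]
    if not hits:
        return None, []
    kinds = {g["type"].lower() for g in grants if g["value"] in hits}
    level = "application" if "application" in kinds else "delegated"
    return level, sorted(hits)


def audit(export_json):
    """Parse the export and return flagged apps, app-only grants first."""
    flagged = []
    for app in json.loads(export_json):
        level, hits = mail_risk(app)
        if level:
            flagged.append({"appId": app["appId"], "name": app["displayName"],
                            "level": level, "scopes": hits})
    flagged.sort(key=lambda f: (f["level"] != "application", f["name"]))
    return flagged


if __name__ == "__main__":
    for f in audit(SAMPLE_EXPORT):
        print(f"{f['level']:<11} {f['appId']:<6} {f['name']}: "
              f"{', '.join(f['scopes'])}")
```

Every app-only hit is worth a review of who created the service principal and when the grant was consented, since a legitimate-looking name is no evidence of a legitimate owner.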

Mandiant urges organisations to strengthen their cybersecurity posture. The company has also shared a free scanner script on its GitHub page that organisations can use to check their Linux-based systems for the BRICKSTORM backdoor.

**Expert Takeaway**

Ensar Seker, CISO at SOCRadar, reflected on the seriousness of the campaign. In his exclusive insight shared with Hackread.com, Seker stated that BRICKSTORM is a “wake-up call.” He explained that the attackers’ strategy gives them a “multiplier effect on reach” because by getting into service providers, they gain “pathways into their clients and partners.”

Seker emphasised that this operation is about “building capabilities that can support multiple future attacks” by stealing internal designs and learning how to bypass defences. From a defence standpoint, he advises companies to “assume that any vendor they trust may be compromised, not eventually, but right now,” requiring them to adopt stricter security measures and “zero-trust architectures” around vendor connections.

“In a nutshell, Brickstorm is a wake-up call: adversaries are no longer treating high-value firms as endpoints to exploit, but as nodes in a broader intelligence and access network. Defending against that requires that we think in ecosystems and assume compromise, not just for ourselves, but for every connected party,” Seker advised.
