
Chinese Hackers Lurked Nearly 400 Days in Networks With Stealthy BrickStorm Malware

Google’s Threat Intelligence Group and Mandiant link the BrickStorm campaign to UNC5221, warning that hackers are analyzing stolen code to weaponize zero-day vulnerabilities.


Researchers in Google’s Threat Intelligence Group and Mandiant unit have analyzed a recent Chinese cyberespionage campaign where the hackers have managed to dwell in compromised networks for hundreds of days to obtain valuable information. 

The attacks involved BrickStorm, a stealthy backdoor previously used by the Chinese APT tracked as UNC5221 in a 2023 attack targeting MITRE.

Google's researchers attribute the latest BrickStorm campaign to UNC5221 and to related Chinese threat actors. Although UNC5221 is often reported to be the same group as Silk Typhoon, the researchers do not believe the two are identical. 

The campaign has been monitored by Mandiant since March 2025, with the attackers targeting industries such as legal services, software-as-a-service (SaaS), technology, and business process outsourcing (BPO). 

On average, the cyberspies spent 393 days in the targeted networks. This has in many cases made it difficult for the researchers to establish the initial access vector, but in at least one case the threat actor is believed to have exploited an Ivanti product zero-day vulnerability. 

The attackers have deployed the BrickStorm malware on various types of appliances, many of which cannot run traditional EDR or other endpoint security tooling, which is what lets the backdoor go unnoticed for so long. 


Mandiant has observed BrickStorm on Linux- and BSD-based appliances. Recent reports indicated that a Windows version of the malware also exists, but Mandiant has not seen it.

“While BRICKSTORM has been found on many appliance types, UNC5221 consistently targets VMware vCenter and ESXi hosts. In multiple cases, the threat actor deployed BRICKSTORM to a network appliance prior to pivoting to VMware systems,” Mandiant explained. “The actor moved laterally to a vCenter server in the environment using valid credentials, which were likely captured by the malware running on the network appliances.”
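Because the appliances hosting the backdoor cannot run EDR, the practical place to catch the pivot described above is on the vCenter side: a successful logon with valid credentials whose source is a network appliance, or anything other than the designated admin jump hosts, is the anomaly. The following is an added example, not code from the article or from Mandiant, using a constructed, simplified logon-event format (the real vCenter SSO log layout differs) and hypothetical network ranges:

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample events in an assumed "<ts> <result> user=<u> src=<ip>" shape.
# This format is an assumption for the example, not vCenter's actual log format.
SAMPLE_LOG = """\
2025-06-01T02:11:09Z success user=administrator@vsphere.local src=10.0.50.10
2025-06-01T02:14:40Z success user=vc-admin@corp.local src=10.0.50.12
2025-06-01T03:02:17Z failure user=vc-admin@corp.local src=10.0.200.5
2025-06-01T03:02:31Z success user=vc-admin@corp.local src=10.0.200.5
2025-06-01T03:40:02Z success user=backup-svc@corp.local src=10.0.10.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>success|failure) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Hypothetical ranges: where vCenter admins are allowed to log in from, and
# the management addresses of edge/network appliances that should never log in.
ADMIN_JUMP_HOSTS = ["10.0.50.0/24"]
NETWORK_APPLIANCES = ["10.0.200.0/24"]


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    src: str
    reason: str


def parse_events(log_text):
    """Yield dicts for every well-formed line; silently skip anything else."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.groupdict()


def flag_vcenter_logins(log_text, admin_sources, appliance_sources):
    """Return successful logons that came from an appliance or from outside
    the admin jump-host ranges. Failed logons are ignored: the point is that
    the actor already holds valid credentials, so only successes matter."""
    admin_nets = [ipaddress.ip_network(n) for n in admin_sources]
    appliance_nets = [ipaddress.ip_network(n) for n in appliance_sources]
    findings = []
    for ev in parse_events(log_text):
        if ev["result"] != "success":
            continue
        src = ipaddress.ip_address(ev["src"])
        if any(src in n for n in appliance_nets):
            reason = "successful vCenter logon sourced from a network appliance"
        elif not any(src in n for n in admin_nets):
            reason = "successful vCenter logon from outside the admin jump-host range"
        else:
            continue
        findings.append(Finding(ev["ts"], ev["user"], ev["src"], reason))
    return findings


if __name__ == "__main__":
    for f in flag_vcenter_logins(SAMPLE_LOG, ADMIN_JUMP_HOSTS, NETWORK_APPLIANCES):
        print(f"{f.ts} {f.user} from {f.src}: {f.reason}")
```

The appliance-sourced rule is the stronger signal: a VPN or load-balancer management address has no legitimate reason to authenticate to vCenter, so a single hit is worth an investigation rather than a threshold. Because the credentials are valid, this check has to live in the vCenter or SIEM log pipeline, not on the appliance, and it only works if the logon source is recorded and retained for longer than the dwell times reported here.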

The latest BrickStorm campaign has been aimed at high-value targets, and its goals extend beyond traditional cyberespionage. 

The Chinese hackers leveraged the access they obtained to pivot to the downstream customers of compromised SaaS providers. In addition, Mandiant believes they have used some of the stolen information to identify zero-day vulnerabilities in enterprise technologies.

“As part of this intrusion campaign, the threat actors are stealing proprietary source code and other intellectual property related to enterprise technologies that many other companies use,” explained Charles Carmakal, CTO, Mandiant Consulting, Google Cloud. “We believe the threat actors are analyzing the stolen source code to find flaws and zero-day vulnerabilities to exploit in enterprise technology products.”

“It’s important to understand there are direct victims and then there are downstream organizations. By developing zero-days for these enterprise products, the threat actors can then use them to target downstream companies that use this technology,” Carmakal told SecurityWeek.

Related: Details Emerge on Chinese Hacking Operation Impersonating US Lawmaker

Related: Chinese Silk Typhoon Hackers Targeting Multiple Industries in North America

Related: Web Hosting Firms in Taiwan Attacked by Chinese APT for Access to High-Value Targets

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
