
China-linked hackers use ‘BRICKSTORM’ backdoor to steal IP

Alleged Chinese government hackers are using a new backdoor called BRICKSTORM to gain access to organizations that provide essential services and hold sensitive data.

In a report on Wednesday, incident responders from Google security firm Mandiant said they have responded to “numerous” intrusions since March 2025 involving victims that include legal firms, software-as-a-service providers and technology companies. The goal of the campaign is to steal valuable intellectual property and sensitive data — with a particular focus on the email inboxes of senior company leaders.

Charles Carmakal, CTO of Mandiant Consulting, told Recorded Future News that the BRICKSTORM campaign stood out to his team because of its “sophistication, evasion of advanced enterprise security defenses and focus on high-value targets.”

Carmakal attributed the campaign to a threat actor they refer to as UNC5221 — which was previously accused of abusing vulnerabilities in firewall products from tech company Ivanti.

“The access obtained by UNC5221 enables them to pivot to downstream customers of compromised SaaS providers or discover zero-day vulnerabilities in enterprise technologies which can be used for future attacks,” Carmakal said. 

“We encourage organizations to hunt for BRICKSTORM and other backdoors that may reside on their systems that do not have endpoint detection and response (EDR) coverage.”

The report said the BRICKSTORM backdoor was found on appliances that typically lack traditional endpoint detection and response (EDR) agents.

While UNC5221 has previously been tied to various Chinese state groups like Silk Typhoon and Volt Typhoon, Mandiant said it does not consider it to be the same as those operations. 

Based on evidence obtained from recent investigations, the hackers are targeting law firms in the U.S. to steal information related to U.S. national security and international trade. 

“The value of these targets extends beyond typical espionage missions, potentially providing data to feed development of zero-days and establishing pivot points for broader access to downstream victims,” Mandiant explained. 

Long-term focus

The hackers abused Microsoft tools to access mail in any mailbox — at times targeting the mailboxes of developers and system administrators while in other cases, going after the mailboxes of “individuals involved in matters that align with [People's Republic of China] economic and espionage interests.”

Mandiant noted that one of the problems it faced across several investigations was determining how the threat actors initially gained entry to a victim’s system. In most cases the hackers had been inside victims’ systems for more than a year, so many of the logs from the initial access event were no longer available.

At least one incident was tracked back to the exploitation of a zero-day vulnerability in an Ivanti Connect Secure edge device.

Mandiant found BRICKSTORM used primarily on Linux appliances and never on Windows devices, even though a Windows variant exists. The appliances that were exploited were typically not monitored by the victim’s security team, or were not inventoried at all.

BRICKSTORM was found on many different types of appliances, but UNC5221 was seen specifically targeting VMware vCenter and ESXi hosts. In several instances Mandiant saw the hackers move laterally to a vCenter server using credentials that were likely stolen through malware running on other network appliances.

One sample of BRICKSTORM included a built-in delay timer that had a specific date set for when it would begin to reach out to hacker-controlled tools. 

“Notably, this backdoor was deployed on an internal vCenter server after the victim organization had begun their incident response investigation, demonstrating that the threat actor was actively monitoring and capable of rapidly adapting their tactics to maintain persistence,” Mandiant explained. 

Mandiant found other evidence showing the hackers were able to repeatedly obtain legitimate server administrator credentials — leading incident responders to believe the threat actors had access to tools that could automatically extract and decrypt all credentials.

Incident responders also saw evidence pointing to an obfuscation network built from compromised small office/home office routers, but Mandiant said it is unsure how these routers are being compromised.

U.S. officials have repeatedly disrupted Chinese botnets composed of compromised home routers.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.