Chinese Hackers Use ‘BRICKSTORM’ Backdoor to Breach US Firms


The GTIG researchers argued that the motivation of these attacks “extends beyond typical espionage missions, potentially providing data to feed development of zero-days and establishing pivot points for broader access to downstream victims.”

In many cases, the threat actors were particularly interested in the emails of key individuals within the victim organizations and sometimes exfiltrated files attached to these emails.

Google has attributed these campaigns to UNC5221, a Chinese-aligned threat cluster linked to sophisticated capabilities, including the exploitation of zero-day vulnerabilities targeting network appliances.

While other security vendors consider UNC5221 and Silk Typhoon to be the same group, GTIG currently tracks them as two distinct entities.

Sophisticated Campaigns Against US Organizations

The Google report noted that the GTIG investigation into the BRICKSTORM campaigns had been made particularly difficult because of the threat actors’ speed in deploying the full attack chain.

“In many cases, the average dwell time of 393 days exceeded log retention periods and the artifacts of the initial intrusion were no longer available,” the researchers wrote.

Nevertheless, they found that UNC5221 used a range of sophisticated techniques to maintain persistence and minimize the visibility traditional security tools have into their activities.

These include:

  1. Initial access: exploiting zero-day vulnerabilities
  2. Establishing foothold: BRICKSTORM deployment on appliances that do not support traditional endpoint detection and response (EDR) tools (e.g. VMware vCenter and ESXi hosts)
  3. Escalating privilege: In-memory Servlet filter injection, credential harvesting via HTTP basic auth, bypassing MFA protections, VM cloning of critical servers, targeting Delinea Secret Server, execution of automated secret stealer tools
  4. Moving laterally: credential reuse from vaults and scripts
  5. Establishing persistence: init.d, rc.local, or systemd file changes to ensure BRICKSTORM starts on appliance reboot
  6. Completing mission: exploiting Microsoft Entra ID Enterprise Applications with mail.read or full_access_as_app scopes to access the email mailboxes of target accounts

Inside the BRICKSTORM Backdoor

BRICKSTORM Forensics Analysis

BRICKSTORM is a Go backdoor targeting VMware vCenter servers.

According to a previous Google report, published in April 2024, the backdoor supports the ability to set itself up as a web server, perform file system and directory manipulation, perform file operations such as upload/download, run shell commands, and perform SOCKS relaying.

BRICKSTORM communicates over WebSockets to a hard-coded command-and-control (C2) server.

Upon execution, BRICKSTORM checks for an environment variable, WRITE_LOG, to determine if the file needs to be executed as a child process. If the variable returns false or is unset, it will copy the BRICKSTORM sample from /home/vsphere-ui/vcli to /opt/vmware/sbin as vami-httpd. It will then execute the copied BRICKSTORM sample and terminate execution.

If WRITE_LOG is set to true, it assumes it is running as the correct process, deletes /opt/vmware/sbin/vami-httpd, and continues execution.

BRICKSTORM contains a separate function called Watcher, which contains self-monitoring functionality. If the environment variable WORKER returns false or is unset, it will continue the monitoring, checking for the file /home/vsphere-ui/vcli and copying the contents over to /opt/vmware/sbin/vami-httpd. Then, it sets the appropriate environment variables and spawns the process. The watcher process then begins monitoring the exit status of the child process.

If it finds the environment variable WORKER is set to true, it assumes it is a spawned worker process meant to execute the backdoor functionality and skips the remainder of the Watcher function.

BRICKSTORM communicates with the C2 using WebSockets. This sample contains a hard-coded WebSocket address of wss://opra1.oprawh.workers[.]dev. Additionally, it contains the following legitimate DNS over HTTPS (DoH) addresses.
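Two network-side signals follow from this: a WebSocket upgrade from a management appliance to an external host, and DNS-over-HTTPS traffic originating from an appliance that should be using the internal resolver. The detection below is an added example written for this article, not Google tooling. Its log format, the appliance inventory, the internal domain suffix and the DoH resolver watchlist are constructed assumptions; only the wss host comes from the article.

```python
"""Detection sketch for the C2 pattern described above: outbound WebSocket
upgrades from an appliance to an external host, and DNS-over-HTTPS from an
appliance. Example code added for this article, not Google tooling. The log
format, appliance inventory, internal suffix and DoH watchlist are constructed
assumptions; only the wss host below comes from the article.
"""
from collections import namedtuple

APPLIANCE_IPS = {"10.10.5.20"}                 # constructed inventory of vCenter/ESXi/network appliances
INTERNAL_SUFFIXES = (".example.internal",)     # constructed: hosts treated as internal
# Constructed watchlist of public DoH resolvers; the article does not list the ones BRICKSTORM uses.
DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}
DOH_PATH = "/dns-query"                        # conventional RFC 8484 path

# Constructed proxy log lines: timestamp src_ip dst_host:port method path upgrade_header
LOG_LINES = [
    "2025-09-24T10:00:01Z 10.10.5.20 vcsa.example.internal:443 GET /ui -",
    "2025-09-24T10:00:05Z 10.10.5.20 opra1.oprawh.workers.dev:443 GET / websocket",
    "2025-09-24T10:00:09Z 10.10.5.20 dns.google:443 POST /dns-query -",
    "2025-09-24T10:01:00Z 10.10.7.31 chat.example.com:443 GET /socket websocket",
    "2025-09-24T10:02:00Z 10.10.5.20 vcsa.example.internal:443 GET /ws websocket",
    "2025-09-24T10:03:00Z 10.10.5.20 resolver.example.net:443 GET /dns-query -",
]

Alert = namedtuple("Alert", "ts src_ip dst_host reason")


def parse_line(line: str):
    """Split one constructed log line; the port is dropped from the destination."""
    ts, src, dst, method, path, upgrade = line.split()
    host = dst.rsplit(":", 1)[0]
    return ts, src, host, method, path, upgrade


def is_internal(host: str) -> bool:
    return host.endswith(INTERNAL_SUFFIXES)


def detect(lines, appliance_ips=APPLIANCE_IPS) -> list:
    """Apply both rules to appliance-sourced traffic only; user workstations are out of scope here."""
    alerts = []
    for line in lines:
        ts, src, host, method, path, upgrade = parse_line(line)
        if src not in appliance_ips:
            continue
        if upgrade.lower() == "websocket" and not is_internal(host):
            alerts.append(Alert(ts, src, host, "websocket upgrade to external host from appliance"))
        if host in DOH_HOSTS or path == DOH_PATH:
            alerts.append(Alert(ts, src, host, "DNS-over-HTTPS from appliance"))
    return alerts


if __name__ == "__main__":
    for a in detect(LOG_LINES):
        print(f"{a.ts} {a.src_ip} -> {a.dst_host}: {a.reason}")
```

The scoping to appliance source addresses is what keeps the WebSocket rule usable: browsers open WebSockets constantly, but a vCenter or ESXi host has no business holding one open to a public hosting domain, and equally no reason to resolve names over HTTPS when an internal resolver is configured.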

BRICKSTORM Deployment

Typically, threat actors deploy the backdoor to a network appliance before pivoting to VMware systems.

The hackers then move laterally to a vCenter server in the environment using valid credentials, which were likely captured by the malware running on the network appliances.

In April 2025, European cybersecurity company NVISO discovered two new BRICKSTORM samples affecting Windows environments.

These samples had been used to spy on European organizations via Windows since at least 2022, NVISO said.

While Google has acknowledged the NVISO report, it said it has not observed BRICKSTORM Windows-focused variants in any investigation to date.

Google’s Mandiant has released a scanner script that can run on *nix-based appliances and other systems without requiring YARA to be installed.

The tool is designed to replicate a specific YARA rule (G_APT_Backdoor_BRICKSTORM_3) by searching for a combination of strings and hex patterns unique to the backdoor.
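Replicating a YARA rule without YARA means reimplementing the small part of its semantics the rule actually uses: literal strings, hex patterns with wildcard bytes, and an "N of them" condition, evaluated over a file that may be larger than memory. The matcher below is an added example written for this article; it is not the Mandiant script, and its rule content is a constructed stand-in (two environment-variable names from the article plus a wss:// prefix), not the strings of G_APT_Backdoor_BRICKSTORM_3. It reads the file in chunks and carries a tail of the previous chunk forward so a pattern straddling a chunk boundary is still found.

```python
"""Stand-alone matcher in the spirit of the Mandiant scanner described above:
a small subset of YARA semantics (plain strings plus hex patterns with ??
wildcards, an 'N of them' condition) implemented with the standard library only.
Example code added for this article, not the Mandiant script; the patterns
below are constructed stand-ins, not the contents of G_APT_Backdoor_BRICKSTORM_3.
"""
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass
class Pattern:
    name: str
    regex: re.Pattern
    length: int  # fixed byte length, needed to size the chunk overlap


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a YARA-style hex string ('77 73 73 3A ?? 2F') into a bytes regex."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")  # wildcard: any single byte (DOTALL below makes '.' match newlines)
        elif len(tok) == 2 and all(c in "0123456789abcdefABCDEF" for c in tok):
            parts.append(re.escape(bytes([int(tok, 16)])))
        else:
            raise ValueError(f"unsupported hex token {tok!r}")
    return re.compile(b"".join(parts), re.DOTALL)


def compile_rule(strings: dict, hex_patterns: dict) -> list:
    """Build Pattern objects for literal byte strings and hex patterns."""
    pats = [Pattern(n, re.compile(re.escape(s), re.DOTALL), len(s)) for n, s in strings.items()]
    pats += [Pattern(n, hex_pattern_to_regex(h), len(h.split())) for n, h in hex_patterns.items()]
    return pats


def scan_file(path, patterns, required: int = 0, chunk_size: int = 1 << 20) -> dict:
    """Scan a file in chunks; 'required' is the 'N of them' threshold (0 means all of them).

    Each window is the new chunk prefixed with the tail of the previous one, so a
    pattern that straddles a chunk boundary is still found exactly once.
    """
    required = required or len(patterns)
    hit = {p.name: False for p in patterns}
    overlap = max(p.length for p in patterns) - 1
    tail = b""
    with open(path, "rb") as fh:
        while chunk := fh.read(chunk_size):
            window = tail + chunk
            for p in patterns:
                if not hit[p.name] and p.regex.search(window):
                    hit[p.name] = True
            tail = window[-overlap:] if overlap else b""
    return {"matched": hit, "verdict": sum(hit.values()) >= required}


# Constructed stand-in rule: two environment-variable names from the article
# plus 'wss://' followed by any two bytes. Not the real rule's content.
RULE_PATTERNS = compile_rule(
    {"$env_write_log": b"WRITE_LOG", "$env_worker": b"WORKER"},
    {"$wss_prefix": "77 73 73 3A 2F 2F ?? ??"},
)


def build_constructed_samples() -> tuple:
    """Write two constructed files (not real samples): one with every pattern, one with a single string."""
    d = Path(tempfile.mkdtemp(prefix="yara-lite-"))
    positive, negative = d / "positive.bin", d / "negative.bin"
    # 'WRITE_LOG' starts at offset 1000 so a 1004-byte chunk size splits it across a boundary.
    positive.write_bytes(b"A" * 1000 + b"WRITE_LOG" + b"B" * 50 + b"WORKER\0wss://xy" + b"C" * 100)
    negative.write_bytes(b"benign text\0WORKER\0ws://plain\0")
    return str(positive), str(negative)


if __name__ == "__main__":
    import sys
    for f in sys.argv[1:] or build_constructed_samples():
        print(f, scan_file(f, RULE_PATTERNS))
```

Two things carry over from YARA that are easy to get wrong in a hand-rolled scanner: the overlap must be at least one byte shorter than the longest pattern or boundary-straddling matches are lost, and a wildcard byte must be allowed to match a newline, which is why the regexes are compiled with DOTALL.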
