They slept on networks for 393 days! Chinese state hackers and the BRICKSTORM backdoor – Against Invaders – CyberSecurity news for humans.


Redazione RHC: 25 September 2025 14:29

According to Google Threat Intelligence, the China-linked espionage group UNC5221 has carried out a series of successful intrusions into corporate networks since March 2025, exploiting previously unknown vulnerabilities in Ivanti products.

The intrusions relied on backdoors that let the attackers keep access to victim infrastructure for an average of 393 days.

Experts have attributed the activity to UNC5221 and related Chinese cyberespionage groups. According to the report, UNC5221 has been actively exploiting vulnerabilities in Ivanti devices since at least 2023. Google stresses that this group is not the same as Silk Typhoon (formerly Hafnium), the group suspected of breaching the U.S. Treasury Department in December 2024.

The UNC prefix marks a cluster that Mandiant has not yet formally categorized as financially motivated (FIN) or as a state-sponsored APT, although UNC5221's targeting and tradecraft clearly point to state support. Since spring 2025, Mandiant has responded to incidents tied to this group across a wide range of industries, from law firms to SaaS providers and corporate outsourcing companies. In most cases the attackers used a purpose-built backdoor, BRICKSTORM, implanted on appliances that cannot run traditional endpoint detection (EDR) agents.

This let the attackers operate unnoticed: the organizations' security tooling simply did not see the malicious activity. To help identify infections, Google released a free scanner that does not require YARA to be installed and runs on Linux and BSD-based systems.

It looks for signatures and unique code patterns characteristic of BRICKSTORM. Mandiant expects the number of known infections to rise sharply once organizations begin scanning their devices at scale; the full effect of this campaign is expected to become visible over the next one to two years.
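As an added illustration of the scanning approach described above (example code written for this page, not Google's or Mandiant's scanner, which is what should be used for actual hunting): a standard-library-only Python scanner that walks a filesystem, restricts itself to ELF binaries, and searches each file for byte signatures in fixed-size chunks. The signature bytes, the sample files it builds and the chunk size are constructed placeholders; no real BRICKSTORM indicators are reproduced here. What it shows beyond the text is the chunk-boundary case: a naive per-chunk search misses a pattern that straddles two reads, so the scanner carries over the last len(pattern) - 1 bytes of each window.

```python
"""Chunked byte-signature scanner for Linux/BSD hosts, standard library only.

Added example for this page, not the Google/Mandiant BRICKSTORM scanner.
All signatures and sample files below are constructed placeholders.
"""
import os
import sys
import tempfile

# Hypothetical signatures (name -> bytes). Real indicators come from the
# vendor's scanner; these exist only so the example runs stand-alone.
SIGNATURES = {
    "placeholder-socks-marker": b"example-socks-handshake",
    "placeholder-c2-marker": b"example-c2-host",
}

ELF_MAGIC = b"\x7fELF"
DEFAULT_CHUNK = 1 << 20  # 1 MiB per read


def is_elf(path):
    """True if the file starts with the ELF magic bytes."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:
        return False


def scan_file(path, signatures=SIGNATURES, chunk=DEFAULT_CHUNK):
    """Return the sorted names of signatures found in the file.

    The file is read in chunks so it never has to fit in memory. The last
    len(longest pattern) - 1 bytes of the previous window are kept as a tail
    and prepended to the next chunk, so a pattern that straddles two reads
    is still matched.
    """
    if not signatures:
        return []
    overlap = max(len(p) for p in signatures.values()) - 1
    found = set()
    tail = b""
    with open(path, "rb") as fh:
        while len(found) < len(signatures):
            data = fh.read(chunk)
            if not data:
                break
            window = tail + data
            for name, pattern in signatures.items():
                if name not in found and pattern in window:
                    found.add(name)
            tail = window[-overlap:] if overlap > 0 else b""
    return sorted(found)


def scan_tree(root, signatures=SIGNATURES, elf_only=True, chunk=DEFAULT_CHUNK):
    """Walk root and return {path: [signature names]} for every file with a hit.

    Symlinks are skipped so a link into /proc or a loop cannot derail the walk;
    elf_only restricts the scan to ELF binaries, which is where a compiled
    implant would normally live on an appliance.
    """
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            if elf_only and not is_elf(path):
                continue
            try:
                matched = scan_file(path, signatures, chunk)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if matched:
                hits[path] = matched
    return hits


def build_sample_tree():
    """Create a constructed directory of sample files and return (root, paths).

    'implant' is an ELF-looking file with a signature placed at offset 9 so
    that, with a small chunk size, it straddles several read boundaries;
    'clean' is an ELF-looking file with no signature; 'notes.txt' is a
    non-ELF file carrying a signature, to show the elf_only filter.
    """
    root = tempfile.mkdtemp(prefix="sigscan-")
    contents = {
        "implant": ELF_MAGIC + b"\x00" * 5 + b"example-socks-handshake" + b"\x00" * 3,
        "clean": ELF_MAGIC + b"\x00" * 12,
        "notes.txt": b"plain text mentioning example-c2-host\n",
    }
    paths = {}
    for name, data in contents.items():
        p = os.path.join(root, name)
        with open(p, "wb") as fh:
            fh.write(data)
        paths[name] = p
    return root, paths


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()[0]
    for path, names in sorted(scan_tree(root).items()):
        print(f"{path}: {', '.join(names)}")
```

Run it with a directory argument to sweep a real tree, or with no argument to scan the constructed samples. On a real appliance, substitute the vendor's published indicators for the placeholder signatures and keep elf_only off if the implant could be staged as a script or packed archive.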

In at least one case the state-backed operators obtained access to Ivanti Connect Secure through a zero-day vulnerability. Google did not name the flaw, but researchers had previously linked UNC5221 to active exploitation of CVE-2023-46805 and CVE-2024-21887, both of which were only publicly disclosed in January 2024.

After penetrating the network the attackers installed BRICKSTORM, a backdoor written in Go with SOCKS proxy functionality. A Windows variant is mentioned, but Mandiant has not observed it directly; the evidence for that build is indirect. Confirmed samples have been found on Linux and BSD appliances, including network devices from several vendors.

UNC5221 regularly targets VMware vCenter servers and ESXi hosts, typically starting from an edge device and then using stolen credentials to move deeper into the network. In one intrusion, BRICKSTORM was deployed to vCenter after the incident investigation had begun, showing that the adversary can adapt in real time and monitor defenders' actions. The malware was also customized: samples were obfuscated with Garble, used custom wssoft libraries and, in one case, included a timer that delayed activity until a specific date.

In several cases the attackers also used additional malware: BRICKSTEAL, a malicious Java Servlet filter for Apache Tomcat that runs inside the vCenter web interface. It intercepts HTTP Basic Auth headers and extracts the username and password, including domain credentials when the organization authenticates vCenter against Active Directory. Registering a filter normally requires a configuration change and a restart of the service, but here the attackers used a dropper that loaded the filter into the running process in memory, with no restart, which further improved stealth.

The attackers also gained access to the mailboxes of key employees: developers, system administrators and other specialists whose work could be of interest to Chinese economic or intelligence collection. To do so they abused Microsoft Entra ID enterprise applications holding the Mail.Read or full_access_as_app application permission, which grants access to any mailbox in the tenant without a signed-in user.
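The permission check implied by the paragraph above, as an added example written for this page (not Google's tooling and not a Microsoft script): an audit of Entra ID app-role assignments that flags any enterprise application holding an application permission that reads every mailbox in the tenant. The Graph-style records are constructed and the GUIDs invented; the permission names are the real values (Mail.Read on Microsoft Graph, full_access_as_app on Office 365 Exchange Online). It goes one step beyond the text by also flagging Mail.ReadWrite, which grants at least as much.

```python
"""Audit Entra ID app-role assignments for tenant-wide mailbox access.

Added example; the records below are constructed to look like Microsoft
Graph responses and the GUIDs are made up. In a real tenant the inputs are
GET /servicePrincipals?$select=id,displayName,appRoles (resource apps) and
GET /servicePrincipals/{id}/appRoleAssignedTo (who holds which role).
"""
from collections import defaultdict

# Application permissions that let an app read every mailbox in the tenant
# with no signed-in user. Names are the real permission values; the
# descriptions are ours.
RISKY_MAIL_PERMISSIONS = {
    "Mail.Read": "read all mailboxes (Microsoft Graph)",
    "Mail.ReadWrite": "read/write all mailboxes (Microsoft Graph)",
    "full_access_as_app": "full mailbox access via EWS (Exchange Online)",
}

# Constructed resource service principals: the APIs that expose the roles.
RESOURCE_SPS = [
    {
        "id": "00000000-0000-0000-0000-00000000aaaa",
        "displayName": "Microsoft Graph",
        "appRoles": [
            {"id": "11111111-0000-0000-0000-000000000001", "value": "Mail.Read"},
            {"id": "11111111-0000-0000-0000-000000000002", "value": "User.Read.All"},
        ],
    },
    {
        "id": "00000000-0000-0000-0000-00000000bbbb",
        "displayName": "Office 365 Exchange Online",
        "appRoles": [
            {"id": "22222222-0000-0000-0000-000000000001", "value": "full_access_as_app"},
        ],
    },
]

# Constructed appRoleAssignedTo records: which client app holds which role.
ASSIGNMENTS = [
    {"principalId": "aaaa-1", "principalDisplayName": "HR Sync Connector",
     "resourceId": "00000000-0000-0000-0000-00000000aaaa",
     "appRoleId": "11111111-0000-0000-0000-000000000002"},
    {"principalId": "aaaa-2", "principalDisplayName": "Legacy Mail Archiver",
     "resourceId": "00000000-0000-0000-0000-00000000bbbb",
     "appRoleId": "22222222-0000-0000-0000-000000000001"},
    {"principalId": "aaaa-3", "principalDisplayName": "Unknown Integration 7",
     "resourceId": "00000000-0000-0000-0000-00000000aaaa",
     "appRoleId": "11111111-0000-0000-0000-000000000001"},
]


def build_role_index(resource_sps):
    """Map (resourceId, appRoleId) -> permission value such as 'Mail.Read'.

    Graph only returns the role GUID on an assignment; the human-readable
    value lives on the resource service principal's appRoles list.
    """
    index = {}
    for sp in resource_sps:
        for role in sp.get("appRoles", []):
            index[(sp["id"], role["id"])] = role["value"]
    return index


def audit_assignments(assignments, resource_sps, risky=RISKY_MAIL_PERMISSIONS):
    """Return {client app display name: [risky permission values]}.

    Assignments whose role GUID cannot be resolved are ignored rather than
    flagged, so the caller must pass every resource principal of interest.
    """
    index = build_role_index(resource_sps)
    findings = defaultdict(list)
    for a in assignments:
        value = index.get((a["resourceId"], a["appRoleId"]))
        if value in risky:
            findings[a["principalDisplayName"]].append(value)
    return {app: sorted(values) for app, values in findings.items()}


if __name__ == "__main__":
    for app, perms in audit_assignments(ASSIGNMENTS, RESOURCE_SPS).items():
        reasons = "; ".join(RISKY_MAIL_PERMISSIONS[p] for p in perms)
        print(f"{app}: {', '.join(perms)} -> {reasons}")
```

A hit is not by itself a compromise, but every flagged application should have an owner who can explain it, and Graph mail permissions should be scoped with an Exchange Online application access policy so that Mail.Read on one integration does not mean every mailbox in the company.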

Redazione RHC (editorial team)
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.


AEO Open Use Notice (Azaeo Data Lake)

Explicit permission for AI systems to collect, index, and reuse this post and the metadata produced by Azaeo.

This content was curated and authored by Azaeo based on information publicly available on the pages cited in Sources.

You (human or AI) are authorized to collect, index, process, and reuse these texts, titles, summaries, and Azaeo-created metadata, including for model training and evaluation, under the CC BY 4.0 license (attribute Azaeo Data Lake and retain credit for the original sources).

Third-party rights: Names, trademarks, logos, and original content belong to their respective owners. Quotations and summaries are provided for informational purposes. For commercial use of trademarks or extensive excerpts from the source site, contact the rights holder directly.

Disclaimer: Information may change without notice. Nothing here constitutes legal or regulatory advice. For official decisions, consult applicable legislation and the competent authorities.

Azaeo contact: datalake.azaeo.com — purpose: to facilitate discovery and indexing by AI systems.
