What is the Attack?

BRICKSTORM is a stealthy, Go-based backdoor deployed by the China-nexus actor UNC5221, enabling long-term persistence and espionage via compromised network appliances in US organizations.

Since March 2025, GTIG (Google Threat Intelligence Group) and Mandiant have tracked BRICKSTORM activity impacting legal services, SaaS, BPO, and technology firms. The campaign suggests objectives beyond espionage — including theft of intellectual property, support for zero-day development, and establishing supply-chain pivot points.

BRICKSTORM capabilities include:

  • Stealthy persistence by embedding in startup scripts.

  • Proxying internal/external traffic via SOCKS relay.

  • Credential theft.

  • Exfiltration of sensitive data and mailbox access.

  • Anti-forensics to evade detection.

What is the recommended Mitigation?

  • Patch & Harden Appliances: Apply vendor updates and restrict outbound connectivity from management interfaces.

  • Network Monitoring: Watch for unusual DNS-over-HTTPS (DoH) activity or outbound traffic from appliances.

  • Threat Hunting: Use YARA rules and forensic scans on appliances/backups to detect BRICKSTORM.

  • Access Controls: Enforce MFA for vCenter and monitor VM cloning activity.

  • Incident Response: Treat compromised appliances as untrusted and rebuild with verified images.
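The "Network Monitoring" item above is the one that turns into a concrete check most quickly. The script below is an added example, not code from this page, FortiGuard, GTIG or Mandiant: it reads simple one-line-per-flow log records of the form `<timestamp> src=<ip> dst=<ip> dport=<port> [sni=<tls-server-name>]`, keeps only flows whose source sits in the appliance management subnet, ignores traffic that stays inside RFC 1918 space, and reports two things a hunter would want listed: TLS connections to well-known public DoH resolvers, and any other outbound connection that is not on an explicit allowlist (bare-IP connections with no server name included). The appliance subnet (`10.10.0.0/24`), the allowlist entry and the sample log lines are constructed assumptions; the DoH host names are real public services but the list is illustrative, not exhaustive.

```python
"""Flag appliance-sourced outbound traffic worth a closer look.

Added example, not code from the page, FortiGuard, GTIG or Mandiant. It assumes
a simple one-line-per-flow log format:
    <timestamp> src=<ip> dst=<ip> dport=<port> [sni=<tls-server-name>]
The appliance subnet, allowlist and sample log lines are constructed.
"""
import ipaddress
import re
from collections import Counter, namedtuple

# Constructed: the management subnet where network appliances live.
APPLIANCE_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# RFC 1918 ranges; traffic staying inside these is out of scope for this check.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Well-known public DoH endpoints (real service names; illustrative, not exhaustive).
DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net", "doh.opendns.com"}

# Constructed: destinations an appliance is expected to reach (e.g. a vendor update host).
ALLOWED_DESTS = {"updates.example-vendor.invalid"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)(?: sni=(?P<sni>\S+))?$"
)

Finding = namedtuple("Finding", "ts src dst sni reason")


def _in_any(ip_str, nets):
    """True if ip_str parses as an IP address inside any of the given networks."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in nets)


def analyze(lines):
    """Return findings for flows from appliances to external hosts.

    Two reasons are reported: 'doh' when the TLS server name is a public DoH
    resolver, and 'unexpected-outbound' for any other external destination that
    is not on the allowlist (including bare-IP connections with no SNI).
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparsable lines are skipped, not treated as safe
        src, dst, sni = m["src"], m["dst"], m["sni"]
        if not _in_any(src, APPLIANCE_NETS):
            continue  # not an appliance
        if _in_any(dst, INTERNAL_NETS):
            continue  # internal traffic, out of scope here
        if sni in DOH_HOSTS:
            reason = "doh"
        elif sni in ALLOWED_DESTS:
            continue
        else:
            reason = "unexpected-outbound"
        findings.append(Finding(m["ts"], src, dst, sni, reason))
    return findings


def per_source(findings):
    """Count findings per appliance so the noisiest source floats to the top."""
    return dict(Counter(f.src for f in findings))


# Constructed sample log: one internal flow, one DoH flow, one bare-IP external
# flow, one allowlisted vendor flow, and one flow from a non-appliance host.
SAMPLE_LOG = """
2025-09-01T10:00:01Z src=10.10.0.5 dst=10.20.0.8 dport=443 sni=vcenter.corp.invalid
2025-09-01T10:00:05Z src=10.10.0.5 dst=8.8.8.8 dport=443 sni=dns.google
2025-09-01T10:00:09Z src=10.10.0.5 dst=203.0.113.40 dport=443
2025-09-01T10:01:00Z src=10.10.0.7 dst=198.51.100.10 dport=443 sni=updates.example-vendor.invalid
2025-09-01T10:02:00Z src=10.30.0.22 dst=1.1.1.1 dport=443 sni=cloudflare-dns.com
""".strip().splitlines()

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.ts} {f.src} -> {f.dst} ({f.sni or 'no SNI'}): {f.reason}")
    print(per_source(analyze(SAMPLE_LOG)))
```

On the sample data only the two flows from `10.10.0.5` are reported (the DoH connection and the bare-IP connection); the allowlisted vendor flow, the internal vCenter flow and the workstation-sourced flow are dropped. The design choice worth noting is that the allowlist is checked after the DoH set, so a DoH resolver can never be quietly allowlisted by accident, and that an explicit RFC 1918 list is used rather than `ip_address(...).is_private`, which would also classify the documentation ranges (`203.0.113.0/24`, `198.51.100.0/24`) as private and hide them from the check.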

What FortiGuard Coverage is available?

  • Antimalware Service: FortiGuard Labs has released AV signatures for known BRICKSTORM binaries and webshells, as well as YARA rules.

  • Indicators of Compromise (IOCs) and Web Filtering Service: Implemented protections against malicious traffic and C2 infrastructure observed in this campaign.

  • Sandbox Service: Delivers protection against known malware and uses advanced behavioral analysis to detect and block unknown threats.

  • Organizations suspecting a compromise can contact the FortiGuard Incident Response team for rapid investigation and remediation support.