{
	"id": "2523aa82-2296-4c50-af63-8014bb2f799d",
	"created_at": "2026-04-29T02:21:28.181374Z",
	"updated_at": "2026-04-29T08:23:02.303609Z",
	"deleted_at": null,
	"sha1_hash": "0655891aaac49b3f56b9cbbb49343a1e1dc938f9",
	"title": "BRICKSTORM Malware: UNC5221 Targets Tech and Legal Sectors in the United States",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 58059,
	"plain_text": "BRICKSTORM Malware: UNC5221 Targets Tech and Legal\r\nSectors in the United States\r\nBy Huseyin Can YUCEEL\r\nPublished: 2025-09-25 · Archived: 2026-04-29 02:10:20 UTC\r\nState-sponsored threat actors that specialize in cyber espionage operate with silence as their defining trait. Their\r\naim is not disruption but invisibility. They infiltrate systems quietly, establish persistence that blends into normal\r\noperations, and exfiltrate valuable data without raising alarms.\r\nBRICKSTORM embodies this approach. First identified in March 2025, the backdoor has been leveraged by the\r\ncluster tracked as UNC5221, designed to persist in environments for months at a time while providing operators\r\nwith stealthy, long-term access. With average dwell times extending nearly a year, BRICKSTORM has\r\nsuccessfully exfiltrated data from legal services, SaaS providers, and technology organizations in the United\r\nStates.\r\nIn this blog post, we explain the Tactics, Techniques, and Procedures (TTPs) used by UNC5221 and how\r\norganizations can defend themselves against BRICKSTORM malware attacks.\r\nSimulate Malware Threats with 14-Day Free Trial of Picus Platform\r\nBrickstorm Malware Explained\r\nBRICKSTORM malware is a cross-platform backdoor attributed to the UNC5221 cluster, a China-nexus APT.\r\nWritten in Go and tailored for appliance and management software environments, the backdoor has variants that\r\nrun on Linux, Windows, and BSD-based devices. BRICKSTORM provides a SOCKS proxy that lets operators\r\ntunnel into internal networks for interactive access and file retrieval, and it accepts web-based commands,\r\nexecuting them on the host and returning output via HTTP responses. 
Operators routinely modify and obfuscate\r\nsamples (often using Garble) and sometimes embed delayed-start logic so deployed implants remain dormant\r\nuntil after incident responders have left, a tactic that increases the likelihood of long-term, undetected persistence.\r\nUNC5221 mainly targets legal services, Software-as-a-Service providers, business process outsourcers, and\r\ntechnology firms. These verticals provide rich intelligence, access to downstream customers, and intellectual\r\nproperty useful for further exploit development. Initial access is often linked to compromise of perimeter or\r\nremote-access appliances. Once on an appliance, the actor leverages BRICKSTORM for persistent remote access\r\nand uses the malware's SOCKS proxy to reach internal web applications, code repositories, and file shares directly\r\nfrom their workstation. The operator's lateral movement is typically credential-driven. They harvest or extract\r\ncredentials from appliances, password vaults, or intercepted web authentication flows and then use those\r\nlegitimate credentials to access vCenter/ESXi and Windows systems. A recurring and notable operational\r\ntechnique is cloning sensitive virtual machines in vCenter, mounting the clone offline to extract credential stores\r\nsuch as ntds.dit, and then deleting the clone to minimize detection risk.\r\nhttps://www.picussecurity.com/resource/blog/brickstorm-malware-unc5221-targets-tech-and-legal-sectors-in-the-united-states\r\nPage 1 of 6\n\nTTPs Used by BRICKSTORM Malware and the UNC5221 Group\r\nInitial Access\r\nT1190 Exploit Public-Facing Application\r\nBRICKSTORM intrusions frequently begin with the compromise of edge appliances and other public-facing\r\nmanagement interfaces. In at least one documented case, the actor exploited a vulnerability in an appliance to gain\r\nan initial foothold. 
Exploiting appliances is a recurring pattern because management-plane devices often lack\r\nstandard endpoint telemetry and are retained longer than ordinary servers. This makes appliance exploitation an\r\nattractive vector for a stealthy operator who wants silent, persistent entry. \r\nExecution\r\nT1059 Command and Scripting Interpreter\r\nOnce deployed, BRICKSTORM can accept web-based commands and execute arbitrary OS commands, returning\r\nthe command output in HTTP responses. The backdoor's ability to run commands via HTTP gives operators\r\ninteractive control without needing interactive shells that endpoint tools more readily detect, enabling hands-on\r\ninvestigation, data collection, and targeted actions while remaining difficult to observe from standard host\r\ntelemetry. \r\nPersistence\r\nT1505.003 Server Software Component: Web Shell\r\nIn virtual infrastructure, threat actors installed an in-memory Java Servlet filter called BRICKSTEAL into\r\nvCenter's Tomcat to intercept and decode web authentication flows and harvest credentials. 
Because the filter is loaded in\r\nmemory and drops no obvious new files, file-based detection misses it, and it gives stealthy, long-lived\r\naccess to the management interface for as long as the service runs; an in-memory filter does not by itself survive a\r\nTomcat restart, so the on-disk persistence described next matters for the long dwell times.\r\nT1547 Boot or Logon Autostart Execution\r\nUNC5221 establishes persistence by modifying startup scripts or systemd units so the implant survives reboots. The\r\nfirst command below inserts a line that launches the implant right after the TEXTDOMAIN export in the VAMI\r\nlighttpd init script; the second appends a SETCOLOR_WARNING assignment to /etc/sysconfig/init whose backtick\r\nsubstitution runs the implant whenever that file is sourced by the init scripts at boot (shown with shell quoting;\r\n/path/to/brickstorm stands for the implant's actual location).\r\nsed -i 's/export TEXTDOMAIN=vami-lighttp/export TEXTDOMAIN=vami-lighttp\\n\\/path\\/to\\/brickstorm/g' /opt/vmware/etc/init.d/vami-lighttp\r\nsed -i '$a\\SETCOLOR_WARNING=\"echo -en `/path/to/brickstorm`\\\\033[0;33m\"' /etc/sysconfig/init\r\nCredential Access \u0026 Privilege Escalation\r\nT1555 Credentials from Password Stores\r\nUNC5221 operators actively target centralized secret stores and password vaults to harvest high-value credentials.\r\nAfter gaining access to management infrastructure, they move to systems where credentials are aggregated, and\r\nthey extract or decrypt vault contents to obtain service accounts and privileged credentials. This approach yields\r\nbroad access while minimizing noisy behaviors on endpoints. Threat actors commonly target the following\r\npassword stores:\r\nBrowser profile paths: %appdata%\\Mozilla\\Firefox\\Profiles\r\nAppdata locations used to store session tokens: Users\\\u003cusername\u003e\\.azure\\\r\nWindows credential vault: %localappdata%\\Microsoft\\Credentials\r\nData Protection API (DPAPI) keys: %appdata%\\Microsoft\\Protect\\\u003cSID\u003e\\\r\nT1003 OS Credential Dumping\r\nUNC5221 has used virtualization management capabilities to clone critical VMs, mount the clones offline, and\r\nextract credential stores such as ntds.dit. 
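A correlation check for the clone-then-delete sequence, added here as an example rather than taken from the Picus post or the incident reporting it summarizes: it walks vCenter events in time order, remembers clones whose source is a VM on a site-specific sensitive list, and raises an alert when such a clone is removed within a short window, or is never removed at all. The event type names VmClonedEvent and VmRemovedEvent are vSphere's own; the record layout, the sample events and the sensitive-VM list are constructed for the example.

```python
# Added example (not code from the Picus post or from the incident reporting it
# summarizes): correlate vCenter events to catch a sensitive VM being cloned and
# the clone deleted shortly afterwards, the pattern used for offline ntds.dit theft.
# VmClonedEvent / VmRemovedEvent are vSphere event type names; the record layout,
# the sample events and the sensitive-VM list are constructed for this example.
from datetime import datetime, timedelta

# (timestamp, event type, VM the event is about, source VM for clones, user)
SAMPLE_EVENTS = [
    ('2025-06-01T01:55:10', 'VmClonedEvent',  'DC01-clone', 'DC01',    'svc-backup@vsphere.local'),
    ('2025-06-01T02:40:03', 'VmRemovedEvent', 'DC01-clone', '',        'svc-backup@vsphere.local'),
    ('2025-06-01T09:12:44', 'VmClonedEvent',  'WEB07-test', 'WEB07',   'alice@corp.example'),
    ('2025-06-03T10:00:00', 'VmRemovedEvent', 'WEB07-test', '',        'alice@corp.example'),
    ('2025-06-02T23:10:00', 'VmClonedEvent',  'tmp-x9',     'VAULT01', 'svc-backup@vsphere.local'),
]

# Site-specific list of VMs whose disks hold credential stores (assumed inventory).
SENSITIVE_VMS = {'DC01', 'DC02', 'VAULT01'}


def find_clone_and_delete(events, sensitive_vms, window=timedelta(hours=24)):
    '''Return one alert per clone of a sensitive VM that was deleted within
    window, plus one per such clone that is still present at the end of the log.'''
    pending = {}   # clone name -> (clone time, source VM, user)
    alerts = []
    # ISO-8601 timestamps sort correctly as plain strings
    for ts, kind, vm, source, user in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        if kind == 'VmClonedEvent' and source in sensitive_vms:
            pending[vm] = (when, source, user)
        elif kind == 'VmRemovedEvent' and vm in pending:
            cloned_at, source, user = pending.pop(vm)
            age = when - cloned_at
            # a clone deleted long after creation is treated as an ordinary long-lived clone
            if age <= window:
                alerts.append({
                    'clone': vm, 'source': source, 'user': user,
                    'lifetime_minutes': int(age.total_seconds() // 60),
                    'reason': 'clone of sensitive VM deleted within window',
                })
    # A clone that still exists may be mid-extraction; report it as well.
    for vm, (cloned_at, source, user) in pending.items():
        alerts.append({
            'clone': vm, 'source': source, 'user': user,
            'lifetime_minutes': None,
            'reason': 'clone of sensitive VM still present',
        })
    return alerts


if __name__ == '__main__':
    for alert in find_clone_and_delete(SAMPLE_EVENTS, SENSITIVE_VMS):
        print(alert)
```

In practice the records would come from the vCenter event manager or a syslog export; tune the window to how long a legitimate test clone lives at your site, and treat the offline mount itself (a clone's disk attached to a different VM) as a second, independent signal.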
By operating against an offline clone, the actor avoids endpoint controls\r\nand behavioral detections that would trigger on the production host, while still obtaining the same high-value\r\nauthentication artifacts like password hashes and cached credentials. After VM cloning and offline extraction,\r\nthreat actors attempted to remove forensic traces.\r\nLateral Movement\r\nT1021.004 Remote Services: SSH\r\nUNC5221 frequently uses SSH to move between appliances and management hosts. After compromising valid\r\naccounts, operators connect over SSH from compromised appliances to vCenter, ESXi hosts, and other internal\r\nsystems to copy files, install tools, and execute commands without spawning obvious interactive shells on\r\nendpoints. In several incidents, the actor enabled SSH remotely via vCenter's VAMI interface, created short-lived\r\nlocal accounts to stage payloads or perform configuration changes, and then removed those accounts to reduce\r\nforensic artifacts. These actions blend into normal administrative operations and reduce the opportunity for\r\ndetection in environments where SSH is a legitimate management channel.\r\nDefense Evasion\r\nT1027 Obfuscated Files or Information\r\nBRICKSTORM malware variants are routinely obfuscated and modified for each victim to bypass signature-based\r\ndetection and static analysis. Operators build Go binaries with obfuscation tooling and strip identifying strings or\r\nsymbols so that malware appearing on disk does not match known indicators. They also design workflows that\r\nminimize disk-resident artifacts like staging or executing components in memory, removing installer files after\r\nexecution, and hiding functionality inside legitimate management processes. 
The combination of per-victim binary\r\nvariations and in-memory techniques makes detection by traditional file-hash or string-based signatures\r\nunreliable.\r\nCommand and Control\r\nT1071.001 Application Layer Protocol: Web Protocols\r\nBRICKSTORM uses common web protocols to blend command-and-control traffic into routine HTTPS activity,\r\nmaking network-based detection more difficult. The implant periodically issues web requests to third-party\r\nplatforms and developer hosting services and accepts commands and payloads over HTTP/HTTPS, which allows\r\noperators to hide malicious exchanges inside apparently normal encrypted web traffic. The backdoor's SOCKS\r\nproxy capability further amplifies this effect by allowing an operator's workstation to route through the\r\ncompromised appliance and interact directly with internal services, turning the victim into a pivot point for deeper\r\noperations while all outward traffic looks like ordinary web connections.\r\nT1071.004 Application Layer Protocol: DNS (used here as DNS over HTTPS)\r\nAs an additional layer of stealth, BRICKSTORM has been observed using DNS over HTTPS (DoH) to resolve\r\ncommand-and-control infrastructure and to obscure DNS activity from traditional DNS inspection. DoH\r\nencapsulates DNS queries in HTTPS, which both encrypts resolution traffic and allows it to blend with normal\r\nweb browsing flows, complicating detection and blocking efforts that rely on plain DNS visibility. 
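One way to surface the DoH behaviour described above from proxy or TLS-inspection logs, added as an example and not code from the post: it flags DNS-over-HTTPS traffic originating from hosts that should only ever talk to the internal resolver, and separately marks resolvers outside the public list, since a private DoH front on a hosting platform such as Cloudflare Workers would otherwise pass unnoticed. The log layout, the sample records and the server inventory are constructed for the example; the resolver list is a starting point, not an exhaustive one.

```python
# Added example (not code from the Picus post): flag DNS-over-HTTPS from hosts
# that should only use the internal resolver, such as appliances and management
# servers, and mark resolvers that are not well-known public DoH endpoints.
# The log layout, the sample records and the server inventory are constructed
# for this example; the resolver list is a starting point, not exhaustive.
KNOWN_DOH_HOSTS = {'dns.google', 'cloudflare-dns.com', 'one.one.one.one',
                   'mozilla.cloudflare-dns.com', 'dns.quad9.net'}
DOH_PATHS = {'/dns-query', '/resolve'}   # RFC 8484 path and the Google JSON API path

# Constructed proxy / TLS-inspection records:
# (source host, destination host, method, path, request or response content type)
SAMPLE_LOG = [
    ('10.0.5.20', 'cloudflare-dns.com', 'POST', '/dns-query', 'application/dns-message'),
    ('10.0.5.20', 'cloudflare-dns.com', 'POST', '/dns-query', 'application/dns-message'),
    ('10.0.5.20', 'api.github.com', 'GET', '/repos/acme/infra', 'application/json'),
    ('10.0.9.4', 'dns.google', 'GET', '/resolve?name=example.com', 'application/dns-json'),
    ('10.1.1.15', 'dns.google', 'GET', '/dns-query', 'application/dns-message'),
    ('10.0.5.21', 'doh-front.example.workers.dev', 'POST', '/dns-query', 'application/dns-message'),
]

# Hosts with no business doing DoH: vCenter, a perimeter appliance, a jump host (assumed inventory).
SERVER_HOSTS = {'10.0.5.20', '10.0.5.21', '10.0.9.4'}


def is_doh(dst, path, content_type):
    '''True when any single signal says DoH: the media type, a known resolver, or the RFC 8484 path.'''
    path_only = path.split('?')[0]
    return (content_type.startswith('application/dns-')
            or dst in KNOWN_DOH_HOSTS
            or path_only in DOH_PATHS)


def find_doh_from_servers(log, server_hosts):
    '''Map each server host seen doing DoH to a request count, the resolvers it used and
    whether any resolver is outside the known public list (a private front is the stronger signal).'''
    findings = {}
    for src, dst, method, path, content_type in log:
        if src not in server_hosts or not is_doh(dst, path, content_type):
            continue
        entry = findings.setdefault(src, {'count': 0, 'resolvers': set(), 'unknown_resolver': False})
        entry['count'] += 1
        entry['resolvers'].add(dst)
        if dst not in KNOWN_DOH_HOSTS:
            entry['unknown_resolver'] = True
    return findings


if __name__ == '__main__':
    for host, entry in sorted(find_doh_from_servers(SAMPLE_LOG, SERVER_HOSTS).items()):
        print(host, entry)
```

Workstations with browser-level DoH enabled will show up constantly, which is why the check is scoped to the server inventory; for the rest of the fleet the useful question is not whether DoH occurs but whether a host suddenly starts using a resolver nobody else in the estate talks to.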
Operators\r\ncombine DoH with shifting, ephemeral infrastructure like Cloudflare Workers, Heroku, and commercial VPN exit\r\nnodes so that domain resolution and subsequent C2 connections look like routine encrypted web traffic, further\r\nreducing the signal available to defenders.\r\nExfiltration\r\nT1041 Exfiltration Over C2 Channel\r\nBRICKSTORM operators move stolen data out of victim environments using the same covert channels they use\r\nfor command and control so that exfiltration traffic blends with otherwise normal encrypted web connections.\r\nBRICKSTORM's SOCKS proxy pivots the operator's workstation into the target network, and files are then pulled\r\ndirectly from internal shares, code repositories, or endpoints through that tunnel. Since the transfer appears to\r\noriginate from an internal management appliance, it can look like legitimate administrative traffic. Operators also\r\nlayer additional obfuscation by routing egress through commercial VPN providers or ephemeral third-party\r\nplatforms to decouple victims from consistent domains and frustrate IP/domain-based blocking.\r\nIn parallel, the group has abused Microsoft Entra enterprise-app permissions like mail.read and\r\nfull_access_as_app to collect mailbox contents at scale, which is a form of high-volume, targeted data extraction\r\nthat bypasses host-level file transfers entirely.\r\nHow Picus Helps Simulate UNC5221 and BRICKSTORM Backdoor Attacks\r\nWe strongly suggest simulating the UNC5221 and BRICKSTORM backdoor attacks to test the\r\neffectiveness of your security controls against sophisticated cyber attacks using the Picus Security Validation\r\n
You can also test your defenses against other malware attacks, such as XZ Utils backdoor,\r\nAndroxgh0st, and StealC, within minutes with a 14-day free trial of the Picus Platform.\r\nPicus Threat Library includes the following threats for UNC5221 and BRICKSTORM backdoor attacks:\r\nThreat ID Threat Name Attack Module\r\n61516 UNC5221 Threat Group Campaign Linux Endpoint\r\n81651 UNC5221 Threat Group Campaign Malware Download Threat Network Infiltration\r\n38486 UNC5221 Threat Group Campaign Malware Email Threat Email Infiltration (Phishing)\r\n95424 BRICKSTORM Backdoor Malware Download Threat  Network Infiltration\r\n85776 BRICKSTORM Backdoor Malware Email Threat Email Infiltration (Phishing)\r\nPicus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to\r\naddress UNC5221 and BRICKSTORM backdoor and other ransomware attacks in preventive security controls.\r\nCurrently, Picus Labs has validated the following signatures for UNC5221 and BRICKSTORM backdoor:\r\nSecurity Control Signature ID Signature Name\r\nCheck Point NGFW 0B789E2F7 Backdoor.Win32.Tesdat.TC.b847onmJ\r\nCheck Point NGFW 0BB84904E Backdoor.Linux.BrickStorm.TC.4310JXYu\r\nCheck Point NGFW 09698A46C Backdoor.Linux.BrickStorm.TC.201bYxCy\r\nCisco FirePower   Elf.Rootkit.RESURGE.tii.Talos\r\nForcepoint NGFW File_Malware-Blocked \r\nhttps://www.picussecurity.com/resource/blog/brickstorm-malware-unc5221-targets-tech-and-legal-sectors-in-the-united-states\r\nPage 5 of 6\n\nFortiGate AV 10210769 Linux/Agent.AHD!tr\r\nFortiGate NGFW 10232948 ELF/Agent.D041!tr\r\nFortiGate NGFW 10232947 ELF/Agent.1FCC!tr\r\nPalo Alto 710626769 trojan/Linux.apitw.a\r\nTrellix 0x4840c900 MALWARE: Malicious File Detected by GTI\r\nStart simulating emerging threats today and get actionable mitigation insights with a  14-day free trial  of the\r\nPicus Security Validation Platform.\r\nSource: 
https://www.picussecurity.com/resource/blog/brickstorm-malware-unc5221-targets-tech-and-legal-sectors-in-the-united-states",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.picussecurity.com/resource/blog/brickstorm-malware-unc5221-targets-tech-and-legal-sectors-in-the-united-states"
	],
	"report_names": [
		"brickstorm-malware-unc5221-targets-tech-and-legal-sectors-in-the-united-states"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-29T06:58:57.722959Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b2e48aa5-0dea-4145-a7e5-9a0f39d786d8",
			"created_at": "2024-01-18T02:02:34.643994Z",
			"updated_at": "2026-04-29T06:58:58.254021Z",
			"deleted_at": null,
			"main_name": "UNC5221",
			"aliases": [
				"UNC5221",
				"UTA0178"
			],
			"source_name": "ETDA:UNC5221",
			"tools": [
				"BRICKSTORM",
				"GIFTEDVISITOR",
				"GLASSTOKEN",
				"LIGHTWIRE",
				"PySoxy",
				"THINSPOOL",
				"WARPWIRE",
				"WIREFIRE",
				"ZIPLINE"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6ce34ba9-7321-4caa-87be-36fa99dfe9c9",
			"created_at": "2024-01-12T02:00:04.33082Z",
			"updated_at": "2026-04-29T06:58:56.751454Z",
			"deleted_at": null,
			"main_name": "UTA0178",
			"aliases": [
				"Red Dev 61",
				"UNC5221"
			],
			"source_name": "MISPGALAXY:UTA0178",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-29T06:58:57.625783Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-29T06:58:58.175809Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1777429288,
	"ts_updated_at": 1777450982,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0655891aaac49b3f56b9cbbb49343a1e1dc938f9.pdf",
		"text": "https://archive.orkl.eu/0655891aaac49b3f56b9cbbb49343a1e1dc938f9.txt",
		"img": "https://archive.orkl.eu/0655891aaac49b3f56b9cbbb49343a1e1dc938f9.jpg"
	}
}