{
	"id": "1a0e3e0b-a557-4d22-b805-719ca63f5321",
	"created_at": "2026-04-29T02:21:37.851564Z",
	"updated_at": "2026-04-29T08:21:29.121643Z",
	"deleted_at": null,
	"sha1_hash": "15bd845a910e1512d6432c27f88ccd80751be13d",
	"title": "Resecurity | F5 BIG-IP Source Code Leak Tied to State-Linked Campaigns Using BRICKSTORM Backdoor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 659625,
	"plain_text": "Resecurity | F5 BIG-IP Source Code Leak Tied to State-Linked\r\nCampaigns Using BRICKSTORM Backdoor\r\nPublished: 2025-10-22 · Archived: 2026-04-29 02:06:35 UTC\r\nOverview\r\nThe China-nexus threat cluster UNC5221 is actively targeting organizations that deploy F5 BIG-IP, following a confirmed breach of F5 in which a nation-state actor stole internal development data, including portions of BIG-IP source code and information on undisclosed vulnerabilities. On October 15, 2025, CISA issued Emergency Directive ED-26-01, warning of an imminent threat to federal networks and ordering urgent inventory, hardening, and patching of affected F5 devices. Possession of the source code and vulnerability data raises the risk of rapid 0-day discovery and weaponization against internet-exposed management services.\r\nF5 disclosed that it discovered the attackers on its systems on August 9, 2025 and, as reported by Bloomberg, told customers that the intruders had been present in the company’s network for at least 12 months. The announcement followed authorization from the U.S. Department of Justice, which allowed F5 to delay public disclosure of the breach under Item 1.05(c) of Form 8-K because of ongoing law-enforcement considerations.\r\nThe vendor stated that it is not aware of any undisclosed critical or remote code execution vulnerabilities that could have been exploited by the attackers, and that there is no evidence any non-public flaws were used in actual attacks. That statement covers vulnerabilities F5 already knows about; the stolen vulnerability information is exactly what could let a third party find flaws F5 has not yet fixed.\r\nAccording to the 8-K form filed with the Securities and Exchange Commission, the company first became aware of unauthorized access on August 9 and initiated standard incident response measures, including enlisting external cybersecurity consultants. 
In September, the Department of Justice permitted F5 to withhold public disclosure of the breach, a delay the rule allows when disclosure is determined to pose a substantial risk to national security or public safety.\r\nTechnical Details\r\nResecurity is releasing its analysis of the BRICKSTORM backdoor, providing additional details on the involvement of China-based threat actors. During our investigation, our team collected multiple artifacts associated with UNC5221’s appliance-focused tradecraft. The most relevant items preserved in evidence include:\r\n- A statically linked Go ELF backdoor consistent with the BRICKSTORM family.\r\n- Small deployment scripts used to stage and persist the backdoor on edge devices.\r\n- A servlet filter web component used by the same actor set to harvest credentials after gaining a foothold.\r\nOur analysis below is anchored in static and dynamic review of those artifacts.\r\nhttps://www.resecurity.com/blog/article/f5-big-ip-source-code-leak-tied-to-state-linked-campaigns-using-brickstorm-backdoor\r\nPage 1 of 9\r\nThe backdoor is a self-contained, dependency-free executable (Go, linux/amd64) packaged for appliances with a limited userland. It embeds a full web transport (TLS client, HTTP/1.1 and HTTP/2 paths, WebSocket upgrade and session handling), Yamux for multiplexing many logical streams over one socket, a SOCKS mechanism for TCP pivoting, and a complete multipart/form-data stack for web-looking file staging and exfiltration.\r\nYamux is a multiplexing library for Go. It relies on an underlying connection that already provides reliability and ordering, such as TCP or Unix domain sockets, and adds stream-oriented multiplexing on top. Yamux is inspired by SPDY, which Google introduced in late 2009 as an experimental protocol to improve web performance. 
However, SPDY was officially deprecated in early 2016; Yamux borrows its multiplexing design but is not interoperable with it.\r\nIn this attack the actor used an exploit to gain code execution on the BIG-IP device, deployed the ELF file, and launched it with operator-supplied C2 parameters. The implant establishes an outbound TLS connection that negotiates HTTP/2, upgrades the connection to WebSocket to obtain a persistent C2 tunnel, and multiplexes concurrent logical streams over that single socket with Yamux.\r\nWithin that session the actor enables a SOCKS-style proxy to reach internal applications from the appliance’s management IP, and moves data over the same channel as multipart/form-data with base64 or quoted-printable encoding and compression, so the exfiltration resembles ordinary web traffic.\r\nThe ELF file contains no hardcoded domains or credentials: the C2 endpoint is supplied by the operator at launch, so no network indicator can be extracted from the binary alone and the same sample can be reused against many targets. Initial access relied on exploitation of the appliance itself, not on anything embedded in the implant.\r\nIf an attacker gains code execution (via a 0-day or a weakly secured service), BRICKSTORM can turn a BIG-IP into a stealth egress point and internal proxy, with minimal logging and long dwell time.\r\nThe Origin\r\nOur analysis found the attackers leveraging publicly available repositories; portions of the codebase appear to have originated from repositories maintained in China. 
Some of these projects in those repositories are themselves malicious, designed to attack the systems of users who run them.\r\nUPDATE (December 19, 2025):\r\nThe Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency, and the Canadian Centre for Cyber Security released an update to the Malware Analysis Report on the BRICKSTORM backdoor with indicators of compromise (IOCs) and detection signatures for additional BRICKSTORM samples.\r\nThis update covers additional samples, including Rust-based ones. These samples demonstrate persistence and defense-evasion mechanisms such as running as background services, and enhanced command and control through encrypted WebSocket connections.\r\nMITRE ATT\u0026CK Techniques\r\n(Tactic | Technique ID | Technique name | Description | Evidence / Notes)\r\nInitial Access | T1190 | Exploit Public-Facing Application | Compromise of internet-exposed BIG-IP management services to gain code execution; risk amplified by the stolen source and vulnerability intelligence. | 0-day discovery and weaponization; the attacker used an exploit and deployed an ELF on BIG-IP.\r\nExecution | T1204.002 | User Execution: Malicious File | The operator launches the ELF backdoor on the appliance with runtime C2 parameters. | Deploys an ELF file and launches it with operator-supplied C2 parameters.\r\nExecution | T1106 | Native API | The implant performs system, file, and network operations via OS and runtime APIs. | Self-contained executable with full web transport and file staging/exfiltration.\r\nPersistence | T1543.002 | Create or Modify System Process: Systemd Service | Creates or modifies a systemd unit so the implant starts automatically on boot. | Modifies systemd entries for persistence.\r\nDefense Evasion | T1027 | Obfuscated Files or Information | Wraps data in base64 or quoted-printable encoding and compression inside multipart bodies to evade content inspection. | multipart/form-data with base64/quoted-printable and compression.\r\nDefense Evasion | T1036 | Masquerading | C2 and file transfers ride HTTP/2 and WebSocket to blend with normal web traffic; samples carry benign-looking names (Pg_update, Listener). | HTTP/2; WebSocket; web-looking file staging/exfiltration.\r\nCredential Access | T1556 | Modify Authentication Process | A servlet filter web component on adjacent infrastructure (e.g., vCenter) captures credentials during login. | Servlet filter web component used to harvest credentials after gaining a foothold.\r\nCommand and Control | T1090 | Proxy | SOCKS-style proxying from the appliance’s management IP to reach internal services; it supports lateral movement but ATT\u0026CK catalogues it under Command and Control. | Enables a SOCKS-style proxy to reach internal applications.\r\nCommand and Control | T1572 | Protocol Tunneling | Multiplexes multiple logical streams over a single TLS/WebSocket socket using Yamux. | Multiplexes concurrent streams over one socket via Yamux.\r\nCommand and Control | T1071.001 | Application Layer Protocol: Web Protocols | Primary C2 over TLS/HTTPS, negotiating HTTP/2 (ALPN h2) and then upgrading to a long-lived bidirectional WebSocket tunnel. ATT\u0026CK has no WebSocket sub-technique (T1071.004 is DNS), so WebSocket C2 maps here. | Establishes outbound TLS that negotiates HTTP/2 and upgrades the connection to WebSocket for a persistent C2 tunnel.\r\nCommand and Control | T1573 | Encrypted Channel | TLS protects all C2 and data movement. | Outbound TLS; persistent tunnel.\r\nCommand and Control | T1090.003 | Proxy: Multi-hop Proxy | The appliance acts as a stealth egress point and internal hop into the environment. | Turns a BIG-IP into a stealth egress point and internal proxy.\r\nCollection | T1005 | Data from Local System | Files are staged locally and prepared for transfer over the C2 channel. | File staging/exfiltration over multipart/form-data.\r\nExfiltration | T1041 | Exfiltration Over C2 Channel | Data is sent through the established TLS/WebSocket channel using multipart frames. | Moves data over the same channel so it resembles ordinary web traffic.\r\nCollection | T1560 | Archive Collected Data | Data is compressed and encoded before transfer to reduce detectability. | Compression plus base64/quoted-printable within multipart.\r\nPatch Now\r\nF5 has disclosed over twenty vulnerabilities spanning BIG-IP (all modules), F5OS (A/C), and BIG-IP Next (SPK/CNF), several of which could enable remote exploitation of internet-exposed management services. If you operate any of the affected products listed below, treat this as an emergency: remove public exposure of management planes, restrict egress, and upgrade to the vendor’s latest fixed releases immediately. 
After patching, verify that devices no longer fall within the affected version ranges published in F5’s advisories (the table below lists products, not versions), re-enable only the services you need, and monitor for anomalous HTTP/2 and WebSocket egress from appliance subnets, since the implant’s C2 is an outbound TLS session that negotiates h2 and then upgrades to WebSocket.\r\n(Vulnerability | Affected Product)\r\nCVE-2025-53868 | BIG-IP (all modules)\r\nCVE-2025-61955 | F5OS-A; F5OS-C\r\nCVE-2025-57780 | F5OS-A; F5OS-C\r\nCVE-2025-60016 | BIG-IP (all modules); BIG-IP Next SPK; BIG-IP Next CNF\r\nCVE-2025-48008 | BIG-IP (all modules)\r\nCVE-2025-59781 | BIG-IP (all modules)\r\nCVE-2025-41430 | BIG-IP SSL Orchestrator\r\nCVE-2025-55669 | BIG-IP ASM\r\nCVE-2025-61951 | BIG-IP (all modules)\r\nCVE-2025-55036 | BIG-IP SSL Orchestrator\r\nCVE-2025-54479 | BIG-IP PEM; BIG-IP Next CNF\r\nCVE-2025-46706 | BIG-IP (all modules)\r\nCVE-2025-59478 | BIG-IP AFM\r\nCVE-2025-61938 | BIG-IP Advanced WAF/ASM\r\nCVE-2025-54858 | BIG-IP Advanced WAF/ASM\r\nCVE-2025-58120 | BIG-IP Next SPK; BIG-IP Next CNF\r\nCVE-2025-53856 | BIG-IP (all modules)\r\nCVE-2025-61974 | BIG-IP (all modules); BIG-IP Next SPK; BIG-IP Next CNF\r\nCVE-2025-58071 | BIG-IP (all modules); BIG-IP Next CNF\r\nCVE-2025-53521 | BIG-IP APM\r\nCVE-2025-61960 | BIG-IP APM\r\nCVE-2025-54854 | BIG-IP APM\r\nCVE-2025-53474 | BIG-IP APM\r\nCVE-2025-61990 | BIG-IP (all modules); BIG-IP Next SPK; BIG-IP Next CNF\r\nCVE-2025-58096 | BIG-IP (all modules)\r\nCVE-2025-61935 | BIG-IP Advanced WAF/ASM\r\nIndicators of Compromise (IOCs)\r\nSHA-256: 90b760ed1d0dcb3ef0f2b6d6195c9d852bcb65eca293578982a8c4b64f51b035\r\nFilename: Pg_update\r\nClassification: BRICKSTORM (Go ELF backdoor)\r\nNotes: Named as a system/update helper to blend in.\r\nSHA-256: 2388ed7aee0b6b392778e8f9e98871c06499f476c9e7eae6ca0916f827fe65df\r\nFilename: Listener\r\nClassification: BRICKSTORM (Go ELF backdoor)\r\nNotes: Listener component; used for C2/socket handling.\r\nSHA-256: 
aa688682d44f0c6b0ed7f30b981a609100107f2d414a3a6e5808671b112d1878\r\nFilename: Vmprotect\r\nClassification: BRICKSTORM (Go ELF backdoor)\r\nNotes: VMProtect-protected version.\r\nSource: https://www.resecurity.com/blog/article/f5-big-ip-source-code-leak-tied-to-state-linked-campaigns-using-brickstorm-backdoor",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.resecurity.com/blog/article/f5-big-ip-source-code-leak-tied-to-state-linked-campaigns-using-brickstorm-backdoor"
	],
	"report_names": [
		"f5-big-ip-source-code-leak-tied-to-state-linked-campaigns-using-brickstorm-backdoor"
	],
	"threat_actors": [
		{
			"id": "b2e48aa5-0dea-4145-a7e5-9a0f39d786d8",
			"created_at": "2024-01-18T02:02:34.643994Z",
			"updated_at": "2026-04-29T06:58:58.254021Z",
			"deleted_at": null,
			"main_name": "UNC5221",
			"aliases": [
				"UNC5221",
				"UTA0178"
			],
			"source_name": "ETDA:UNC5221",
			"tools": [
				"BRICKSTORM",
				"GIFTEDVISITOR",
				"GLASSTOKEN",
				"LIGHTWIRE",
				"PySoxy",
				"THINSPOOL",
				"WARPWIRE",
				"WIREFIRE",
				"ZIPLINE"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6ce34ba9-7321-4caa-87be-36fa99dfe9c9",
			"created_at": "2024-01-12T02:00:04.33082Z",
			"updated_at": "2026-04-29T06:58:56.751454Z",
			"deleted_at": null,
			"main_name": "UTA0178",
			"aliases": [
				"Red Dev 61",
				"UNC5221"
			],
			"source_name": "MISPGALAXY:UTA0178",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1777429297,
	"ts_updated_at": 1777450889,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/15bd845a910e1512d6432c27f88ccd80751be13d.pdf",
		"text": "https://archive.orkl.eu/15bd845a910e1512d6432c27f88ccd80751be13d.txt",
		"img": "https://archive.orkl.eu/15bd845a910e1512d6432c27f88ccd80751be13d.jpg"
	}
}