{"id":3007,"date":"2025-09-28T02:52:51","date_gmt":"2025-09-28T02:52:51","guid":{"rendered":"https:\/\/ft365.org\/index.php\/2025\/09\/28\/chinese-hackers-use-brickstorm-backdoor-to-breach-us-firms\/"},"modified":"2025-09-28T02:52:51","modified_gmt":"2025-09-28T02:52:51","slug":"chinese-hackers-use-brickstorm-backdoor-to-breach-us-firms","status":"publish","type":"post","link":"http:\/\/ft365.org\/index.php\/2025\/09\/28\/chinese-hackers-use-brickstorm-backdoor-to-breach-us-firms\/","title":{"rendered":"Chinese Hackers Use &#8216;BRICKSTORM&#8217; Backdoor to Breach US Firms"},"content":{"rendered":"<div id=\"cphContent_pnlArticleBody\">\n<div id=\"layout-994ca6fe-1ac6-4d42-b2bb-f6d87001ec7b\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>Chinese cyber threat actors are suspected of deploying a recently identified backdoor to get a foothold into the systems of US organizations across various sectors.<\/p>\n<p>According to a Google Threat Intelligence Group (GTIG) report, published on September 24, threat actors have been using the backdoor known as \u2018BRICKSTORM\u2019 in intrusion campaigns since at least March 2025.<\/p>\n<p>The primary targets are US legal and tech firms, software-as-a-service (SaaS) providers and outsourcing companies.<\/p>\n<\/p><\/div>\n<figure id=\"layout-0265985b-3a2f-4db3-a653-6ddf73a4a913\" data-layout-id=\"4\" data-edit-folder-name=\"image\" data-index=\"1\"><img decoding=\"async\" src=\"http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/localimages\/c9a452bd-d0f3-4bf9-a991-33607818d0c6.jpg\" alt=\"BRICKSTORM targeting. Source: Google\"><figcaption>BRICKSTORM targeting. 
Source: Google<\/figcaption><\/figure>\n<div id=\"layout-1b08b118-b5bf-4aec-82df-fa8a7b66f303\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"2\">\n<p>The GTIG researchers argued that the motivation of these attacks \u201cextends beyond typical espionage missions, potentially providing data to feed development of zero-days and establishing pivot points for broader access to downstream victims.\u201d<\/p>\n<p>In many intrusions, the threat actors were particularly interested in the emails of key individuals within the victim organizations and sometimes exfiltrated files from these emails.<\/p>\n<p>Google has attributed these campaigns to UNC5221, a Chinese-aligned threat cluster linked to sophisticated capabilities, including the exploitation of zero-day vulnerabilities targeting network appliances.<\/p>\n<p>While other security vendors consider UNC5221 and Silk Typhoon to be the same group, GTIG currently tracks them as two distinct entities.<\/p>\n<h2><strong>Sophisticated Campaigns Against US Organizations<\/strong><\/h2>\n<p>The Google report noted that the GTIG investigation into the BRICKSTORM campaigns had been made particularly difficult because of the threat actors\u2019 speed in deploying the full attack chain.<\/p>\n<p>\u201cIn many cases, the average dwell time of 393 days exceeded log retention periods and the artifacts of the initial intrusion were no longer available,\u201d the researchers wrote.<\/p>\n<p>Nevertheless, they found that UNC5221 used a range of sophisticated techniques to maintain persistence and minimize the visibility traditional security tools have into their activities.<\/p>\n<p>These include:<\/p>\n<ol>\n<li><strong>Initial access:<\/strong> exploiting zero-day vulnerabilities<\/li>\n<li><strong>Establishing foothold:<\/strong> BRICKSTORM deployment on appliances that do not support traditional endpoint detection and response (EDR) tools (e.g. 
VMware vCenter and ESXi hosts)<\/li>\n<li><strong>Escalating privilege:<\/strong> In-memory Servlet filter injection, credential harvesting via HTTP basic auth, bypassing MFA protections, VM cloning of critical servers, targeting Delinea Secret Server, execution of automated secret stealer tools<\/li>\n<li><strong>Moving laterally:<\/strong> credential reuse from vaults and scripts<\/li>\n<li><strong>Establishing persistence:<\/strong> init.d, rc.local, or systemd file changes to ensure BRICKSTORM starts on appliance reboot<\/li>\n<li><strong>Completing mission:<\/strong> exploiting Microsoft Entra ID Enterprise Applications with mail.read or full_access_as_app scopes to access the email mailboxes of target accounts<\/li>\n<\/ol>\n<h2><strong>Inside the BRICKSTORM Backdoor<\/strong><\/h2>\n<h3><strong>BRICKSTORM Forensics Analysis<\/strong><\/h3>\n<p>BRICKSTORM is a Go backdoor targeting VMware vCenter servers.<\/p>\n<p>According to a previous Google report, published in April 2024, the backdoor can set itself up as a web server, perform file system and directory manipulation, perform file operations such as upload\/download, run shell commands, and perform SOCKS relaying.<\/p>\n<p>BRICKSTORM communicates over WebSockets to a hard-coded command-and-control (C2) server.<\/p>\n<p>Upon execution, BRICKSTORM checks for an environment variable, WRITE_LOG, to determine if the file needs to be executed as a child process. If the variable returns false or is unset, it will copy the BRICKSTORM sample from \/home\/vsphere-ui\/vcli to \/opt\/vmware\/sbin as vami-httpd. It will then execute the copied BRICKSTORM sample and terminate execution.<\/p>\n<p>If WRITE_LOG is set to true, it assumes it is running as the correct process, deletes \/opt\/vmware\/sbin\/vami-httpd, and continues execution.<\/p>\n<p>BRICKSTORM contains a separate function called Watcher, which contains self-monitoring functionality. 
If the environment variable WORKER returns false or is unset, it will continue the monitoring, checking for the file \/home\/vsphere-ui\/vcli and copying the contents over to \/opt\/vmware\/sbin\/vami-httpd. Then, it sets the appropriate environment variables and spawns the process. The watcher process then begins monitoring the exit status of the child process.<\/p>\n<p>If it finds the environment variable WORKER is set to true, it assumes it is a spawned worker process meant to execute the backdoor functionality and skips the remainder of the Watcher function.<\/p>\n<p>BRICKSTORM communicates with the C2 using WebSockets. This sample contains a hard-coded WebSocket address of wss:\/\/opra1.oprawh.workers[.]dev. Additionally, it contains the following legitimate DNS over HTTPS (DoH) addresses.<\/p>\n<h3><strong>BRICKSTORM Deployment<\/strong><\/h3>\n<p>Typically, threat actors deploy the backdoor to a network appliance before pivoting to VMware systems.<\/p>\n<p>The hackers then move laterally to a vCenter server in the environment using valid credentials, which were likely captured by the malware running on the network appliances.<\/p>\n<p>In April 2025, European cybersecurity company NVISO discovered two new BRICKSTORM samples affecting Windows environments.<\/p>\n<p>These samples had been used to spy on European organizations via Windows since at least 2022, NVISO said.<\/p>\n<p>While Google has acknowledged the NVISO report, it said it has not observed BRICKSTORM Windows-focused variants in any investigation to date.<\/p>\n<p>Google\u2019s Mandiant has released a scanner script that can run on *nix-based appliances and other systems without requiring YARA to be installed.<\/p>\n<p>The tool is designed to replicate a specific YARA rule (G_APT_Backdoor_BRICKSTORM_3) by searching for a combination of strings and hex patterns unique to the backdoor.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Chinese cyber threat actors are 
suspected of deploying a recently identified backdoor to get a foothold into the systems of US organizations across various sectors. According to a Google Threat Intelligence Group (GTIG) report, published on September 24, threat actors have been using the backdoor known as \u2018BRICKSTORM\u2019 in intrusion campaigns since at least March<\/p>\n","protected":false},"author":2,"featured_media":3008,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-3007","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/3007-97d38db7-e59a-4902-9876-ffb55b6f237e.jpg",300,300,false],"thumbnail":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/3007-97d38db7-e59a-4902-9876-ffb55b6f237e-150x150.jpg",150,150,true],"medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/3007-97d38db7-e59a-4902-9876-ffb55b6f237e.jpg",300,300,false],"medium_large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/3007-97d38db7-e59a-4902-9876-ffb55b6f237e.jpg",300,300,false],"large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/3007-97d38db7-e59a-4902-9876-ffb55b6f237e.jpg",300,300,false],"1536x1536":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/3007-97d38db7-e59a-4902-9876-ffb55b6f237e.jpg",300,300,false],"2048x2048":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/3007-97d38db7-e59a-4902-9876-ffb55b6f237e.jpg",300,300,false],"morenews-featured":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/3007-97d38db7-e59a-4902-9876-ffb55b6f237e.jpg",300,300,false],"morenews-large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/3007-97d38db7-e59a-4902-9876-ffb55b6f237e.jpg",300,300,false],"morenews-medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/3007-97d38db7-e59a-4902-9876-ffb55b6f237e.jpg",300,300,false],"crawlo
matic_preview_image":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/3007-97d38db7-e59a-4902-9876-ffb55b6f237e-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"http:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a href=\"http:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/3007","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=3007"}],"version-history":[{"count":0,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/3007\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/3008"}],"wp:attachment":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=3007"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=3007"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=3007"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}