Severity: high. September 28, 2025

Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech and Legal Sectors


The BRICKSTORM campaign has maintained sustained, stealthy footholds in U.S. targets across several sectors, for intelligence collection, intellectual-property theft, and as pivot points for further intrusions. The actor prioritizes deployment on network and virtualization appliances, systems that typically sit outside the reach of endpoint detection and response agents, which buys long dwell times while generating very little observable telemetry. From these footholds the adversary moves laterally into VMware vCenter and ESXi environments, usually with valid credentials, and in some cases clones sensitive VMs (e.g. domain controllers) for offline analysis; a cloned domain controller disk carries the Active Directory database, so credential extraction happens offline and leaves no trace on the live DC. A companion servlet filter (BRICKSTEAL) deployed in vCenter's Tomcat captures credentials from HTTP requests, and email and code repositories are exfiltrated through BRICKSTORM's SOCKS proxy capability and through Microsoft 365 mail application permissions.
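A servlet filter sees every request before the application does, which is what lets a credential-harvesting filter read Authorization headers. Filters are declared in a web application's web.xml (or registered programmatically), so one hunt is to diff the declared filters against a known-good baseline. The following is an added example written for this brief, not code from the source report or from VMware; the sample web.xml, the filter and class names, and the BASELINE mapping are constructed for illustration and do not describe BRICKSTEAL's actual registration mechanism.

```python
"""Added example: baseline check for servlet filters declared in a Tomcat web.xml."""
import xml.etree.ElementTree as ET

# Constructed sample web.xml: one filter that is in the baseline and one that is
# not, the latter mapped to every URL. All names are hypothetical.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <filter>
    <filter-name>vendorAuthFilter</filter-name>
    <filter-class>com.example.vendor.AuthFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>vendorAuthFilter</filter-name>
    <url-pattern>/ui/*</url-pattern>
  </filter-mapping>
  <filter>
    <filter-name>headerFilter</filter-name>
    <filter-class>com.example.unknown.HeaderFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>headerFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>
"""

# Hypothetical baseline: filter name -> filter class, captured from a clean install.
BASELINE = {"vendorAuthFilter": "com.example.vendor.AuthFilter"}


def _local(tag):
    """Strip the XML namespace so the check works whichever schema the file uses."""
    return tag.rsplit("}", 1)[-1]


def declared_filters(web_xml_text):
    """Return {filter-name: {"class": str, "patterns": [url-pattern, ...]}}.
    Two passes, because filter-mapping elements may precede their filter."""
    root = ET.fromstring(web_xml_text)
    filters = {}
    for el in root:
        if _local(el.tag) != "filter":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in el}
        filters[fields.get("filter-name")] = {"class": fields.get("filter-class"), "patterns": []}
    for el in root:
        if _local(el.tag) != "filter-mapping":
            continue
        name, patterns = None, []
        for c in el:
            if _local(c.tag) == "filter-name":
                name = (c.text or "").strip()
            elif _local(c.tag) == "url-pattern":
                patterns.append((c.text or "").strip())
        if name in filters:
            filters[name]["patterns"].extend(patterns)
    return filters


def unexpected_filters(web_xml_text, baseline):
    """Filters absent from the baseline, or whose class changed. Each finding
    carries the URL patterns so a catch-all '/*' mapping stands out."""
    findings = []
    for name, info in declared_filters(web_xml_text).items():
        if baseline.get(name) != info["class"]:
            findings.append({
                "name": name,
                "class": info["class"],
                "patterns": info["patterns"],
                "reason": "class changed" if name in baseline else "not in baseline",
            })
    return findings


if __name__ == "__main__":
    for f in unexpected_filters(SAMPLE_WEB_XML, BASELINE):
        print(f"UNEXPECTED FILTER {f['name']} ({f['class']}) mapped to {f['patterns']}: {f['reason']}")
```

This check is necessary but not sufficient: a filter can also be registered through a @WebFilter annotation inside a jar or programmatically via ServletContext.addFilter, so pair the web.xml diff with hashing of the jars on the appliance against a clean copy, and run the vendor's own integrity checks where they exist.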

What stands out in this iteration of BRICKSTORM activity is the shift toward appliances and the virtualization management layer as the primary foothold rather than endpoints, together with adaptive persistence. Newer BRICKSTORM samples are obfuscated with Go obfuscation tooling and embed delayed-activation timers, so a freshly planted implant stays dormant past the window in which defenders are looking. The actor has redeployed the backdoor mid-incident to regain access, which implies they were watching the response in real time. The C2 infrastructure has also moved to cloud-hosted platforms (e.g. Cloudflare Workers, Heroku) and to multiple DNS-over-HTTPS resolvers, with no domain reused across victims, which improves their OPSEC and means indicators from one victim are of little use for blocking at the next.

The original blog provides YARA rules and a scanner tool for hunting BRICKSTORM and related UNC5221 activity on the network.

Indicators

IP address (1)
  • 10.0.0.255:5480 (10.0.0.0/8 is private address space and 5480 is the vCenter Server Appliance management interface port, so treat this as a lateral-movement indicator inside the victim network rather than an external block-list entry)

Domains (2)
  • nip.io
  • sslip.io
  (both are public wildcard-DNS services that resolve any hostname with an embedded IP address; hunt for appliance traffic to their subdomains rather than blocking the apex domains outright, which would also catch legitimate developer use)

SHA256 file hashes (3)
  • 2388ed7aee0b6b392778e8f9e98871c06499f476c9e7eae6ca0916f827fe65df
  • aa688682d44f0c6b0ed7f30b981a609100107f2d414a3a6e5808671b112d1878
  • 90b760ed1d0dcb3ef0f2b6d6195c9d852bcb65eca293578982a8c4b64f51b035

Detections

Additional detection ideas (9)
  • Detect traffic routing through proxy services, VPNs, or residential proxy networks not sanctioned by the organization
  • Detect logins from valid accounts originating from unusual locations, devices, or at abnormal times
  • Detect broad file system enumeration or searching across SharePoint, code repos, and internal wikis
  • Monitor for C2 communication over HTTP/HTTPS to uncommon or newly registered domains, and for appliances contacting public DNS-over-HTTPS resolvers or cloud worker platforms they have no business reason to use
  • Monitor public-facing services for exploitation patterns — unusual POST bodies, deserialization payloads
  • Baseline normal scripting interpreter usage and alert on deviations
  • Flag heavily obfuscated scripts or binaries with high-entropy content
  • Flag suspicious PowerShell execution — encoded commands, download cradles, or AMSI bypass
  • Alert on creation of new accounts, especially those immediately granted privileged roles
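As an added example of the proxy-traffic and C2-domain ideas above applied to the traits this brief describes (it is not code from the original brief or the source report), the following sketch runs over constructed egress log lines and flags appliance sources that contact DNS-over-HTTPS resolvers, Cloudflare Workers or Heroku hostnames, or subdomains of the wildcard-DNS indicators. The appliance subnet, the resolver list, the platform suffixes and the sample lines are all assumptions for illustration; the brief does not name which resolvers the actor used.

```python
"""Added example: flag appliance egress matching the BRICKSTORM C2 traits."""
from collections import defaultdict
import ipaddress

# Assumption: appliances (vCenter, ESXi, network devices) live in this management
# subnet. A real deployment would take this from the asset inventory.
APPLIANCE_NETS = [ipaddress.ip_network("10.10.5.0/24")]

# Well-known public DNS-over-HTTPS resolvers. The brief says several were used
# for C2 but does not name them; this is a general list, not the actor's.
DOH_RESOLVERS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net", "dns.adguard.com"}
# Default customer-facing suffixes of the hosting platforms the brief names.
CLOUD_HOSTING_SUFFIXES = (".workers.dev", ".herokuapp.com")
# Wildcard-DNS services listed as domain indicators in this brief.
WILDCARD_DNS_SUFFIXES = (".nip.io", ".sslip.io")

# Constructed sample log, format "timestamp src_ip dst_host dst_port". The
# 10.20.1.15 line is a workstation, deliberately outside the appliance subnet.
SAMPLE_LOG = """
2025-09-20T03:12:01Z 10.10.5.20 dns.google 443
2025-09-20T03:12:09Z 10.10.5.20 dns.quad9.net 443
2025-09-20T03:15:44Z 10.10.5.20 abc-example.workers.dev 443
2025-09-20T08:00:02Z 10.20.1.15 dns.google 443
2025-09-20T09:30:11Z 10.10.5.31 10-1-2-3.sslip.io 443
2025-09-20T09:31:00Z 10.10.5.31 updates.example-vendor.com 443
""".strip().splitlines()


def is_appliance(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in APPLIANCE_NETS)


def classify_dest(host, port):
    """Return the C2 trait a destination matches, or None."""
    host = host.lower().rstrip(".")
    if host in DOH_RESOLVERS and port == 443:
        return "doh-resolver"
    if host.endswith(CLOUD_HOSTING_SUFFIXES):
        return "cloud-hosted-c2-platform"
    if host.endswith(WILDCARD_DNS_SUFFIXES):
        return "wildcard-dns-indicator"
    return None


def analyze(lines):
    """Return (src, destination, trait) alerts for appliance sources. A source
    that talks to two or more distinct DoH resolvers gets an extra alert,
    since resolver diversity is itself one of the traits described above."""
    alerts = []
    doh_by_src = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the pipeline
        _ts, src, host, port = parts
        trait = classify_dest(host, int(port))
        if trait is None or not is_appliance(src):
            continue
        alerts.append((src, host, trait))
        if trait == "doh-resolver":
            doh_by_src[src].add(host)
    for src, resolvers in sorted(doh_by_src.items()):
        if len(resolvers) >= 2:
            alerts.append((src, ",".join(sorted(resolvers)), "multiple-doh-resolvers"))
    return alerts


if __name__ == "__main__":
    for src, dest, trait in analyze(SAMPLE_LOG):
        print(f"{src} -> {dest}: {trait}")
```

Restricting the rules to appliance sources keeps the noise down: workstations and browsers use DoH legitimately, but a vCenter or firewall management interface resolving names through dns.google and then talking to a workers.dev host is worth a ticket on its own. Because the actor does not reuse domains across victims, the value here is in the behavioural pattern, not in the specific hostnames.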