BRICKSTORM: UNC5221 Espionage Campaign Targeting VMware Infrastructure and Microsoft Identity
BRICKSTORM is a family of cross-platform backdoors attributed to the Chinese state-sponsored threat actor UNC5221. Linux variants target VMware vCenter and ESXi hypervisor infrastructure; Windows variants have been observed in separate intrusions. The group targets organizations in the government, technology, defense, and legal sectors and has sustained confirmed dwell times exceeding 17 months. At least 12 distinct samples have been identified, spanning Go-based, Rust-based, and .NET ahead-of-time (AOT) compiled variants, which points to continuous malware development throughout the campaign.
According to GTIG, UNC5221 gains initial access by exploiting zero-day and recently disclosed vulnerabilities in edge devices, though the initial vector is often unconfirmed because appliance logs have rolled over by the time the intrusion is found. Using stolen service account credentials, the actor moves via RDP to domain controllers, copies ntds.dit, and extracts the full Active Directory credential set offline. On vCenter, BRICKSTEAL is deployed as a malicious Java servlet filter inside the appliance's Tomcat instance, where it silently captures AD and vSphere SSO credentials from authentication requests as they pass through the filter chain. The actor also clones virtual machines hosting domain controllers or secrets vaults, mounts the clone's virtual disks to extract credentials from the offline filesystem, then deletes the clone without ever powering it on; the guest OS, and any EDR agent inside it, never runs. On the appliance itself the actor escalates privileges via sudo, writes BRICKSTORM to paths that mimic legitimate VMware binaries, and modifies an init script so the implant starts on boot. On Windows hosts, persistence is achieved through scheduled tasks.
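The clone-and-delete pattern leaves a distinctive trace in vCenter's own event stream: a clone of a credential-bearing VM is created, never powered on, and removed shortly afterwards. The following added example (not code from the GTIG report or from VMware) checks for that sequence over a constructed list of vCenter events. The event type names follow the vSphere API event classes (VmClonedEvent, VmPoweredOnEvent, VmRemovedEvent); the record layout, the name patterns for sensitive VMs, the 24-hour window and the sample data are assumptions made for this illustration.

```python
"""Flag clones of sensitive VMs that are destroyed without ever being powered on.

Added example, not code from the GTIG report or VMware. Event type names follow
the vSphere API; the record layout, VM name patterns, window and sample events
are assumptions for illustration.
"""
import re
from datetime import datetime, timedelta

# Assumed name patterns for guests whose disks hold credentials (domain
# controllers and secrets vaults); tune these to the naming scheme in use.
SENSITIVE_VM_PATTERNS = [r"\bdc\d*\b", r"domain.?controller", r"vault", r"secret"]

# Constructed sample events, in the order vCenter would record them.
EVENTS = [
    {"time": "2025-01-10T01:02:00", "type": "VmClonedEvent", "vm": "DC01-clone", "source_vm": "DC01", "user": "svc-backup"},
    {"time": "2025-01-10T01:41:00", "type": "VmRemovedEvent", "vm": "DC01-clone", "source_vm": None, "user": "svc-backup"},
    {"time": "2025-01-10T09:00:00", "type": "VmClonedEvent", "vm": "web02-copy", "source_vm": "web02", "user": "admin"},
    {"time": "2025-01-10T09:05:00", "type": "VmPoweredOnEvent", "vm": "web02-copy", "source_vm": None, "user": "admin"},
    {"time": "2025-01-11T03:00:00", "type": "VmClonedEvent", "vm": "VAULT-tmp", "source_vm": "hashicorp-vault-01", "user": "svc-backup"},
    {"time": "2025-01-11T03:20:00", "type": "VmRemovedEvent", "vm": "VAULT-tmp", "source_vm": None, "user": "svc-backup"},
    {"time": "2025-01-12T10:00:00", "type": "VmClonedEvent", "vm": "DC02-clone", "source_vm": "DC02", "user": "vi-admin"},
    {"time": "2025-01-12T10:30:00", "type": "VmPoweredOnEvent", "vm": "DC02-clone", "source_vm": None, "user": "vi-admin"},
    {"time": "2025-01-12T12:00:00", "type": "VmRemovedEvent", "vm": "DC02-clone", "source_vm": None, "user": "vi-admin"},
]


def is_sensitive(vm_name):
    """True if the VM name matches any credential-bearing pattern."""
    return any(re.search(p, vm_name, re.IGNORECASE) for p in SENSITIVE_VM_PATTERNS)


def find_offline_clone_theft(events, window=timedelta(hours=24)):
    """Return clones of sensitive VMs that were removed within `window` and never powered on.

    A clone that is powered on is treated as ordinary use (test restore, lab
    copy). The pattern described in the report is clone -> read the disks from
    outside the guest -> delete, so the guest and its EDR agent never run.
    """
    pending = {}        # clone VM name -> (clone time, clone event)
    powered_on = set()  # VM names that were ever powered on
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["type"] == "VmClonedEvent" and is_sensitive(ev["source_vm"]):
            pending[ev["vm"]] = (t, ev)
        elif ev["type"] == "VmPoweredOnEvent":
            powered_on.add(ev["vm"])
        elif ev["type"] == "VmRemovedEvent" and ev["vm"] in pending:
            t0, clone = pending.pop(ev["vm"])
            if ev["vm"] not in powered_on and t - t0 <= window:
                findings.append({
                    "source_vm": clone["source_vm"],
                    "clone": ev["vm"],
                    "user": ev["user"],
                    "lifetime_minutes": int((t - t0).total_seconds() // 60),
                })
    return findings


if __name__ == "__main__":
    for f in find_offline_clone_theft(EVENTS):
        print(f"ALERT: clone {f['clone']} of {f['source_vm']} by {f['user']} "
              f"deleted after {f['lifetime_minutes']} min without ever powering on")
```

In the constructed data the DC01 and vault clones are flagged; the DC02 clone is not, because it was powered on before removal. The same logic applies to any guest whose disks hold secrets, which is why the pattern list is broader than domain controllers alone.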
BRICKSTORM provides full remote access to the hypervisor filesystem, including file listing, upload, download, and deletion through a covert embedded web server, and also operates as a SOCKS proxy that lets the actor route lateral movement traffic through the implanted vCenter host without exposing their own infrastructure. Because file operations are carried out as internal API calls inside the implant rather than by spawning child processes, they generate no process creation events or command-line artifacts, leaving nothing for process-centric EDR telemetry to record even where an agent is present. Command-and-control domains are resolved over DNS over HTTPS using public resolvers from Cloudflare, Google, Quad9, and NextDNS, so the lookups are indistinguishable from ordinary HTTPS traffic and bypass internal DNS logging; the resolved endpoints are then reached over HTTPS with a WebSocket upgrade and an additional nested TLS layer inside the tunnel. C2 traffic is relayed through serverless hosting (Cloudflare Workers, Heroku) and the sslip.io wildcard DNS service, blending with legitimate cloud egress and making the connections hard to block by destination alone. BRICKSTORM also includes a self-watching mechanism that reinstalls the implant if its files are removed.
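Because the resolution and the transport both ride on port 443, the usable network signal is the destination, not the port: an appliance management interface has no business talking to a public DoH resolver or to a serverless relay. The following added example (not code from the GTIG report) applies that reasoning to a constructed connection log. The DoH resolver addresses are the well-known anycast addresses of the four providers named above (NextDNS represented by its two /24s); the management subnet, record layout and sample records are assumptions for this illustration, with the IOC address and domain from this page reused in the sample.

```python
"""Flag appliance egress that matches BRICKSTORM's C2 transport.

Added example, not code from the GTIG report. Resolver addresses are the public
anycast addresses of the providers named in the report; the management subnet,
record layout and sample connections are constructed for illustration.
"""
import ipaddress

# Assumed: the subnet that vCenter/ESXi management interfaces live on.
MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# Public resolvers that serve DNS over HTTPS on 443.
DOH_RESOLVERS = [
    (ipaddress.ip_network("1.1.1.1/32"), "Cloudflare"),
    (ipaddress.ip_network("1.0.0.1/32"), "Cloudflare"),
    (ipaddress.ip_network("8.8.8.8/32"), "Google"),
    (ipaddress.ip_network("8.8.4.4/32"), "Google"),
    (ipaddress.ip_network("9.9.9.9/32"), "Quad9"),
    (ipaddress.ip_network("149.112.112.112/32"), "Quad9"),
    (ipaddress.ip_network("45.90.28.0/24"), "NextDNS"),
    (ipaddress.ip_network("45.90.30.0/24"), "NextDNS"),
]

# Serverless relays and the wildcard-DNS service named in the report.
RELAY_SUFFIXES = (".workers.dev", ".herokuapp.com", ".sslip.io")

# Constructed connection records: source, destination, port, TLS SNI.
CONNECTIONS = [
    {"src": "10.10.0.5", "dst": "1.1.1.1", "dport": 443, "sni": "cloudflare-dns.com"},
    {"src": "10.10.0.5", "dst": "45.90.28.12", "dport": 443, "sni": "dns.nextdns.io"},
    {"src": "10.10.0.5", "dst": "198.51.100.7", "dport": 443, "sni": "ms-azure.azdatastore.workers.dev"},
    {"src": "10.10.0.5", "dst": "149.248.11.71", "dport": 443, "sni": "149-248-11-71.sslip.io"},
    {"src": "10.10.0.5", "dst": "10.10.0.2", "dport": 53, "sni": ""},
    {"src": "10.10.0.5", "dst": "203.0.113.9", "dport": 443, "sni": "vapp-updates.vmware.com"},
    {"src": "192.0.2.50", "dst": "1.1.1.1", "dport": 443, "sni": "cloudflare-dns.com"},
]


def in_any(ip, nets):
    """True if `ip` falls inside any of `nets`."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def doh_provider(ip):
    """Name of the public DoH provider owning `ip`, or None."""
    addr = ipaddress.ip_address(ip)
    for net, provider in DOH_RESOLVERS:
        if addr in net:
            return provider
    return None


def classify(conn):
    """Return a finding label for a suspicious appliance connection, else None."""
    if not in_any(conn["src"], MGMT_NETS):
        return None  # workstation DoH use is a separate policy question
    if conn["dport"] == 443:
        provider = doh_provider(conn["dst"])
        if provider:
            return f"doh-to-public-resolver:{provider}"
    sni = conn["sni"].lower()
    if sni.endswith(RELAY_SUFFIXES):
        return "serverless-relay:" + sni
    return None


def scan(conns):
    """Return (src, dst, label) for every connection that classify() flags."""
    findings = []
    for c in conns:
        label = classify(c)
        if label:
            findings.append((c["src"], c["dst"], label))
    return findings


if __name__ == "__main__":
    for src, dst, label in scan(CONNECTIONS):
        print(f"ALERT: {src} -> {dst} {label}")
```

The internal DNS query on port 53 and the vendor update host are left alone, and the workstation's DoH use is ignored because the rule is scoped to the management subnet. Without TLS inspection the nested TLS layer is invisible, so the rule keys on the resolver address and the SNI of the outer connection.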
The actor uses the SOCKS proxy to move laterally over SMB to Active Directory Federation Services servers and exfiltrate the ADFS token-signing certificate. That certificate is a high-value credential: whoever holds its private key can forge SAML tokens for any user and present them to every relying party federated with that ADFS instance, including Microsoft Entra ID. UNC5221 also backdoors high-privilege enterprise applications by granting them the Mail.Read application permission for Microsoft Graph and full_access_as_app for Exchange Web Services, enabling persistent tenant-wide email collection. Because the permission is attached to the application object rather than to any secret, it survives later password resets and certificate rotations until the grant itself is revoked.
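Since the grant, not the credential, is what persists, the review has to look at application permission assignments rather than at secret rotation. The following added example (not code from the GTIG report or from Microsoft) screens a constructed set of Entra directory audit records for high-risk app role grants to service principals and groups them by the principal that would need its permissions revoked. The record shape is a simplified rendering of the Graph directoryAudit resource; the exact property names Entra writes, the sample data, and the additional roles beyond the two named on this page are assumptions.

```python
"""Flag high-risk application permission grants to service principals.

Added example, not code from the GTIG report or Microsoft. Record shape is a
simplified form of the Entra directoryAudit resource; property names, sample
data and the roles beyond Mail.Read / full_access_as_app are assumptions.
"""
from collections import defaultdict

# Application permissions (app roles) that give tenant-wide mailbox access or
# directory control. Mail.Read and full_access_as_app are the two the report
# names; the others are added here as comparable-impact examples.
HIGH_RISK_APP_ROLES = {
    "Mail.Read", "Mail.ReadWrite", "full_access_as_app",
    "Directory.ReadWrite.All", "Application.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
}

GRANT_ACTIVITY = "Add app role assignment to service principal"

# Constructed sample audit records.
AUDIT_RECORDS = [
    {"activityDisplayName": GRANT_ACTIVITY, "initiatedBy": "admin@corp.example",
     "servicePrincipal": "HR-Sync-Connector", "resource": "Microsoft Graph", "appRole": "Mail.Read"},
    {"activityDisplayName": GRANT_ACTIVITY, "initiatedBy": "admin@corp.example",
     "servicePrincipal": "HR-Sync-Connector", "resource": "Office 365 Exchange Online", "appRole": "full_access_as_app"},
    {"activityDisplayName": GRANT_ACTIVITY, "initiatedBy": "it-ops@corp.example",
     "servicePrincipal": "Intranet-Portal", "resource": "Microsoft Graph", "appRole": "User.Read.All"},
    {"activityDisplayName": "Add service principal", "initiatedBy": "it-ops@corp.example",
     "servicePrincipal": "Intranet-Portal", "resource": None, "appRole": None},
    {"activityDisplayName": GRANT_ACTIVITY, "initiatedBy": "svc-automation@corp.example",
     "servicePrincipal": "Backup-Mailbox-Export", "resource": "Microsoft Graph", "appRole": "Mail.Read"},
]


def high_risk_grants(records):
    """Return (principal, resource, role, actor) for each high-risk app role grant."""
    out = []
    for r in records:
        if r["activityDisplayName"] != GRANT_ACTIVITY:
            continue
        if r["appRole"] in HIGH_RISK_APP_ROLES:
            out.append((r["servicePrincipal"], r["resource"], r["appRole"], r["initiatedBy"]))
    return out


def principals_to_review(records):
    """Group high-risk grants by service principal.

    The principal is the unit of remediation: rotating its client secret or
    certificate leaves the app role assignment in place, so the assignment
    itself has to be removed.
    """
    grouped = defaultdict(list)
    for principal, resource, role, actor in high_risk_grants(records):
        grouped[principal].append((resource, role, actor))
    return dict(grouped)


if __name__ == "__main__":
    for principal, grants in principals_to_review(AUDIT_RECORDS).items():
        print(f"REVIEW {principal}:")
        for resource, role, actor in grants:
            print(f"  {role} on {resource} granted by {actor}")
```

In practice the same list is worth producing from a current snapshot of service principal app role assignments as well as from the audit log, since a grant older than the audit retention window is just as dangerous. Ownership of the principal, who added credentials to it, and whether any Exchange application access policy limits its mailbox scope are the next questions once it is flagged.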
IOCs (18)

SHA256 file hash (12):
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

IP address (1):
149.248.11.71

File name (2):
vsm-boot-monitord (vcenter)
vsm-monitord (vcenter)

MD5 file hash (2):
8af1c3f39b60072d4b68c77001d58109
c65d7f8accb57a95e3ea8a07fac9550f

Domain (1):
ms-azure.azdatastore.workers.dev

Detections (10)
- High-Risk Application Permission Granted to Service Principal
- Linux Init Script Modified by Root Process
- Bulk SharePoint File Download by Single User
- BRICKSTORM Indicator File Dropped to VMware Appliance System Path
- Outbound DNS-over-HTTPS to Public Resolver IP from Appliance Management Network
- ADFS Token Signing Certificate Private Key Accessed or Exported
- Sudo Privilege Escalation on VMware vCenter Appliance by Non-Standard Account
- VM Clone of Domain Controller or Secrets Vault for Offline Credential Extraction
- Outbound Connection from Appliance Management IP to Cloudflare Workers, Heroku, or sslip.io