Google recently reported that a Chinese-linked hacking group used stealth malware to steal sensitive data from U.S. organizations for over 12 months.
Google’s Threat Intelligence Group (GTIG) has revealed a long-term espionage campaign involving Brickstorm, a malware used by the Chinese-affiliated threat group UNC5221. The malware targeted U.S. organizations in the technology, legal, and business outsourcing sectors, with an average undetected presence, also known as “dwell time,” of 393 days.
Brickstorm functioned as a multi-purpose backdoor, allowing attackers to exfiltrate data, execute remote commands, and maintain persistence on compromised networks. The malware was first documented by Google in April 2024, but had already been active in victim environments for over a year by that point.
Brickstorm was deployed primarily on systems not protected by endpoint detection and response (EDR) tools, including VMware vCenter and ESXi servers. Its command-and-control traffic was disguised as legitimate traffic, including connections to Cloudflare and Heroku domains.
Once access was established, attackers escalated privileges using a malicious Java Servlet Filter (known as Bricksteal), cloned virtual machines to harvest private information, and modified Linux startup scripts to enable persistent access. The primary goal of the operation was to exfiltrate email data and code repositories, especially from developers and IT administrators connected to areas of strategic interest to China.
Investigators noted that Brickstorm operations were highly evasive. The malware was often removed after use, and attackers rarely reused the same infrastructure, which made forensic investigation difficult. While Google could not confirm the exact point of entry, researchers suspect the initial access involved exploiting zero-day vulnerabilities in edge-facing devices.
Google attributed the campaign to UNC5221, a threat group previously known for targeting government systems using Ivanti zero-days and deploying malware like Spawnant and Zipline. GTIG also noted the group’s continued use of anti-forensics tools and unpredictable command-and-control infrastructure.
To aid defenders, Mandiant released a scanner script that includes YARA rules for detecting Brickstorm, Bricksteal, and Slaystyle malware. However, the company warned that the tool may not detect all variants or provide full coverage of compromise indicators.
The 393-day undetected presence of the Brickstorm malware exposes a deeper systemic weakness: organizations across every sector remain vulnerable to persistent, hard-to-spot threats. That level of access mirrors trends seen in healthcare, where breaches took an average of 224 days to detect and another 84 to contain, nearly a full year. Paubox reports note that these long detection windows exist because “system and process failures rarely surface until a breach exposes them, and by then, the damage is already done.” Adding to the risk, today’s threats are far more sophisticated. As the report explains, “phishing attacks have become faster, more personalized, and often powered by AI.” Security experts warn that any organization still relying on static defenses has already made itself an easy target.
The malware was deployed on systems that lacked EDR capabilities, used anti-forensics techniques, and mimicked legitimate network traffic, which allowed it to operate invisibly for extended periods.
Edge devices like VPNs, firewalls, and virtualization appliances are connected to the internet but often run proprietary operating systems with limited security tooling, making them difficult to monitor.
Bricksteal is a malicious Java Servlet Filter that captures credentials from vCenter servers, enabling privilege escalation and lateral movement within virtualized environments.
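A malicious Java Servlet Filter, as described above for Bricksteal, has to be registered somewhere the container will load it, and the classic place is the application's web.xml. The following Python is an added example (not code from Google, Mandiant or the scanner mentioned in the article) that inventories the filters declared in a web.xml and flags any whose class is not on a known-good baseline; the sample web.xml, the class names and the baseline set are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml (not from any real vCenter build): one filter in the
# baseline and one that is not, the latter mapped onto login-related paths.
SAMPLE_WEB_XML = """\
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <filter>
    <filter-name>CharsetFilter</filter-name>
    <filter-class>com.example.sso.CharsetFilter</filter-class>
  </filter>
  <filter>
    <filter-name>cacheFilter</filter-name>
    <filter-class>org.example.util.CacheHelper</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>cacheFilter</filter-name>
    <url-pattern>/login/*</url-pattern>
    <url-pattern>/saml/*</url-pattern>
  </filter-mapping>
</web-app>
"""

# Hypothetical known-good baseline; take it from a clean install of the same build.
BASELINE_FILTER_CLASSES = {"com.example.sso.CharsetFilter"}

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the namespace URI from an element tag

def list_filters(web_xml_text):
    """Return [(filter_name, filter_class, [url_patterns])] declared in web.xml."""
    root = ET.fromstring(web_xml_text)
    classes, patterns = {}, {}
    for el in root:  # <filter> and <filter-mapping> are direct children of <web-app>
        kind = _local(el.tag)
        if kind not in ("filter", "filter-mapping"):
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in el}
        name = fields.get("filter-name", "")
        if kind == "filter":
            classes[name] = fields.get("filter-class", "")
        else:  # a mapping may carry several <url-pattern> children; keep them all
            patterns.setdefault(name, []).extend(
                (c.text or "").strip() for c in el if _local(c.tag) == "url-pattern")
    return [(n, c, patterns.get(n, [])) for n, c in classes.items()]

def unexpected_filters(web_xml_text, baseline=BASELINE_FILTER_CLASSES):
    """Filters whose class is not in the baseline. A filter mapped over login paths
    sees every request body, credentials included, before the application does."""
    return [f for f in list_filters(web_xml_text) if f[1] not in baseline]
```

Filters registered programmatically or through annotations never appear in web.xml, so an empty result is not a clean bill of health; this complements the Mandiant scanner rather than replacing it.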
These providers often serve multiple clients, so compromising them can give attackers access to downstream victims, including sensitive systems and data across industries.
No. The scanner helps detect known indicators of compromise, but doesn’t check for persistence methods or assess device vulnerabilities. A broader security audit is still required.