BRICKSTORM Espionage Campaign: Appliance Targets and VMware Pivot

A stealthy, long-running espionage campaign that researchers have named BRICKSTORM has quietly infiltrated high-value organizations across the technology and legal sectors, maintaining extremely long dwell times and using novel techniques to hide on devices that traditional defenses often ignore. Security teams at Google’s Threat Intelligence Group and Mandiant have linked the activity to the cluster tracked as UNC5221, and their analysis shows the backdoor is optimized to live on appliance-class systems, pivot to VMware management infrastructure, and siphon high-privilege secrets while leaving minimal telemetry for defenders to chase.

Background / Overview

BRICKSTORM is a cross-platform backdoor written primarily in Go, with capabilities that include file-system manipulation, remote shell execution, and a built-in SOCKS proxy for tunneling internal access. The campaign was first observed in investigations beginning in March 2025 and has since been associated with intrusions into legal services, SaaS providers, business process outsourcers (BPOs), and broader technology companies — sectors that provide access not only to intellectual property but to downstream customer environments and potential zero-day discovery.
Two characteristics make BRICKSTORM particularly dangerous for enterprises: its preference for network appliances and hypervisor management systems (which are often outside endpoint detection and response coverage), and its consistent use of operational tradecraft that minimizes log generation and forensic artifacts. In practice, this means incidents can persist for months or even years before discovery, a dynamic that has serious implications for confidentiality and trust in multi-tenant or provider ecosystems.

What researchers found: high-level findings

  • Attribution: Activity is tracked to UNC5221, a China-nexus threat cluster that GTIG and Mandiant are treating as distinct from, but overlapping with, other known clusters.
  • Average dwell time: The actors have maintained persistent access for an average of 393 days in observed intrusions, underscoring their patience and focus on long-term intelligence collection.
  • Primary tactics: Compromise of perimeter appliances (VPN, access devices, management appliances), lateral movement to VMware vCenter/ESXi, deployment of a malicious Java Servlet filter (tracked as BRICKSTEAL) to harvest vCenter credentials, and use of SOCKS tunneling to exfiltrate and interact with internal systems.
  • Active development: Samples show active maintenance and evolution — including Garble obfuscation of Go binaries, use of a custom wssoft library, and even a sample with a hard-coded delay timer that waits until a future date before beaconing.

Technical analysis: how BRICKSTORM operates

Persistence on appliances and why that matters

BRICKSTORM’s designers deliberately install the backdoor on devices that typically do not run enterprise EDR agents: network edge appliances, VPN concentrators, load balancers, and other appliance-class systems. These devices commonly run specialized variants of Linux or BSD and often have limited logging, short retention windows, or logs that are not forwarded to central SIEMs. As a result, an implant can live on such devices with little detection coverage and use them as footholds for lateral movement.
Many organizations treat perimeter appliances as “set-and-forget” infrastructure. This campaign shows why that mental model is a critical blind spot: appliances with privileged network position and administrative reach can be leveraged to harvest credentials, enable remote management, and ultimately pivot into virtualization management layers that control large segments of enterprise assets.

BRICKSTEAL and the vCenter compromise

One of the most striking techniques observed is the deployment of a malicious Java Servlet filter — tracked by defenders as BRICKSTEAL — into the Apache Tomcat instance that serves VMware vCenter’s web interface. A servlet filter runs on every HTTP request to certain URIs; in these incidents BRICKSTEAL was designed to intercept authentication traffic and decode HTTP Basic Authorization headers targeting vCenter login URIs (for example, SAML/SSO endpoints), thereby capturing credentials used for Active Directory-backed vCenter logins. Because users logged into vCenter often hold enterprise-wide privileges, this capture vector yields a powerful credential collection capability.
The intruders used credentials captured by BRICKSTEAL to clone Windows Server virtual machines — often ones containing critical artifacts such as Active Directory Domain Services (ntds.dit), SSO identity providers, and secret vault contents. Crucially, the cloned VMs were not powered on, allowing attackers to extract files directly from copied virtual disk images without interacting with the live system; this can avoid many endpoint and server-level detection mechanisms.

Lateral movement, SOCKS proxying, and stealthy comms

BRICKSTORM contains a SOCKS proxy implementation that the operator can use to tunnel from attacker workstations into the victim’s internal network via the compromised appliance. This feature enables direct interaction with internal resources — code repositories, identity services, mailboxes, or vaults — without exposing normal external connections that would typically trigger detection. The malware also attempts to blend its C2 traffic with legitimate cloud services (Cloudflare, Heroku) and uses dynamic domain resolution services (sslip.io, nip.io) in some samples.

Anti-forensics and deliberate stealth features

Mandiant’s analysis shows several deliberate anti-forensic behaviors:
  • In-memory modifications: BRICKSTEAL was installed in some cases via a dropper that modified application state in memory, avoiding a Tomcat restart and making filesystem-based indicators harder to spot.
  • Obfuscation: Some samples are obfuscated with the Go obfuscator Garble, and investigators found a new custom wssoft library used across variants — both signs of active development to thwart static detection.
  • Time-delayed activation: At least one sample contained a hard-coded future activation date, preventing immediate beaconing and complicating detection timelines.
  • Removal after exfiltration: In multiple cases, the adversary removed traces of BRICKSTORM from live systems after achieving objectives; detection only occurred later via backup image forensics.
These techniques collectively reduce the effectiveness of signature-based scanning and typical SIEM alerts, making a TTP-focused hunt approach essential.

The attack chain in practice: step-by-step

  • Initial access: compromise a perimeter appliance (e.g., a VPN gateway or remote access appliance), sometimes via a zero-day vulnerability such as those historically exploited in Ivanti Connect Secure. Evidence from multiple investigations suggests exploitation of appliance vulnerabilities has been used in at least some intrusions.
  • Install BRICKSTORM on the compromised appliance, preserving stealth and avoiding wide logging footprints.
  • Harvest credentials via appliance-resident malware or by injecting BRICKSTEAL into VMware vCenter to capture HTTP Basic authentication headers for vCenter web logins.
  • Move laterally to VMware vCenter/ESXi using stolen credentials. Enable features or create cloned VMs to extract sensitive artifacts (e.g., ntds.dit) without powering the clones on.
  • Use BRICKSTORM’s SOCKS relay to interact with internal systems, and use Microsoft Entra ID enterprise application permissions to access mailboxes (mail.read or full_access_as_app) for bulk email exfiltration from targeted personnel.
  • Erase traces from live systems and, where possible, remove samples to impede remediation and forensic review.

Who was targeted — the strategic logic

Targets include law firms, SaaS providers, BPOs, and technology companies. These sectors are attractive for three strategic reasons:
  • They hold high-value intellectual property and sensitive legal materials. Access to legal matter files and attorney communications can provide political, economic, and proprietary advantage.
  • They serve as downstream pivot points: access to a SaaS provider or service bureau can be used to reach multiple customers and harvest zero-day intelligence against broader ecosystems.
  • They contain privileged developer and administrative accounts, which map to broader enterprise trust boundaries and can be re-used to move laterally and escalate privileges.
The adversary’s mailbox targeting — focusing on developers, system administrators, and personnel involved in PRC economic interests — aligns with a campaign designed for long-term intelligence collection rather than quick financial theft.

Detection and response: Mandiant’s scanner and guidance

Mandiant has published a specialized scanner script designed to run on *nix-based appliances that may lack YARA and EDR coverage. The utility attempts to match BRICKSTORM-specific signatures by searching for a combination of strings and hex patterns that emulate a YARA rule. It is explicitly not a silver bullet: Mandiant warns the tool will not detect all variants, will not guarantee detection of every compromise, and does not assess whether a device remains vulnerable to initial exploitation.
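To make the "strings plus hex patterns that emulate a YARA rule" idea concrete, here is an added example of such a matcher in Python; it is not Mandiant’s scanner, and the rule contents are constructed placeholders rather than BRICKSTORM indicators (the `wssoft` string is taken from the reporting above only as an illustrative token). It assumes the target is a mounted backup image or exported filesystem on an analyst host, which is also where the report says some of these implants were eventually found.

```python
"""Minimal emulation of a YARA-style rule (plain strings, hex patterns with
'??' single-byte wildcards, and an "N of them" condition) for hosts or images
where YARA itself is not available. Added illustration; the rule below is a
CONSTRUCTED placeholder, not a BRICKSTORM signature."""
import os
import re

RULE_NAME = "placeholder_go_backdoor"          # constructed rule name
STRING_PATTERNS = {
    "$s1": b"socks5",    # generic SOCKS marker, placeholder only
    "$s2": b"wssoft",    # library name from the reporting, placeholder token
}
# Hex patterns in YARA syntax: hex byte tokens, '??' matches any single byte.
HEX_PATTERNS = {
    "$h1": "47 6F 20 62 75 69 6C 64 ?? 49 44",   # "Go build" ? "ID" (placeholder)
}
MIN_MATCHES = 2                                 # condition: 2 of them

def hex_to_regex(pattern):
    """Translate 'DE AD ?? EF' into a compiled bytes regex."""
    parts = [b"." if tok == "??" else re.escape(bytes.fromhex(tok))
             for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)   # DOTALL: '??' may be 0x0A

def compile_rule():
    """Return [(pattern_name, compiled_regex)] for every pattern in the rule."""
    rule = [(n, re.compile(re.escape(s))) for n, s in STRING_PATTERNS.items()]
    rule += [(n, hex_to_regex(h)) for n, h in HEX_PATTERNS.items()]
    return rule

def scan_bytes(data):
    """Names of the rule's patterns found in data (the caller applies the condition)."""
    return [name for name, rx in compile_rule() if rx.search(data)]

def rule_matches(data):
    """True when at least MIN_MATCHES distinct patterns are present."""
    return len(scan_bytes(data)) >= MIN_MATCHES

def scan_tree(root, max_size=64 * 1024 * 1024):
    """Walk a directory (e.g. a mounted appliance backup image) and list files
    matching the rule. Files above max_size are skipped to bound memory use."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                if not os.path.isfile(path) or os.path.getsize(path) > max_size:
                    continue
                with open(path, "rb") as fh:
                    if rule_matches(fh.read()):
                        hits.append(path)
            except OSError:
                continue        # unreadable entry (permissions, device node)
    return hits
```

As with the Mandiant tool, a hit is a lead for full forensic acquisition, and a clean result says nothing about variants whose strings differ.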
Key practical detection recommendations from the published guidance include:
  • Hunt for anomalous modifications to startup scripts (init.d, systemd) and unexpected enabling of services like SSH on ESXi hosts.
  • Inspect vCenter for unexpected servlet filters, web module tampering, and in-memory modifications that would indicate an injected BRICKSTEAL filter.
  • Hunt for signs of cloned VM creation or unexpected snapshots and image copies; examine offline VM images for artifacts such as ntds.dit extraction.
  • Perform mailbox access reviews for service principals and enterprise application permissions in Microsoft Entra ID (OAuth app scopes like mail.read or full_access_as_app).
These guidance points are explicitly TTP-centric, recognizing that IOCs tied to specific domains or file hashes will rapidly decay as the adversary rotates infrastructure and binaries.
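One way to operationalize the second hunt item above (unexpected servlet filters in vCenter’s Tomcat) is to diff the deployed `web.xml` against a known-good baseline and flag any unknown filter that is mapped onto login URIs. This is an added example, not Mandiant or VMware tooling; the baseline class names, the URI prefixes and the sample `web.xml` are constructed placeholders, and a real baseline should be taken from a clean vCenter of the same build.

```python
"""Audit a Tomcat web.xml for servlet filters outside an approved baseline and
flag any that sit on authentication URIs. Added illustration; baseline classes,
URI prefixes and the sample document are CONSTRUCTED placeholders."""
import xml.etree.ElementTree as ET

BASELINE_FILTER_CLASSES = {          # constructed placeholder baseline
    "org.example.baseline.CharacterEncodingFilter",
    "org.example.baseline.HeaderSecurityFilter",
}
# Constructed list of login-related prefixes a credential-capturing filter would target.
SENSITIVE_URL_PREFIXES = ("/websso", "/saml", "/login")

def _local(tag):
    """Strip the XML namespace so any JavaEE web.xml version parses alike."""
    return tag.rsplit("}", 1)[-1]

def _child_texts(el, name):
    return [(c.text or "").strip() for c in el if _local(c.tag) == name]

def parse_filters(web_xml):
    """Return {filter-name: (filter-class, [url-patterns])}."""
    root = ET.fromstring(web_xml)
    classes, mappings = {}, {}
    for el in root:
        kind = _local(el.tag)
        names = _child_texts(el, "filter-name")
        if kind == "filter" and names:
            cls = _child_texts(el, "filter-class")
            classes[names[0]] = cls[0] if cls else ""
        elif kind == "filter-mapping" and names:
            mappings.setdefault(names[0], []).extend(_child_texts(el, "url-pattern"))
    return {n: (c, mappings.get(n, [])) for n, c in classes.items()}

def audit(web_xml):
    """Return findings as strings; an empty list means nothing anomalous."""
    findings = []
    for name, (cls, patterns) in parse_filters(web_xml).items():
        if cls in BASELINE_FILTER_CLASSES:
            continue                      # known-good filter, nothing to report
        findings.append(f"unknown filter {name} -> {cls}")
        if any(p == "/*" or p.startswith(SENSITIVE_URL_PREFIXES) for p in patterns):
            findings.append(f"filter {name} intercepts auth URIs {patterns}")
    return findings

# Constructed sample: one baseline filter plus one unknown filter on /websso/*.
SAMPLE_WEB_XML = """<?xml version="1.0"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <filter><filter-name>enc</filter-name>
    <filter-class>org.example.baseline.CharacterEncodingFilter</filter-class></filter>
  <filter-mapping><filter-name>enc</filter-name><url-pattern>/*</url-pattern></filter-mapping>
  <filter><filter-name>cache</filter-name>
    <filter-class>com.unknown.CacheFilter</filter-class></filter>
  <filter-mapping><filter-name>cache</filter-name><url-pattern>/websso/*</url-pattern></filter-mapping>
</web-app>"""
```

Because the report notes BRICKSTEAL was sometimes injected in memory without a Tomcat restart, an unchanged `web.xml` is not proof of absence; pair this check with an inspection of the live filter chain in the running JVM (for example via a heap dump).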

Critical appraisal: technical strengths and defensive gaps

Strengths of the adversary’s approach

  • Appliance-focus: Exploiting appliances and management planes is a force-multiplier; these devices sit at chokepoints and are often exempt from the same telemetry as endpoints. That grants stealth and persistence.
  • Live-memory manipulation: Installing in-memory servlet filters or using dropper techniques that avoid restarts reduces file-system indicators and complicates automated scanning.
  • Evasion via bespoke tooling: Use of Garble obfuscation, custom wssoft libraries, and per-victim unique C2 domains decreases the value of static signatures and IOCs.
  • Operational patience: Long dwell times and delayed activation of some payloads show the group prioritizes careful observation and extraction over noisy exploitation.

Defensive weaknesses exposed

  • Inadequate appliance telemetry: Many organizations do not ingest appliance logs into SIEMs or retain them long enough to support retrospective analysis for year-long dwell times.
  • VM management blind spots: Organizations frequently treat vCenter as an administrative service rather than a sensitive asset to be treated with the same rigor as domain controllers or identity services. That blind spot enables credential capture and cloning operations.
  • Over-reliance on signatures: The adversary’s per-victim uniqueness of binaries and domains, plus use of obfuscation, degrades the effectiveness of signature-based detection unless paired with proactive TTP hunting.

Mitigation checklist: prioritized, actionable steps

  • Inventory and monitor appliances: ensure all perimeter and management appliances forward logs to centralized collection and have retention policies commensurate with threat model timelines.
  • Harden VMware management: restrict vCenter access with strong MFA, dedicated administrative jump hosts, and monitoring for servlet or web-module changes.
  • Audit service principals: review Microsoft Entra ID enterprise applications and OAuth app permissions (mail.read, full_access_as_app) and revoke or re-scope any app permissions that appear excessive.
  • Hunt for clones and offline images: scan backup and VM image stores for unexpected new clones or snapshots, and review recent cloning activity in vSphere logs and backup tools.
  • Run the scanner: execute Mandiant’s appliance scanner on any eligible *nix- or BSD-based appliances as part of a wider hunt program, but treat results as indicative rather than definitive.
  • Apply vendor patches: ensure appliances (Ivanti, Citrix, other remote-access devices) are patched according to vendor advisories; where zero-days were exploited in the past, prioritize compensating controls and network segmentation.

Broader implications: espionage, zero-day harvesting, and supply-chain reach

The choice of targets implies objectives that extend beyond simple IP theft. Access to legal counsel communications, developer repositories, and SaaS provider environments offers multiple intelligence levers:
  • Legal intelligence can inform economic and geopolitical strategy through early visibility into deals, litigation, or regulatory actions.
  • Zero-day discovery: Persistent access to appliance codebases and logs may enable attackers to discover new vulnerabilities in third-party infrastructure that they can weaponize or sell.
  • Supply-chain pivoting: Compromise of a SaaS provider or BPO can yield access to multiple downstream victims, amplifying the strategic impact of a single intrusion.
These implications make BRICKSTORM not only a tactical concern for incident responders, but a strategic issue for risk officers and executives who must weigh downstream exposure and the long-term integrity of trust relationships with vendors and service providers.

What we do — and don’t — know (uncertainties and caution)

  • Some third-party responders have reported Windows variants of BRICKSTORM and suggested usage going back to 2022, but Mandiant has stated it has not directly observed the Windows variants in their cases. This disparity indicates variability in available telemetry and sample sets, so timeline and platform coverage should be treated cautiously until corroborated across multiple incident response datasets.
  • Attribution to UNC5221 is based on technical linkages and TTP overlap; however, public reporting shows industry groups are treating cluster definitions carefully and avoiding overly broad conflation with other East-Asia–linked clusters. Where public attribution exists, it should be read as a working assessment subject to change as investigations progress.
  • Behavioral overlap with previous Ivanti exploits and other appliance-targeting campaigns has been observed, but the initial access vector is not consistent across all investigations. In several high-dwell incidents, historical log retention and altered forensic artifacts mean the true initial access method remains unverified. Organizations should therefore assume multiple possible access vectors rather than a single, canonical exploit.

Recommended incident response posture

  • Treat appliance and management-plane compromises as Tier-0 events: they can yield enterprise-wide control and must be elevated accordingly.
  • When BRICKSTORM indicators are found, assume compromise of privileged credentials, perform immediate credential rotation (Kerberos/AD service accounts, vCenter admin accounts, SSH keys), and conduct a forensic review of backups and offline VM stores.
  • Engage vendor incident response and, if applicable, national cybersecurity authorities where data exfiltration concerns or cross-border espionage linkages may have policy and legal implications.
  • Use the Mandiant scanner as an early discovery tool, then escalate to a full forensic acquisition of any host that returns a hit; do not rely solely on the scanner to declare a system clean.

Final analysis and risk outlook

BRICKSTORM is a textbook example of a modern, patient cyber-espionage program that focuses first on access (appliances and management consoles) and only later on fast, noisy exfiltration. Its operators demonstrate technical competence in obfuscation, in-memory manipulation, and operational security — including per-victim tooling and ephemeral C2 — which together render static signatures and IOC lists insufficient for robust defense.
From a defender’s perspective, the campaign shines a harsh light on a set of systemic weaknesses: insufficient appliance telemetry, under-protected virtualization management layers, and the assumption that external-facing appliances are low-risk once patched. Remedying these will require a programmatic shift: treat appliances and management consoles as critical assets, instrument them for visibility, and adopt TTP-driven threat hunting as a first-class part of security operations.
Finally, because BRICKSTORM’s objectives align with long-term intelligence collection and potential zero-day harvesting, its discovery should prompt both short-term containment work and long-term strategic reviews of vendor risk, third-party access, and the adequacy of detection capabilities at the network and management-plane level.

Despite active tool releases and published hunting guidance, defenders face a resource-intensive fight: appliances are numerous, vendors vary in telemetry capabilities, and the adversary’s techniques are adaptive. Organizations that prioritize appliance visibility, enforce strict segregation and monitoring of management planes, and adopt TTP-based hunting will materially reduce the window of opportunity for BRICKSTORM-style campaigns. The events described here are a strong reminder that visibility — across endpoints, appliances, and hypervisor management — is the single most important control in defending against advanced, patient intrusions.

Source: Cyber Press New BRICKSTORM Campaign Uses Stealth Backdoor Against Tech and Law