Google Says Suspected Chinese Hackers Deployed Brickstorm Malware in Stealth Espionage Campaigns
- Cyber Jack
- Sep 24, 2025
According to Google, suspected China-nexus hackers have been quietly stealing data from U.S. legal and technology firms for more than a year, leveraging a stealthy backdoor known as Brickstorm. The malware, first documented by Google’s threat intelligence team in April, has reemerged in a campaign attributed to UNC5221, a group previously linked to Ivanti zero-day exploits.
A Long-Term Persistence Threat
Brickstorm is written in Go and functions as a Swiss Army knife for cyber espionage. It acts as a web server, file manipulation tool, SOCKS relay, and credential thief. According to researchers, victims endured an average dwell time of 393 days before the malware was detected.
Google confirmed compromises in law firms, SaaS providers, business process outsourcers, and technology companies. By targeting these entities, attackers could pivot downstream to their customers, harvest sensitive data, and potentially develop zero-day exploits.
Pete Luban, Field CISO at AttackIQ, said, “A recent discovery has revealed that a Chinese cyber espionage group has been using the Brickstorm malware against US tech and legal organizations for over a year undetected. The attackers used Brickstorm to steal victims’ information from their networks for an average of 393 days before being noticed.”
Exploiting Enterprise Blind Spots
Brickstorm thrives on appliances and systems that fall outside traditional endpoint detection. VMware vCenter and ESXi servers have been among the most affected, where the malware disguises command-and-control traffic as Cloudflare or Heroku communications.
Jeremy Turner, VP of Threat Intelligence and Research at Security Scorecard, explained, “The malware was deployed on edge appliances like VMware vCenter and ESXi, systems that typically fall outside traditional EDR coverage. Attackers used valid credentials and anti-forensics to stay hidden for over a year, with an average dwell time of 393 days.”
Attackers expanded their access by deploying credential-stealing tools, cloning domain controllers, and tunneling into code repositories. Emails were exfiltrated through Microsoft Entra ID Enterprise Apps, while anti-forensics techniques erased traces of the intrusion once operations ended.
A Repeat Offender
This is not Brickstorm’s first appearance. Earlier this year, the malware was linked to intrusions across European networks, some dating back to at least 2022. Both operations have been attributed to UNC5221, which analysts describe as strategically aligned with Chinese state interests.
Joshua Roback, Principal Security Solution Architect at Swimlane, said, “This is the second surfacing of the Brickstorm malware this year, with reports of it infiltrating networks of European organizations coming out in April. In that case, the malware was able to remain persistent for several years, dating back to at least 2022. Both of these campaigns were backed by the same group, UNC5221, which is a China-based nexus threat group that picks targets that have strategic interest to the PRC.”
Defensive Measures
Mandiant has released a free scanner script to help organizations detect Brickstorm-related activity, though the company warns it is not foolproof. Security experts emphasize that enterprises need to prioritize monitoring their edge devices, which often go unprotected yet hold the keys to critical systems.
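The monitoring the experts call for can be made concrete with a small egress check on the appliances the article names. The script below is an added example written for this page; it is not Google's or Mandiant's scanner and is not code from the article. It assumes that a defender already exports outbound connection records (firewall or flow logs) for vCenter and ESXi hosts in a simple CSV form; the field layout, hostnames, allowlist and every sample record are constructed for illustration. The idea is the one the article implies: a management appliance has a short, known list of destinations it legitimately needs, so any other outbound connection is worth a ticket regardless of whether the destination looks like a popular CDN or PaaS, and a steady, evenly spaced stream of such connections is the classic shape of a beacon.

```python
"""Egress allowlist and beacon-interval check for management appliances.

Added example (not from the article, Google or Mandiant). Assumes outbound
flow records for virtualization appliances are available as CSV lines of
the form  ts,src_host,dst_name,dst_port,bytes_out  (constructed layout).
"""
from collections import defaultdict
from dataclasses import dataclass

# Hosts treated as management appliances (constructed names).
APPLIANCE_HOSTS = {"vcenter01", "esxi-a1", "esxi-a2"}

# Destinations an appliance legitimately needs (constructed allowlist; a real
# one comes from the vendor's documented endpoints plus the site's own
# NTP, update and logging servers).
ALLOWED_DESTINATIONS = {
    "ntp.internal.example": {123},
    "updates.vendor.example": {443},
    "syslog.internal.example": {514},
}

# Constructed sample records: one appliance talks to an unknown CDN-looking
# host every 600 seconds, one ESXi host uses an unexpected port, and one
# workstation (not an appliance) talks to the same CDN host.
SAMPLE_FLOWS = """
# ts,src_host,dst_name,dst_port,bytes_out
1000,vcenter01,ntp.internal.example,123,76
1010,esxi-a1,updates.vendor.example,443,5120
1020,vcenter01,cdn-edge.example.net,443,2048
1620,vcenter01,cdn-edge.example.net,443,2100
2220,vcenter01,cdn-edge.example.net,443,1990
2820,vcenter01,cdn-edge.example.net,443,2050
1030,workstation07,cdn-edge.example.net,443,9000
1040,esxi-a2,syslog.internal.example,22,300
"""


@dataclass(frozen=True)
class Flow:
    ts: int          # seconds since epoch (constructed values)
    src_host: str
    dst_name: str    # destination hostname after DNS/SNI resolution
    dst_port: int
    bytes_out: int


def parse_flows(text):
    """Parse the constructed CSV layout, skipping blanks and comments."""
    flows = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, nbytes = line.split(",")
        flows.append(Flow(int(ts), src, dst, int(port), int(nbytes)))
    return flows


def unexpected_egress(flows):
    """Flows from an appliance to a destination/port outside the allowlist."""
    hits = []
    for f in flows:
        if f.src_host not in APPLIANCE_HOSTS:
            continue
        ports = ALLOWED_DESTINATIONS.get(f.dst_name)
        if ports is None or f.dst_port not in ports:
            hits.append(f)
    return hits


def periodic_destinations(flows, min_count=4, tolerance=0.2):
    """(src, dst, port) tuples seen >= min_count times with near-constant
    inter-arrival gaps; returns each with its mean interval in seconds."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f.src_host, f.dst_name, f.dst_port)].append(f.ts)
    result = []
    for key, times in groups.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and max(abs(g - mean) for g in gaps) <= tolerance * mean:
            result.append((key, round(mean)))
    return result


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for f in unexpected_egress(flows):
        print(f"unexpected egress: {f.src_host} -> {f.dst_name}:{f.dst_port}")
    for (src, dst, port), interval in periodic_destinations(flows):
        print(f"periodic: {src} -> {dst}:{port} every ~{interval}s")
```

Run on the constructed records, the allowlist check flags every vcenter01 connection to the unknown CDN-looking host and the ESXi host's off-port syslog attempt, while ignoring the workstation, and the interval check singles out the vcenter01 stream as evenly spaced at about 600 seconds. On real data the allowlist is the part that needs care: it must be built from the appliance vendor's documented endpoints and the site's own infrastructure, and reviewed whenever the appliance is upgraded.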
Luban added, “With malware like Brickstorm, it’s important that an organization’s defenses are familiar with its attack mechanisms so that vulnerabilities can be patched and its presence can be detected before too much damage has been done.”
Roback noted that automation can help defenders stay ahead: “AI-powered security platforms can help automate this process, continuously locating gaps and notifying of flaws so that security teams can focus their efforts on strengthening defenses.”
Turner echoed the urgency, stating, “This campaign shows how attackers are continually shifting focus to the blind spots in enterprise infrastructure. Edge appliances often go unmonitored, yet they hold privileged access and critical data.”
The Bigger Picture
The Brickstorm campaign illustrates how attackers are evolving to exploit overlooked corners of enterprise infrastructure. As organizations increasingly rely on SaaS, outsourcing, and virtualization, the attack surface has expanded into areas many security teams have yet to lock down. The message from experts is clear: every access point matters, and ignoring the gray zones of enterprise security creates the perfect cover for long-term espionage.