Chinese APT Drops ‘Brickstorm’ Backdoors on Edge Devices

Summary

A China-linked espionage group tracked as UNC5221 has been deploying a Go-based backdoor called “Brickstorm” on network and infrastructure appliances that lack standard EDR support. Targets include firewalls, VPNs, IDS/IPS, and virtualisation management systems (notably VMware vCenter and ESXi). Google’s Threat Intelligence Group (GTIG) reports long dwell times (average 393 days), per-victim C2 domains, SOCKS proxy functionality, delayed-start implants, and code obfuscation techniques that make detection and blocking difficult.

Key Points

  • UNC5221 is using a cross-platform Go backdoor named Brickstorm to maintain long-term access to edge appliances and management systems.
  • Brickstorm offers SOCKS proxying, web-based command execution and per-victim C2 domains hosted via cloud services or dynamic domains.
  • The campaign leverages known CVEs and zero-days to compromise Linux/BSD-based perimeter and remote-access devices.
  • Victim dwell time averages 393 days; attackers often harvest high-privilege credentials and pivot into downstream customers (SaaS/BPO impact).
  • Defensive blind spots exist because many edge appliances cannot run standard EDRs; attackers exploit this by hiding implants as legitimate software and using delayed-start logic and obfuscation (Garble).
  • Organisations should treat appliances and virtualisation management as critical assets: maintain inventory, limit internet exposure, centralise logging and monitor admin activity.

Content Summary

Google’s GTIG and other vendors (e.g., Picus Security) have observed a systematic espionage campaign where Brickstorm is installed on network edge devices and occasionally used to pivot to VMware infrastructure. The malware is continually developed — newer builds include a delay timer to activate implants months after installation and use of obfuscation to hide functionality. Each victim receives unique C2 infrastructure, complicating standard blocking and takedown efforts.

The threat actor’s tradecraft is deliberately low-noise: harvest valid admin credentials, remove installer traces, use in-memory filters on vCenter to intercept authentication data, clone VMs to extract credentials offline, and run SOCKS proxies on compromised appliances to mask origin and tunnel deeper into internal networks.

Context and Relevance

This campaign underlines a broader shift: adversaries are targeting systems that sit outside traditional endpoint monitoring — edge devices, virtualisation management planes and supplier/SaaS ecosystems. Because these appliances often act as gateways to many customers, a single compromise can yield downstream access, multiplying impact across organisations and supply chains.

For security teams this means expanding the protection boundary: include network appliances and virtualisation management in risk assessments, ensure timely patching (including vendor devices), centralise logs, and monitor for unusual admin behaviours and proxying activity.
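As an added illustration (not code from the Dark Reading article or from GTIG) of what "monitor for unusual admin behaviours and proxying activity" can look like once appliance logs are centralised, the script below runs three checks over a constructed set of key=value log records: an inventoried appliance reaching an external name that is not on its vendor allowlist, an appliance holding an outbound session long enough to look like a tunnel rather than an update check, and a successful administrator login to the virtualisation manager sourced from an appliance address. The asset inventory, allowlist, threshold, addresses and log format are all assumptions made for the example.

```python
"""Added example: simple appliance-egress and admin-behaviour checks over
constructed log lines.  Inventory, allowlist, threshold and record format are
assumptions for this illustration, not values from the article or GTIG."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Assumed inventory of appliances and management planes that cannot run an EDR.
APPLIANCES: Dict[str, str] = {
    "10.0.0.2": "fw-edge-01",
    "10.0.0.3": "vpn-gw-01",
    "10.0.1.10": "vcenter-01",
}

# Assumed allowlist of external names an appliance may legitimately contact
# (vendor update / licensing hosts).  Any other outbound session is reviewed.
ALLOWED_EXTERNAL = {"updates.example-vendor.invalid"}

# Assumed threshold: an appliance holding one outbound session this long looks
# more like a proxy or tunnel than a routine update check.
LONG_SESSION_SECONDS = 3600

# Assumed internal address space for this network (RFC 1918 ranges).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def parse_record(line: str) -> Dict[str, str]:
    """Parse one 'key=value key=value ...' log line into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def analyse(lines: List[str]) -> List[Finding]:
    """Return findings for records whose source is an inventoried appliance."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_record(line)
        src = rec.get("src", "")
        host = APPLIANCES.get(src)
        if host is None:
            continue  # workstation/server traffic is out of scope for these rules

        if rec.get("type") == "conn" and is_external(rec["dst"]):
            name = rec.get("name", rec["dst"])
            if name not in ALLOWED_EXTERNAL:
                findings.append(Finding("appliance_unexpected_egress", host,
                                        f"{src} -> {name} ({rec['dst']})"))
            if int(rec.get("dur", "0")) > LONG_SESSION_SECONDS:
                findings.append(Finding("appliance_long_session", host,
                                        f"{src} -> {name} held for {rec['dur']}s"))

        elif rec.get("type") == "auth" and rec.get("result") == "ok":
            # Admin sessions should originate from workstations or jump hosts,
            # not from a firewall or VPN gateway acting as a pivot.
            findings.append(Finding("admin_login_from_appliance", host,
                                    f"user={rec.get('user')} target={rec.get('target')} via {src}"))
    return findings


# Constructed sample records (not real telemetry).
SAMPLE_LOG = [
    # routine, allowlisted vendor update check from the firewall: no finding
    "type=conn src=10.0.0.2 dst=203.0.113.7 name=updates.example-vendor.invalid dur=12",
    # VPN gateway holding a day-long session to a throwaway dynamic-DNS name
    "type=conn src=10.0.0.3 dst=198.51.100.9 name=h-7f3a.example-dyn.invalid dur=86400",
    # same destination from a workstation: not an appliance, ignored here
    "type=conn src=10.0.5.20 dst=198.51.100.9 name=h-7f3a.example-dyn.invalid dur=86400",
    # successful administrator login to vCenter sourced from the VPN appliance
    "type=auth user=administrator src=10.0.0.3 target=vcenter-01 result=ok",
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

The rules deliberately key on the asset inventory rather than on any indicator of the malware itself, because the summary's point is that per-victim C2 domains defeat indicator-based blocking; what stays constant is that an appliance has no business holding long sessions to arbitrary external names, and that admin logins to the management plane should not originate from it.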

Why should I read this?

Short version: if you run or rely on SaaS, BPOs or edge kit, this is a proper wake-up call. Brickstorm quietly turns devices you can’t EDR into tunnels and hideouts — and the bad guys are patient. Read it so you can stop panicking later.

Author

Punchy take: this matters. Long dwell, targeted at infrastructure that often lives outside normal monitoring, and the ability to reach downstream customers makes Brickstorm a high-risk campaign. If you care about resilience, dig into the details and act.

Source

Source: https://www.darkreading.com/cyberattacks-data-breaches/chinese-apt-brickstorm-backdoors-edge-devices
