Chinese State-Sponsored Hackers Exploit BRICKSTORM Backdoor to Infiltrate U.S. Systems
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently unveiled details about a sophisticated backdoor named BRICKSTORM, utilized by state-sponsored threat actors from the People’s Republic of China (PRC) to establish long-term access within compromised U.S. systems.
BRICKSTORM is a custom implant written in the Go programming language, designed to provide attackers with interactive shell access on targeted systems. This access enables them to perform a range of malicious activities, including browsing, uploading, downloading, creating, deleting, and manipulating files. The malware is particularly adept at maintaining stealthy access, offering capabilities for initiation, persistence, and secure command-and-control operations.
The malware’s versatility is evident in its support for multiple communication protocols, such as HTTPS, WebSockets, and nested Transport Layer Security (TLS). These protocols facilitate command-and-control (C2) communications, while the use of DNS-over-HTTPS (DoH) helps conceal these communications by blending them with regular network traffic. Additionally, BRICKSTORM can function as a SOCKS proxy, enabling lateral movement within compromised networks.
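One hunt a defender can run against the DoH-based C2 described above: flag server-tier hosts (such as a vCenter appliance or DMZ web server) that open TLS sessions directly to public DNS-over-HTTPS resolvers, since such hosts should only ever query the internal resolver. This is an added example, not code from the CISA report or from the malware; the hostnames, resolver list and connection records below are constructed and the server-tier inventory is an assumption.

```python
import ipaddress
from collections import defaultdict

# Constructed egress connection records: (source host, dst ip, dst port, TLS SNI).
# Hypothetical values for illustration only; not indicators from the report.
SAMPLE_CONNECTIONS = [
    ("vcenter01", "10.0.0.53", 53, ""),                 # normal internal DNS
    ("vcenter01", "1.1.1.1", 443, "cloudflare-dns.com"), # DoH from a server: suspicious
    ("vcenter01", "1.1.1.1", 443, "cloudflare-dns.com"),
    ("webdmz01", "8.8.8.8", 443, "dns.google"),          # DoH from DMZ web server
    ("jump01", "10.0.0.53", 53, ""),
    ("adfs01", "203.0.113.7", 443, "updates.example"),   # ordinary HTTPS egress
    ("laptop42", "1.1.1.1", 443, "cloudflare-dns.com"),  # workstation, out of scope here
]

# Public DoH resolver hostnames that a server has no business contacting directly.
KNOWN_DOH_HOSTS = {"cloudflare-dns.com", "dns.google", "dns.quad9.net"}
# Assumed inventory of server-tier hosts that must only use the internal resolver.
SERVER_TIER = {"vcenter01", "webdmz01", "jump01", "adfs01"}


def is_private(ip: str) -> bool:
    """True for RFC 1918 / loopback style addresses (internal infrastructure)."""
    return ipaddress.ip_address(ip).is_private


def find_doh_from_servers(connections):
    """Return {host: hit_count} for server-tier hosts talking DoH to public resolvers.

    A hit is a TLS session to port 443 whose SNI names a known public DoH endpoint
    and whose destination is not internal. Workstations are ignored: DoH from a
    browser is common, DoH from a vCenter appliance is not.
    """
    hits = defaultdict(int)
    for host, dst_ip, dst_port, sni in connections:
        if host not in SERVER_TIER:
            continue
        if dst_port == 443 and sni in KNOWN_DOH_HOSTS and not is_private(dst_ip):
            hits[host] += 1
    return dict(hits)


if __name__ == "__main__":
    for host, count in sorted(find_doh_from_servers(SAMPLE_CONNECTIONS).items()):
        print(f"ALERT server-tier host {host} made {count} DoH session(s) to a public resolver")
```

In a real deployment the records would come from proxy, firewall or Zeek `ssl.log` data, and the resolver list from whatever DoH endpoints the organisation has not sanctioned.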
CISA’s report highlights that BRICKSTORM has been predominantly deployed in attacks targeting government entities and the information technology (IT) sector. The agency, however, did not disclose the specific number of government agencies affected or the nature of the data that may have been exfiltrated. This activity underscores a tactical evolution among Chinese hacking groups, who have increasingly focused on exploiting edge network devices to breach networks and cloud infrastructures.
In response to these allegations, a spokesperson for the Chinese embassy in Washington stated that the Chinese government does not encourage, support or connive at cyber attacks.
BRICKSTORM was first documented by Google Mandiant in 2024, following its use in attacks exploiting zero-day vulnerabilities in Ivanti Connect Secure devices, specifically CVE-2023-46805 and CVE-2024-21887. The malware has been attributed to two threat actor clusters: UNC5221 and a new China-nexus adversary identified by CrowdStrike as Warp Panda.
In September 2025, Mandiant and Google’s Threat Intelligence Group (GTIG) observed that legal services, software-as-a-service (SaaS) providers, business process outsourcers (BPOs), and technology sectors in the U.S. were being targeted by UNC5221 and related threat activity clusters to deploy BRICKSTORM.
A notable feature of BRICKSTORM is its self-monitoring function, which allows it to automatically reinstall or restart itself, ensuring continued operation even if disrupted.
In an incident detected in April 2024, threat actors accessed a web server within an organization’s demilitarized zone (DMZ) using a web shell. They then moved laterally to an internal VMware vCenter server, where they implanted BRICKSTORM. The initial access vector and the timing of the web shell deployment remain unknown.
During the intrusion, attackers obtained service account credentials and moved laterally to a domain controller in the DMZ using Remote Desktop Protocol (RDP) to capture Active Directory information. They also acquired credentials for a managed service provider (MSP) account, which facilitated further movement from the internal domain controller to the VMware vCenter server.
Additionally, the attackers moved laterally from the web server using Server Message Block (SMB) to access two jump servers and an Active Directory Federation Services (ADFS) server, from which they exfiltrated cryptographic keys. Access to the vCenter server ultimately enabled the adversaries to establish persistent access and potentially exfiltrate sensitive data.
This revelation underscores the persistent and evolving threat posed by state-sponsored cyber actors targeting critical infrastructure and sensitive information within the United States. Organizations are urged to implement robust cybersecurity measures, conduct regular system audits, and stay informed about emerging threats to safeguard their networks against such sophisticated attacks.