Chinese Hackers Deploy BRICKSTORM Backdoor on US Firms

Let me introduce Dominic Jainy, a seasoned IT professional with deep expertise in cybersecurity, artificial intelligence, machine learning, and blockchain. With a career dedicated to dissecting complex cyber threats and exploring cutting-edge technologies, Dominic has become a trusted voice in understanding how advanced persistent threat (APT) groups operate. Today, we’re diving into a pressing issue: the use of the ‘BRICKSTORM’ backdoor by Chinese hackers targeting US firms. Our conversation will explore the mechanics of this sophisticated threat, the actors behind it, their methods of infiltration, and the broader implications for organizations across various sectors.

Can you give us an overview of what the ‘BRICKSTORM’ backdoor is and why it poses such a significant threat to US companies?

Sure, ‘BRICKSTORM’ is a malicious piece of software, essentially a backdoor, that allows attackers to sneak into and maintain access to a compromised system. It’s written in the Go programming language and primarily targets VMware vCenter servers, which are critical for managing virtual environments in many organizations. What makes it a big deal for US companies is its ability to stay hidden while giving hackers a foothold to spy, steal data, or even pivot to other systems. It’s not just a one-and-done attack; it’s a gateway for long-term intrusion, often going undetected for months, which can lead to devastating breaches of sensitive information.

How do these attackers initially get into systems to deploy ‘BRICKSTORM’, and what makes their entry so hard to detect?

The attackers often start by exploiting zero-day vulnerabilities—flaws in software that even the vendor doesn’t know about yet. These are particularly dangerous because there’s no patch available at the time of the attack. They target network appliances or systems that don’t typically have robust endpoint detection tools, making their entry harder to spot. By focusing on these less-protected entry points, they can quietly establish a presence before moving deeper into the network, often using stolen credentials to blend in with legitimate traffic.

Which industries or types of organizations in the US seem to be the primary targets for these ‘BRICKSTORM’ campaigns?

From what we’ve seen, the primary targets are US legal and tech firms, as well as software-as-a-service providers and outsourcing companies. These sectors are likely chosen because they hold valuable intellectual property, sensitive client data, or serve as gateways to other organizations. For instance, breaching a SaaS provider could give attackers access to a whole network of downstream clients, amplifying the impact of a single intrusion.

What can you tell us about the group behind these attacks and their suspected motivations?

The group linked to these ‘BRICKSTORM’ campaigns is known as UNC5221, a Chinese-aligned threat cluster. They’re known for their sophisticated tactics, including exploiting zero-day vulnerabilities and targeting critical infrastructure like network appliances. Their motivations seem to go beyond traditional espionage. While stealing data, especially emails from key individuals, is a big part of their operation, there’s also evidence they’re gathering information to develop new hacking tools or zero-days. Essentially, they’re not just after secrets—they’re building an arsenal for future attacks.

Can you explain how ‘BRICKSTORM’ helps these hackers maintain access to a system over long periods?

Absolutely. Once ‘BRICKSTORM’ is deployed, it’s designed for persistence. It modifies system files—think init.d or systemd configurations—to ensure it restarts even if the device reboots. It also has self-monitoring features, like a function called Watcher, which keeps an eye on its own processes and reinstates itself if something goes wrong. This makes it incredibly tough to remove without a deep forensic investigation. Plus, it communicates with its command-and-control server using WebSockets, a method that can look like normal web traffic, further hiding its tracks.

What challenges do researchers face when investigating threats like ‘BRICKSTORM’, especially given the long dwell time?

One of the biggest hurdles is the dwell time—on average, 393 days. That’s over a year that attackers are inside a system before detection. By the time investigators catch on, critical logs or evidence of the initial breach are often gone because they exceed typical retention periods. On top of that, the attackers move fast to deploy their full attack chain, leaving little time to catch them in the act. This combination of speed and long-term stealth makes it a nightmare to piece together how they got in and what they’ve done.

How do these hackers use ‘BRICKSTORM’ to move around inside a network once they’ve gained access?

After getting in, they use a variety of tricks to move laterally. They often harvest credentials from compromised systems, sometimes bypassing multi-factor authentication or cloning virtual machines of critical servers to gain deeper access. They reuse these stolen credentials to hop from one system to another, often targeting tools like Delinea Secret Server to grab even more sensitive data. Their goal is to blend in with normal activity, making it hard for security tools to flag anything unusual as they spread through the network.

What do you think is the broader impact of these kinds of attacks on how companies approach cybersecurity?

These attacks are a wake-up call. They show that traditional security tools, like endpoint detection and response, aren’t enough when attackers target less-protected systems like network appliances. Companies need to rethink their defenses—focusing on visibility across all devices, not just workstations, and investing in better log retention and monitoring to catch long-term intrusions. It’s also pushing the need for faster patch management and a deeper understanding of zero-day risks. Ultimately, it’s about building resilience, assuming a breach will happen, and minimizing the damage.

Looking ahead, what is your forecast for the evolution of threats like ‘BRICKSTORM’ in the coming years?

I expect these threats to become even more sophisticated. As defenders get better at detecting known tactics, attackers will lean harder into zero-days and custom malware tailored to specific targets. We’ll likely see more focus on hybrid environments—blending cloud and on-premises systems—as companies continue to migrate to the cloud. Attackers will also probably refine their stealth techniques, using AI or machine learning to mimic legitimate behavior even more convincingly. It’s going to be a constant cat-and-mouse game, and organizations will need to stay proactive, not just reactive, to keep up.
