Ethical Hacking News

The BRICKSTORM Backdoor: A Sophisticated Tool for Chinese Cyber Espionage


Chinese Cyber Espionage Group Exploits Sophisticated BRICKSTORM Backdoor to Infiltrate U.S. Organizations

  • The BRICKSTORM backdoor has been used by a suspected China-nexus cyber espionage group to infiltrate organizations in the U.S. legal and technology sectors.
  • The malware facilitates persistent access to victim organizations for over a year, allowing for long-term access to sensitive information and intellectual property.
  • BRICKSTORM includes a SOCKS proxy that lets the attackers tunnel through the compromised host and reach internal applications of interest directly.
  • The primary goal of the campaign is to access emails of key individuals within victim entities, including developers and system administrators.



The recent discovery of a backdoor known as BRICKSTORM has sent shockwaves through the cybersecurity community. According to a report by Google Threat Intelligence Group (GTIG), this malicious tool is being used by a suspected China-nexus cyber espionage group to infiltrate organizations in the U.S. legal and technology sectors.

The BRICKSTORM backdoor was first documented last year in connection with the zero-day exploitation of Ivanti Connect Secure edge devices. Since then, it has been used to target Windows environments in Europe, as well as Linux and BSD-based appliances from multiple manufacturers. The malware is designed to give the operators persistent access to victim organizations for over a year.

The threat actors behind BRICKSTORM are known to leverage valid credentials for lateral movement, pivoting into the victim's VMware infrastructure and establishing persistence by modifying init.d, rc.local, or systemd files so that the backdoor is automatically started when the appliance reboots. They also use a malicious Java Servlet filter for the Apache Tomcat server, dubbed BRICKSTEAL, to capture vCenter credentials for privilege escalation.
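The persistence locations named above (init.d, rc.local and the systemd unit directories) are exactly the places a defender should be baselining. The script below is an added example, not code from the GTIG report or from this article: it snapshots SHA-256 hashes of every file under those paths, diffs the snapshot against a saved baseline, and for any new or changed systemd unit pulls out the ExecStart line so an analyst can see what would launch at boot. The directory tree, unit files and the `/opt/example/agent` path are constructed for the demonstration; on a real appliance you would point `snapshot()` at `/` and persist the baseline somewhere the appliance cannot modify.

```python
"""Integrity audit of Linux autostart locations (added example, constructed data)."""
import hashlib
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Autostart locations to watch, relative to a root directory so the demo can
# run against a scratch tree instead of the live filesystem.
AUTOSTART_PATHS = [
    "etc/init.d",
    "etc/rc.local",
    "etc/systemd/system",
    "lib/systemd/system",
]

EXEC_START = re.compile(r"^\s*ExecStart\s*=\s*(.+)$", re.MULTILINE)


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Dict[str, str]:
    """Map each regular file under the watched paths to its SHA-256 digest."""
    result: Dict[str, str] = {}
    for rel in AUTOSTART_PATHS:
        base = os.path.join(root, rel)
        if os.path.isfile(base):
            result[rel] = _sha256(base)
        elif os.path.isdir(base):
            for dirpath, _, files in os.walk(base):
                for name in files:
                    full = os.path.join(dirpath, name)
                    if os.path.isfile(full) and not os.path.islink(full):
                        result[os.path.relpath(full, root)] = _sha256(full)
    return result


def diff_snapshots(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report files that appeared, disappeared or changed since the baseline."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return {"added": added, "removed": removed, "modified": modified}


def exec_start_of(root: str, rel: str) -> List[str]:
    """Return the ExecStart values of a systemd unit file (empty list if none)."""
    with open(os.path.join(root, rel), encoding="utf-8", errors="replace") as f:
        return [m.strip() for m in EXEC_START.findall(f.read())]


def _write(root: str, rel: str, text: str) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as f:
        f.write(text)


def build_demo() -> Tuple[str, Dict[str, str], Dict[str, str]]:
    """Constructed scenario: a clean baseline, then an edited rc.local and a new unit."""
    root = tempfile.mkdtemp(prefix="autostart-audit-")
    os.makedirs(os.path.join(root, "etc/systemd/system"), exist_ok=True)
    _write(root, "etc/rc.local", "#!/bin/sh\nexit 0\n")
    _write(root, "etc/init.d/cron", "#!/bin/sh\n# cron init script\n")
    _write(root, "lib/systemd/system/sshd.service",
           "[Service]\nExecStart=/usr/sbin/sshd -D\n")
    baseline = snapshot(root)
    # Simulated tampering (constructed, not real malware artefacts).
    _write(root, "etc/rc.local", "#!/bin/sh\n/opt/example/agent &\nexit 0\n")
    _write(root, "etc/systemd/system/update-agent.service",
           "[Unit]\nDescription=update\n[Service]\nExecStart=/opt/example/agent\n"
           "[Install]\nWantedBy=multi-user.target\n")
    return root, baseline, snapshot(root)


if __name__ == "__main__":
    root, baseline, current = build_demo()
    changes = diff_snapshots(baseline, current)
    for kind, paths in changes.items():
        for p in paths:
            line = f"{kind:8} {p}"
            if p.endswith(".service") and kind != "removed":
                line += "  ExecStart=" + "; ".join(exec_start_of(root, p))
            print(line)
```

Run as a script it prints the two constructed changes: the modified rc.local and the added update-agent.service with its ExecStart target. Symlinks are skipped so a symlinked unit under `etc/systemd/system` is reported by its target's hash rather than the link; if your appliance enables units by symlink, add a second pass that records link targets too.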

In addition to its stealthy nature, BRICKSTORM includes a SOCKS proxy that lets the operators tunnel through the compromised appliance and reach applications of interest directly. This makes it a formidable tool in the hands of sophisticated cyber espionage groups.

The primary goal of the campaign is to access the emails of key individuals within the victim entities, including developers, system administrators, and individuals involved in matters that align with China's economic and espionage interests. The BRICKSTORM backdoor is designed to remain undetected for an extended period, generating minimal to no security telemetry.

The use of such a sophisticated tool by a suspected China-nexus cyber espionage group raises concerns about the potential for long-term access to sensitive information and intellectual property. It also highlights the importance of robust cybersecurity measures, including endpoint detection and response (EDR) tools, to prevent such intrusions.

GTIG has responded to several intrusions since March 2025, indicating that they are taking the threat seriously. However, more needs to be done to raise awareness about this sophisticated tool and its implications for organizations worldwide.

In conclusion, the BRICKSTORM backdoor is a sophisticated tool used by a suspected China-nexus cyber espionage group to infiltrate organizations in the U.S. legal and technology sectors. Its stealthy nature and capabilities make it a formidable tool in the hands of sophisticated cyber espionage groups. As such, it is essential that organizations take proactive measures to protect themselves against this threat.



Related Information:
  • https://www.ethicalhackingnews.com/articles/The-BRICKSTORM-Backdoor-A-Sophisticated-Tool-for-Chinese-Cyber-Espionage-ehn.shtml

  • https://thehackernews.com/2025/09/unc5221-uses-brickstorm-backdoor-to.html

  • https://www.cyberhappenings.com/happenings/2025/09/24/brickstorm-malware-used-in-long-term-espionage-against-us-organizations/

  • https://www.cisa.gov/news-events/alerts/2025/03/28/cisa-releases-malware-analysis-report-resurge-malware-associated-ivanti-connect-secure

  • https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-exploiting-critical-ivanti-vulnerability

  • https://www.reuters.com/technology/cybersecurity/apt31-chinese-hacking-group-behind-global-cyberespionage-campaign-2024-03-26/

  • https://cybelangel.com/blog/cyber-espionage-apts/


Published: Wed Sep 24 11:32:14 2025 by llama3.2 3B Q4_K_M