UNC5221

UNC5221 is a suspected China-nexus, Chinese state-sponsored espionage threat actor also tracked as UTA0178, VerdantBamboo, and WARP PANDA. The content notes that UNC5221 has sometimes been used synonymously with Silk Typhoon, but Google Threat Intelligence Group does not currently consider related clusters such as UNC6201 and UNC5221 to be the same, and the content also states UNC5221 is often reported as the same as Silk Typhoon while some researchers do not believe they are the same. The actor is associated with long-running espionage intrusions targeting U.S. law firms, technology organizations, government and IT sector organizations, Microsoft 365 environments, and defense and aerospace-related entities. Reported objectives in the content include theft of sensitive legal, trade, national security, and source code information, as well as broader geopolitical espionage, access operations, and intellectual property theft. UNC5221 is repeatedly described as favoring edge-device and appliance exploitation for initial access, including firewalls, VPN gateways, storage appliances, NAS systems, VMware infrastructure, and other systems that often lack EDR visibility. The content states the group exploited Ivanti products, including Ivanti Connect Secure, and exploited CVE-2025-22457 in the wild. The content also states advanced threat actors including UNC5221 exploited CVE-2025-4427 and CVE-2025-4428, and that UNC5221 exploited two separate zero-day vulnerabilities in the same VPN product over a three-month period. In one December 2023 Ivanti zero-day incident, the domain symantke[.]com was found to be used by UNC5221. The content also links UNC5221 to use of the MOONSHINE exploit kit and to the SPAWN toolset targeting Ivanti VPN appliances. Malware and tooling directly linked to UNC5221 in the content include BRICKSTORM, PLENET, AGENTPSD, PhiliKit, LIGHTWIRE, THINSPOOL, WARPWIRE, WIREFIRE, ZIPLINE, TRAILBLAZE, BRUSHFIRE, and components of the SPAWN malware ecosystem. BRICKSTORM is described as a stealthy backdoor used across VMware hypervisor, Windows, Linux, BSD, Egnyte, and pfSense environments, with capabilities including SOCKS4/5 and HTTP proxying, file and directory operations, and interactive shell execution, and using WebSockets for command and control. Early BRICKSTORM variants were written in Go and newer variants in Rust. PLENET is described as a .NET backdoor compiled with Native Ahead-of-Time compilation that uses WebSockets and supports interactive shell, file operations, and C2 switching. AGENTPSD is described as a Python-based reverse shell used as a fallback implant. PhiliKit is described as a passive backdoor for executing shell, Python, and Perl scripts and is assessed to be part of UNC5221's SPAWN toolset. Mandiant also linked UNC5221 to custom malware families including LIGHTWIRE, THINSPOOL, WARPWIRE, WIREFIRE, and ZIPLINE. The content describes UNC5221 maintaining long dwell times and persistent access, including access lasting over a year and, in other reporting, at least 18 months. Tradecraft described in the content includes use of valid credentials, in-memory malware to reduce disk artifacts, command-and-control tunneling through legitimate third-party services, proxying traffic through compromised edge devices to make Microsoft 365 logins appear to originate from trusted internal infrastructure, modifying appliance startup files for persistence, re-entering environments after remediation using previously harvested credentials, and targeting infrastructure and appliances that are often excluded from traditional security monitoring.