BRICKSTORM
BRICKSTORM is a backdoor/remote access trojan used in China-nexus espionage activity, most prominently linked to UNC5221 and also observed in intrusions attributed to the suspected PRC-nexus cluster UNC6201. Reporting describes it as a primary persistence implant on edge and appliance systems that often lack EDR coverage, including VMware hypervisor environments, Dell RecoverPoint for Virtual Machines appliances, Egnyte Storage Sync appliances, pfSense firewalls, and other Linux/BSD-based systems; Windows targeting has also been reported. It has been used against government and IT sector organizations, as well as legal services, software-as-a-service providers, business process outsourcers, technology firms, and U.S. law firms, with campaigns involving theft of legal, trade, national security, and intellectual property information.
Observed BRICKSTORM capabilities include interactive shell command execution, file and directory operations, and SOCKS4/5 and HTTP proxying. Operators used its proxying capability to route traffic through victim infrastructure, including SSL VPN access, and to access Microsoft 365 environments while blending with trusted internal traffic and evading Conditional Access policies. Command-and-control communications have been reported over WebSockets, TLS, and in some cases DNS-over-HTTPS for lookups; Base64 encoding of C2 communications has also been noted. Early variants were described as Golang-based, while later variants were reported as written in Rust. A FreeBSD/BSD-compatible variant was identified on pfSense firewalls.
The malware has been associated with long-term covert access, with reporting citing dwell times of more than a year and an average of 393 days in some investigations. Persistence mechanisms observed alongside BRICKSTORM deployments include modified cron files, changes to /etc/rc or /etc/rc.d/cron on pfSense, and deployment to paths such as /usr/sbin/ on compromised appliances. In Dell RecoverPoint investigations, active BRICKSTORM command-and-control traffic was observed in compromises involving CVE-2026-22769, and Mandiant reported that attackers also used BRICKSTORM as custom in-memory malware on network appliances. Publicly reported BRICKSTORM-associated infrastructure includes the domains systemsvcs.com, natsupport.net, performanceviewtools.com, winfoacacorp.com, and msazure.azdatastore.workers.dev, and reported IP indicators include 192.236.147.131, 192.236.147.138, 193.141.60.212, 192.236.154.158, 192.236.146.173, 174.169.162.62, and 64.94.84.97.
Vulnerabilities exploited
3 CVEs correlated with this family across public research and vendor advisories.
Analysis of incident response engagements revealed that UNC6201, a suspected PRC-nexus threat cluster, has exploited this flaw since at least mid-2024 to move laterally, maintain persistent access, and deploy malware including SLAYSTYLE, BRICKSTORM, and a novel backdoor tracked as GRIMBOLT.
BRICKSTORM, first documented last year in connection with the zero-day exploitation of Ivanti Connect Secure zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887) against the MITRE Corporation...
Groups observed using it
11 distinct threat actors attributed by public researchers.
Another high-profile campaign involves the BRICKSTORM backdoor, linked to China-nexus actor UNC5221 and observed by Google/Mandiant, which targets VMware hypervisor and Windows environments across government and IT sector organizations.
A China-nexus cyber espionage group has been observed deploying a BSD variant of a known backdoor called BRICKSTORM... the adversary had compromised an unnamed victim's Egnyte Storage Sync system by exploiting a local privilege escalation flaw to deploy BRICKSTORM.
Mandiant (part of Google Cloud) just published a comprehensive defender’s guide on securing VMware vSphere environments against the BRICKSTORM backdoor and associated malware activity.
Techniques & procedures
26 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (4 techniques)
The threat actor used the malware's proxying capabilities deployed on the Storage Sync system, along with compromised credentials, to access the victim's Microsoft 365 (M365) environment.
The attacker’s workstation, sitting somewhere outside the victim’s network, connected to the organization’s web-based SSL VPN.
Mandiant and Google Threat Intelligence Group (GTIG) have identified the zero-day exploitation of a high-risk vulnerability in Dell RecoverPoint for Virtual Machines, tracked as CVE-2026-22769... UNC6201... has exploited this flaw since at least mid-2024
Execution (2 techniques)
Persistence (7 techniques)
UNC6201 established BRICKSTORM and GRIMBOLT persistence on the Dell RecoverPoint for Virtual Machines by modifying a legitimate shell script named convert_hosts.sh to include the path to the backdoor. This shell script is executed by the appliance at boot time via rc.local.
The same malware was found on the MSP’s pfSense firewall in a FreeBSD-compatible variant, obfuscated with a tool called gobfuscate and set to run automatically through a modified cron startup file.
Volexity found that VerdantBamboo had set up persistence for the BRICKSTORM implant by modifying the file /etc/rc.d/cron to include a single line to execute the implant.
Privilege Escalation (7 techniques)
the adversary had compromised an unnamed victim's Egnyte Storage Sync system by exploiting a local privilege escalation flaw to deploy BRICKSTORM
Stealth (4 techniques)
The same malware was found on the MSP’s pfSense firewall in a FreeBSD-compatible variant, obfuscated with a tool called gobfuscate
After this operation was successful, the threat actor removed the file from /etc/cron.d, meaning there was no long-term persistence method for this implant.
Mandiant also released a tool for decoding Garble strings[2]... After retrieving all the matches and removing possible substrings I can emulate the code... This won’t get every single string as some are passed as offsets to the data residing in rodata section for longer pieces.
Defense Impairment (1 technique)
Credential Access (1 technique)
Lateral Movement (1 technique)
Collection (1 technique)
Command and Control (9 techniques)
The device was an Egnyte Storage Sync appliance... Instead of connecting to Egnyte’s own infrastructure, it was quietly beaconing out to a domain controlled by the attackers, hiding behind Cloudflare IP addresses and using Google’s public DNS server at 8.8.8.8 to resolve queries over HTTPS, a technique that neatly disguised the malicious traffic.
Communicates with its C2 infrastructure over WebSockets, with some variants using DNS-over-HTTPS (DoH) to obscure C2 lookups from standard DNS monitoring
They contain three core task extensions: ... socks A Socks5 proxy server implementation
deploy additional malware to a Synology Network Attached Storage (NAS) appliance
GRIMBOLT... provides a remote shell capability and uses the same command and control as previously deployed BRICKSTORM payload.
IOCs tracked for this family
42 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, covering IPs, domains, and DNS infrastructure; file hashes (MD5, SHA-1, SHA-256); and other indicator types from public reporting.
Recent activity
124 sources tracked across advisories, community write-ups, and news.
A stealthy backdoor targeting VMware hypervisor and Windows environments, enabling lateral movement, network tunnelling, and automatic reinstallation for long-term persistence in protected networks.
A backdoor used against Linux/BSD-like systems and proprietary appliances. It provides proxying capabilities and newer variants support interactive shell, remote command execution, file manipulation, and command-and-control server switching.
Backdoor used in a China-linked cyber-espionage campaign attributed to UNC5221 to maintain long-term access and facilitate theft of sensitive information.