393 Days Undetected: China-Linked UNC5221 Uses BRICKSTORM Backdoor to Exploit Ivanti Zero-Days
According to Google Threat Intelligence, the China-linked espionage group UNC5221 has, since March, conducted a series of successful intrusions into corporate networks by exploiting previously unknown vulnerabilities in Ivanti products. These operations resulted in the deployment of backdoors that enabled attackers to maintain covert access to victim infrastructure for an average of 393 days without detection.
Analysts attributed the activity to UNC5221 and other closely related Chinese cyber-espionage outfits. According to the report, UNC5221 had already begun exploiting Ivanti device vulnerabilities as early as 2023. Google stresses, however, that the group is not affiliated with Silk Typhoon (formerly Hafnium), the entity suspected of breaching the U.S. Treasury in December.
In Google’s taxonomy, UNC denotes “Uncategorized” — referring to groups not formally classified as either financially motivated (FIN) or state-directed APT clusters, though UNC5221’s operations strongly suggest state sponsorship.
Since spring 2025, Mandiant experts have been responding to incidents tied to UNC5221 across diverse industries, from law firms to SaaS providers and business outsourcing firms. In most cases, attackers deployed a bespoke backdoor named BRICKSTORM, specifically designed for devices that lack traditional detection mechanisms such as EDR, enabling long-term stealth.
To aid detection, Google released a free scanner — compatible with Linux and BSD systems and not requiring YARA — that searches for unique signatures associated with BRICKSTORM. Mandiant cautions that the number of infections could prove substantial once organizations begin broad scanning, with the campaign’s impact likely unfolding over the next one to two years.
In at least one confirmed case, attackers exploited a zero-day in Ivanti Connect Secure. While Google does not identify the exact flaw, prior research linked UNC5221 to exploitation of CVE-2023-46805 and CVE-2024-21887, both only disclosed publicly in January 2024.
Once inside, adversaries deployed BRICKSTORM — a Go-based malware with SOCKS proxy capabilities. Although a Windows variant has been referenced, Mandiant has only observed the malware directly on Linux and BSD devices, including network appliances from multiple vendors.
UNC5221 frequently targets VMware vCenter servers and ESXi hosts, often beginning with compromised edge devices and then pivoting deeper using stolen credentials. In one case, BRICKSTORM was deployed to vCenter after the incident investigation had already begun, demonstrating the adversary’s real-time adaptability and monitoring of defenders’ actions. The malware also evolved through obfuscation via Garble, custom wssoft libraries, and even delayed activation timers.
Additionally, attackers deployed a second implant, BRICKSTEAL, a malicious Java Servlet filter for Apache Tomcat within vCenter’s web interface. It intercepted HTTP Basic Auth headers, capturing usernames and passwords, including domain credentials when Active Directory was in use. Normally such a filter requires configuration changes and a server restart, but the attackers leveraged a custom dropper to inject the code directly into memory without reboot — further enhancing stealth.
Beyond infrastructure, UNC5221 sought access to the mailboxes of key personnel — developers, system administrators, and specialists of strategic interest to Chinese economic or intelligence objectives. For this, they abused Microsoft Entra ID Enterprise Applications with mail.read or full_access_as_app permissions, granting them unrestricted access to organizational email.
Data exfiltration was conducted via BRICKSTORM’s built-in proxying: attackers created tunnels and interacted directly with victim web applications. In several incidents, adversaries even manually deleted malware samples, with traces of BRICKSTORM only uncovered during forensic analysis of backups.
Mandiant emphasizes that the group avoids reusing C2 domains or even duplicating malware builds, rendering traditional IoC-based detection largely ineffective. Instead, defenders are urged to adopt a behavioral, TTP-driven approach, with Mandiant providing a detailed nine-step methodology for threat hunting.
Organizations are advised to update inventories of all devices, especially edge appliances, and review network logs for red flags such as:
- Internet connections to suspicious management IPs,
- Unauthorized access attempts against Windows systems,
- Anomalous activity within Microsoft 365,
- Irregular operations in VMware environments.
Additional indicators include VM cloning, creation of local accounts, enabling SSH on vSphere, and launching unauthorized virtual machines.
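As an added example, not code from Google, Mandiant or the original article: a small Python audit that walks a constructed export of Entra ID enterprise applications, flags any that hold the application-level mail.read or full_access_as_app grants the article says UNC5221 abused, and marks those whose secret or certificate was added within a lookback window, since a long-dormant app that suddenly gains a new credential deserves a closer look. The export layout, its field names and the recent-credential heuristic are assumptions for this example, not a Microsoft Graph schema.

```python
from datetime import datetime, timedelta, timezone

# Application-level mail permissions named in the article; extend as needed.
MAIL_PERMISSIONS = {"mail.read", "full_access_as_app"}

# Constructed sample, shaped like a flattened export of enterprise applications
# (service principals) with their granted application permissions. The field
# names are an assumption for this example, not a Microsoft Graph schema.
SAMPLE_APPS = [
    {"displayName": "HR Mail Sync", "appId": "app-0001",
     "createdDateTime": "2023-02-10T08:00:00Z",
     "credentialAddedDateTime": "2023-02-10T08:05:00Z",
     "appRoles": ["Mail.Read"]},
    {"displayName": "Legacy Backup Connector", "appId": "app-0002",
     "createdDateTime": "2019-06-01T12:00:00Z",
     "credentialAddedDateTime": "2025-04-02T03:14:00Z",
     "appRoles": ["full_access_as_app"]},
    {"displayName": "Ticketing Integration", "appId": "app-0003",
     "createdDateTime": "2022-09-15T09:00:00Z",
     "credentialAddedDateTime": "2022-09-15T09:00:00Z",
     "appRoles": ["User.Read.All"]},
]


def _parse(ts):
    # Export timestamps are ISO 8601 with a trailing 'Z' (assumed format).
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def audit_mail_apps(apps, now, lookback_days=90):
    """Return one finding per app that holds application-level mail access.

    'recentCredential' is True when a secret or certificate was added within
    the lookback window; for an old app this is a cue for closer review.
    """
    cutoff = now - timedelta(days=lookback_days)
    findings = []
    for app in apps:
        perms = sorted(p for p in app.get("appRoles", [])
                       if p.lower() in MAIL_PERMISSIONS)
        if not perms:
            continue  # no mail access granted, nothing to report
        findings.append({
            "displayName": app["displayName"],
            "appId": app["appId"],
            "mailPermissions": perms,
            "recentCredential": _parse(app["credentialAddedDateTime"]) >= cutoff,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_mail_apps(SAMPLE_APPS, datetime(2025, 5, 1, tzinfo=timezone.utc)):
        print(finding)
```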