Brickstorm is the name security researchers have given to a recent, stealthy backdoor used in long-running espionage campaigns. The malware family is notable for its focus on network appliances and management infrastructure that often sit outside the scope of conventional defence tools. Operators use Brickstorm to maintain long-term access, move laterally inside enterprise environments and quietly exfiltrate sensitive data. The campaign has attracted attention because of the targets, persistence and the techniques used to avoid detection.
How Brickstorm operators find a foothold
Threat actors behind Brickstorm favour appliances and management servers that organisations frequently overlook. These include virtual machine management systems, VPN and remote-access appliances and other BSD or Linux-based devices that cannot run standard endpoint agents. Attackers identify unpatched or exposed services, exploit known and sometimes zero-day vulnerabilities, and use stolen credentials to gain access.
In some public reports researchers link the activity to a China-associated cluster tracked as UNC5221, and they describe a campaign that has quietly compromised organisations in the legal, technology, SaaS and business process outsourcing sectors.
Common entry vectors reported in technical disclosures include exploiting appliance vulnerabilities and abusing weak asset inventories. When organisations do not centrally track appliances or include them in logging and patching processes, those devices become especially attractive for attackers looking for a stealthy foothold. Brickstorm operators have been observed exploiting specific vulnerabilities in widely used management products as a way into target networks.
Tricks and tradecraft: how Brickstorm avoids detection
Brickstorm is engineered for persistence and stealth. The malware uses a small number of carefully chosen capabilities rather than a noisy toolkit. Several techniques stand out.
First, Brickstorm is written in the Go programming language and includes cross-platform variants, which lets operators run components on Linux, Windows and BSD-based hosts. This flexibility helps attackers place backdoors inside devices that cannot be monitored by traditional endpoint protection solutions.
Second, the backdoor implements network tunnelling and proxy functions. Operators can create SOCKS proxy tunnels and forward traffic through compromised devices, enabling interactive access to internal systems without exposing direct command and control traffic. That tunnelling makes lateral movement and data retrieval much easier while reducing distinctive network signatures.
Third, Brickstorm resolves command and control infrastructure via DNS over HTTPS and similar covert channels. Using DoH obscures domain lookups inside what looks like legitimate HTTPS traffic, limiting the value of simple DNS monitoring. The backdoor also supports web-based command mechanisms that return execution output within HTTP responses, which blends into normal network noise.
Fourth, operators favour modifying startup scripts, deploying webshells and cloning virtual machines without powering them on to harvest data. Cloning VMs can allow attackers to access disk images containing sensitive files while avoiding activities that would trigger some defensive alerts. Those operational choices lengthen dwell time and complicate detection and response.
Finally, attackers often target suppliers and upstream services to reach multiple downstream victims. By compromising a SaaS provider or a managed service, operators can pivot into customer environments, multiplying the impact of a single intrusion. That supply chain approach makes attribution and containment more challenging.
What Brickstorm does after it infects a device
Once implanted, Brickstorm gives attackers a set of practical functions. They are not theatrical, but they are effective.
The backdoor allows remote command execution on the compromised host. Operators can list and move files, create or delete directories, and retrieve documents of interest. Because Brickstorm can tunnel network connections and act as a proxy, attackers can mount interactive sessions deeper inside the network, using the compromised appliance as a staging post. That capability often enables credential theft, lateral movement to management consoles such as VMware vCenter and ESXi hosts, and eventual access to high-value virtual machines or data repositories.
Brickstorm’s stealthy communications make detection harder. By hiding control traffic in DoH and using HTTP responses to carry command output, the malware avoids many signature-based network defences. The result is long dwell times: public reporting indicates incidents where Brickstorm remained active in victim environments for months, sometimes longer than a year. During that time attackers can quietly copy files, harvest intellectual property, and map internal networks for future operations.
Beyond data theft, the presence of a persistent backdoor can enable future operations. Attackers may use the foothold to plant additional tooling, maintain access for follow-on espionage, or identify zero-day vulnerabilities in vendor software that can be weaponised later. That strategic value makes Brickstorm especially worrying to organisations that handle sensitive legal and commercial data.
Practical steps to reduce your risk
Defending against Brickstorm requires a combination of basic cyber hygiene and specific controls aimed at appliances and management infrastructure.
Make inventories comprehensive and continuous. Organisations must include appliances, virtual management servers, out-of-band devices and other infrastructure in their asset inventories. Devices that do not appear in central logging and patching systems are blind spots. Regular discovery scans and active reconciliation between asset lists and network observations reduce those blind spots.
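The reconciliation described above can be automated. The following is an added illustration, not code from the article or from any asset-management product: it compares a CMDB-style inventory export against the hosts a discovery scan actually observed and reports the blind spots in each direction (devices on the network that nobody tracks, inventory entries that no longer answer, and tracked devices that are outside logging or patching). The inventory records, scan results, field names and the appliance heuristic are all constructed assumptions for this example.

```python
"""Reconcile an asset inventory against network discovery results.

Added illustration, not from the article or any vendor tool. All records
below are constructed sample data; the field names are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class InventoryItem:
    ip: str
    name: str
    owner: str
    forwards_logs: bool      # device ships logs to the central collector
    in_patch_cycle: bool     # device is covered by the patching process


@dataclass(frozen=True)
class DiscoveredHost:
    ip: str
    open_ports: tuple
    banner: str


# Constructed sample inventory (what the CMDB claims exists)
INVENTORY = [
    InventoryItem("10.0.1.10", "vcenter01", "virt-team", True, True),
    InventoryItem("10.0.1.20", "vpn-gw01", "netops", False, False),
    InventoryItem("10.0.1.30", "old-jumpbox", "unknown", False, False),
]

# Constructed sample discovery scan (what the network actually shows)
SCAN = [
    DiscoveredHost("10.0.1.10", (443, 902), "VMware vCenter"),
    DiscoveredHost("10.0.1.20", (443,), "SSL-VPN portal"),
    DiscoveredHost("10.0.1.40", (22, 443, 8443), "Appliance management console"),
]

# Assumed heuristic: banners and ports that usually belong to management gear
APPLIANCE_HINTS = ("vcenter", "esxi", "vpn", "appliance", "management")


def looks_like_appliance(host: DiscoveredHost) -> bool:
    """Crude classifier so unmanaged appliances float to the top of the report."""
    banner = host.banner.lower()
    return any(hint in banner for hint in APPLIANCE_HINTS) or 902 in host.open_ports


def reconcile(inventory, scan):
    """Return the blind spots in both directions, each as a sorted list of IPs."""
    inv_by_ip = {item.ip: item for item in inventory}
    seen_ips = {host.ip for host in scan}
    live = [item for item in inventory if item.ip in seen_ips]
    return {
        # On the network but not tracked: the classic stealthy-foothold candidate
        "unmanaged": sorted(h.ip for h in scan if h.ip not in inv_by_ip),
        "unmanaged_appliances": sorted(
            h.ip for h in scan if h.ip not in inv_by_ip and looks_like_appliance(h)
        ),
        # Tracked but no longer answering: stale entry or a device moved elsewhere
        "stale": sorted(item.ip for item in inventory if item.ip not in seen_ips),
        # Tracked and live, but invisible to central logging or patching
        "no_logging": sorted(item.ip for item in live if not item.forwards_logs),
        "not_patched": sorted(item.ip for item in live if not item.in_patch_cycle),
    }


if __name__ == "__main__":
    for category, ips in reconcile(INVENTORY, SCAN).items():
        print(f"{category:22s} {ips}")
```

Run the reconciliation on every discovery scan, not once a quarter; the "unmanaged_appliances" list is the one to triage first, and anything in "no_logging" should be fixed before it appears in an incident timeline.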
Prioritise patching for management and appliance software. Many Brickstorm intrusions begin with exploited vulnerabilities in remote access or management products. Timely patching of known vulnerabilities, combined with compensating controls where patches cannot be applied immediately, significantly reduces exposure. When vendors publish emergency fixes, treat them as high priority for affected systems.
Segment networks and limit lateral movement. Appliances and management hosts should be placed in restricted network segments with tightly controlled access. Use access control lists, firewall rules and microsegmentation where possible so that a compromised appliance cannot freely reach vCenter, file servers or production virtual machines. Multi-factor authentication should be enforced for administrative interfaces.
Monitor for behavioural indicators rather than only signatures. Because Brickstorm hides in normal-looking traffic and can be tailored to avoid signature detection, behavioural detection and threat hunting are essential.
Look for unusual DNS over HTTPS patterns, unexpected VM cloning operations, anomalous startup script changes, and webshell activity. Hunt for sudden increases in service account usage or authentication anomalies originating from appliances. Several response vendors recommend detection rules and Sigma signatures that can be adapted to an organisation’s environment.
Harden logging and telemetry for appliances. Even if an appliance cannot run an endpoint agent, most devices can forward logs. Enable auditing, central log collection and monitoring so that activities such as file system changes, webshell access or suspicious command execution generate alerts. Correlate appliance logs with network flow and authentication records to build a fuller picture.
Assume compromise and plan incident response accordingly. Prepare playbooks that cover appliance compromise scenarios, including containment steps that avoid tipping off an attacker. Consider network isolation procedures, credential rotation for accounts accessible from affected devices, and forensic collection processes that preserve evidence while limiting further data loss. Retain access to specialist incident response assistance for complex investigations.
How to spot signs of an active Brickstorm infection
Some indicators are technical, others procedural. Monitor for newly created webshells on appliances and unexpected modifications to startup scripts. Watch for unusual DNS over HTTPS traffic to unknown domains or sudden proxying behaviour from devices that normally do not forward third-party traffic. Be alert for cloned virtual machines being created in management consoles, especially if those clones are mounted or copied off host storage.
Finally, investigate any unexplained service account activity or lateral authentication attempts originating from appliance IP addresses. These signs warrant immediate triage and consideration of escalation to incident response professionals.
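The behavioural indicators listed in this section and in the monitoring advice above (DoH from appliances, clones that are never powered on, startup-script changes, and appliance-originated logins to management consoles) can be expressed as a handful of hunting rules. The block below is an added illustration written for this article; it is not the article's own detection content, nor a vendor's Sigma rules. Every log record is a constructed sample, and the field names, the appliance subnet, the list of sanctioned DoH resolvers and the management host names are assumptions. The vSphere event names VmClonedEvent and VmPoweredOnEvent are real event types, but the record layout used here is simplified.

```python
"""Hunting rules for the Brickstorm indicators discussed in the article.

Added illustration, not detection content from the article or any vendor.
All log records are constructed samples; field names, subnets, resolver
and console lists are assumptions for this example.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

APPLIANCE_NETS = [ip_network("10.0.1.0/24")]   # assumed appliance/management segment
SANCTIONED_DOH = {"doh.corp.example"}         # assumed organisation-approved DoH resolvers
DOH_PATH = "/dns-query"                        # RFC 8484 well-known path
DOH_CONTENT_TYPE = "application/dns-message"   # RFC 8484 media type
STARTUP_PATHS = ("/etc/rc.local", "/etc/init.d/", "/etc/rc.d/", "/etc/systemd/system/")
MANAGEMENT_HOSTS = {"vcenter01", "esxi01"}     # assumed consoles appliances never log in to
CLONE_WINDOW = timedelta(hours=6)              # a clone left unpowered this long is suspicious
NOW = datetime(2025, 1, 10, 12, 0)             # fixed reference time for the sample data


def is_appliance(ip: str) -> bool:
    return any(ip_address(ip) in net for net in APPLIANCE_NETS)


def ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


# Constructed sample telemetry (not real logs)
PROXY_LOGS = [
    {"ts": "2025-01-10T08:00:00", "src": "10.0.1.20", "host": "203.0.113.5",
     "method": "POST", "path": "/dns-query", "content_type": "application/dns-message"},
    {"ts": "2025-01-10T08:01:00", "src": "10.0.1.10", "host": "doh.corp.example",
     "method": "POST", "path": "/dns-query", "content_type": "application/dns-message"},
    {"ts": "2025-01-10T08:02:00", "src": "10.0.5.7", "host": "198.51.100.9",
     "method": "GET", "path": "/index.html", "content_type": "text/html"},
]
VCENTER_EVENTS = [
    {"ts": "2025-01-10T02:10:00", "event": "VmClonedEvent", "vm": "fileserver01",
     "clone": "fileserver01-clone", "user": "svc-backup"},
    {"ts": "2025-01-10T02:30:00", "event": "VmClonedEvent", "vm": "hr-db",
     "clone": "hr-db-tmp", "user": "svc-backup"},
    {"ts": "2025-01-10T02:35:00", "event": "VmPoweredOnEvent", "vm": "hr-db-tmp",
     "user": "svc-backup"},
]
FILE_EVENTS = [
    {"ts": "2025-01-10T03:00:00", "host": "10.0.1.20", "path": "/etc/rc.local", "action": "modify"},
    {"ts": "2025-01-10T03:05:00", "host": "10.0.5.7", "path": "/home/alice/notes.txt", "action": "modify"},
    {"ts": "2025-01-10T03:10:00", "host": "10.0.1.10", "path": "/var/log/vmware/vpxd.log", "action": "modify"},
]
AUTH_LOGS = [
    {"ts": "2025-01-10T03:20:00", "src": "10.0.1.20", "target": "vcenter01", "user": "svc-backup", "result": "success"},
    {"ts": "2025-01-10T03:25:00", "src": "10.0.9.3", "target": "vcenter01", "user": "admin", "result": "success"},
]


def hunt_doh(proxy_logs):
    """DoH requests from an appliance to a resolver the organisation has not sanctioned."""
    alerts = []
    for r in proxy_logs:
        is_doh = r["path"].startswith(DOH_PATH) or r["content_type"] == DOH_CONTENT_TYPE
        if is_doh and is_appliance(r["src"]) and r["host"] not in SANCTIONED_DOH:
            alerts.append({"rule": "appliance_doh", "src": r["src"], "host": r["host"], "ts": r["ts"]})
    return alerts


def hunt_unpowered_clones(events, now=NOW):
    """Clones that exist for at least CLONE_WINDOW without ever being powered on."""
    powered_on = {e["vm"] for e in events if e["event"] == "VmPoweredOnEvent"}
    alerts = []
    for e in events:
        if e["event"] != "VmClonedEvent" or e["clone"] in powered_on:
            continue
        if now - ts(e["ts"]) >= CLONE_WINDOW:
            alerts.append({"rule": "unpowered_clone", "clone": e["clone"],
                           "source_vm": e["vm"], "user": e["user"], "ts": e["ts"]})
    return alerts


def hunt_startup_changes(file_events):
    """Startup-script creation or modification on an appliance."""
    return [{"rule": "startup_script_change", "host": e["host"], "path": e["path"], "ts": e["ts"]}
            for e in file_events
            if e["action"] in ("create", "modify") and is_appliance(e["host"])
            and e["path"].startswith(STARTUP_PATHS)]


def hunt_appliance_auth(auth_logs):
    """Any login to a management console that originates from an appliance address."""
    return [{"rule": "appliance_auth", "src": r["src"], "target": r["target"], "user": r["user"], "ts": r["ts"]}
            for r in auth_logs if is_appliance(r["src"]) and r["target"] in MANAGEMENT_HOSTS]


def run_hunts():
    return (hunt_doh(PROXY_LOGS) + hunt_unpowered_clones(VCENTER_EVENTS)
            + hunt_startup_changes(FILE_EVENTS) + hunt_appliance_auth(AUTH_LOGS))


if __name__ == "__main__":
    for alert in run_hunts():
        print(alert)
```

Each rule is deliberately narrow and keyed to the appliance segment, which is where the false-positive rate is lowest: a workstation doing DoH is normal, a VPN gateway doing it to an unknown resolver is not. The clone rule needs the reference time passed in during a historical hunt so that clones from months ago are judged against their own window rather than against today.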
What to do if you suspect Brickstorm activity
If you find evidence of compromise, begin with containment to limit further reach. Isolate affected appliances from management networks while preserving volatile evidence. Rotate credentials for privileged accounts, and review service account activity and token usage.
Deploy threat-hunting queries across logs for historical evidence of exfiltration and lateral actions. Because Brickstorm operators have been known to target downstream customers through supply chain pivots, consider notifying partners and affected clients so they can hunt for related indicators. Engage forensic and incident response specialists if you lack the in-house capability to determine scope and remediate fully.
Conclusion
Brickstorm is not a flashy, high-impact worm. It is a practical, quietly effective backdoor designed to hide in places defenders frequently ignore. Its focus on appliances and management infrastructure, combined with covert network techniques and long-term persistence, makes it a potent tool for espionage. The most effective defences are not exotic.
Maintain thorough asset inventories, prioritise patching of appliance software, segment management systems, enforce strong authentication and implement behavioural detection and threat hunting. Organisations that treat appliances and management consoles as first-class security problems will be far less likely to host the next Brickstorm foothold.
Sources for technical detail and incident reporting include official analysis and advisories from Google Threat Intelligence Group and Mandiant, independent technical write-ups from NVISO and vendor detection guidance from specialist vendors and security publications. For specific IOCs, mitigation scripts and Sigma rules consult the referenced vendor advisories and your incident response partner.