
BRICKSTORM
Go-based backdoor deployed by UNC5221 on VMware vCenter/ESXi; 393-day median dwell time, C2 via Cloudflare Workers.
Last refreshed: 17 April 2026 · Appears in 1 active topic
Why does BRICKSTORM operate undetected for more than a year inside enterprise networks?
Timeline for BRICKSTORM
BRICKSTORM dwell hits 393 days, Mandiant
- What is BRICKSTORM and how does it work?
- BRICKSTORM is a Go-based backdoor deployed by China-linked UNC5221 on VMware vCenter and ESXi infrastructure. It routes command-and-control through Cloudflare Workers and Heroku, captures vCenter credentials via a companion servlet filter called BRICKSTEAL, and clones domain-controller virtual machines so credentials can be extracted from the clone offline. Source: Mandiant M-Trends 2026
- How long does BRICKSTORM stay hidden in a network?
- Mandiant's M-Trends 2026 report puts the median BRICKSTORM dwell time at 393 days, meaning the typical organisation does not detect the backdoor until more than a year after initial compromise. Source: Mandiant M-Trends 2026
- How do I detect BRICKSTORM on VMware vCenter?
- Mandiant recommends enabling and retaining vCenter HTTP audit logs, reviewing Microsoft Entra enterprise application permissions for unexpected mail-reading application grants (`Mail.Read`, `full_access_as_app`), and monitoring for anomalous outbound HTTPS from hypervisor management hosts to Cloudflare Workers or Heroku endpoints. Source: Mandiant M-Trends 2026
Background
BRICKSTORM is a Go-based backdoor developed and deployed by the China-nexus actor UNC5221 against VMware vCenter and ESXi hypervisors, and Linux and BSD appliances. Mandiant's M-Trends 2026 report disclosed that across observed intrusions the median dwell time is 393 days, with targets concentrated in US and UK legal services, Business Process Outsourcers (BPOs), SaaS providers and technology companies.
BRICKSTORM routes its command-and-control through legitimate cloud platforms, Cloudflare Workers and Heroku, so network monitoring sees ordinary traffic to major cloud providers rather than attacker-owned infrastructure. A companion component, BRICKSTEAL, is a Java servlet filter installed on VMware vCenter that intercepts HTTP Basic Authentication headers as requests arrive, harvesting credentials on an appliance where no EDR agent runs. From the hypervisor, UNC5221 clones domain-controller virtual machines and extracts credentials from the clone offline, which yields persistent access to the identity plane without producing authentication events on the live domain controllers. Application permissions on Microsoft Entra ID enterprise applications (`Mail.Read`, `full_access_as_app`) then provide mailbox access without any malware on staff devices.
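The detection guidance above (vCenter audit logging, Entra app permission review, hypervisor egress monitoring) and the domain-controller cloning described in the preceding paragraph translate into three log-triage checks. The block below is an added example written for this page, not Mandiant's tooling or anything from the UNC5221 toolset; the record field names, the management VLAN `10.10.0.0/24`, the DC naming regex and every sample record are constructed assumptions to be mapped onto your own Entra, proxy and vCenter exports.

```python
"""Triage checks for BRICKSTORM-style tradecraft over constructed sample records.

Added example, not Mandiant tooling. Record shapes (field names) are assumptions;
map them onto your own Entra, proxy and vCenter exports.
"""
import ipaddress
import re

# --- 1. Entra ID enterprise apps with tenant-wide mailbox access ------------
# Application permissions (not delegated) read mail without any signed-in user.
MAIL_READ_PERMISSIONS = {"Mail.Read", "Mail.ReadWrite", "full_access_as_app"}


def suspicious_app_grants(grants):
    """grants: dicts with keys app, permission, type ("Application"/"Delegated").
    Returns the application-permission grants that warrant review."""
    return [g for g in grants
            if g["type"] == "Application" and g["permission"] in MAIL_READ_PERMISSIONS]


# --- 2. Hypervisor egress to serverless fronts used for C2 -------------------
HYPERVISOR_NETS = [ipaddress.ip_network("10.10.0.0/24")]  # assumed vCenter/ESXi management VLAN
C2_FRONT_SUFFIXES = (".workers.dev", ".herokuapp.com")


def hypervisor_egress_to_c2_fronts(proxy_lines):
    """proxy_lines: 'src_ip dst_host' strings (constructed egress-log shape).
    Returns (src, host) pairs where a hypervisor host reached a serverless front."""
    hits = []
    for line in proxy_lines:
        src, host = line.split()
        from_hypervisor = any(ipaddress.ip_address(src) in net for net in HYPERVISOR_NETS)
        if from_hypervisor and host.lower().endswith(C2_FRONT_SUFFIXES):
            hits.append((src, host))
    return hits


# --- 3. vCenter clone events whose source VM is a domain controller ----------
CLONE_EVENT_TYPES = {"vim.event.VmBeingClonedEvent", "vim.event.VmClonedEvent"}
DC_NAME_RE = re.compile(r"(^|[-_])dc\d*([-_]|$)", re.IGNORECASE)  # assumed DC naming convention


def dc_clone_events(events):
    """events: dicts with eventTypeId, srcVm, user (shape loosely follows the
    vSphere event API; an assumption). Returns clone events of DC-like VMs."""
    return [e for e in events
            if e["eventTypeId"] in CLONE_EVENT_TYPES and DC_NAME_RE.search(e["srcVm"])]


# --- constructed sample data -------------------------------------------------
SAMPLE_GRANTS = [
    {"app": "HR Sync", "permission": "User.Read.All", "type": "Application"},
    {"app": "Mail Archiver", "permission": "Mail.Read", "type": "Application"},
    {"app": "Outlook Addin", "permission": "Mail.Read", "type": "Delegated"},
    {"app": "Backup Svc", "permission": "full_access_as_app", "type": "Application"},
]
SAMPLE_PROXY_LINES = [
    "10.10.0.5 vcsa-updates.example.com",
    "10.10.0.5 sync-cdn-7f3a.workers.dev",
    "10.20.0.8 app.herokuapp.com",            # user VLAN: not a hypervisor source
    "10.10.0.12 telemetry-relay.herokuapp.com",
]
SAMPLE_EVENTS = [
    {"eventTypeId": "vim.event.VmClonedEvent", "srcVm": "DC01", "user": "VSPHERE.LOCAL\\svc-backup"},
    {"eventTypeId": "vim.event.VmClonedEvent", "srcVm": "web-frontend-03", "user": "VSPHERE.LOCAL\\ops"},
    {"eventTypeId": "vim.event.VmPoweredOnEvent", "srcVm": "DC02", "user": "VSPHERE.LOCAL\\ops"},
    {"eventTypeId": "vim.event.VmBeingClonedEvent", "srcVm": "corp-dc-02", "user": "VSPHERE.LOCAL\\svc-backup"},
]


def run_triage():
    """Run all three checks over the sample data; one finding list per check."""
    return {
        "mail_grants": suspicious_app_grants(SAMPLE_GRANTS),
        "hypervisor_egress": hypervisor_egress_to_c2_fronts(SAMPLE_PROXY_LINES),
        "dc_clones": dc_clone_events(SAMPLE_EVENTS),
    }


if __name__ == "__main__":
    for check, findings in run_triage().items():
        print(f"{check}: {len(findings)} finding(s)")
        for finding in findings:
            print("   ", finding)
```

The egress check deliberately keys on the source address rather than the destination alone: Cloudflare Workers and Heroku traffic is normal from user and application subnets, and only becomes a signal when it originates from hosts that should never talk to arbitrary serverless endpoints. Likewise the clone check matches on the source VM, because the clone itself may be named innocuously and deleted once NTDS.dit has been lifted from its disk.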
BRICKSTORM sits on systems that typical SOC tooling does not cover: vCenter, ESXi and Linux/BSD appliances run no EDR agent, and the C2 channel blends into cloud-provider traffic, so detection built around malware signatures and endpoint telemetry never fires. The 393-day median dwell follows from that gap. Forensic discovery usually comes from an unrelated incident response engagement or an external threat-intelligence lead rather than from proactive detection. The campaign's primary value appears to be sustained intelligence collection from legal and professional-services firms that hold privileged access to client M&A, IP and regulatory communications.