
Heroku

Salesforce cloud platform whose legitimate traffic was abused by UNC5221 as a BRICKSTORM command-and-control relay alongside Cloudflare Workers.

Last refreshed: 17 April 2026 · Appears in 1 active topic

Key Question

Why does BRICKSTORM use Heroku and Cloudflare at the same time for its network traffic?

Timeline for Heroku

#1 · 17 Apr

BRICKSTORM dwell hits 393 days, Mandiant

Cybersecurity: Threats and Defences
Common Questions
What is BRICKSTORM malware and why is it so hard to detect?
BRICKSTORM is a Go-based backdoor deployed by UNC5221 on VMware vCenter and ESXi hosts. It hides its command-and-control traffic behind Cloudflare Workers and Heroku, making it indistinguishable from legitimate SaaS traffic. Mandiant's M-Trends 2026 report documented a 393-day average dwell time.

Source: Mandiant M-Trends 2026

Background

Heroku, the Salesforce-owned cloud application platform, was abused by UNC5221 as a command-and-control relay for the BRICKSTORM backdoor alongside Cloudflare Workers, per Mandiant's M-Trends 2026 report. Like Cloudflare Workers, Heroku's legitimate traffic profile makes it an effective C2 relay: traffic originates from Salesforce's infrastructure, is TLS-encrypted, and appears on network monitoring as routine SaaS application traffic.

Heroku was acquired by Salesforce in 2010. It provides a platform-as-a-service for deploying web applications and APIs, widely used by developers for application hosting. Its inclusion in the BRICKSTORM C2 relay configuration alongside Cloudflare Workers shows that UNC5221 runs multiple trusted-infrastructure relays in parallel, increasing resilience against partial takedowns.

For security operations teams, the combined use of Heroku and Cloudflare Workers in the same campaign's C2 infrastructure is a distinctive indicator. Blocking either service outright is impractical given the volume of legitimate traffic each carries; the defence is endpoint-level BRICKSTORM process detection and Entra ID audit-log review for anomalous Enterprise App permission grants.