UNC5221
Organisation · CN


Chinese state-aligned APT targeting Western legal services and BPOs via 393-day BRICKSTORM backdoor on VMware infrastructure.

Last refreshed: 17 April 2026

Key Question

How does UNC5221 stay hidden inside companies for 393 days without triggering an alert?

Common Questions
What is UNC5221 and why are law firms at risk?
UNC5221 is a China-linked hacking group that deploys the BRICKSTORM backdoor on VMware infrastructure. Mandiant's 2026 report found it operates inside victim networks for an average of 393 days without detection, targeting US and UK legal services for economic espionage. Source: Mandiant M-Trends 2026
How does UNC5221 avoid detection for over a year?
UNC5221 operates at the VMware hypervisor layer using legitimate administrative commands, routes all command-and-control through Cloudflare Workers and Heroku so network monitors see normal cloud traffic, and clones domain-controller VMs offline for credential extraction. Source: Mandiant M-Trends 2026
What is the BRICKSTORM backdoor?
BRICKSTORM is a Go-based backdoor deployed by UNC5221 on VMware vCenter and ESXi hosts. It communicates via Cloudflare Workers and Heroku, captures vCenter HTTP authentication via a companion filter called BRICKSTEAL, and enables offline domain-controller cloning. Source: Mandiant M-Trends 2026

Background

UNC5221 is a China-nexus threat actor tracked by Mandiant, attributed with deploying the BRICKSTORM backdoor against VMware vCenter and ESXi hypervisors and Linux and BSD appliances since at least 2024. Mandiant's M-Trends 2026 report, based on over 500,000 hours of incident response, disclosed an average dwell time of 393 days for UNC5221 BRICKSTORM intrusions, with confirmed targets in US and UK legal services, Business Process Outsourcers (BPOs), Software-as-a-Service providers and technology companies.

UNC5221 was first identified in 2023 exploiting Ivanti Connect Secure (ICS) VPN zero-days (CVE-2023-46805 and CVE-2024-21887). The group's defining characteristic is patience: it uses legitimate administrative tooling and Living-Off-the-Land (LotL) techniques that generate no malware detections while operating inside virtualisation infrastructure at the hypervisor layer. BRICKSTORM communicates exclusively through Cloudflare Workers and Heroku, so network-level monitoring and blocklists see benign cloud-provider traffic rather than attacker-owned infrastructure.
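The two evasion properties described above (hypervisor-layer LotL activity such as cloning a domain-controller VM, and command-and-control that blends into Cloudflare Workers and Heroku traffic) leave no malware signature, so detection has to key on who is doing what, and how regularly, rather than on a bad destination. The script below is an added illustration, not Mandiant's code or any vendor rule. It assumes a simplified vCenter event line format and a simplified outbound proxy log format (both constructed here), that Cloudflare Workers and Heroku fronts resolve to hostnames ending in .workers.dev and .herokuapp.com, a DC naming convention of DCnn, and a known set of hypervisor-management IPs; every one of those is an assumption, not something the page states.

```python
"""Detection sketch for the BRICKSTORM tradecraft described above.
Added example; not Mandiant's code and not a vendor signature.
All log lines, IPs, hostnames and naming conventions are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed vCenter-style event lines: TS EventType k=v k=v ... (assumed format).
VCENTER_EVENTS = """\
2026-01-08T02:14:05Z VmClonedEvent user=VSPHERE.LOCAL\\svc-backup src=DC01 dst=DC01-clone host=esx03
2026-01-08T02:31:40Z VmPoweredOnEvent user=VSPHERE.LOCAL\\svc-backup vm=DC01-clone host=esx03
2026-01-09T09:00:12Z VmClonedEvent user=CORP\\jsmith src=WEB02 dst=WEB02-test host=esx01
"""

# Constructed outbound proxy lines from the hypervisor management network.
PROXY_LOG = """\
2026-01-08T03:00:01Z src=10.10.5.3 dst=edge-sync.workers.dev bytes=812
2026-01-08T04:00:02Z src=10.10.5.3 dst=edge-sync.workers.dev bytes=790
2026-01-08T05:00:01Z src=10.10.5.3 dst=edge-sync.workers.dev bytes=801
2026-01-08T05:10:11Z src=10.10.20.44 dst=updates.vendor.example bytes=5120
"""

HYPERVISOR_MGMT = {"10.10.5.3", "10.10.5.4"}         # vCenter/ESXi mgmt IPs (assumed)
DC_NAME = re.compile(r"^DC\d+", re.I)                  # DC naming convention (assumed)
CLOUD_FRONT_SUFFIXES = (".workers.dev", ".herokuapp.com")  # assumed host suffixes


def parse_line(line):
    """Split 'TS [EventType] k=v k=v ...' into a dict (constructed format)."""
    ts, *tokens = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for tok in tokens:
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec[key] = val
        else:
            rec["event"] = tok      # bare token is the vCenter event type
    return rec


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect_dc_clones(vcenter_text):
    """Flag any VmClonedEvent whose source VM looks like a domain controller.
    The clone itself is a legitimate admin action, which is why it raises no
    malware alert; a copy that is later powered on is marked clone_powered_on,
    since a booted copy is what an attacker would extract credentials from."""
    events = parse_log(vcenter_text)
    powered_on = {e["vm"] for e in events if e.get("event") == "VmPoweredOnEvent"}
    alerts = []
    for e in events:
        if e.get("event") == "VmClonedEvent" and DC_NAME.match(e.get("src", "")):
            alerts.append({
                "ts": e["ts"], "user": e["user"], "host": e["host"],
                "src": e["src"], "dst": e["dst"],
                "clone_powered_on": e["dst"] in powered_on,
            })
    return alerts


def detect_beaconing(proxy_text, max_jitter=timedelta(seconds=60), min_hits=3):
    """Flag hypervisor-management hosts contacting Workers/Heroku fronts at a
    near-constant interval. Blocking the destination is not an option (it is a
    shared cloud provider), so the signal is the source role plus regularity."""
    by_pair = defaultdict(list)
    for r in parse_log(proxy_text):
        if r["src"] in HYPERVISOR_MGMT and r["dst"].endswith(CLOUD_FRONT_SUFFIXES):
            by_pair[(r["src"], r["dst"])].append(r["ts"])
    alerts = []
    for (src, dst), times in by_pair.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(times) >= min_hits and max(gaps) - min(gaps) <= max_jitter:
            period = sum(g.total_seconds() for g in gaps) / len(gaps)
            alerts.append({"src": src, "dst": dst, "hits": len(times),
                           "period_s": round(period)})
    return alerts


if __name__ == "__main__":
    for a in detect_dc_clones(VCENTER_EVENTS):
        print("DC clone:", a)
    for a in detect_beaconing(PROXY_LOG):
        print("periodic cloud-front beacon from hypervisor mgmt:", a)
```

On the constructed data the first rule fires once (DC01 cloned and the copy powered on by a backup service account) and the second fires once (a vCenter management IP contacting a Workers hostname hourly with about two seconds of jitter), while the WEB02 clone and the ordinary vendor-update traffic stay silent. The point both rules share is that neither needs an indicator for BRICKSTORM itself: they watch the actions and the sources that the page says the actor relies on to look legitimate.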

The 393-day median dwell figure makes UNC5221 intrusions effectively undetectable within any standard SOC operational cycle. The group's commercial-sector targeting, particularly legal services with privileged client communications and BPOs with broad data access across multiple client estates, suggests intelligence collection for economic espionage rather than disruptive positioning. The China-nexus assessment distinguishes UNC5221 from Volt Typhoon (critical infrastructure pre-positioning) and Salt Typhoon (telecoms SIGINT collection), though all three are assessed as state-aligned.