
UNC5221
Chinese state-aligned APT targeting Western legal services and BPOs via 393-day BRICKSTORM backdoor on VMware infrastructure.
Last refreshed: 17 April 2026 · Appears in 1 active topic
How does UNC5221 stay hidden inside companies for 393 days without triggering an alert?
Timeline for UNC5221
Mentioned in: CL-STA-1132 exploited PAN-OS since 16 April, log destruction confirmed
Cybersecurity: Threats and DefencesDeployed BRICKSTORM backdoor on vCenter and ESXi hosts averaging 393 days undetected dwell across legal, BPO, SaaS and tech targets
Cybersecurity: Threats and Defences: BRICKSTORM dwell hits 393 days, MandiantWhat is UNC5221 and why are law firms at risk?
How does UNC5221 avoid detection for over a year?
What is the BRICKSTORM backdoor?
Background
UNC5221 is a China-nexus threat actor tracked by Mandiant, attributed with deploying the BRICKSTORM backdoor against VMware vCenter and ESXi hypervisors and Linux and BSD appliances since at least 2024. Mandiant's M-Trends 2026 report, based on over 500,000 hours of Incident Response, disclosed an average dwell time of 393 days for UNC5221 BRICKSTORM intrusions, with confirmed targets in US and UK legal services, Business Process Outsourcers (BPOs), Software-as-a-Service providers and technology companies.
UNC5221 was first identified in 2023 exploiting Ivanti Connect Secure (ICS) VPN zero-days (CVE-2023-46805 and CVE-2024-21887). The group's defining characteristic is patience: it uses legitimate administrative tooling and Living-Off-the-Land (LotL) techniques that generate no malware detections while operating inside virtualisation infrastructure at the hypervisor layer. BRICKSTORM communicates exclusively through Cloudflare Workers and Heroku, meaning network-level blocks see benign cloud-provider traffic rather than attacker infrastructure.
The 393-day median dwell figure makes UNC5221 intrusions effectively undetectable within any standard SOC operational cycle. The group's commercial-sector targeting, particularly legal services with privileged client communications and BPOs with broad data access across multiple client estates, suggests intelligence collection for economic espionage rather than disruptive positioning. The China-nexus assessment distinguishes UNC5221 from Volt Typhoon (critical infrastructure pre-positioning) and Salt Typhoon (telecoms SIGINT collection), though all three are assessed as state-aligned.