Security researchers say a China-linked threat group has conducted a long-running espionage operation against U.S. technology and service firms. Mandiant tracks the group as UNC5221 and its backdoor as BRICKSTORM; the two names are often used together, but BRICKSTORM is the malware, not the actor. The backdoor targets Linux- and BSD-based systems, including network appliances, and the intrusions have lasted an average of 393 days, focusing on legal services, technology, SaaS providers and business process outsourcers (BPOs) since at least March 2025. According to Mandiant's analysis, published on the Google Cloud Threat Intelligence blog, BRICKSTORM is written in Go and the group relies on zero-day vulnerabilities in network devices to gain initial access.
Initial access typically begins with the compromise of a network appliance, followed by credential theft and lateral movement over SSH to VMware vCenter and ESXi hosts, which gives the attackers a path to high-value systems inside the victim network, the report says.
BRICKSTORM includes SOCKS proxy functionality, letting the attackers tunnel traffic through the compromised host and move laterally with less chance of detection. Once inside, researchers said, the group blends in by abusing the organisation's own network devices, and it continues to develop the malware with additional obfuscation, including the Garble Go obfuscator and a custom internal library.
The attackers' long-term objective appears to be access to software-as-a-service providers and, ultimately, the networks of those providers' customers. A notable motive identified by Mandiant is access to the email of critical personnel such as system administrators and developers, potentially supporting economic and espionage operations for the People's Republic of China. The attackers were observed abusing Microsoft Entra ID Enterprise Applications that hold mail-reading application permissions (for example Mail.Read on Microsoft Graph or full_access_as_app on Exchange Online) to read targeted mailboxes.
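The practical check that follows from this is to enumerate which Enterprise Applications in a tenant actually hold mail-reading application permissions and whether each one is expected. The script below is an added example, not Mandiant's code or anything from the report. It works offline on the JSON shapes that Microsoft Graph returns from `GET /servicePrincipals?$select=id,displayName,appRoles` (the resource side, where each app role's `value` is the permission name) and `GET /servicePrincipals/{id}/appRoleAssignments` (the grant side, which carries only an `appRoleId`), so the permission name has to be resolved by joining the two. All identifiers, application names and timestamps in the sample data are constructed; the `EXPECTED_MAIL_APPS` allowlist is a hypothetical stand-in for whatever a tenant has documented.

```python
"""Find Entra ID Enterprise Applications that hold mail-reading application
permissions (Mail.Read, Mail.ReadWrite, full_access_as_app) and flag the ones
that are not on an allowlist.

Added example, not Mandiant's or Microsoft's code. Runs offline on constructed
JSON in the shape Microsoft Graph returns; swap in a real export to use it.
"""
import json

# Application permission values that let an app read mailboxes tenant-wide.
RISKY_SCOPES = {"Mail.Read", "Mail.ReadWrite", "full_access_as_app"}

# Hypothetical allowlist: service principal ids the tenant has documented as
# legitimately needing mailbox access. Anything else with these scopes is a finding.
EXPECTED_MAIL_APPS = {"sp-backup-0001"}

# Constructed resource-side export: the service principals that *define* the
# permissions (Microsoft Graph, Exchange Online), with their appRoles.
SERVICE_PRINCIPALS_JSON = json.dumps([
    {"id": "sp-graph-0000", "displayName": "Microsoft Graph",
     "appRoles": [
         {"id": "role-0001", "value": "Mail.Read"},
         {"id": "role-0002", "value": "User.Read.All"},
     ]},
    {"id": "sp-exo-0000", "displayName": "Office 365 Exchange Online",
     "appRoles": [
         {"id": "role-0003", "value": "full_access_as_app"},
     ]},
])

# Constructed grant-side export: appRoleAssignments made to Enterprise Applications.
APP_ROLE_ASSIGNMENTS_JSON = json.dumps([
    {"principalId": "sp-hrsync-0002", "principalDisplayName": "HR Sync",
     "resourceId": "sp-graph-0000", "resourceDisplayName": "Microsoft Graph",
     "appRoleId": "role-0002", "createdDateTime": "2024-11-02T09:15:00Z"},
    {"principalId": "sp-backup-0001", "principalDisplayName": "Mailbox Backup",
     "resourceId": "sp-exo-0000", "resourceDisplayName": "Office 365 Exchange Online",
     "appRoleId": "role-0003", "createdDateTime": "2025-04-13T03:41:00Z"},
    {"principalId": "sp-report-0003", "principalDisplayName": "Reporting Helper",
     "resourceId": "sp-graph-0000", "resourceDisplayName": "Microsoft Graph",
     "appRoleId": "role-0001", "createdDateTime": "2025-06-21T02:07:00Z"},
])


def find_mail_access_grants(service_principals, assignments, risky=RISKY_SCOPES):
    """Return every appRoleAssignment whose resolved permission is in `risky`.

    Graph only gives an appRoleId on the assignment, so the permission name is
    looked up in the resource service principal's appRoles list.
    """
    role_values = {
        (sp["id"], role["id"]): role["value"]
        for sp in service_principals
        for role in sp.get("appRoles", [])
    }
    findings = []
    for a in assignments:
        value = role_values.get((a["resourceId"], a["appRoleId"]))
        if value in risky:
            findings.append({
                "principalId": a["principalId"],
                "principal": a["principalDisplayName"],
                "resource": a["resourceDisplayName"],
                "permission": value,
                "granted": a["createdDateTime"],
            })
    return findings


def unexpected_mail_access(findings, expected=EXPECTED_MAIL_APPS):
    """Keep only grants to principals that are not on the allowlist."""
    return [f for f in findings if f["principalId"] not in expected]


def audit(sp_json=SERVICE_PRINCIPALS_JSON, grants_json=APP_ROLE_ASSIGNMENTS_JSON):
    """Parse both exports and return (all mail grants, unexpected mail grants)."""
    findings = find_mail_access_grants(json.loads(sp_json), json.loads(grants_json))
    return findings, unexpected_mail_access(findings)


if __name__ == "__main__":
    all_grants, suspicious = audit()
    for f in all_grants:
        tag = "UNEXPECTED" if f in suspicious else "expected"
        print(f"{tag:10} {f['principal']!r} holds {f['permission']} on "
              f"{f['resource']} (granted {f['granted']})")
```

On the constructed data the script reports two applications with mail scopes and flags one of them, "Reporting Helper" with Mail.Read, as not on the allowlist. On a real tenant, export the two Graph responses with Graph Explorer or the Microsoft Graph PowerShell SDK and feed them to `audit()`; the grant date is worth keeping in the output because a recently added mail scope on an old, forgotten application is exactly the pattern described above.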
Ensar Seker, CISO at SOCRadar, described BRICKSTORM as a wake-up call, saying the campaign creates a multiplier effect by giving attackers access through service providers into their clients and partners. He urged organisations to assume that any vendor could be compromised and to adopt zero-trust architectures around vendor connections. Seker’s X profile contains his insights on the operation.
For organisations seeking to assess their exposure, Mandiant has released a free BRICKSTORM scanner on GitHub that checks Linux-based systems for the backdoor.