Under the radar – Google warns new Brickstorm malware was stealing data from US firms for over a year

By Sead Fadilpašić

Copyright techradar

25 September 2025

Chinese state-sponsored actors are at it again, Google warns


Google warns UNC5221 targeted US legal, tech, and SaaS firms with Brickstorm malware for over a year
Campaign aimed at espionage, intellectual property theft, and long-term infrastructure access
Mandiant urges TTP-based threat hunting and stronger authentication to counter future attacks

US organizations across the legal, technology, SaaS, and business process outsourcing sectors were targeted by a new malware variant named Brickstorm for over a year, leading to major data loss, experts have warned.

Google’s Threat Intelligence Group (GTIG) found the threat actor behind the campaign to be UNC5221, a suspected China-nexus group known for stealthy operations and long-term persistence.
The group first targeted zero-day vulnerabilities in Linux devices and BSD-based appliances. These are often overlooked in asset inventories and excluded from central logging, which makes them an ideal foothold for the attackers.

Cyber-espionage
Once inside, UNC5221 used Brickstorm to move laterally, harvest credentials, and exfiltrate data while generating minimal telemetry. In some cases the malware remained undetected for more than a year; the average dwell time was said to be a mighty 393 days.

In many cases, they pivoted from these fringe devices to VMware vCenter and ESXi hosts, using stolen credentials to deploy Brickstorm and escalate privileges.
To maintain persistence, they modified startup scripts and deployed webshells that allowed remote command execution. They also cloned sensitive virtual machines without ever powering them on, thereby avoiding triggering security tools.
The campaign’s objectives appear to span geopolitical espionage, intellectual property theft, and access operations.

Since legal firms were targeted as well, the researchers suspect UNC5221 is interested in US national security and trade topics, while access to SaaS providers could be used to pivot into downstream customer environments.
To counter Brickstorm, Mandiant recommends a threat-hunting approach based on tactics, techniques, and procedures (TTPs) rather than atomic indicators, which have proven unreliable due to the actor’s operational discipline.
The researchers urged businesses to update asset inventories, monitor appliance traffic, and enforce multi-factor authentication.
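One TTP-based hunt that follows from the behaviour described above is to look in vCenter event data for VM clones that are never powered on, since a dormant clone is a behavioural signal that survives when file hashes and C2 addresses change. This is an added example, not code from Google, Mandiant or the article: the event record format is constructed for the example, and only the event type names follow the vSphere API naming (VmClonedEvent, VmPoweredOnEvent).

```python
"""Hunt vCenter event records for VM clones that are never powered on.

A clone that is created and then left dormant is consistent with an intruder
copying a sensitive VM to read its disk offline rather than running it, so the
absence of a power-on is the signal. The record format below is constructed
for this example; the event type names follow the vSphere API naming.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events: timestamp | event type | user | source VM | target VM
SAMPLE_EVENTS = """\
2025-03-02T01:14:09Z VmClonedEvent VSPHERE.LOCAL\\backup-svc dc01 dc01-clone
2025-03-02T01:20:33Z VmPoweredOnEvent VSPHERE.LOCAL\\backup-svc dc01-clone dc01-clone
2025-03-04T03:02:51Z VmClonedEvent VSPHERE.LOCAL\\svc-monitor fileserver fileserver-tmp
2025-03-04T03:05:12Z VmClonedEvent VSPHERE.LOCAL\\svc-monitor vcsa vcsa-tmp
2025-03-09T22:41:00Z VmPoweredOnEvent VSPHERE.LOCAL\\jdoe vcsa-tmp vcsa-tmp
"""


@dataclass
class Event:
    ts: datetime
    kind: str
    user: str
    source_vm: str
    target_vm: str


def parse_events(text: str) -> list[Event]:
    """Parse the constructed whitespace-separated record format into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, user, src, dst = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kind, user, src, dst))
    return events


def find_dormant_clones(events: list[Event], window: timedelta = timedelta(hours=24)):
    """Return (user, source_vm, clone_vm) for each clone with no power-on within `window`.

    A legitimate clone (backup test, template refresh) is normally started soon
    after creation; one that sits powered off is worth an analyst's attention.
    """
    power_ons: dict[str, list[datetime]] = {}
    for e in events:
        if e.kind == "VmPoweredOnEvent":
            power_ons.setdefault(e.target_vm, []).append(e.ts)
    findings = []
    for e in events:
        if e.kind != "VmClonedEvent":
            continue
        started = any(e.ts <= t <= e.ts + window for t in power_ons.get(e.target_vm, []))
        if not started:
            findings.append((e.user, e.source_vm, e.target_vm))
    return findings
```

Pair the clone hunt with a baseline of which accounts are expected to clone VMs at all; a clone by a monitoring or backup service account that never starts the result is a stronger lead than either observation alone.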
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
