Chinese-aligned threat group **UNC5221** deployed the **BRICKSTORM backdoor** on **VMware vCenter and ESXi hosts**, targeting US legal, tech, and SaaS firms since at least **March 2025**. The attackers exploited **zero-day vulnerabilities** in network appliances to gain initial access, followed by **privilege escalation** (MFA bypass, credential harvesting, VM cloning) and **lateral movement** via stolen credentials. The primary objective was **email exfiltration** from high-value targets, including key executives, with evidence of **file theft from compromised mailboxes**. The backdoor established persistence through **systemd/rc.local modifications**, ensuring survival across reboots, while communicating with a **hardcoded C2 server** over WebSockets. The **393-day average dwell time** allowed deep infiltration, with attackers leveraging **Microsoft Entra ID Enterprise Applications** to access sensitive emails. Although no **ransomware** or **direct financial fraud** was reported, the breach compromised **intellectual property, strategic communications, and potentially client-confidential data**, creating long-term risks of **corporate espionage, supply-chain attacks, and zero-day development** by state-backed actors. VMware’s role as a **critical infrastructure provider** amplifies the impact, since compromised vCenter servers could enable **downstream attacks** on customer environments. The sophistication of the campaign, including **in-memory servlet injections** and **automated secret-stealer tools**, suggests a **nation-state-level operation** with implications beyond immediate data theft.
Source: https://www.infosecurity-magazine.com/news/chinese-hackers-brickstorm/
TPRM report: https://www.rankiteo.com/company/vmware
{
  "id": "vmw1132111092525",
  "linkid": "vmware",
  "type": "Cyber Attack",
  "date": "3/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization’s existence"
}
{'affected_entities': [{'industry': ['Legal', 'Technology', 'Software-as-a-Service (SaaS)', 'Outsourcing'],
                        'location': 'United States (primary target)',
                        'type': ['Legal Firms', 'Tech Firms', 'SaaS Providers', 'Outsourcing Companies']},
                       {'location': 'Europe', 'type': 'European Organizations'}],
 'attack_vector': ['Exploitation of Zero-Day Vulnerabilities', 'Backdoor (BRICKSTORM)', 'Credential Harvesting', 'MFA Bypass', 'VM Cloning'],
 'data_breach': {'data_exfiltration': True,
                 'sensitivity_of_data': 'High (targeted key individuals within organizations)',
                 'type_of_data_compromised': ['Emails', 'Email Attachments/Files']},
 'date_detected': '2024-04-01',
 'date_publicly_disclosed': '2025-09-24',
 'description': 'Chinese-aligned threat actors (UNC5221) deployed the BRICKSTORM backdoor in intrusion campaigns targeting US legal and tech firms, SaaS providers, and outsourcing companies since at least March 2025. The attacks exploited zero-day vulnerabilities in network appliances (e.g., VMware vCenter, ESXi hosts) to establish persistence, escalate privileges (via MFA bypass, credential harvesting, and VM cloning), and exfiltrate emails of key individuals. The backdoor communicates via WebSockets to a hardcoded C2 server and supports file manipulation, command execution, and SOCKS relaying. Dwell time averaged 393 days, often exceeding log retention periods.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage due to espionage and data exfiltration',
            'data_compromised': ['Emails of Key Individuals', 'Files from Email Mailboxes'],
            'operational_impact': ['Persistence via init.d/rc.local/systemd', 'Lateral Movement via Credential Reuse', 'Privilege Escalation via Servlet Filter Injection'],
            'systems_affected': ['VMware vCenter Servers', 'ESXi Hosts', 'Network Appliances', 'Microsoft Entra ID Enterprise Applications']},
 'initial_access_broker': {'backdoors_established': ['BRICKSTORM (Go-based backdoor)'],
                           'entry_point': ['Zero-Day Exploits in Network Appliances'],
                           'high_value_targets': ['Emails of Key Individuals', 'Delinea Secret Server', 'Microsoft Entra ID Enterprise Applications']},
 'investigation_status': 'Ongoing (as of September 2025)',
 'lessons_learned': ['Threat actors leveraged zero-day vulnerabilities in network appliances lacking EDR support (e.g., VMware vCenter).',
                     'Dwell time (avg. 393 days) often exceeded log retention, complicating forensics.',
                     "BRICKSTORM's self-monitoring (Watcher function) and WebSocket C2 evaded traditional detection.",
                     'Lateral movement relied on credential reuse from vaults (e.g., Delinea Secret Server) and automated secret stealer tools.',
                     'Microsoft Entra ID scopes (mail.read, full_access_as_app) were exploited for email access.'],
 'motivation': ['Espionage', 'Development of Zero-Day Exploits', 'Pivoting to Downstream Victims', 'Data Exfiltration (Emails of Key Individuals)'],
 'post_incident_analysis': {'corrective_actions': ['Deploy Mandiant’s scanner script for BRICKSTORM detection.',
                                                   'Audit and restrict Entra ID application permissions.',
                                                   'Enhance monitoring for WebSocket-based C2 traffic (e.g., wss://opra1.oprawh.workers[.]dev).',
                                                   'Implement network segmentation to isolate VMware environments.',
                                                   'Extend log retention policies to at least 1 year (to cover 393-day dwell time).'],
                            'root_causes': ['Exploitation of unpatched zero-day vulnerabilities in network appliances.',
                                            'Lack of EDR support on targeted systems (e.g., VMware vCenter).',
                                            'Insufficient log retention (dwell time exceeded retention periods).',
                                            'Overprivileged Microsoft Entra ID applications (mail.read, full_access_as_app).',
                                            'Credential harvesting via HTTP basic auth and MFA bypass techniques.']},
 'recommendations': ['Monitor network appliances (e.g., VMware) for unauthorized processes like BRICKSTORM (vami-httpd).',
                     'Implement YARA rules or Mandiant’s scanner script for *nix-based systems.',
                     'Enforce MFA and audit high-privilege accounts (e.g., Entra ID Enterprise Applications).',
                     'Extend log retention periods to exceed average dwell times (393+ days).',
                     'Segment networks to limit lateral movement via credential reuse.',
                     'Patch zero-day vulnerabilities in VMware and other appliances promptly.'],
 'references': [{'date_accessed': '2025-09-24', 'source': 'Google Threat Intelligence Group (GTIG)'},
                {'source': 'Google Mandiant BRICKSTORM Scanner Script'},
                {'date_accessed': '2025-04-01', 'source': 'NVISO Report on BRICKSTORM Windows Variants'},
                {'date_accessed': '2024-04-01', 'source': 'Google Report on BRICKSTORM (April 2024)'}],
 'response': {'containment_measures': ['Scanner Script for *nix-based Appliances (Mandiant)', 'YARA Rule (G_APT_Backdoor_BRICKSTORM_3)'],
              'incident_response_plan_activated': True,
              'third_party_assistance': ['Google Threat Intelligence Group (GTIG)', 'Mandiant', 'NVISO (for Windows variants)']},
 'threat_actor': ['UNC5221', 'Silk Typhoon (disputed as same group by some vendors)'],
 'title': 'BRICKSTORM Backdoor Campaign Targeting US Legal, Tech, and SaaS Firms',
 'type': ['Espionage', 'Data Theft', 'Persistence', 'Lateral Movement'],
 'vulnerability_exploited': ['Zero-Day in Network Appliances (e.g., VMware vCenter, ESXi)', 'Microsoft Entra ID Enterprise Applications (mail.read, full_access_as_app scopes)']}