
Chinese hackers use BrickStorm malware to dwell in networks for over a year, researchers say

Cybersecurity researchers link BrickStorm campaign to UNC5221, reporting average 393-day network dwell time and theft of source code for identifying zero-day vulnerabilities


New Delhi — Researchers from Google’s Threat Intelligence Group and Mandiant have identified a prolonged Chinese cyberespionage campaign in which hackers reportedly remained inside compromised networks for an average of 393 days.

The attackers, linked to a group tracked as UNC5221, used a stealthy backdoor malware known as BrickStorm to collect sensitive information, according to a joint analysis released on Thursday.

The campaign, monitored by Mandiant since March 2025, targeted industries including legal services, software-as-a-service, technology and business process outsourcing.


Investigators said the prolonged dwell time made it difficult to determine how the attackers initially accessed networks, though in at least one case the compromise may have involved a zero-day vulnerability in an Ivanti product.

BrickStorm has been deployed on various network appliances, including Linux- and BSD-based devices, many of which do not support conventional endpoint detection tools.

Mandiant noted that UNC5221 frequently targeted VMware vCenter and ESXi servers, often moving laterally from the initially infected appliances using valid credentials likely harvested by the malware.


“The actor moved laterally to a vCenter server in the environment using valid credentials, which were likely captured by the malware running on the network appliances,” Mandiant said in its analysis.

The researchers said the campaign went beyond traditional espionage, with hackers exploiting access to downstream customers of compromised SaaS providers.

According to Charles Carmakal, CTO at Mandiant, Google Cloud, the attackers were using stolen proprietary source code and intellectual property to identify flaws and zero-day vulnerabilities in products.


“As part of this intrusion campaign, the threat actors are stealing proprietary source code and other intellectual property related to enterprise technologies that many other companies use,” Carmakal said.

“We believe the threat actors are analysing the stolen source code to find flaws and zero-day vulnerabilities to exploit in enterprise technology products.”

The researchers emphasised that the group’s activity could have wider implications for organisations relying on the affected enterprise technologies. By discovering and weaponising zero-day vulnerabilities, the attackers could potentially target additional downstream companies.

Mandiant and Google’s Threat Intelligence Group said they continue to track the activity and monitor affected sectors, noting that a Windows variant of the BrickStorm malware has been reported but not observed in their investigations.

Tech Observer Desk
Tech Observer Desk at TechObserver.in is a team of technology reporters led by a senior editor who brings latest updates and developments from the world of technology.