BRICKSTORM Backdoor Threat Expands Into Legal, Tech Sectors
October 9, 2025

The Google Threat Intelligence Group (GTIG) and Mandiant Consulting are tracking a wave of persistent intrusions attributed to UNC5221, a China-linked cluster that deploys the BRICKSTORM backdoor against organizations across multiple industries, including the US legal sector.
A Google Cloud blog explains that these operations aim to maintain covert access and exfiltrate sensitive information, potentially in support of espionage and exploit development efforts.
Since March 2025, Mandiant has observed BRICKSTORM being leveraged against legal service providers, SaaS vendors, and technology firms. The malware’s operators exploit zero-day vulnerabilities in edge and virtualization appliances that lack traditional endpoint monitoring.
Once inside, BRICKSTORM establishes long-term persistence, averaging more than a year of undetected presence, by embedding itself in poorly monitored systems such as VMware vCenter and ESXi hosts.
The backdoor enables lateral movement, credential theft, and the cloning of virtual machines to extract sensitive data without triggering security tools. GTIG distinguishes UNC5221 from the actor known publicly as Silk Typhoon, but notes overlap in tactics and sophistication.
For legal organizations and industries they advise, Mandiant’s findings expose a critical blind spot: the lack of visibility into appliance-layer devices.
Traditional indicators of compromise are ineffective against BRICKSTORM due to its custom codebase, lack of infrastructure reuse, and anti-forensic design.
Security recommendations include adopting a behavior-based (TTP) hunting model, expanding asset inventories to include unmanaged appliances, and enforcing multi-factor authentication and least-privilege access principles for virtual infrastructure.
The campaign’s sustained targeting of the legal sector suggests adversaries view these firms as strategic data hubs for high-value geopolitical and commercial intelligence. Vigilant monitoring of appliance traffic and centralization of forensic logging are now essential components of cybersecurity defense in the legal sector.
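To make the two defensive recommendations above concrete, here is an added example (not code from Google, Mandiant, or this article) of the kind of hunt logic a defender can run over centralized logs: one routine reconciles observed traffic against an asset inventory to surface appliances nobody is managing, and another looks for a clone-then-export sequence on virtual machines by accounts or at hours outside an approved baseline. The inventory, flow records, event records, field names, task labels and the approved-account and business-hours heuristics are all constructed assumptions for the example, not real vCenter output or a vendor schema.

```python
"""Defender-side hunt helpers for appliance visibility and VM-cloning behaviour.

All data below is constructed sample input; the record layout (field names,
task labels, host naming) is an assumption made for this example only.
"""
from datetime import datetime

# Constructed asset inventory: hosts the organisation already manages.
MANAGED_INVENTORY = {
    "vcenter01.corp.example": "vcenter",
    "esxi01.corp.example": "esxi",
    "fw-edge01.corp.example": "firewall",
}

# Constructed flow observations: (source_host, dest_host, dest_port).
OBSERVED_FLOWS = [
    ("vcenter01.corp.example", "esxi01.corp.example", 443),
    ("vpn-edge02.corp.example", "203.0.113.10", 443),   # appliance not in inventory
    ("esxi02.corp.example", "vcenter01.corp.example", 443),  # host not in inventory
]

# Constructed, simplified virtualization events as a central log pipeline
# might store them; "clone_vm" / "export_vm" are labels chosen for the example.
VM_EVENTS = [
    {"ts": "2025-09-01T10:15:00", "user": "svc-backup", "task": "clone_vm", "vm": "DC01"},
    {"ts": "2025-09-01T10:20:00", "user": "svc-backup", "task": "export_vm", "vm": "DC01"},
    {"ts": "2025-09-02T02:41:00", "user": "root", "task": "clone_vm", "vm": "DC01"},
    {"ts": "2025-09-02T02:45:00", "user": "root", "task": "export_vm", "vm": "DC01-clone"},
    {"ts": "2025-09-02T09:00:00", "user": "admin.jane", "task": "power_on_vm", "vm": "WEB01"},
]

INTERNAL_SUFFIX = ".corp.example"  # assumed internal naming convention


def find_unmanaged_appliances(inventory, flows):
    """Return internal hosts that show up in traffic but are absent from the inventory.

    This is the 'expand the asset inventory' step: anything talking on the
    network that the inventory does not know about needs an owner and logging.
    """
    unmanaged = set()
    for src, dst, _port in flows:
        for host in (src, dst):
            if host.endswith(INTERNAL_SUFFIX) and host not in inventory:
                unmanaged.add(host)
    return sorted(unmanaged)


def hunt_clone_then_export(events, approved_accounts, window_minutes=30, work_hours=(7, 19)):
    """Flag a VM clone followed by an export within `window_minutes` when the
    acting account is not approved for that workflow or acts outside `work_hours`.

    Behaviour-based rather than indicator-based: it keys on what is done to the
    virtual infrastructure, not on any hash or address. Thresholds are assumptions.
    """
    alerts = []
    last_clone = {}  # user -> timestamp of that user's most recent clone
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["task"] == "clone_vm":
            last_clone[ev["user"]] = ts
        elif ev["task"] == "export_vm" and ev["user"] in last_clone:
            minutes_since_clone = (ts - last_clone[ev["user"]]).total_seconds() / 60
            if minutes_since_clone > window_minutes:
                continue
            reasons = []
            if ev["user"] not in approved_accounts:
                reasons.append("unapproved account")
            if not (work_hours[0] <= ts.hour < work_hours[1]):
                reasons.append("outside business hours")
            if reasons:
                alerts.append({"user": ev["user"], "vm": ev["vm"], "ts": ev["ts"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for host in find_unmanaged_appliances(MANAGED_INVENTORY, OBSERVED_FLOWS):
        print(f"unmanaged internal host seen in traffic: {host}")
    for alert in hunt_clone_then_export(VM_EVENTS, approved_accounts={"svc-backup"}):
        print(f"clone-then-export by {alert['user']} on {alert['vm']} at {alert['ts']}: "
              + ", ".join(alert["reasons"]))
```

Run against the constructed data, the first routine reports the two internal hosts missing from the inventory, and the second alerts only on the off-hours clone-and-export by the unapproved account while the scheduled backup account's identical sequence passes. In practice the inventory and events would come from the organization's CMDB and centralized log store, which is exactly why the article stresses getting appliance and hypervisor logs into one place.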