UNC5221

UNC5221 is a suspected China-nexus espionage actor, also referenced as UTA0178. Reporting in the provided content consistently links the cluster to exploitation of edge and infrastructure technologies, especially Ivanti Connect Secure and Policy Secure appliances, VMware and vCenter infrastructure, and other appliances that often lack traditional EDR coverage. Multiple sources describe UNC5221 as focused on long-term, low-visibility access, with one report noting average dwell times of 393 days in BRICKSTORM-linked intrusions and another describing at least 18 months of access to a victim’s VMware vCenter servers during source-code theft operations. The actor is described as leveraging zero-day and n-day exploitation, including repeated exploitation of Ivanti vulnerabilities. The content states UNC5221 exploited two separate zero-day vulnerabilities in the same VPN product over a three-month period, used CVE-2025-22457 for remote code execution from at least mid-March 2025, and has been characterized as notorious for exploiting Ivanti zero-days against government agencies. Mandiant assessed UNC5221 likely identified CVE-2025-22457 by analyzing a February patch. The content also associates the cluster with broader edge-device targeting and sophisticated operational tradecraft, including in-memory malware to reduce disk artifacts and tunneling command-and-control traffic through legitimate third-party services. Malware and tooling directly linked to UNC5221 in the content include the SPAWN malware ecosystem and related tooling such as SPAWNANT, PhiliKit, and passive backdoors; LIGHTWIRE, THINSPOOL, WARPWIRE, WIREFIRE, and ZIPLINE; BRICKSTORM; BRUSHFIRE; TRAILBLAZE; and tooling overlaps involving KrustyLoader. PhiliKit is described as a passive backdoor capable of executing shell commands, Python scripts, and Perl scripts, and ESET assessed it to be part of UNC5221’s SPAWN toolset targeting Ivanti VPN appliances. ZIPLINE is described as a passive backdoor. BRUSHFIRE is described as a passive backdoor, and TRAILBLAZE as an in-memory dropper. BRICKSTORM is repeatedly associated with UNC5221 and closely related China-nexus clusters and is described as a stealthy backdoor deployed on network appliances and VMware infrastructure. Targets mentioned in the content include government agencies, legal organizations, technology companies, and infrastructure/appliance environments. The content states UNC5221-linked activity targeted Ivanti VPN appliances, government agencies, U.S. legal sector organizations for information related to national security and international trade, and technology companies, likely to support future operations including exploit development. Additional reporting links UNC5221 or UNC5221-related activity to attacks involving VMware infrastructure, MITRE, and source-code theft. One report also notes a low-confidence link between UNC5221 and the August 2025 compromise of F5 internal engineering and development infrastructure. The content notes that UNC5221 is often conflated with Silk Typhoon and has at times been used synonymously with that actor in public reporting, but Google Threat Intelligence Group does not currently assess them to be the same cluster. The content also notes overlaps between UNC5221 and UNC6201, but states they are not currently assessed as the same cluster. Known alias in the provided content: UTA0178.