BRICKSTORM
BRICKSTORM is a Golang-based remote access trojan/backdoor used for long-term, stealthy persistence, particularly on edge devices, network appliances, and VMware virtualization infrastructure including vCenter Server Appliance and ESXi. Public reporting links BRICKSTORM to suspected China-nexus espionage activity, including UNC5221 and UNC6201, and related clusters such as VerdantBamboo/WARP PANDA. Mandiant and Google Threat Intelligence Group reported BRICKSTORM activity from at least March 2025 and described intrusions with average dwell times of 393 days.

Reported victim sectors and targeting include legal services, software-as-a-service providers, business process outsourcers, technology firms, Government Services and Facilities, and Information Technology. Reporting also notes targeting of the US legal sector for national security and trade-related intelligence, and of technology companies for intellectual property theft and future exploit-development objectives.

BRICKSTORM has been deployed on systems that often lack EDR coverage, including Linux- and BSD-based appliances, pfSense firewalls, Egnyte Storage Sync appliances, Dell RecoverPoint for VMs appliances, F5 environments, and VMware vCenter/ESXi systems. In one Volexity case, actors used valid credentials to access an Egnyte appliance, abused a sudo misconfiguration to gain root, wrote BRICKSTORM into /usr/sbin/, and launched it via a temporary cron job; a FreeBSD-compatible BRICKSTORM variant named "blacklist" was also found on a pfSense firewall at /usr/local/libexec/ipsec/ with persistence via a modified /etc/rc.d/cron.

Reporting states BRICKSTORM communicates with command-and-control infrastructure over TLS and uses Base64 to encode C2 communications; some reporting also describes HTTPS, WebSockets with nested TLS, and DNS-over-HTTPS used to conceal traffic. Additional reported capabilities include self-monitoring that can restart or reinstall the malware if disrupted.
Associated operations have involved credential theft from compromised appliances, use of compromised vCenter consoles to create hidden rogue virtual machines, and theft of cloned VM snapshots for credential extraction. Mandiant released a Bash-based IOC scanner for Linux and BSD systems to detect one known BRICKSTORM ELF signature, and public examples of matched paths include /usr/bin/vami-lighttp and /tmp/pg_update.
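A host-hunting helper in the spirit of Mandiant's scanner, added here as an illustration and not taken from Mandiant's tool or any vendor: it checks a filesystem root for the file paths, the modified pfSense /etc/rc.d/cron, and the sudo tee rule described above. The root argument, the output labels, and the sudoers pattern are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added hunting helper (not Mandiant's scanner): checks a filesystem root for
# host artefacts named in public BRICKSTORM reporting. Pass a different root
# (e.g. a mounted appliance image) as $1; defaults to /.

# Paths quoted in reporting: Mandiant scanner matches, the Volexity Egnyte case
# (cron.d/ssync, ssync.sh) and the pfSense "blacklist" variant.
BRICKSTORM_PATHS="
/usr/bin/vami-lighttp
/tmp/pg_update
/usr/local/libexec/ipsec/blacklist
/etc/cron.d/ssync
/home/egnyteservice/ssync.sh
"

# Prints one finding per line. Returns 0 when clean, 1 when anything matched.
hunt_brickstorm() {
  hb_root="${1:-/}"
  hb_found=0
  for hb_p in $BRICKSTORM_PATHS; do
    if [ -e "$hb_root$hb_p" ]; then
      echo "PATH $hb_root$hb_p"
      hb_found=1
    fi
  done
  # pfSense persistence: /etc/rc.d/cron was edited to launch the implant.
  hb_rc="$hb_root/etc/rc.d/cron"
  if [ -f "$hb_rc" ] && grep -Eq 'libexec/ipsec|blacklist' "$hb_rc"; then
    echo "RCD  $hb_rc references implant path"
    hb_found=1
  fi
  # Egnyte privilege escalation: a sudo rule letting a service account run tee
  # as root is an arbitrary root file write. Flag any non-comment sudoers line
  # that grants tee (pattern is this example's assumption).
  for hb_s in "$hb_root/etc/sudoers" "$hb_root"/etc/sudoers.d/*; do
    [ -f "$hb_s" ] || continue
    if grep -Eq '^[^#]*[[:space:]/]tee([[:space:],]|$)' "$hb_s" 2>/dev/null; then
      echo "SUDO $hb_s grants tee (arbitrary root file write)"
      hb_found=1
    fi
  done
  return $hb_found
}

# Run directly against the root given on the command line.
[ $# -eq 0 ] || hunt_brickstorm "$1"
```

A match is a lead, not a verdict: the paths are shared with legitimate appliance components in some cases, so confirm with the file's hash and the Mandiant scanner before acting.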
Vulnerabilities exploited
3 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
UNC6201 (suspected China-nexus) exploited CVE-2026-22769 to compromise Dell RecoverPoint for VMs appliances, deploying the SLAYSTYLE web shell, BRICKSTORM backdoor, and GRIMBOLT.
BRICKSTORM, first documented last year in connection with the zero-day exploitation of Ivanti Connect Secure zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887) against the MITRE Corporation...
Groups observed using it
10 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
The suspicious connections observed were the result of a malware implant known as BRICKSTORM... BRICKSTORM, a Golang-based remote access trojan (RAT).
Mandiant investigated "numerous" incidents in 2025 in which a suspected Chinese government spy crew tracked as UNC6201 broke into edge devices that didn't support endpoint security products, deployed a backdoor called Brickstorm to maintain long-term access, and captured valid credentials from its position on the appliance.
Mandiant (part of Google Cloud) just published a comprehensive defender’s guide on securing VMware vSphere environments against the BRICKSTORM backdoor and associated malware activity.
CISA is aware of ongoing intrusions by People’s Republic of China (PRC) state-sponsored cyber actors using BRICKSTORM malware for long-term persistence on victim systems. BRICKSTORM is a sophisticated backdoor for VMware vSphere and Windows environments.
The US Cybersecurity and Infrastructure Security Agency (CISA) warned of "ongoing intrusions" from Chinese nation-state actors deploying the Brickstorm backdoor in organizations' VMware vSphere environments.
"...with a focus on exploiting edge devices that don't have EDR coverage (a la BRICKSTORM)."
Among the tools seen in the wild are the Brickstorm backdoor and a newer implant called Grimbolt... A cluster tracked as UNC6201 has used the flaw to deploy multiple payloads, including Slaystyle, Brickstorm, and Grimbolt, during long-running intrusions...
State-sponsored attackers spent years implanting Brickstorm malware into networks before the campaign was finally detected last summer. By September, however, the attackers had replaced Brickstorm with Grimbolt...
Techniques & procedures
30 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
3 techniques
deployed a backdoor called Brickstorm to maintain long-term access, and captured valid credentials from its position on the appliance. The snoops then used these credentials to access victims' VMware environments.
Attackers on this end of the spectrum – typically espionage groups and North Korean scam IT workers – do this by targeting network edge devices like firewalls, routers, and VPNs, generally by exploiting zero-day bugs.
Exploiting vulnerabilities topped the charts for a sixth year, accounting for 32 percent of successful attacks.
Execution
3 techniques
According to the system logs, VerdantBamboo created a file in /etc/cron.d/ named ssync that would execute /home/egnyteservice/ssync.sh.
Researchers observed instances where the attackers actively monitored ongoing incident response efforts and deployed new Brickstorm samples to reestablish access in real-time, according to the report.
The command string is parsed out of the server response... There are three supported command types... builtin Executes command text on the native shell.
Persistence
6 techniques
According to the system logs, VerdantBamboo created a file in /etc/cron.d/ named ssync that would execute /home/egnyteservice/ssync.sh.
deployed a backdoor called Brickstorm to maintain long-term access, and captured valid credentials from its position on the appliance. The snoops then used these credentials to access victims' VMware environments.
Attackers on this end of the spectrum – typically espionage groups and North Korean scam IT workers – do this by targeting network edge devices like firewalls, routers, and VPNs, generally by exploiting zero-day bugs.
Mandiant said the threat actor demonstrates a deep understanding of appliance-level blind spots, using modified startup scripts, web shells and in-memory payloads to evade detection and maintain persistence.
Volexity found that VerdantBamboo had set up persistence for the BRICKSTORM implant by modifying the file /etc/rc.d/cron to include a single line to execute the implant.
Privilege Escalation
6 techniques
According to the system logs, VerdantBamboo created a file in /etc/cron.d/ named ssync that would execute /home/egnyteservice/ssync.sh.
Volexity uncovered evidence that VerdantBamboo had discovered the settings for the account’s sudo configuration, which included an inadvertent local privilege escalation.
deployed a backdoor called Brickstorm to maintain long-term access, and captured valid credentials from its position on the appliance. The snoops then used these credentials to access victims' VMware environments.
Volexity found that VerdantBamboo had set up persistence for the BRICKSTORM implant by modifying the file /etc/rc.d/cron to include a single line to execute the implant.
BRICKSTORM features a self-monitoring function that automatically reinstalls or restarts the malware if it is disrupted.
This configuration allows the egnyteservice account to run the tee command as root via sudo, allowing the threat actor to arbitrarily write files to anywhere on the file system.
Stealth
8 techniques
This sample was obfuscated via an open-source Golang tool called Garble[4] which was mentioned by Mandiant[1].
Mandiant said it identified several variants of the malware using obfuscation, delayed beaconing in at least one case and masquerading techniques to evade detection... Brickstorm malware is often tailored to appear as legitimate appliance processes... including file names and functionality specifically designed to blend into a host environment.
Examples throughout the content include deleting tools, logs, malware-related files, staged archives, screenshots, temporary files, and exfiltrated data 'to cover their tracks,' 'reduce their footprint,' 'remove traces of activity,' or as part of 'post-intrusion cleanup.'
After this operation was successful, the threat actor removed the file from /etc/cron.d, meaning there was no long-term persistence method for this implant.
deployed a backdoor called Brickstorm to maintain long-term access, and captured valid credentials from its position on the appliance. The snoops then used these credentials to access victims' VMware environments.
Mandiant also released a tool for decoding Garble strings[2]... After retrieving all the matches and removing possible substrings I can emulate the code... This won’t get every single string as some are passed as offsets to the data residing in rodata section for longer pieces.
Actors are using compromised vCenter management consoles to create hidden, rogue VMs and steal cloned VM snapshots for credential extraction.
Mandiant said the threat actor demonstrates a deep understanding of appliance-level blind spots, using modified startup scripts, web shells and in-memory payloads to evade detection and maintain persistence.
Credential Access
1 technique
Actors are using compromised vCenter management consoles to create hidden, rogue VMs and steal cloned VM snapshots for credential extraction.
Discovery
1 technique
Lateral Movement
1 technique
Volexity’s investigation determined that VerdantBamboo was able to access the Storage Sync system using valid credentials via secure shell (SSH) with an unprivileged account named egnyteservice.
Command and Control
8 techniques
PLENET demonstrates similar design patterns to BRICKSTORM. Like BRICKSTORM, PLENET C2 traffic uses the WebSocket protocol.
These BRICKSTORM instances use the websocket protocol handler for connecting to the C2.
The initial findings determined that the threat actor used the malware’s proxying capabilities deployed on the Storage Sync system, along with compromised credentials, to access the victim’s Microsoft 365 (M365) environment.
They contain three core task extensions: ... socks A Socks5 proxy server implementation
The threat actor then connected over SSH to deploy a previously undocumented backdoor, which Volexity tracks under the name PLENET.
C2 traffic from ADVSTORESHELL is encrypted, then encoded with Base64 encoding... APT19 HTTP malware variant used Base64 to encode communications to the C2 server... APT33 has used base64 to encode command and control traffic.
It appeared to be using Google to perform queries via DNS over HTTPS, as there was no DNS activity for the domain observed in the connections.
The appliance was also making TLS connections to one of Google’s public DNS servers (8.8.8.8). It appeared to be using Google to perform queries via DNS over HTTPS
Exfiltration
2 techniques
Many entries state malware or actors can upload, transfer, send, or exfiltrate files from compromised hosts to command-and-control servers or attacker infrastructure.
As part of this intrusion campaign, the threat actors are stealing proprietary source code and other intellectual property related to enterprise technologies that many other companies use.
IOCs tracked for this family
16 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
116 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A backdoor malware sample used in the paper to evaluate memory forensics techniques for Go binaries; the framework recovered artifacts such as C2 endpoints, persistence mechanisms, and execution state from memory.
Malware used by state-sponsored groups for persistence on ESXi rather than for ransomware-style encryption.
A backdoor used by PRC-Nexus threat actors to target VMware vSphere environments, specifically vCenter Server Appliance (VCSA) and ESXi hypervisors, in order to establish long-term persistence below the guest operating system layer.
BRICKSTORM is referenced as a malware family associated with the suspected China-nexus espionage group UNC5221 in the context of the F5 compromise.