
Chinese-linked hackers have been spying on U.S. technology and legal firms undetected for over a year. The group, tracked as UNC5221, used a stealthy backdoor called Brickstorm to steal high-privilege credentials and exfiltrate emails.

The China-linked cyber espionage group UNC5221 has been conducting offensive cyberattacks since March 2025, using the Brickstorm backdoor against U.S. legal and technology companies. Brickstorm is highly stealthy: it can remain undetected for over a year, which obscures the initial attack vector.

Brickstorm is a versatile backdoor that can act as a web server, manipulate the file system, upload and download files, execute shell commands, and relay traffic as a SOCKS proxy. It was deployed as a stealthy in-memory Java Servlet filter, BRICKSTEAL, to steal high-privilege credentials. The group targeted developers and administrators whose work related to China's interests, and removed the malware once its operations were complete. It used legitimate admin accounts to move laterally and extracted sensitive files such as ntds.dit, the Active Directory database.

Google has warned that the Brickstorm backdoor is targeting the U.S. legal and technology sectors. The end goal of the attacks is the exfiltration of emails via Entra ID applications. Mandiant attributes the activity to the China-nexus APT UNC5221, known for exploiting zero-days for espionage and for gaining broader access. Google Threat Intelligence Group has observed Brickstorm in use since March 2025, targeting legal firms, SaaS providers, BPOs, and technology companies.
