A sophisticated hacking campaign with Chinese fingerprints all over it has been quietly infiltrating European organizations since at least 2022. The culprit? BRICKSTORM malware, a nasty little backdoor linked to UNC5221, a China-nexus espionage cluster with a knack for staying hidden. These hackers aren’t amateurs – they’re patient, methodical, and apparently really good at their jobs.
Initially targeting Linux vCenter servers, BRICKSTORM has evolved to infect Windows systems too. Written in Go, it doesn’t execute commands directly on Windows but instead creates tunnels using legitimate credentials through RDP and SMB. Pretty clever, honestly. Makes it harder to spot unusual activity when it’s hiding behind valid user credentials.
The technical aspects of BRICKSTORM would make any security expert groan. The malware uses DNS over HTTPS to resolve its Command & Control servers, effectively bypassing standard DNS monitoring. It relies on serverless providers like Cloudflare and Heroku to mask its origins. And the cherry on top? Nested encryption for communications. These folks really don’t want to be found. According to NVISO researchers, two newly identified BRICKSTORM samples show that the backdoor is still being actively maintained. Its capabilities let attackers do anything from file theft to complete remote control of the system.
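The DoH trick above is why a detection team cannot rely on resolver logs alone. The following is an added example, not code from the article or from NVISO: it scans constructed proxy log lines for RFC 8484 DNS-over-HTTPS requests (the `application/dns-message` media type, a `/dns-query` path, or a base64url `dns=` GET parameter) and lists hosts that used DoH without ever querying the internal resolver. The log format and all hosts and addresses are assumptions made up for the demo.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample proxy log lines (not from the article), one per request:
# client_ip method url content_type
PROXY_LOGS = [
    "10.0.0.5 GET https://www.example.org/index.html text/html",
    "10.0.0.7 POST https://dns.example-resolver.net/dns-query application/dns-message",
    "10.0.0.7 GET https://dns.example-resolver.net/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB -",
    "10.0.0.9 GET https://cdn.example.org/app.js application/javascript",
]

# Constructed internal resolver log: clients that made ordinary DNS queries
RESOLVER_LOGS = ["10.0.0.5 A www.example.org", "10.0.0.9 A cdn.example.org"]

DOH_MEDIA_TYPE = "application/dns-message"
B64URL = re.compile(r"^[A-Za-z0-9_-]+$")


def is_doh_request(method, url, content_type):
    """True when the request has the shape of RFC 8484 DNS-over-HTTPS."""
    parsed = urlparse(url)
    if content_type == DOH_MEDIA_TYPE or parsed.path.endswith("/dns-query"):
        return True
    if method == "GET":
        # GET form: the wire-format DNS message is base64url-encoded in ?dns=
        values = parse_qs(parsed.query).get("dns", [])
        return any(B64URL.match(v) and len(v) >= 16 for v in values)
    return False


def find_doh_clients(proxy_lines):
    """Map each client that issued DoH-like requests to the resolver hosts it used."""
    clients = {}
    for line in proxy_lines:
        client, method, url, ctype = line.split()
        if is_doh_request(method, url, ctype):
            clients.setdefault(client, set()).add(urlparse(url).hostname)
    return clients


def clients_bypassing_internal_dns(proxy_lines, resolver_lines):
    """Hosts that used DoH but never touched the internal resolver: DNS monitoring is blind to them."""
    seen_on_resolver = {line.split()[0] for line in resolver_lines}
    return sorted(c for c in find_doh_clients(proxy_lines) if c not in seen_on_resolver)


if __name__ == "__main__":
    doh = find_doh_clients(PROXY_LOGS)
    for client in clients_bypassing_internal_dns(PROXY_LOGS, RESOLVER_LOGS):
        print(f"{client}: DoH to {sorted(doh[client])}, no internal DNS queries")
```

In a real deployment the same check belongs in the proxy or TLS-inspection layer, since without it the DoH request is just another HTTPS connection to a CDN-fronted host.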
China’s hacking groups have been busy across Europe. APT31, Mustang Panda, MirrorFace, Salt Typhoon – the list goes on. Each group targets strategic sectors with remarkable persistence. APT31 even went after European politicians who dared criticize China. Bold move.
These attackers aren’t just randomly poking around networks. They’re after specific prizes: intellectual property, trade secrets, research data, and product developments. Government agencies, defense contractors, critical infrastructure – all in the crosshairs. Their targets read like a who’s who of European strategic assets.
The toolbox these hackers use is extensive. Zero-day vulnerabilities for initial access. Legitimate tools for movement once inside. Phishing attacks to snag credentials. And a variety of malware beyond BRICKSTORM, including ShadowPad, Spyder, and PlugX.
The scariest part? They’re in it for the long haul. These aren’t smash-and-grab operations. They’re establishing persistent footholds. Planning ahead. Waiting.