BRICKSTORM Backdoor Analysis: A Persistent Espionage Threat to European Industries
April 16, 2025, 6:21 p.m.
Description
This analysis examines BRICKSTORM, an espionage backdoor attributed to the China-nexus cluster UNC5221. It details newly identified Windows variants, extending the previously documented Linux presence. The backdoor, used in long-term espionage campaigns, targets European industries of strategic interest to China. BRICKSTORM provides file management and network tunneling capabilities, uses multiple layers of encryption, and leverages cloud providers to evade detection. The analysis covers the backdoor's inner workings, including its command-and-control infrastructure, protocol details, and evasion techniques. It highlights the persistent nature of these intrusions and the challenges they pose to defensive measures. The document concludes with recommendations for detection and mitigation strategies.
Tags
Date
- Created: April 16, 2025, 2:51 p.m.
- Published: April 16, 2025, 2:51 p.m.
- Modified: April 16, 2025, 6:21 p.m.
Indicators
- b42159d68ba58d7857c091b5acc59e30e50a854b15f7ce04b61ff6c11cdf0156
- 42692bd13333623e9085d0c1326574a3391efcbf18158bb04972103c9ee4a3b8
- ms-azure.azdatastore.workers.dev
- ms-azure.herokuapp.com
Additional Information
- Technology
- Manufacturing