New versions of a known backdoor linked to a China-associated threat actor have recently been identified in the networks of several European organizations.
Security experts at Nviso, a Belgian cybersecurity startup, uncovered new Windows-based samples of the malware dubbed Brickstorm. In research released on April 15, Nviso tied these variants to cyber-espionage campaigns by UNC5221, a China-linked group previously associated with high-profile breaches, including last year’s MITRE hack.
Brickstorm was originally exposed by Mandiant in 2023 when it was found on Linux servers running VMware vCenter. Now, Nviso has confirmed that Windows variants were detected in multiple incident response cases across strategic European sectors believed to be of national interest to the People’s Republic of China (PRC).
China Backdoor Covert Capabilities
The backdoor enables malicious actors to navigate through file systems, create or delete files and directories, and use network tunneling to move laterally within networks. Despite only recently being flagged, Nviso confirmed these backdoors have been operational for years.
“From the samples we’ve collected during our incident response efforts, it’s clear they’ve been in use since at least 2022,” said Michel Coene, Nviso’s director of incident response, threat hunting, and threat intelligence, in a statement to Dark Reading. “Although undetected until now, it’s possible the malware has existed even longer, though we’ve found no proof of earlier use.”
While Mandiant first reported the Linux variant, Coene noted that the Windows versions predate it by a significant margin and were likely the basis from which the Linux strains evolved.
“This theory is reinforced by infrastructure timelines,” Coene explained. “While the Linux version’s infrastructure was a few months old, the Windows variant relied on systems dating back to 2022—possibly earlier.”
Subtle Differences, Stealthier Tactics
One key difference is that the Windows version lacks direct command execution functionality. According to Nviso, this omission was likely deliberate to help evade detection from advanced security tools.
“Rather than issuing direct commands, attackers leverage tunneling in conjunction with valid credentials to exploit common protocols such as RDP and SMB, achieving a similar effect,” Nviso explained in its report.
Engineered to Evade
These Windows-based versions were developed to bypass network-level protections like DNS monitoring, TLS inspection, and even geo-blocking. Though network tunneling isn’t a novel method, when used by advanced groups like UNC5221, its effectiveness is amplified.
“Brickstorm’s functionalities might seem basic at a glance, but they are highly effective,” Nviso said. “Their longevity and continued infrastructure upkeep show the importance of reinforcing defenses and constantly auditing for abnormal activity in at-risk industries.”
Further complicating detection, UNC5221 reportedly uses reputable cloud service providers to operate its command-and-control (C&C) servers. This allows Brickstorm traffic to blend into legitimate network activity, making attribution and analysis difficult for defenders.
Adding another layer of stealth, the malware connects to C&C infrastructure via DNS over HTTPS (DoH), a privacy-focused protocol that hampers conventional network monitoring tools.
Although Brickstorm doesn’t require DoH to function, Nviso recommended organizations block access to known DoH providers. The company also advised reevaluating TLS inspection tools to ensure they can identify or block encrypted sessions layered within TLS tunnels.
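As an added illustration (not code from Nviso's report or from this article), the following Python triage script scans constructed web-proxy log lines for DoH indicators: the hostnames of a few well-known public DoH resolvers, plus the RFC 8484 protocol fingerprints (a `/dns-query` path and the `application/dns-message` media type), which also catch DoH endpoints that are not on any provider list. The log format, the resolver list and the sample lines are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Starter list of well-known public DoH resolver hostnames (assumed; extend from your own intel).
KNOWN_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net", "doh.opendns.com"}

# Assumed proxy log format: timestamp client method host path status content-type
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


@dataclass
class Finding:
    client: str
    host: str
    reason: str  # "+"-joined list of matched indicators


def classify(line: str):
    """Return a Finding if the log line looks like DoH traffic, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    _ts, client, _method, host, path, _status, ctype = m.groups()
    reasons = []
    if host.lower() in KNOWN_DOH_HOSTS:
        reasons.append("known-doh-host")
    # RFC 8484 fingerprints: these fire even for a resolver that is not on the blocklist.
    if path.split("?", 1)[0].rstrip("/").endswith("/dns-query"):
        reasons.append("dns-query-path")
    if ctype.lower() == "application/dns-message":
        reasons.append("dns-message-content-type")
    if not reasons:
        return None
    return Finding(client, host, "+".join(reasons))


def scan(lines):
    """Run classify() over an iterable of log lines and keep the hits."""
    return [f for f in map(classify, lines) if f is not None]


# Constructed sample log: one known resolver, one unknown host speaking DoH, two benign requests.
SAMPLE_LOG = """
2025-04-15T09:12:01Z 10.0.5.21 POST dns.google /dns-query 200 application/dns-message
2025-04-15T09:12:03Z 10.0.5.21 GET www.example.com / 200 text/html
2025-04-15T09:12:07Z 10.0.5.44 GET 203.0.113.10 /dns-query?dns=AAABAAABAAAAAAAAA2RucwZnb29nbGUAAAEAAQ 200 application/dns-message
2025-04-15T09:12:09Z 10.0.5.44 GET cdn.example.net /assets/app.js 200 application/javascript
""".strip()

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f.client} -> {f.host}: {f.reason}")
```

The second hit (host 203.0.113.10) is the case a hostname blocklist alone would miss, which is why the path and media-type checks belong in the TLS-inspection or proxy rules as well.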