Chinese state-aligned threat actors, linked to the UNC5221 cluster, have been observed deploying novel variants of the BRICKSTORM malware, a sophisticated backdoor engineered to target both Windows and Linux environments.
First identified on a Linux vCenter server, recent technical analyses by NVISO confirm the evolution of BRICKSTORM into Windows executables, signaling a strategic shift to achieve persistent, covert access across a wider range of enterprise systems.
Active since at least 2022, BRICKSTORM has been utilized in protracted cyber espionage campaigns mainly targeting European industries of strategic significance to the People’s Republic of China (PRC).
Unlike financially driven ransomware groups, Chinese advanced persistent threats (APTs) prioritize stealth and long-term infiltration, leveraging zero-day vulnerabilities and custom, low-noise backdoors like BRICKSTORM to exfiltrate intellectual property and support Beijing’s industrial and economic ambitions.
Technical Analysis
The newly identified Windows variants of BRICKSTORM are Go-based binaries, operating without exported functions and using scheduled tasks for persistence.
Notably, these samples give operators extensive file management and network tunneling capabilities but conspicuously lack a built-in command execution function.
Instead, the operators pair the tunnel with stolen credentials and act over familiar protocols such as RDP or SMB, likely to evade detection: because the backdoor never spawns a child process, alerts keyed on suspicious process creation chains do not fire, and the resulting RDP and SMB logons look like ordinary authenticated sessions. The tell is therefore the source of the session (the host running the tunnel endpoint) and the account used, not the process tree.
BRICKSTORM’s file manager exposes an HTTP API and a minimalist user interface, enabling operators to upload, download, rename, and delete files, as well as manage directories.
Its JSON-based API further supports programmatic interaction, broadening operational flexibility for adversaries.
Beyond file management, the malware’s network tunneling module supports TCP, UDP, and ICMP relaying, facilitating lateral movement and interactive sessions throughout compromised environments.
Configuration options underscore BRICKSTORM's adaptability. Operators can define authentication keys, server addresses, and DNS over HTTPS (DoH) hosts, and newer variants carry hard-coded IP address lists as a fallback for when DoH is blocked.
TLS certificate validation is disabled throughout, and command-and-control (C2) traffic is wrapped in nested TLS (TLS inside TLS) up to three layers deep, so an inspection proxy that terminates only the outer session sees another TLS handshake rather than readable traffic; controls that decrypt a single TLS layer gain nothing from it.

The C2 architecture utilizes reputable cloud services, such as Cloudflare Workers and Heroku, acting as reverse proxies to mask malicious traffic among legitimate cloud-based activities.
This multi-tiered infrastructure, combined with DoH resolution through public resolvers such as Quad9, NextDNS, Cloudflare, and Google, means the C2 domains never appear in the organization's own DNS logs: the lookups travel inside HTTPS to the DoH provider, so standard DNS logging cannot reveal them.

Given its advanced evasion techniques and cloud-centric infrastructure, BRICKSTORM presents significant detection challenges.
Experts recommend blocking enterprise access to public DoH providers, forcing name resolution through an internal, logged resolver, and implementing TLS inspection able to recognize a TLS handshake inside an already-decrypted session (a nested TLS tunnel). Note that blocking DoH alone does not sever C2, since newer variants fall back to hard-coded IP lists; egress filtering of those addresses is needed as well.
Organizations at heightened risk should continuously audit their environments for rare or suspicious processes and scheduled tasks, particularly any matching the IoCs listed below.
The emergence of cross-platform, modular, and cloud-enabled backdoors like BRICKSTORM highlights the necessity for adaptive, multi-layered defense strategies to combat evolving state-sponsored cyber threats.
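To show what a decrypting proxy actually faces with nested TLS, and what the nested-tunnel detection recommended above has to do, the following is an added example; it is not code from the report or from NVISO. It generates a real ClientHello with Python's standard library, with certificate verification switched off as the samples do, and treats that record as the payload a proxy sees after stripping the outer layer; a classifier then tells it apart from a plain HTTP request and pulls out the inner SNI. The hostname inner.example.test and the HTTP request are constructed inputs, and the script runs offline.

```python
"""Recognize a TLS ClientHello inside an already-decrypted TLS session.
Added example, not from the report or NVISO; inputs below are constructed."""
import ssl
import struct
from typing import Optional


def is_tls_client_hello(payload: bytes) -> bool:
    """True if payload begins with a TLS handshake record (content type 0x16,
    version 3.x) whose first handshake message is a ClientHello (0x01)."""
    if len(payload) < 6:
        return False
    content_type, major, _minor, rec_len = struct.unpack("!BBBH", payload[:5])
    return content_type == 0x16 and major == 0x03 and rec_len >= 4 and payload[5] == 0x01


class _Cursor:
    """Bounds-checked reader: every length field is validated before use."""

    def __init__(self, data: bytes) -> None:
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("truncated ClientHello")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self) -> int:
        return self.take(1)[0]

    def u16(self) -> int:
        return struct.unpack("!H", self.take(2))[0]

    def u24(self) -> int:
        b = self.take(3)
        return (b[0] << 16) | (b[1] << 8) | b[2]

    def done(self) -> bool:
        return self.pos >= len(self.data)


def client_hello_sni(payload: bytes) -> Optional[str]:
    """Return the host_name from the server_name extension (RFC 6066), or
    None if the ClientHello carries no SNI. Raises ValueError if malformed."""
    if not is_tls_client_hello(payload):
        raise ValueError("payload is not a TLS ClientHello record")
    rec_len = struct.unpack("!H", payload[3:5])[0]
    record = _Cursor(payload[5:5 + rec_len])
    record.u8()                           # handshake type, already checked
    body = _Cursor(record.take(record.u24()))
    body.take(2 + 32)                     # legacy_version, random
    body.take(body.u8())                  # session_id
    body.take(body.u16())                 # cipher_suites
    body.take(body.u8())                  # compression_methods
    if body.done():
        return None                       # no extensions block at all
    exts = _Cursor(body.take(body.u16()))
    while not exts.done():
        ext_type = exts.u16()
        ext = _Cursor(exts.take(exts.u16()))
        if ext_type != 0:                 # 0 == server_name
            continue
        names = _Cursor(ext.take(ext.u16()))
        while not names.done():
            name_type = names.u8()
            name = names.take(names.u16())
            if name_type == 0:            # host_name
                return name.decode("ascii")
    return None


def classify_decrypted_payload(payload: bytes) -> str:
    """Verdict a proxy can log for the first bytes seen after it terminates
    the outer TLS layer: a nested handshake, or plain application data."""
    if not is_tls_client_hello(payload):
        return "plain"
    try:
        sni = client_hello_sni(payload)
    except ValueError:
        sni = None
    return f"nested-tls sni={sni or '<none>'}"


def make_inner_client_hello(server_name: str) -> bytes:
    """First record a TLS client sends toward server_name, with certificate
    verification disabled as the BRICKSTORM samples do. Nothing answers, so
    only the ClientHello comes out; it stands in for the inner TLS layer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass                              # ClientHello written; no reply expected
    return outgoing.read()


if __name__ == "__main__":
    # Constructed inputs: an inner TLS layer toward an assumed hostname, and
    # an ordinary HTTP request such as a file-manager API call would produce.
    inner = make_inner_client_hello("inner.example.test")
    http = b"GET /api/files HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n"
    print(classify_decrypted_payload(inner))   # nested-tls sni=inner.example.test
    print(classify_decrypted_payload(http))    # plain
```

The proxy-side check is the first two functions: it only needs the first six bytes of the decrypted stream to raise a "nested TLS" verdict, and the SNI parser tells an analyst which inner hostname the tunnel was built toward. A real deployment would apply the check again to each successive layer it is able to terminate, which is why the three-deep nesting described above matters.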
Indicators of Compromise (IoCs):
File | SHA256 | SHA1 | MD5
---|---|---|---
CreatedUACExplorer.exe | b42159d68ba58d7857c091b5acc59e30e50a854b15f7ce04b61ff6c11cdf0156 | b4af963d43b6e834a28ad281c2004d348a91b938 | c65d7f8accb57a95e3ea8a07fac9550f
CreateUACExplorer.exe | 42692bd13333623e9085d0c1326574a3391efcbf18158bb04972103c9ee4a3b8 | e57515297ee77c595eec19c00b2a77bba0171879 | 8af1c3f39b60072d4b68c77001d58109

Type | Value
---|---
Command & Control Domain | ms-azure[.]azdatastore[.]workers[.]dev
Command & Control Domain | ms-azure[.]herokuapp[.]com