Explore the BRICKSTORM espionage campaign, where adversaries exploit logging gaps and legitimate paths to maintain long-term access, remaining undetected for an average of 393 days. Insights from Google Threat Intelligence Group and Mandiant.
7 min read | Posted on Dec 19, 2025
Security leaders are observing a common pattern across high-stakes threat campaigns: adversaries are not succeeding by deploying novel malware, but by exploiting visibility gaps and moving through legitimate administrative paths. In the BRICKSTORM espionage campaign, as detailed by Google Threat Intelligence Group (GTIG) and Mandiant, the adversaries prioritize environments where centralized logging and endpoint coverage are limited, which lets them maintain long-term access with little chance of detection. Their focus is sustained access and operational flexibility rather than quick financial gain. These intrusions generated minimal security telemetry and often went undetected for extended periods, averaging 393 days. This has significant implications for log retention, investigation strategies, and how long it takes executives to gain clarity when an incident is suspected.
What is the BRICKSTORM Campaign?
The BRICKSTORM campaign is a sophisticated, long-term espionage operation that leverages a custom Go-based backdoor, designed for stealthy and persistent access. It includes ELF samples for Linux-style environments, enabling attackers to maintain secure command-and-control (C2) communications over extended periods.
Google Threat Intelligence Group (GTIG) attributes the campaign to the Chinese threat actor group UNC5221. According to the joint malware analysis report from CISA, NSA, and the Canadian Centre for Cyber Security, BRICKSTORM is part of a state-sponsored effort aimed at achieving long-term persistence in targeted environments. For security leaders, the key takeaway is simple: expect sustained access, with the initial compromise hard to identify because of extended dwell times, and with sustained pressure on identity and control-plane systems.
How does the BRICKSTORM Campaign work?
To understand the full scope of BRICKSTORM's impact, it's important to break down its operational mechanics. This campaign stands out not only for its stealth and persistence but also for its methodical use of legitimate pathways within an environment. BRICKSTORM exploits weaknesses in common administrative systems and leverages low-profile tactics to maintain access over extended periods. By focusing on areas with limited visibility, such as appliances and virtualization platforms, the attackers ensure their foothold remains undetected for as long as possible. Now, let's look at how BRICKSTORM infiltrates and moves within an organization, starting with its delivery and intrusion chain.
Delivery and Intrusion Chain
Attackers involved in the BRICKSTORM campaign often use a repeatable attack pathway, highlighting the risks associated with insufficient segmentation, service-account governance, and management-plane hardening in mature environments. In one case, attackers gained access to a DMZ web server via a web shell. Once in the DMZ, the attackers used identity-led tactics and administrative paths to move laterally. They leveraged service account credentials and remote access (via RDP) to access a domain controller and copy the Active Directory database (ntds.dit). They then used these credentials, including an MSP account, to access VMware vCenter, as well as to move through SMB to jump servers and exfiltrate cryptographic keys.
Core Capabilities and Operator Value
BRICKSTORM gives its operators a mix of resilient access and stealthy communications that blend into normal enterprise traffic. BRICKSTORM’s C2 infrastructure is designed to evade detection by using encryption layers such as HTTPS, WebSockets, and DNS-over-HTTPS (DoH), as well as mimicking web server functionality. These techniques make traditional “block suspicious DNS” or “alert on rare domains” strategies ineffective, especially when compromised hosts communicate over standard ports and protocols.
On the host side, BRICKSTORM enables interactive shell access, file browsing, and critical SOCKS proxy functionality, which can facilitate lateral movement to internal systems through a trusted foothold.
Persistence Mechanics
Persistence is a key characteristic of BRICKSTORM, as it ensures attackers maintain access even after reboots or remediation efforts. The malware’s self-watching functionality allows it to restart or reinstall if disrupted. This mechanism significantly raises the cost of containment. Additionally, operators modify startup scripts (e.g., init.d, rc.local, systemd files) to ensure BRICKSTORM restarts on appliance reboots. This makes it harder to detect and remove in environments without rigorous configuration monitoring.
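Because the persistence described above lives in startup scripts on appliances that often cannot run EDR, the practical control is configuration monitoring: baseline the hashes of init.d, rc.local and systemd unit files and review every delta. The following is an added example written for this article, not code from RiskProfiler, GTIG or Mandiant. It builds a constructed appliance directory tree in a temp folder, baselines it, simulates the two changes the text describes (an edited rc.local and a new unit file) and reports the difference; the WATCH_PATHS list and the sample file contents are assumptions for a generic Linux-style appliance.

```python
"""Startup-script integrity baseline for a Linux-style appliance (added example)."""
import hashlib
import tempfile
from pathlib import Path

# Assumed locations that BRICKSTORM-style persistence edits; adjust per platform.
WATCH_PATHS = ["/etc/init.d", "/etc/rc.local", "/etc/systemd/system", "/usr/lib/systemd/system"]


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path, paths) -> dict:
    """Return {absolute_path: sha256} for every regular file under the watched paths.
    `root` is "/" on a real appliance; the demo points it at a temp directory."""
    result = {}
    for p in paths:
        target = root / p.lstrip("/")
        if target.is_file():
            result[p] = sha256_file(target)
        elif target.is_dir():
            for f in sorted(target.rglob("*")):
                if f.is_file():
                    result["/" + f.relative_to(root).as_posix()] = sha256_file(f)
    return result


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Classify every change between two snapshots; anything here is reviewed, not trusted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed appliance filesystem: baseline, then simulate the edits the article describes."""
    root = Path(tempfile.mkdtemp())
    (root / "etc/init.d").mkdir(parents=True)
    (root / "etc/systemd/system").mkdir(parents=True)
    (root / "etc/init.d/networking").write_text("#!/bin/sh\n# constructed sample init script\n")
    (root / "etc/rc.local").write_text("#!/bin/sh\nexit 0\n")
    (root / "etc/systemd/system/sshd.service").write_text("[Unit]\nDescription=constructed sample\n")
    baseline = snapshot(root, WATCH_PATHS)

    # Simulated tampering (constructed placeholder path, no real payload):
    # rc.local gains a launcher line and a new unit file appears.
    (root / "etc/rc.local").write_text("#!/bin/sh\n/opt/constructed-example/helper &\nexit 0\n")
    (root / "etc/systemd/system/cache-helper.service").write_text(
        "[Service]\nExecStart=/opt/constructed-example/helper\n")
    return diff_snapshots(baseline, snapshot(root, WATCH_PATHS))


if __name__ == "__main__":
    print(demo())
```

On a real appliance the baseline dictionary would be stored off-box (the appliance itself is untrusted once compromised) and the comparison run from a management host on a schedule; the self-watching behaviour described above means a finding here should trigger containment of the whole appliance, not deletion of the single file.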
Why VMware Control Planes Are a Force Multiplier
A compromise of VMware vCenter or ESXi escalates the severity of an incident because it shifts the attacker’s leverage from a single host to the entire environment. vCenter allows for operations like creating, cloning, or manipulating virtual machines (VMs), which can be used to extract credentials or other sensitive data without triggering endpoint detection systems.
Once attackers gain access to vCenter, they can clone VMs (e.g., domain controllers, identity providers) and exfiltrate sensitive data offline, without ever powering on the clone. This ability to work quietly and avoid endpoint controls is operationally decisive. For executives, the implication is clear: a vCenter compromise can render assumptions about segmentation, identity security, and endpoint telemetry unreliable during incident response.
Detection, Mitigation, and Preparedness Playbook
Detection Strategy That Matches the Tradecraft
A key mistake many executives make is assuming that Endpoint Detection and Response (EDR) visibility equals comprehensive enterprise visibility. BRICKSTORM exploits the opposite, targeting appliances and platforms that do not support traditional EDR, lack centralized logging, and are poorly inventoried. The average dwell time of 393 days, combined with minimal security telemetry, means that evidence of initial access may be lost in the noise of routine system operations.
To detect BRICKSTORM, focus on behavior-driven patterns rather than relying solely on malware signatures. Look for anomalies in administrative activities, especially in identity and virtualization systems. Key areas to focus your telemetry efforts on include:
vCenter/ESXi audit trails: Unusual authentication sources, new local accounts, enabling of SSH, or unexpected admin actions.
Identity systems: Suspicious service-account use, privilege escalations, and authentication paths from DMZ assets to internal control planes.
Network behaviors: Unusual DoH usage, web-like C2 traffic, and outbound traffic from appliance management interfaces that should not be interacting with the public internet.
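The three telemetry areas above, plus the vCenter clone behaviour described earlier, can be expressed as behaviour rules rather than signatures. The following is an added example written for this article, not RiskProfiler, GTIG or Mandiant code. It runs a small rule set over constructed key=value log lines standing in for vCenter/ESXi audit events, identity authentication logs and flow records; the field names, the DMZ range, the admin jump hosts, the appliance management addresses and the domain controller names are all assumptions. It also correlates across events, flagging a clone of a domain controller that is never powered on.

```python
"""Behaviour-driven triage for BRICKSTORM-style activity over constructed logs (added example)."""
import ipaddress
import re
from typing import Dict, List

# Assumed environment facts (constructed for the example).
DMZ_NET = ipaddress.ip_network("10.50.0.0/16")
ADMIN_JUMP_HOSTS = {"10.10.1.5", "10.10.1.6"}          # only sanctioned vCenter admin sources
APPLIANCE_MGMT_IPS = {"10.20.0.10", "10.20.0.11"}      # vCenter / ESXi management interfaces
DOMAIN_CONTROLLERS = {"dc01", "dc02"}
KNOWN_LOCAL_ACCOUNTS = {"root", "administrator@vsphere.local"}
DOH_HOSTS = {"dns.google", "cloudflare-dns.com"}       # well-known public DoH endpoints

# Constructed sample log; the first six lines model the intrusion chain, the rest is benign admin work.
LOG = """\
ts=2025-03-02T01:12:07Z event=auth account=svc_backup account_type=service src_ip=10.50.3.21 target=dc01 result=success
ts=2025-03-02T01:14:44Z event=vc_login user=svc_backup src_ip=10.50.3.21 result=success
ts=2025-03-02T01:16:10Z event=vc_account_create user=svc_backup new_account=backup-ops
ts=2025-03-02T01:18:03Z event=esxi_ssh_enable host=esx03 user=svc_backup
ts=2025-03-02T01:20:30Z event=vm_clone source_vm=dc01 clone_name=dc01-tmp user=svc_backup
ts=2025-03-02T01:40:00Z event=flow src_ip=10.20.0.10 dst_ip=8.8.8.8 dst_port=443 sni=dns.google
ts=2025-03-02T08:00:00Z event=vc_login user=administrator@vsphere.local src_ip=10.10.1.5 result=success
ts=2025-03-02T08:05:00Z event=vm_clone source_vm=web01 clone_name=web01-test user=administrator@vsphere.local
ts=2025-03-02T08:06:00Z event=vm_poweron vm=web01-test user=administrator@vsphere.local
"""


def parse(line: str) -> Dict[str, str]:
    """Parse 'k=v k2="v with spaces"' records into a dict."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def triage_log(lines: List[str]) -> List[dict]:
    findings = []
    clones = {}        # clone_name -> (source_vm, ts), for clone/power-on correlation
    powered_on = set()
    for line in lines:
        ev = parse(line)
        if not ev:
            continue
        et, src = ev.get("event"), ev.get("src_ip", "")
        # Identity systems: service account authenticating from the DMZ into a control plane.
        if (et == "auth" and ev.get("account_type") == "service" and src
                and ipaddress.ip_address(src) in DMZ_NET and ev.get("target") in DOMAIN_CONTROLLERS):
            findings.append({"rule": "svc_account_dmz_to_dc", "ts": ev["ts"],
                             "detail": f"{ev['account']} from {src} to {ev['target']}"})
        # vCenter audit trail: unusual authentication source, new local account, SSH enabled.
        elif et == "vc_login" and src not in ADMIN_JUMP_HOSTS:
            where = "DMZ" if ipaddress.ip_address(src) in DMZ_NET else "non-admin host"
            findings.append({"rule": "vcenter_login_unexpected_source", "ts": ev["ts"],
                             "detail": f"{ev['user']} from {src} ({where})"})
        elif et == "vc_account_create" and ev.get("new_account") not in KNOWN_LOCAL_ACCOUNTS:
            findings.append({"rule": "new_vcenter_local_account", "ts": ev["ts"], "detail": ev["new_account"]})
        elif et == "esxi_ssh_enable":
            findings.append({"rule": "esxi_ssh_enabled", "ts": ev["ts"], "detail": ev["host"]})
        elif et == "vm_clone":
            clones[ev["clone_name"]] = (ev["source_vm"], ev["ts"])
        elif et == "vm_poweron":
            powered_on.add(ev["vm"])
        # Network behaviour: appliance management interface reaching the internet, DoH in particular.
        elif et == "flow" and src in APPLIANCE_MGMT_IPS and ipaddress.ip_address(ev["dst_ip"]).is_global:
            findings.append({"rule": "appliance_mgmt_egress", "ts": ev["ts"],
                             "detail": f"{src} -> {ev['dst_ip']}:{ev['dst_port']}",
                             "doh": ev.get("sni") in DOH_HOSTS})
    # Cross-event correlation: a cloned domain controller that is never powered on
    # is consistent with offline credential extraction from the clone's disk.
    for clone, (source, ts) in clones.items():
        if source in DOMAIN_CONTROLLERS and clone not in powered_on:
            findings.append({"rule": "dc_clone_never_powered_on", "ts": ts, "detail": f"{source} -> {clone}"})
    return findings


if __name__ == "__main__":
    for f in triage_log(LOG.splitlines()):
        print(f)
```

Each rule keys on an administrative action that is legitimate in isolation; the value comes from evaluating the source, the account type and the follow-on activity together, which is what makes the output reviewable by a SOC rather than just another alert stream.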
The leadership takeaway is to treat appliance and management-plane telemetry as first-class security data. If your SOC cannot confidently answer what changed on the vCenter appliance last week, you are unknowingly accepting long-dwell risks.
Mitigation Actions That Reduce Blast Radius
To mitigate the impact of BRICKSTORM, focus on reducing the attacker’s leverage, rather than merely removing artifacts. Start by hardening and segmenting your management planes, ensuring vCenter and ESXi interfaces are accessible only through controlled administrative channels (e.g., establishing strong MFA protocols). Service accounts should be treated as privileged identities, with lifecycle governance, limited scope, and strict authentication.
Appliance security is also crucial. If your appliances cannot support EDR, compensate by enforcing centralized logging, configuration monitoring, and restricting outbound internet access. Google’s reporting highlights the actor’s preference for weakly monitored appliance platforms, so the goal is to make these systems visible and controlled, even if they cannot run EDR.
Finally, ensure your incident response plan is prepared for advanced persistent threats. Preservation of evidence and escalation protocols should be aligned with the reality that early-stage evidence may be gone after several months of undetected presence.
How RiskProfiler’s Agentic AI-Powered Threat Intelligence Improves Outcomes
BRICKSTORM-style campaigns thrive on small signals spread over long timeframes. Many organizations gather security intel, but only a few can consistently correlate, map, and prioritize it across their attack surface, identity systems, and control planes. An agentic AI-powered threat intelligence platform, such as RiskProfiler, becomes an operational advantage when threat intelligence is treated as a workflow discipline rather than just a tool. RiskProfiler’s proprietary agentic AI module, KnyX AI, continuously monitors your external attack surface, cloud exposures, vendor integrations, and relevant malware and threat signals to present your SOC with real-time threat intelligence mapped to your digital ecosystem.
External Attack Surface Management: RiskProfiler’s KnyX Recon AI strengthens early detection by continuously discovering and tracking internet-facing assets, shadow IT, exposed services, unusual traffic, suspicious IP requests, and high-risk configuration drift. By correlating these findings with identity signals and known adversary behaviors, teams can prioritize the exposures most likely to become initial access paths in BRICKSTORM-style intrusions.
Cloud Exposure Intelligence: KnyX Cloud AI improves containment readiness by mapping cloud misconfigurations and exposed cloud services to business-critical workloads and control planes. This helps security teams distinguish “noisy” cloud findings from exposure that can realistically enable credential abuse, lateral movement, or persistence across hybrid environments.
Third-Party Risk Management: KnyX Vendor AI reduces blind spots by monitoring vendor and partner exposure, tracking changes in supplier security posture, and linking third-party risk to internal dependencies and access relationships. This helps teams identify which vendor-connected pathways could expand the blast radius in an advanced persistent threat campaign and prioritize controls around integrations, privileged access, and shared administrative surfaces.
Dark Web Monitoring: RiskProfiler’s KnyX Dark Web AI monitors for stolen credentials and session artifacts that can enable identity-led lateral movement, and it tracks references to malware hashes and C2 infrastructure that align with BRICKSTORM’s stealthy communications patterns, including web-like traffic and DNS-over-HTTPS. By correlating those external indicators back to your exposed users, domains, and internet-facing assets, teams can narrow investigation scope faster, prioritize credential resets and access reviews, and decide when suspected infrastructure overlap warrants immediate hunting and containment.
Cyber Threat Intelligence: KnyX Intel AI continuously ingests live IoCs and exposure updates (domains, IPs, hostnames, file hashes) and then validates them in context so the SOC can distinguish routine background scanning from activity that resembles a targeted intrusion chain. For campaigns that rely on stealthy C2 and long dwell time, it helps map suspicious infrastructure and behaviors back to internal telemetry, enriches findings with adversary attribution where relevant, and provides contextual clarity across identity activity and virtualization management planes. In parallel, it supports faster containment by highlighting malicious IP activity worth blocking and by issuing real-time alerts for CVEs and active exploitation that could plausibly enable the “unclear initial access” reality seen in BRICKSTORM incidents.
Executive Takeaways: Preparing Ahead of BRICKSTORM-Style Campaigns
BRICKSTORM underscores that sophisticated backdoors are less about novelty and more about operational fit. Adversaries use stealthy communications, durable persistence, and placement on platforms outside default visibility to maintain long-term access. Given the persistence window observed in this campaign (April 2024 to at least September 2025), leadership must prepare for long-duration exposure, not short-term incidents.
Preparation should include:
Integrated Monitoring and Control
Since attackers in the BRICKSTORM campaign exploit platforms that lack typical EDR coverage, organizations need strong monitoring and control of critical systems, including appliances and virtualization management systems like VMware vCenter/ESXi. Effective monitoring should involve centralized logging, configuration tracking, and continuous inventory management to fill gaps where traditional EDR solutions fall short.
Proper internal and external visibility is crucial for identifying threats across the entire attack surface. RiskProfiler enhances external monitoring by continuously scanning for exposed assets, misconfigurations, and shadow IT. Through KnyX Recon AI, RiskProfiler provides a more efficient, comprehensive view of external risks, exposures, and asset drifts, helping teams proactively address vulnerabilities that may otherwise go undetected.
Intelligence-Driven Prioritization
As the threat landscape evolves, organizations must prioritize remediation efforts based on real-time intelligence. Traditional security measures often fall short against the complex and emerging threats organizations now face. Agentic AI-powered threat intelligence maps threats, exposures, and vulnerabilities across systems, offering comprehensive visibility into potential attack paths. This approach helps identify which threats pose the greatest risk and need immediate attention, enabling data-backed prioritization.
RiskProfiler’s KnyX AI enhances this by correlating data across 26 integrated modules, offering a more efficient, holistic view of external threats. By simulating attack paths and contextualizing intelligence, KnyX AI helps security teams quickly identify, prioritize, and address the most critical vulnerabilities, enabling faster, more effective responses to advanced threats like BRICKSTORM.
Threat Hunting and Incident Retention
In campaigns where dwell times can extend for months, incident response and threat hunting must be proactive. Given the likelihood of lost early-stage evidence due to long detection windows, it’s essential to design investigations based on cross-domain correlation. KnyX AI enhances this process by continuously integrating threat data across identity systems, network traffic, and administrative controls. By linking disparate data sources, RiskProfiler enables teams to quickly track lateral movements and ensure that response efforts are targeted and timely, even when initial evidence is scarce.
Dark Web Monitoring and Cyber Threat Intelligence
Proactive monitoring of the dark web for exposed credentials, identity leaks, and discussions related to privileged access is critical in early-stage detection. KnyX Dark Web AI continuously tracks and flags relevant dark web activity, alerting security teams to potential threats before they escalate. Combined with KnyX Intel AI, which processes cyber threat intelligence feeds, organizations can map adversary tradecraft to internal systems, track infrastructure overlaps, and gain actionable insights for better decision-making. This integrated threat intelligence framework supports faster identification of compromised credentials and malicious infrastructure, allowing for swift containment actions.
Conclusion
The BRICKSTORM espionage campaign demonstrates the persistent nature of modern cyber threats. Adversaries are increasingly focusing on environments with weak visibility, leveraging long-term access through stealthy methods. For security leaders, this highlights the need to harden control planes, improve appliance visibility, and adopt intelligence-driven exposure management strategies.
RiskProfiler’s integrated suite of AI-powered modules, including KnyX Recon AI, KnyX Dark Web AI, KnyX Vendor AI, and KnyX Intel AI, provides a comprehensive solution for threat detection, prioritization, and mitigation. By bringing together diverse threat signals from the external attack surface, dark web, third-party risks, and cyber threat intelligence, RiskProfiler enables organizations to strengthen their security posture and respond proactively to threats like BRICKSTORM.
In a landscape where threats evolve rapidly, leveraging an intelligence-led approach to security, integrating agentic AI-powered tools and workflows, empowers organizations to stay ahead of adversaries, reduce risks, and ensure long-term security resilience.