Cybersecurity experts have uncovered a sophisticated backdoor malware called BRICKSTORM being deployed by Chinese state-aligned hackers against European industries of strategic importance. These backdoor samples are believed to be part of long-running cyber espionage campaigns active since at least 2022.

The malware, linked to the China-nexus threat cluster UNC5221, has evolved from previously only targeting Linux vCenter servers to now affecting Windows environments as well, indicating a significant expansion in the threat actor's capabilities and reach. The analysts noted that these persistent intrusions are part of the PRC's cyber operations, which are among the most active offensive programs globally, backed by a diverse network of military, state, and state-aligned operators. The focus on espionage operations has long been linked to China's political strategy, which considers economic strengthening as a matter of national security.

What sets BRICKSTORM apart is its multi-layered, sophisticated command and control infrastructure designed to circumvent common network-level security solutions. Through these backdoors, adversaries can browse file systems, create or delete arbitrary files and folders, and tunnel network connections for lateral movement. Notably, unlike the Linux variant reported by Mandiant, the Windows samples lack direct command execution capabilities—a suspected deliberate choice to evade detection by security solutions that analyze parent-child process relationships.

The malware resolves its Command & Control servers through DoH (DNS over HTTPS), effectively hiding DNS lookups from typical monitoring systems. The malware's first-tier infrastructure is hosted on legitimate cloud services, making it difficult to distinguish from normal traffic. Detection of BRICKSTORM presents significant challenges due to its use of legitimate services and multi-layered encryption.

As espionage campaigns continue to target industries of strategic interest to China, this sophisticated malware represents a persistent threat to organizations across Europe and potentially worldwide.
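The article's point that DoH hides C2 resolution from ordinary DNS monitoring has a practical defender's counterpart: DoH is invisible to DNS telemetry, but it is still HTTPS, and a forward proxy or TLS inspection point sees requests with stable fingerprints (the RFC 8484 path /dns-query, the application/dns-message content type, and a short list of public resolver hostnames). The script below is an added example, not code from the article or from any of the reports it cites; the proxy log format, the sample log lines and the resolver list are constructed assumptions, and the resolver hostnames shown are public resolvers chosen for illustration. It flags sources that talk DoH to anything other than an approved resolver.

```python
"""
Flag DNS-over-HTTPS (DoH) traffic in web-proxy logs.

Added example (not from the article). Sample log lines, the log format and
the resolver list are constructed for illustration.
"""
import re
from collections import Counter

# Public DoH resolvers used here as an illustrative alert list; extend it
# from your own environment's telemetry.
KNOWN_DOH_HOSTS = {
    "dns.google",
    "cloudflare-dns.com",
    "mozilla.cloudflare-dns.com",
    "dns.quad9.net",
}

# RFC 8484 wire format and the common JSON variant.
DOH_CONTENT_TYPES = {"application/dns-message", "application/dns-json"}

# Constructed proxy log format: ts src_ip method host path content_type
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>GET|POST) (?P<host>\S+) "
    r"(?P<path>\S+) (?P<ctype>\S+)$"
)


def parse_line(line):
    """Parse one constructed-format proxy log line; None if it does not fit."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def doh_indicators(rec):
    """Return the list of DoH indicators matched by one parsed record."""
    hits = []
    if rec["host"].lower() in KNOWN_DOH_HOSTS:
        hits.append("known-doh-resolver")
    # Strip the ?dns=... query used by GET-style DoH before comparing the path.
    if rec["path"].split("?", 1)[0] == "/dns-query":
        hits.append("rfc8484-path")
    if rec["ctype"].lower() in DOH_CONTENT_TYPES:
        hits.append("dns-content-type")
    return hits


def scan(lines, approved_hosts=frozenset()):
    """Return {src_ip: Counter(indicator -> count)} for sources showing DoH
    indicators. Resolvers on approved_hosts (e.g. the corporate DoH resolver
    that browsers are configured to use) are ignored so they do not drown
    out an unexpected one."""
    findings = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["host"].lower() in approved_hosts:
            continue
        hits = doh_indicators(rec)
        if hits:
            findings.setdefault(rec["src"], Counter()).update(hits)
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOGS = [
    "2025-04-16T10:01:02Z 10.0.5.21 GET www.example.com / text/html",
    "2025-04-16T10:01:05Z 10.0.5.21 POST dns.google /dns-query application/dns-message",
    "2025-04-16T10:01:09Z 10.0.5.21 GET cloudflare-dns.com /dns-query?dns=AAABAAABAAAAAAAAA2NuYwAAAQAB application/dns-message",
    "2025-04-16T10:02:11Z 10.0.5.44 GET cdn.example.net /assets/app.js application/javascript",
    # Unknown host using the standard DoH path and content type: still flagged.
    "2025-04-16T10:03:30Z 10.0.5.44 POST resolver.example-cloud.test /dns-query application/dns-message",
]

if __name__ == "__main__":
    for src, counts in scan(SAMPLE_LOGS).items():
        print(src, dict(counts))
```

The host list alone misses a resolver hosted on an arbitrary cloud endpoint, which is exactly the case the article describes; the path and content-type checks catch that case as long as the proxy can see the decrypted request. Where TLS is not inspected, only the hostname check (from SNI) remains, so an allowlist of approved resolvers with an alert on everything else is the more robust policy.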
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 16 Apr 2025 12:30:20 +0000