UNC5221 Uses BrickStorm Backdoor to Target Southeast Asian Entities

In a recent cyber espionage campaign, the threat group UNC5221 has been observed deploying the BrickStorm backdoor to infiltrate and monitor entities across Southeast Asia. The campaign is a further example of advanced persistent threats (APTs) relying on custom malware for long-term surveillance and data exfiltration. BrickStorm is built for stealth and resilience: it gives the operators persistent access to compromised systems and a foothold for extensive intelligence gathering. Organizations in the region are urged to strengthen their defenses, including network monitoring, endpoint protection, and employee awareness training, to reduce the risk posed by such targeted intrusions. This article covers the tactics, techniques, and procedures (TTPs) employed by UNC5221, the implications for regional cybersecurity, and recommended defensive measures against these evolving threats.

This Cyber News was published on thehackernews.com. Publication date: Thu, 25 Sep 2025 03:29:03 +0000


Cyber News related to UNC5221 Uses BrickStorm Backdoor to Target Southeast Asian Entities

Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation - Successful exploitation could result in authentication bypass and command injection, leading to further downstream compromise of a victim network. Mandiant has identified zero-day exploitation of these vulnerabilities in the wild beginning as early ...
1 year ago Mandiant.com CVE-2023-46805 CVE-2024-21887
Southeast Asian cyber fraud industry at ‘inflection point’ as it expands globally | The Record from Recorded Future News - Another one of those areas is the Pacific islands, where criminal groups with connections to the Southeast Asian fraud industry have built up infrastructure like casinos and resorts and have taken advantage of citizenship-by-investment schemes on ...
8 months ago Therecord.media
BianLian GOs for PowerShell After TeamCity Exploitation - In conjunction with GuidePoint's DFIR team, we responded to an incident that began with the exploitation of a TeamCity server which resulted in the deployment of a PowerShell implementation of BianLian's GO backdoor. The threat actor identified a ...
1 year ago Securityboulevard.com CVE-2024-27198 CVE-2023-42793 BianLian
Chinese Hackers BrickStorm Targeting Southeast Asia with Espionage Campaign - Chinese threat actors using the BrickStorm backdoor have been identified conducting a sophisticated espionage campaign targeting Southeast Asian countries. The group employs advanced malware and phishing techniques to infiltrate government and private sector ...
3 months ago Infosecurity-magazine.com BrickStorm
Chinese Hackers Using New BRICKSTORM Malware to Attack Windows & Linux Machines - Notably, unlike the Linux variant reported by Mandiant, the Windows samples lack direct command execution capabilities—a suspected deliberate choice to evade detection by security solutions that analyze parent-child process relationships. The ...
8 months ago Cybersecuritynews.com
China-linked hackers target BrickStorm backdoor IP addresses - China-linked hackers have been observed targeting IP addresses associated with the BrickStorm backdoor, a sophisticated malware used for persistent access and espionage. This campaign highlights the ongoing cyber espionage efforts attributed to ...
3 months ago Therecord.media China-linked hackers
New BrickStorm: A Stealthy Backdoor Targeting Windows Systems - Cybersecurity researchers have uncovered a new stealthy backdoor named BrickStorm that targets Windows systems. This sophisticated malware is designed to evade detection and maintain persistent access to compromised networks. BrickStorm employs ...
3 months ago Cybersecuritynews.com
Chinese Hackers Employ New Reverse SSH Tool to Attack Organizations - A sophisticated Chinese hacking group known as Billbug (also tracked as Lotus Blossom, Lotus Panda, and Bronze Elgin) has intensified its espionage campaign across Southeast Asia, employing a new custom Reverse SSH Tool to compromise high-value ...
8 months ago Cybersecuritynews.com Lotus Blossom
Google: BrickStorm malware used to steal US orgs' data for over a year - The BrickStorm malware has been actively used for over a year to steal sensitive data from U.S. organizations, according to recent reports. This sophisticated malware campaign has targeted various sectors, exploiting vulnerabilities to infiltrate ...
3 months ago Bleepingcomputer.com
Russian Sandworm Group Using Novel Backdoor to Target Ukraine - Russian nation-state group Sandworm is believed to be utilizing a novel backdoor to target organizations in Ukraine and other Eastern and Central European countries, according to WithSecure researchers. The previously unreported backdoor, dubbed ...
1 year ago Infosecurity-magazine.com
Senator presses Musk on Starlink ‘misuse’ by Southeast Asian scammers | The Record from Recorded Future News - “While SpaceX has stated that it investigates and deactivates Starlink devices in various contexts, it seemingly has not publicly acknowledged the use of Starlink for scams originating in Southeast Asia — or publicly discussed actions the company ...
4 months ago Therecord.media
Southeast Asian casino industry supercharging cyber fraud, UN says - The expanding Southeast Asian casino industry has become the nexus of the region's criminal ecosystem, including its cyber fraud industry, and it is facilitating large-scale money laundering by organized crime networks, a new United Nations report ...
1 year ago Therecord.media
New FinalDraft malware abuses Outlook mail service for stealthy comms - A new malware called FinalDraft has been using Outlook email drafts for command-and-control communication in attacks against a ministry in a South American country. The attack begins with the threat actor compromising the target's system with ...
10 months ago Bleepingcomputer.com
Chinese APT 'Emperor Dragonfly' Moonlights With Ransomware - "The attacker then said administrative credentials were obtained from the company's intranet before stealing Amazon S3 cloud credentials from its Veeam server, using them to steal data from its S3 buckets before encrypting computers," ...
10 months ago Darkreading.com Dragonfly
Pro-Hamas Cyberattackers Aim 'Pierogi' Malware at Multiple Mideast Targets - A group of pro-Hamas attackers known as the Gaza Cybergang is using a new variation of the Pierogi++ backdoor malware to launch attacks on Palestinian and Israeli targets. According to research from Sentinel Labs, the backdoor is based on the C++ ...
2 years ago Darkreading.com
Southeast Asian Scam Centers Face Financial Sanctions - Southeast Asian scam centers are increasingly under scrutiny as financial sanctions target their operations. These centers, known for orchestrating large-scale fraud and scams, have become a significant concern for global cybersecurity and financial ...
3 months ago Darkreading.com
MITRE Links Recent Attack to China-Associated UNC5221 - MITRE recently provided further insight into the recent cyber intrusion, shedding light on the new malicious software employed and a timeline detailing the attacker's actions. In April 2024, MITRE announced a breach in one of its research and ...
1 year ago Cysecurity.news
Signature Techniques of Asian APT Groups Revealed - The Kaspersky Cyber Threat Intelligence team has unveiled crucial insights into the tactics, techniques and procedures employed by Asian Advanced Persistent Threat groups. The 370-page report, Modern Asian APT groups: Tactics, Techniques and ...
2 years ago Infosecurity-magazine.com
Palo Alto Reveals New Features in Russian APT Turla's Kazuar Backdoor - The latest version of the Kazuar backdoor could be more sophisticated than previously imagined, according to Palo Alto Networks. The Kazuar backdoor was used by the Russian hacking group Turla to target the Ukrainian defense sector in July 2023, the ...
2 years ago Infosecurity-magazine.com Turla
More Ivanti VPN Zero-Days Fuel Attack Frenzy as Patches Finally Roll - Ivanti has finally begun patching a pair of zero-day security vulnerabilities disclosed on Jan. 10 in its Connect Secure VPN appliances. It also announced two additional bugs today in the platform, CVE-2024-21888 and CVE-2024-21893 - the latter of ...
1 year ago Darkreading.com CVE-2024-21888 CVE-2024-21893
Ivanti zero-day victim count grows as Mandiant weighs in The Register - Two zero-day bugs in Ivanti products were likely under attack by cyberspies as early as December, according to Mandiant's threat intel team. The software biz disclosed the vulnerabilities in Ivanti Connect Secure - the VPN server appliance previously ...
1 year ago Go.theregister.com CVE-2023-46805 CVE-2024-21887 Hunters
Iran's Peach Sandstorm Deploy FalseFont Backdoor in Defense Sector - In its latest campaign, Iranian state-backed hackers, Peach Sandstorm, employs FalseFont backdoor for intelligence gathering on behalf of the Iranian government. Cybersecurity researchers at Microsoft Threat Intelligence Unit have uncovered the ...
2 years ago Hackread.com
US wants to cut off key player in Southeast Asian cybercrime industry | The Record from Recorded Future News - The department’s Financial Crimes Enforcement Network (FinCEN) issued the proposed rulemaking Thursday, stating that Huione has helped launder funds from North Korean state-backed cybercrime operations and investment scams originating in Southeast ...
7 months ago Therecord.media