Cybersecurity researchers have identified a new evolution of BRICKSTORM, a stealthy backdoor malware linked to the China-aligned threat group UNC5221. Initially targeting Linux vCenter servers, BRICKSTORM has now expanded its reach to include Windows environments, signaling a significant escalation in the threat actor’s technical capabilities and operational scope. These activities appear to be part of a long-running espionage campaign active since at least 2022.
Unlike financially motivated attacks, BRICKSTORM is used in strategic cyber espionage campaigns with a focus on long-term infiltration. The malware enables adversaries to quietly browse file systems, manage files and folders, and tunnel network connections—allowing for stealthy lateral movement within compromised environments. Interestingly, the Windows version of BRICKSTORM omits direct command execution capabilities, likely as a tactic to avoid triggering detection mechanisms in endpoint security tools.
The malware uses advanced persistence techniques, such as scheduled tasks on Windows, and is written in Go 1.13.5. Its true sophistication lies in its command-and-control (C2) architecture, which features multiple layers of encryption. BRICKSTORM communicates with its operators through HTTPS connections to serverless cloud platforms, upgrading those sessions to WebSockets and nesting additional layers of TLS encryption. This setup makes traffic analysis and malware detection particularly difficult.
BRICKSTORM also conceals its infrastructure by leveraging DNS over HTTPS (DoH) through providers like Cloudflare, Google, Quad9, and NextDNS. This approach masks DNS queries and further obscures the malware’s presence within enterprise networks. First-tier infrastructure is hosted on legitimate cloud services, while deeper infrastructure components—like those hosted on Vultr—have remained active since at least late 2022.
As the campaign continues to target industries of strategic relevance across Europe, BRICKSTORM represents a serious and persistent threat. Security experts recommend organizations monitor for unusual long-running processes, inspect encrypted TLS traffic, and block access to public DoH providers to help detect and defend against this covert cyber espionage tool.
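The detection advice above (watch for long-running sessions and egress to public DoH resolvers) can be turned into a first-pass triage script over proxy or egress logs. The following is an added example written for this page, not code from the article or from any vendor report on BRICKSTORM. It assumes a constructed, space-separated log format (timestamp, source, method, host, path, HTTP status, session duration in seconds, bytes), and the resolver list is the well-known set of public DoH hostnames and IPs for the four providers named above, not indicators taken from the page. Because the inner TLS layer described above cannot be inspected by a proxy, the script keys on what remains observable: destination, a `101 Switching Protocols` upgrade, and session lifetime.

```python
"""Defender-side triage of egress logs for the traffic patterns described above:
connections to public DNS-over-HTTPS resolvers and long-lived WebSocket sessions.
Added example; log format and thresholds are assumptions, not from the article."""
from dataclasses import dataclass
import re

# Well-known public DoH endpoints of the providers named in the article.
# Assumption: this is general knowledge, not an indicator list from the page;
# extend it with your own egress blocklist.
PUBLIC_DOH_HOSTS = {
    "cloudflare-dns.com", "1.1.1.1", "1.0.0.1",   # Cloudflare
    "dns.google", "8.8.8.8", "8.8.4.4",            # Google
    "dns.quad9.net", "9.9.9.9",                    # Quad9
    "dns.nextdns.io",                              # NextDNS
}

# Sessions that stay up at least this long are flagged (assumed threshold: 6 h).
LONG_SESSION_SECONDS = 6 * 3600

# Constructed log format: "<ts> <src> <method> <host> <path> <status> <duration_s> <bytes>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<host>\S+) (?P<path>\S+) "
    r"(?P<status>\d{3}) (?P<dur>\d+) (?P<bytes>\d+)$"
)


@dataclass
class Finding:
    src: str
    host: str
    reason: str


def parse(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["dur"] = int(rec["dur"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def is_doh(rec):
    """True if the request targets a known public DoH resolver or uses the
    RFC 8484 /dns-query path on any host."""
    return rec["host"].lower() in PUBLIC_DOH_HOSTS or rec["path"].startswith("/dns-query")


def is_long_websocket(rec):
    """A 101 response marks an HTTP-to-WebSocket upgrade; a very long session on
    such a connection matches the tunnelling pattern described in the article."""
    return rec["status"] == 101 and rec["dur"] >= LONG_SESSION_SECONDS


def triage(lines):
    """Return findings in log order; one finding per matching rule per line."""
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # malformed or unrelated line: skip, do not crash
        if is_doh(rec):
            findings.append(Finding(rec["src"], rec["host"], "public DoH resolver"))
        if is_long_websocket(rec):
            findings.append(Finding(rec["src"], rec["host"], "long-running WebSocket session"))
    return findings


# Constructed sample log lines; hosts and addresses are placeholders.
SAMPLE_LOG = [
    "2025-01-01T08:00:00Z 10.0.0.5 GET update.example.net /index.html 200 1 512",
    "2025-01-01T08:00:01Z 10.0.0.5 POST cloudflare-dns.com /dns-query 200 0 220",
    "2025-01-01T08:00:02Z 10.0.0.7 GET 9.9.9.9 /dns-query 200 0 210",
    "2025-01-01T08:00:03Z 10.0.0.5 GET app-placeholder.serverless.test /ws 101 30000 98304",
    "2025-01-01T08:00:04Z 10.0.0.9 GET chat.example.org /socket 101 120 4096",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.src} -> {f.host}: {f.reason}")
```

Run against the constructed sample, the script reports the two DoH requests and the 30000-second WebSocket session, while ignoring the short chat upgrade and the malformed line. In production the same two checks map directly onto the article's recommendations: the DoH rule becomes a firewall or proxy block, and the long-session rule becomes a SIEM alert correlated with the source host's scheduled tasks and long-running processes.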