Welcome to Saturday Hashtag, a weekly place for broader context.
For years Chinese state-backed hackers have apparently been running circles around defenders with BrickStorm.
Google’s Mandiant just went public this week, dropping a free detection tool and a stark warning: Many organizations will discover they’ve been compromised for more than a year.
This isn’t just another hack headline. It’s a new chapter in the story of stealth digital attacks that shows how nation-states are evolving past even their most notorious campaigns.
The BrickStorm Blind Spot
BrickStorm hides on internet-facing gear like routers, firewalls, “smart” devices, and VPNs, where endpoint detection and response (EDR) or other host agents can’t be installed, so it’s mostly invisible.
It gains access by exploiting unpatched devices or using stolen login credentials.
Once inside, it quietly steals source code to find and create zero-day vulnerabilities, turning each victim into a factory to create future attacks.
How BrickStorm Breaks the Mold
To understand why BrickStorm is different, it helps to look back at past attacks:
- SolarWinds (Russia, 2020): A supply-chain attack that trojanized trusted updates, compromising thousands by hiding inside legitimate software.
- Volt Typhoon (China, exposed 2023): Targeted US critical infrastructure by abusing built-in system tools and admin workflows to blend in with legitimate IT activity.
- Equation Group / NSA leaks (2015+): Revealed that elite actors hoard zero-days and implant deep, resilient persistence, with stealth built on technical sophistication.
BrickStorm’s twist: Instead of using stolen zero-days, attackers are now manufacturing them from stolen source code. This sets off a chain reaction: the breach of one victim fuels the next. It’s a second-order risk we haven’t faced at this scale before.
Stealth — Then and Now
Then: SolarWinds was stealthy because no one checked software updates. Volt Typhoon was stealthy because no one looked closely at system tools.
Now: BrickStorm is stealthy because defenders can’t monitor the devices it hides on. This is not a policy gap but a technology gap. And unlike SolarWinds, which had a clear scope, BrickStorm leaves lasting uncertainty: even if the malware is removed, the zero-days it created are still in play.
What’s Next
Mandiant’s warning was blunt: Many companies will run the tool and realize they’ve been “owned” for more than a year. Incident responders are already triaging live cases.
It’s obvious that BrickStorm is the new template for future operations: persistent malware on unmonitored devices, exfiltrating code for zero-day farming. Now defenders need to rethink what “visibility” really means, not just on endpoints and servers, but across the entire digital perimeter.
BrickStorm’s danger isn’t just hiding. It turns every victim into fuel for the next attack, shifting hacking from hit-and-run espionage to long-term exploitation pipelines.
Some hacks break tools, others expose supply chains. BrickStorm shows how unseen malware today may already be building the exploit that strikes tomorrow.
That’s not just stealth. That’s strategy.
VIDEO: BrickStorm Backdoor Analysis: A Persistent Espionage Threat To International Industries
From Off by One Security: “Recent information related to BrickStorm, a previously identified backdoor linked to the China-nexus cluster UNC5221, will be discussed. The two NVISO-identified BrickStorm samples — previously only sighted on a Linux vCenter server — were affecting Windows environments and targeting European industries of strategic interest to the People’s Republic of China (PRC). The technical insights will be concluded with mitigation and threat hunting recommendations.”
Mitigation Strategies for Edge Devices
The author writes, “The Australian Signals Directorate (ASD) has observed malicious actors targeting internet-facing ‘edge’ devices that act as security intermediaries between internal networks and the internet.”
Zero-Day Exploit Statistics: The 2025 Threat Report for Defenders
From DeepStrike: “What are the latest zero-day exploit statistics, and why should they command your immediate attention? The data is in, and it paints a stark picture of a threat landscape that has fundamentally shifted. While the total number of detected zero-day exploits fluctuates year to year, the overall volume of attacks has stabilized at a new, elevated baseline, far exceeding levels seen before 2021.”
‘Nightmare Scenario’: Watchdog Says AI Cybercrime Shows Vital Need for Regulation
The author writes, “The San Francisco-based artificial intelligence startup Anthropic revealed [in August] that its technology has been ‘weaponized’ by hackers to commit ransomware crimes, prompting a call by a leading consumer advocacy group for Congress to pass ‘enforceable safeguards’ to protect the public.”
UNC5221 Uses BrickStorm Backdoor to Infiltrate US Legal and Technology Sectors
From The Hacker News: “Companies in the legal services, software-as-a-service (SaaS) providers, Business Process Outsourcers (BPOs), and technology sectors in the U.S. have been targeted by a suspected China-nexus cyber espionage group to deliver a known backdoor referred to as BrickStorm. The activity, attributed to UNC5221 and closely related, suspected China-nexus threat clusters, is designed to facilitate persistent access to victim organizations for over a year, Mandiant and Google Threat Intelligence Group (GTIG) said in a new report shared with The Hacker News.”
MITRE Hackers’ Backdoor Has Targeted Windows for Years
From SecurityWeek: “Windows versions of the BrickStorm backdoor that the Chinese APT used in the MITRE hack last year have been active for years.”