Chinese Hackers Using New BRICKSTORM Malware to Attack Windows & Linux Machines

Cybersecurity experts have uncovered a sophisticated backdoor malware called BRICKSTORM being deployed by Chinese state-aligned hackers against European industries of strategic importance.

The malware, linked to the China-nexus threat cluster UNC5221, was previously known only to target Linux vCenter servers but now affects Windows environments as well, indicating a significant expansion in the threat actor’s capabilities and reach.

These backdoor samples are believed to be part of long-running cyber espionage campaigns active since at least 2022.


Unlike common extortion-driven intrusions, these PRC-associated attacks employ exceptional discretion, enabling the actors to remain undetected for extended durations.

To achieve this strategic long-term placement, the attackers leverage low-noise backdoors alongside previously unknown vulnerabilities.

NVISO researchers identified two new Windows-based BRICKSTORM variants that expand upon its previous Linux presence.

The analysts noted that these persistent intrusions are part of the PRC’s cyber operations, which are among the most active offensive programs globally, backed by a diverse network of military, state, and state-aligned operators.

The focus on espionage operations has long been linked to China’s political strategy, which considers economic strengthening as a matter of national security.

The malware provides attackers with file manager and network tunneling capabilities. Through these backdoors, adversaries can browse file systems, create or delete arbitrary files and folders, and tunnel network connections for lateral movement. Written in Go 1.13.5, the Windows samples were found to rely on persistence mechanisms such as scheduled tasks for execution.

Notably, unlike the Linux variant reported by Mandiant, the Windows samples lack direct command execution capabilities—a suspected deliberate choice to evade detection by security solutions that analyze parent-child process relationships.

Command & Control Architecture

What sets BRICKSTORM apart is its multi-layered, sophisticated command and control infrastructure designed to circumvent common network-level security solutions.

BRICKSTORM’s connection to serverless providers over HTTPS (Source – NVISO)

The malware resolves its Command & Control servers through DoH (DNS over HTTPS), effectively hiding DNS lookups from typical monitoring systems.

It leverages multiple public DoH providers, including Quad9, NextDNS, Cloudflare, and Google, with resolver endpoints such as:

https://9.9.9.9/dns-query
https://45.90.28.160/dns-query
https://45.90.30.160/dns-query
https://149.112.112.112/dns-query

BRICKSTORM employs an elaborate three-layered TLS encryption scheme to defeat monitoring at multiple levels. First, it connects to serverless providers like Cloudflare Workers or Heroku over HTTPS.

Second, it upgrades this connection to WebSockets and establishes a nested TLS connection inside the first one. Finally, when operators issue commands, a third layer of TLS encryption is established, as shown in Figure 11 of the NVISO analysis.

The malware’s first-tier infrastructure is hosted on legitimate cloud services, making it difficult to distinguish from normal traffic.

NVISO’s monitoring revealed that the second-tier infrastructure is hosted on Vultr instances; it was inadvertently exposed during a maintenance window.

The malware’s infrastructure has been active since at least November 2022, with consistent authentication keys despite infrastructure changes.

Detection of BRICKSTORM presents significant challenges due to its use of legitimate services and multi-layered encryption.

Organizations are advised to block public DoH providers on their networks, monitor for suspicious long-running processes, and implement TLS inspection to detect nested TLS sessions.
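One way a defender could act on these recommendations, as an added example that is not from the article or from NVISO, is to scan proxy records for the two behaviours the article describes: HTTPS requests to public DoH resolvers and WebSocket sessions whose first payload looks like a TLS ClientHello. It assumes a hypothetical whitespace-separated log format and constructed sample lines, and adds Cloudflare and Google DoH hostnames that the article names but does not list.

```python
import re
from typing import List, Tuple
# DoH endpoints: the four listed in the article (Quad9, NextDNS) plus assumed Cloudflare/Google hosts.
DOH_ENDPOINTS = {
    "9.9.9.9", "149.112.112.112",    # Quad9 (from the article)
    "45.90.28.160", "45.90.30.160",  # NextDNS (from the article)
    "1.1.1.1", "dns.google",         # assumed Cloudflare / Google hosts
}

# Hypothetical proxy record: ts src dst_host method path upgrade first_payload_hex
# ("-" marks an empty field); a real proxy needs its own parser.
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\S+)$")

def is_tls_client_hello(payload_hex: str) -> bool:
    """True if the bytes look like a TLS handshake record carrying a ClientHello."""
    if payload_hex in ("", "-"):
        return False
    data = bytes.fromhex(payload_hex)
    # record type 0x16 (handshake), version 0x03 0x00..0x04, handshake type 0x01
    return (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[2] <= 0x04 and data[5] == 0x01)

def classify(host: str, path: str, upgrade: str, payload_hex: str) -> List[str]:
    """Name the BRICKSTORM-style behaviours one record exhibits."""
    findings = []
    if host in DOH_ENDPOINTS and path.startswith("/dns-query"):
        findings.append("doh_resolution")             # DNS hidden inside HTTPS
    if upgrade.lower() == "websocket" and is_tls_client_hello(payload_hex):
        findings.append("nested_tls_over_websocket")  # TLS inside the WebSocket
    return findings

def scan(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (src, dst_host, finding) for every flagged record."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        _ts, src, host, _method, path, upgrade, payload = m.groups()
        hits.extend((src, host, f) for f in classify(host, path, upgrade, payload))
    return hits

# Constructed sample records, not captured traffic.
SAMPLE_LOG = """\
2025-04-01T10:00:01Z 10.0.0.5 9.9.9.9 POST /dns-query - -
2025-04-01T10:00:02Z 10.0.0.5 example.workers.dev GET /ws websocket 160301007a010000
2025-04-01T10:00:03Z 10.0.0.7 dns.google GET /dns-query?dns=AAABAAABAAAAAAAA - -
2025-04-01T10:00:04Z 10.0.0.9 intranet.example.com GET /index.html - -
"""
```

Running scan(SAMPLE_LOG) flags the two DoH lookups and the WebSocket session carrying a ClientHello, while the ordinary intranet request produces no finding.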

As espionage campaigns continue to target industries of strategic interest to China, this sophisticated malware represents a persistent threat to organizations across Europe and potentially worldwide.


Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.