
Google Warns of BRICKSTORM Malware Driving Supply Chain Intrusions

China-linked hackers use BRICKSTORM malware to hit tech, SaaS, and legal firms, threatening the US supply chain.

Written by Ken Underhill
Sep 25, 2025

Google researchers have found that China-linked hackers are infiltrating US technology companies, SaaS providers, and law firms using stealthy malware that evades traditional defenses. 

The campaign is part of an escalating wave of supply chain-style intrusions that quietly exfiltrate sensitive data from vendors and, through them, from the customers whose data and code those vendors hold. Google has called it one of the most significant supply-chain hacks in recent memory.

“In the United States, this is next-level activity, and we’re only going to learn more about it over time,” said John Hultquist, chief analyst at Google’s Threat Intelligence Group (GTIG).

How the attack works

At the core of these intrusions is a backdoor called BRICKSTORM, a Go-based malware family that is planted on systems that typically lack endpoint detection and response (EDR) coverage because they cannot run an endpoint agent, such as VMware ESXi hypervisors, email gateways, and vulnerability scanners.

Once deployed, BRICKSTORM gives the attackers a SOCKS proxy into the victim network and a persistent foothold on a device few defenders monitor. In some cases, the attackers also installed BRICKSTEAL, a malicious Java Servlet filter on VMware vCenter servers, which captured credentials as administrators authenticated to vCenter and so enabled further lateral movement.

What makes BRICKSTORM especially dangerous is its ability to evade security tools for long periods. Google reported an average dwell time of 393 days before detection, giving adversaries more than a year to collect emails, siphon source code, and prepare follow-on operations. That figure runs counter to the industry-wide improvements in breach detection speed reported in recent years.

By stealing source code and internal data about product flaws, the group behind the campaign, which Google tracks as UNC5221, is positioning itself to discover and weaponize zero-day vulnerabilities in those products.

Analysts also warn that the campaign's stealth, patience, and infrastructure discipline (for example, never reusing command-and-control IP addresses across victims) reflect a long-term espionage effort tied to national security and trade intelligence priorities.

Impact of the attack

According to Google, the intrusions are being driven primarily by a China-linked group known as UNC5221, a threat actor that has repeatedly targeted US organizations with long-term, stealthy operations. 

While UNC5221 appears to be the dominant force, researchers believe other Chinese state-backed groups are sharing tools and infrastructure, broadening the campaign’s reach and sophistication.

The victim profile spans multiple critical sectors. Technology suppliers and SaaS providers have been breached, giving attackers potential access not only to the companies themselves but also to the sensitive data they host on behalf of their customers. 

Law firms have also been targeted, with attackers specifically searching the emails of individuals involved in US national security and international trade cases. Enterprise technology vendors have been compromised as well, with evidence suggesting that attackers stole source code for widely used products. That theft may allow adversaries to uncover unpatched vulnerabilities that could be exploited in future operations.

What makes this campaign especially concerning is the supply chain dimension. By compromising upstream vendors and service providers, the attackers gain indirect access to a wide array of downstream networks and customers. 

A single breach at a SaaS provider or enterprise technology company can cascade across industries, amplifying the scope of impact far beyond the initial victim. Google describes this as a “risk multiplier” for the US digital ecosystem, echoing past incidents such as the SolarWinds compromise where trusted suppliers became conduits for espionage at scale.

Overall, the impact of UNC5221’s activity is not confined to individual targets. Instead, it threatens to ripple across critical infrastructure, private industry, and even national security, highlighting how state-backed cyber campaigns leverage the interconnectedness of modern IT supply chains to maximize their reach and effectiveness.

What organizations can do

Organizations can take the following actions:

  • Scan for BRICKSTORM using YARA rules or Google’s newly released detection tools.
  • Audit appliances such as ESXi, VPN concentrators, and edge devices that are often excluded from centralized logging.
  • Review vCenter events for suspicious cloning of domain controllers or password vault servers; a clone lets an attacker extract credential databases from the copied disk offline without generating logs on the live server.
  • Restrict internet access from appliance management interfaces and enforce strict least-privilege controls.
  • Harden VMware environments by enabling multi-factor authentication (MFA), enforcing lockdown mode, and forwarding audit logs to a SIEM.
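One way to operationalize the vCenter review above is to run exported events through a small audit script. The following is an added example written for this article, not Google's or VMware's tooling. It assumes vCenter events have already been exported (for example with PowerCLI's Get-VIEvent or govc) into simple records with the fields shown; the VM naming patterns, the approved-account allow-list, and the sample events are constructed assumptions to be replaced with your own inventory and telemetry.

```python
"""Flag clone operations against sensitive VMs in an export of vCenter events.

Added example for this article; not code from Google, Mandiant or VMware.
Assumes events were exported from vCenter into dict records with the fields
time (ISO-8601 UTC), type (vSphere event type ID), user, vm (source VM name),
dest (clone name) and source_ip (client address).  The VM naming patterns,
approved accounts and sample events below are constructed, not real telemetry.
"""
from __future__ import annotations

import re

# vSphere event type IDs recorded when a VM copy is made.
CLONE_EVENT_TYPES = {"VmBeingClonedEvent", "VmBeingClonedNoFolderEvent", "VmClonedEvent"}

# Hypothetical naming conventions for domain controllers, secret vaults and CAs.
# In production, replace with a lookup against the asset inventory.
SENSITIVE_VM_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (r"^dc\d+", r"vault", r"^pki")]

# Hypothetical allow-list of accounts that legitimately clone VMs (backup jobs).
APPROVED_CLONE_ACCOUNTS = {"CORP\\backup-svc"}

# Constructed sample export for demonstration only.
SAMPLE_EVENTS = [
    {"time": "2025-06-01T02:14:09Z", "type": "VmBeingClonedEvent",
     "user": "VSPHERE.LOCAL\\Administrator", "vm": "DC01", "dest": "DC01-tmp", "source_ip": "10.20.30.40"},
    {"time": "2025-06-01T02:20:51Z", "type": "VmClonedEvent",
     "user": "VSPHERE.LOCAL\\Administrator", "vm": "DC01", "dest": "DC01-tmp", "source_ip": "10.20.30.40"},
    {"time": "2025-06-01T03:00:00Z", "type": "VmBeingClonedEvent",
     "user": "CORP\\backup-svc", "vm": "web-frontend-03", "dest": "web-frontend-03-bkp", "source_ip": "10.0.5.9"},
    {"time": "2025-06-02T11:30:00Z", "type": "VmPoweredOnEvent",
     "user": "CORP\\jdoe", "vm": "vault-prod", "dest": "", "source_ip": "10.0.7.21"},
    {"time": "2025-06-02T11:31:00Z", "type": "VmBeingClonedEvent",
     "user": "CORP\\backup-svc", "vm": "vault-prod", "dest": "vault-prod-bkp", "source_ip": "10.0.5.9"},
]


def is_sensitive(vm_name: str) -> bool:
    """True if the VM name matches a sensitive-server naming pattern."""
    return any(p.search(vm_name) for p in SENSITIVE_VM_PATTERNS)


def audit_clone_events(events: list[dict], approved_accounts: set[str] = APPROVED_CLONE_ACCOUNTS) -> list[dict]:
    """Return one finding per clone of a sensitive VM, ordered by time.

    A clone produces a 'being cloned' and a 'cloned' event; both are collapsed
    into a single finding keyed on (source VM, destination, user).  Clones by
    accounts outside the allow-list are rated high, allow-listed ones medium,
    because even an approved backup account can be abused with stolen credentials.
    """
    findings: dict[tuple, dict] = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["type"] not in CLONE_EVENT_TYPES or not is_sensitive(ev["vm"]):
            continue
        key = (ev["vm"], ev["dest"], ev["user"])
        if key in findings:
            continue
        approved = ev["user"] in approved_accounts
        findings[key] = {
            "time": ev["time"],
            "vm": ev["vm"],
            "dest": ev["dest"],
            "user": ev["user"],
            "source_ip": ev["source_ip"],
            "severity": "medium" if approved else "high",
            "reason": ("sensitive VM cloned by approved account; confirm against backup schedule"
                       if approved else "sensitive VM cloned by account not on clone allow-list"),
        }
    return list(findings.values())


if __name__ == "__main__":
    for f in audit_clone_events(SAMPLE_EVENTS):
        print(f"[{f['severity'].upper()}] {f['time']} {f['user']} cloned {f['vm']} -> {f['dest']} "
              f"from {f['source_ip']}: {f['reason']}")
```

The script flags the DC01 clone by the built-in administrator account as high and the vault clone by the backup account as medium; the web server clone and the power-on event are ignored. Feed it the full event history rather than a short window, since the dwell times reported above mean the clone of interest may be a year old.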

For enterprises and service providers alike, the BRICKSTORM campaign underscores a crucial point: protecting supply chain ecosystems requires patching, monitoring, and log visibility for the overlooked edge appliances and virtualization hosts where today's most advanced adversaries now hide.



Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.
