BRICKSTORM

BRICKSTORM is a cross-platform backdoor with variants written in Go and Rust that facilitates command and control, the ingress transfer of other malware, and the exfiltration of data.[1][2][3][4] BRICKSTORM has also been built from a .NET application using ahead-of-time (AOT) compilation to blend in with victim environments.[1] BRICKSTORM was first observed in April 2024.[5] BRICKSTORM has previously been leveraged by People's Republic of China (PRC) state-nexus actors identified as UNC6201, UNC5221, WARP PANDA, PunyToad, and SYLVANITE.[6][7][1][8][9][10][3][4]

ID: S9015
Type: MALWARE
Platforms: ESXi, Linux, Network Devices, Windows
Contributors: Dragos Threat Intelligence
Version: 1.0
Created: 16 April 2026
Last Modified: 23 April 2026

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

BRICKSTORM has communicated with hardcoded C2 servers over WebSockets (WSS), including domains associated with Cloudflare Workers.[7][1][2][5][9][4] BRICKSTORM has also leveraged the Gorilla mux library to serve its HTTP API.[9]

Enterprise T1071 .004 Application Layer Protocol: DNS

BRICKSTORM has used DNS over HTTPS to resolve C2 infrastructure and obscure DNS traffic from inspection.[7][1][2][5][9]

Enterprise T1059 .004 Command and Scripting Interpreter: Unix Shell

BRICKSTORM has executed shell commands using /bin/sh.[5]

Enterprise T1543 Create or Modify System Process

BRICKSTORM has created a new background session and spawned itself as a child process when it determines that it is not running in its intended state.[1]

Enterprise T1132 .001 Data Encoding: Standard Encoding

BRICKSTORM has leveraged Base64 to encode C2 communications.[9][3]

Enterprise T1005 Data from Local System

BRICKSTORM has commands that allow the actor to download files from the compromised host to the C2 server, including specific sections of a file.[1]

Enterprise T1678 Delay Execution

BRICKSTORM has embedded delayed-start logic that attempts to circumvent detection and support long-term persistence.[2][9] BRICKSTORM has been observed configured with a built-in "delay" timer that waited for a hard-coded date months in the future before beginning to beacon to the configured C2 domain.[4]

Enterprise T1140 Deobfuscate/Decode Files or Information

BRICKSTORM has decoded its encrypted C2 traffic prior to execution.[7][1][2][3][4] BRICKSTORM also has the ability to decode its obfuscated payload before execution.[2]

Enterprise T1568 Dynamic Resolution

BRICKSTORM has utilized DNS services sslip.io and nip.io to resolve C2 IP addresses.[4]

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

BRICKSTORM has communicated with C2 infrastructure via TLS.[7][1][2][3]

Enterprise T1041 Exfiltration Over C2 Channel

BRICKSTORM has uploaded files from the victim system to C2 servers.[7][1][2][5][9][3][4]

Enterprise T1083 File and Directory Discovery

BRICKSTORM has identified specific files and directories within targeted hosts and systems for modification, execution, collection and exfiltration.[7][1][2][5][9][4]

Enterprise T1574 .007 Hijack Execution Flow: Path Interception by PATH Environment Variable

BRICKSTORM has checked the hard-coded paths /etc/sysconfig/ and /etc/sysconfig/network prior to execution and loaded file contents from those paths.[1]

Enterprise T1070 .004 Indicator Removal: File Deletion

BRICKSTORM has the ability to delete files and directories.[1] BRICKSTORM has also deleted installer files after execution to reduce detection.[2][5][9]

Enterprise T1070 .010 Indicator Removal: Relocate Malware

BRICKSTORM has copied itself to the /usr/sbin/ folder.[1]

Enterprise T1105 Ingress Tool Transfer

BRICKSTORM has the ability to download files from the adversary's C2 server to the compromised system.[1][5][9][4]

Enterprise T1036 .005 Masquerading: Match Legitimate Resource Name or Location

BRICKSTORM has masqueraded as legitimate processes, including the vCenter process vami-http.[7][5][4] BRICKSTORM has also used legitimate-looking VMware vSphere platform names such as vmsrc or vmware-sphere.[1]

Enterprise T1027 Obfuscated Files or Information

BRICKSTORM has utilized Go obfuscation tooling, including Garble, to obfuscate its code.[2][4]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

BRICKSTORM has utilized XOR cipher encryption to hide key strings within its code, including the IPv4 addresses of public DNS-over-HTTPS (DoH) servers.[1]
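As an added triage example (not code from the page or from any cited report), the following assumes a single-byte XOR key, which the page does not state, and recovers hidden DoH resolver addresses from a sample blob by trying every key and scoring the result against well-known public DoH resolver IPs; the blob, key and config layout are constructed for this example.

```python
import re

# Public DNS-over-HTTPS resolvers (Cloudflare, Google, Quad9); their dotted-quad
# strings are the kind of value the page says BRICKSTORM hides with XOR.
KNOWN_DOH_IPS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9", "149.112.112.112"}
_IPV4 = re.compile(rb"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

def xor_bytes(data, key):
    """Single-byte XOR; the key length is an assumption of this example."""
    return bytes(b ^ key for b in data)

def find_xor_hidden_ips(blob, min_hits=1):
    """Try every single-byte key and report keys that reveal known DoH resolver IPs.
    Returns a list of (key, sorted matched IPs), keys with the most matches first."""
    results = []
    for key in range(256):  # key 0 also catches IPs stored in the clear
        plain = xor_bytes(blob, key)
        found = {m.decode() for m in _IPV4.findall(plain)} & KNOWN_DOH_IPS
        if len(found) >= min_hits:
            results.append((key, sorted(found)))
    results.sort(key=lambda r: -len(r[1]))
    return results

# Constructed sample: a config-like blob holding two DoH IPs, XORed with key 0x5a.
_CONFIG = b"doh=1.1.1.1;alt=9.9.9.9;ws=wss://example.invalid/"
SAMPLE_BLOB = xor_bytes(_CONFIG, 0x5A)
```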

Enterprise T1690 Prevent Command History Logging

BRICKSTORM has impaired command logging by redirecting to /dev/null, which suppresses the command's output and avoids waiting for input.[1]

Enterprise T1057 Process Discovery

BRICKSTORM has the ability to check if it is running as an active child process through the detection of a specific environment variable.[1]

Enterprise T1572 Protocol Tunneling

BRICKSTORM has utilized a SOCKS proxy to tunnel access within the victim network and exfiltrate files from internal shares, code repositories, and other endpoints.[7][1][2][5][9][3][4] BRICKSTORM has also leveraged Yamux to multiplex multiple concurrent logical streams over a single socket.[1][9][3]

Enterprise T1090 .001 Proxy: Internal Proxy

BRICKSTORM has leveraged a SOCKS proxy to pivot into victim networks in an attempt to resemble legitimate administrative traffic.[7][1][2][5][9][4]

Enterprise T1489 Service Stop

BRICKSTORM has terminated an existing process to ensure that its own new process can execute.[1]

Enterprise T1102 Web Service

BRICKSTORM has leveraged the wildcard DNS web services sslip.io and nip.io to resolve C2 IP addresses.[4] BRICKSTORM has also utilized Cloudflare Workers for C2 communications.[4]
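Both the Dynamic Resolution and Web Service entries above name sslip.io and nip.io, services that resolve a hostname with an embedded IPv4 address straight to that address. The following detection helper is an added example, not code from the page or any cited report: it extracts the embedded address from the dotted, dashed and (nip.io only) hexadecimal hostname forms those services accept, and runs over a constructed DNS query log whose "<timestamp> <client> <qtype> <qname>" layout is an assumption of this example.

```python
import ipaddress
import re
# Wildcard DNS services named on this page: each resolves a hostname that
# embeds an IPv4 address straight to that address, so an actor can point a
# "domain" at any C2 IP without registering or controlling a DNS zone.
WILDCARD_DNS_SUFFIXES = ("sslip.io", "nip.io")
# Dotted, dashed and (nip.io only) 8-hex-digit encodings, possibly after other labels.
_DOTTED = re.compile(r"(?:^|\.)(\d{1,3}(?:\.\d{1,3}){3})$")
_DASHED = re.compile(r"(?:^|[.-])(\d{1,3}(?:-\d{1,3}){3})$")
_HEX = re.compile(r"(?:^|[.-])([0-9a-f]{8})$")

def embedded_ip(hostname):
    """Return the IPv4 address a sslip.io/nip.io hostname encodes, else None."""
    host = hostname.lower().rstrip(".")
    for suffix in WILDCARD_DNS_SUFFIXES:
        if not host.endswith("." + suffix):
            continue
        labels = host[: -len(suffix) - 1]
        if m := _DOTTED.search(labels):
            candidate = m.group(1)
        elif m := _DASHED.search(labels):
            candidate = m.group(1).replace("-", ".")
        elif suffix == "nip.io" and (m := _HEX.search(labels)):
            candidate = str(ipaddress.IPv4Address(int(m.group(1), 16)))
        else:
            return None
        try:
            return str(ipaddress.IPv4Address(candidate))
        except ValueError:  # octet above 255: not a valid encoding
            return None
    return None

def flag_queries(log_lines):
    """Return (client, qname, ip) for each query to a wildcard-DNS hostname.
    Assumed log format (constructed): "<timestamp> <client> <qtype> <qname>"."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) >= 4 and (ip := embedded_ip(parts[3])) is not None:
            hits.append((parts[1], parts[3], ip))
    return hits

# Constructed sample log; 203.0.113.x and 198.51.100.x are documentation addresses.
SAMPLE_LOG = [
    "2026-04-16T10:00:01Z 10.20.30.40 A www.203-0-113-7.sslip.io",
    "2026-04-16T10:00:02Z 10.20.30.41 A mail.example.com",
    "2026-04-16T10:00:03Z 10.20.30.42 A c6336417.nip.io",
    "2026-04-16T10:00:04Z 10.20.30.43 A dev.10.0.0.5.nip.io",
]
```

Private embedded addresses are common in legitimate developer use of these services, so the embedded IP is worth checking against internal ranges before alerting.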

References