{"description": "Enterprise techniques used by BRICKSTORM, ATT&CK software S9015 (v1.0)", "name": "BRICKSTORM (S9015)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[BRICKSTORM](https://attack.mitre.org/software/S9015) has communicated with hardcoded C2 over WebSockets (WSS), including domains associated with Cloudflare Workers.(Citation: CrowdStrike BRICKSTORM WARP PANDA UNC5221 December 2025)(Citation: CISA BRICKSTORM UNC5221 AR25-338A February 2026)(Citation: Picus Security BRICKSTORM UNC5221 October 2025)(Citation: Google UNC5221 BRICKSTORM SPAWNCHIMERA April 2024)(Citation: NVISO BRICKSTORM April 2025)(Citation: Google BRICKSTORM September 2025) [BRICKSTORM](https://attack.mitre.org/software/S9015) has also leveraged the Gorilla mux library to serve its HTTP API calls.(Citation: NVISO BRICKSTORM April 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071.004", "comment": "[BRICKSTORM](https://attack.mitre.org/software/S9015) has used DNS over HTTPS to resolve C2 infrastructure and obscure DNS traffic from inspection.(Citation: CrowdStrike BRICKSTORM WARP PANDA UNC5221 December 2025)(Citation: CISA BRICKSTORM UNC5221 AR25-338A February 2026)(Citation: Picus Security BRICKSTORM UNC5221 October 2025)(Citation: Google UNC5221 BRICKSTORM SPAWNCHIMERA April 2024)(Citation: NVISO BRICKSTORM April 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.004", "comment": "[BRICKSTORM](https://attack.mitre.org/software/S9015) has executed shell commands using `/bin/sh`.(Citation: Google UNC5221 BRICKSTORM SPAWNCHIMERA April 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1543", "comment": "[BRICKSTORM](https://attack.mitre.org/software/S9015) has 
created a new background session and spawned a child process when it determines it is not running in its intended state.(Citation: CISA BRICKSTORM UNC5221 AR25-338A February 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1132", "showSubtechniques": true}, {"techniqueID": "T1132.001", "comment": "[BRICKSTORM](https://attack.mitre.org/software/S9015) has leveraged Base64 to encode C2 communications.(Citation: NVISO BRICKSTORM April 2025)(Citation: Resecurity UNC5221 BRICKSTORM F5 Big-IP October 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "[BRICKSTORM](https://attack.mitre.org/software/S9015) has commands that allow the actor to download files from the compromised host to the C2 server, and to download specific sections of a file.(Citation: CISA BRICKSTORM UNC5221 AR25-338A February 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1678", "comment": "[BRICKSTORM](https://attack.mitre.org/software/S9015) has embedded delayed-start logic that attempts to circumvent detection for long-term persistence.(Citation: Picus Security BRICKSTORM UNC5221 October 2025)(Citation: NVISO BRICKSTORM April 2025) [BRICKSTORM](https://attack.mitre.org/software/S9015) has been observed configured with a built-in \u201cdelay\u201d timer that waited for a hard-coded date months in the future before beginning to beacon to the configured C2 domain.(Citation: Google BRICKSTORM September 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1140", "comment": "[BRICKSTORM](https://attack.mitre.org/software/S9015) has decoded its encrypted C2 traffic prior to execution.(Citation: CrowdStrike BRICKSTORM WARP PANDA UNC5221 December 2025)(Citation: CISA BRICKSTORM UNC5221 AR25-338A February 2026)(Citation: Picus Security BRICKSTORM UNC5221 October 2025)(Citation: Resecurity UNC5221 BRICKSTORM F5 Big-IP 
October 2025)(Citation: Google BRICKSTORM September 2025) [BRICKSTORM](https://attack.mitre.org/software/S9015) also has the ability to decode its obfuscated payload before execution.(Citation: Picus Security BRICKSTORM UNC5221 October 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1568", "comment": "[BRICKSTORM](https://attack.mitre.org/software/S9015) has utilized the wildcard DNS services sslip.io and nip.io to resolve C2 IP addresses.(Citation: Google BRICKSTORM September 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.002", "comment": "[BRICKSTORM](https://attack.mitre.org/software/S9015) has communicated with C2 infrastructure via TLS.(Citation: CrowdStrike BRICKSTORM WARP PANDA UNC5221 December 2025)(Citation: CISA BRICKSTORM UNC5221 AR25-338A February 2026)(Citation: Picus Security BRICKSTORM UNC5221 October 2025)(Citation: Resecurity UNC5221 BRICKSTORM F5 Big-IP October 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1041", "comment": "[BRICKSTORM](https://attack.mitre.org/software/S9015) has uploaded files from the victim system to C2 servers.(Citation: CrowdStrike BRICKSTORM WARP PANDA UNC5221 December 2025)(Citation: CISA BRICKSTORM UNC5221 AR25-338A February 2026)(Citation: Picus Security BRICKSTORM UNC5221 October 2025)(Citation: Google UNC5221 BRICKSTORM SPAWNCHIMERA April 2024)(Citation: NVISO BRICKSTORM April 2025)(Citation: Resecurity UNC5221 BRICKSTORM F5 Big-IP October 2025)(Citation: Google BRICKSTORM September 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[BRICKSTORM](https://attack.mitre.org/software/S9015) has identified specific files and directories on targeted hosts and systems for modification, execution, collection, and exfiltration.(Citation: CrowdStrike BRICKSTORM WARP PANDA UNC5221 December 2025)(Citation: CISA 
BRICKSTORM UNC5221 AR25-338A February 2026)(Citation: Picus Security BRICKSTORM UNC5221 October 2025)(Citation: Google UNC5221 BRICKSTORM SPAWNCHIMERA April 2024)(Citation: NVISO BRICKSTORM April 2025)(Citation: Google BRICKSTORM September 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1574", "showSubtechniques": true}, {"techniqueID": "T1574.007", "comment": "[BRICKSTORM](https://attack.mitre.org/software/S9015) has checked the hard-coded paths `/etc/sysconfig/` or `/etc/sysconfig/network` prior to execution and loaded file contents from that path.(Citation: CISA BRICKSTORM UNC5221 AR25-338A February 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[BRICKSTORM](https://attack.mitre.org/software/S9015) has the ability to delete files and directories.(Citation: CISA BRICKSTORM UNC5221 AR25-338A February 2026) [BRICKSTORM](https://attack.mitre.org/software/S9015) has also deleted installer files after execution to reduce detection.(Citation: Picus Security BRICKSTORM UNC5221 October 2025)(Citation: Google UNC5221 BRICKSTORM SPAWNCHIMERA April 2024)(Citation: NVISO BRICKSTORM April 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070.010", "comment": "[BRICKSTORM](https://attack.mitre.org/software/S9015) has copied itself to the `/usr/sbin/` directory.(Citation: CISA BRICKSTORM UNC5221 AR25-338A February 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[BRICKSTORM](https://attack.mitre.org/software/S9015) has the ability to download files from the adversary's C2 server to the compromised system.(Citation: CISA BRICKSTORM UNC5221 AR25-338A February 2026)(Citation: Google UNC5221 BRICKSTORM SPAWNCHIMERA April 2024)(Citation: NVISO BRICKSTORM April 2025)(Citation: Google BRICKSTORM September 2025)", "score": 1, "color": "#66b1ff", 
"showSubtechniques": false}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "[BRICKSTORM](https://attack.mitre.org/software/S9015) has masqueraded as legitimate processes, including the vCenter process `vami-http`.(Citation: CrowdStrike BRICKSTORM WARP PANDA UNC5221 December 2025)(Citation: Google UNC5221 BRICKSTORM SPAWNCHIMERA April 2024)(Citation: Google BRICKSTORM September 2025) [BRICKSTORM](https://attack.mitre.org/software/S9015) has also used VMware vSphere-themed names such as `vmsrc` or `vmware-sphere`.(Citation: CISA BRICKSTORM UNC5221 AR25-338A February 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027", "comment": "[BRICKSTORM](https://attack.mitre.org/software/S9015) has utilized Go tooling, including the Garble obfuscator, to obfuscate its code.(Citation: Picus Security BRICKSTORM UNC5221 October 2025)(Citation: Google BRICKSTORM September 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[BRICKSTORM](https://attack.mitre.org/software/S9015) has used XOR encryption to hide key strings within its code, including the IPv4 addresses of public DNS-over-HTTPS (DoH) servers.(Citation: CISA BRICKSTORM UNC5221 AR25-338A February 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1690", "comment": "[BRICKSTORM](https://attack.mitre.org/software/S9015) has impaired command logging by redirecting command input and output to `/dev/null`, which suppresses the command's output and prevents it from waiting for input.(Citation: CISA BRICKSTORM UNC5221 AR25-338A February 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1057", "comment": "[BRICKSTORM](https://attack.mitre.org/software/S9015) has the ability to check whether it is running as an active child process by detecting a specific environment variable.(Citation: CISA BRICKSTORM UNC5221 AR25-338A 
February 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1572", "comment": "[BRICKSTORM](https://attack.mitre.org/software/S9015) has utilized a SOCKS proxy to tunnel access within the victim network and exfiltrate files from internal shares, code repositories, and other endpoints.(Citation: CrowdStrike BRICKSTORM WARP PANDA UNC5221 December 2025)(Citation: CISA BRICKSTORM UNC5221 AR25-338A February 2026)(Citation: Picus Security BRICKSTORM UNC5221 October 2025)(Citation: Google UNC5221 BRICKSTORM SPAWNCHIMERA April 2024)(Citation: NVISO BRICKSTORM April 2025)(Citation: Resecurity UNC5221 BRICKSTORM F5 Big-IP October 2025)(Citation: Google BRICKSTORM September 2025) [BRICKSTORM](https://attack.mitre.org/software/S9015) has also leveraged Yamux to multiplex multiple concurrent logical streams over a single socket.(Citation: CISA BRICKSTORM UNC5221 AR25-338A February 2026)(Citation: NVISO BRICKSTORM April 2025)(Citation: Resecurity UNC5221 BRICKSTORM F5 Big-IP October 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1090", "showSubtechniques": true}, {"techniqueID": "T1090.001", "comment": "[BRICKSTORM](https://attack.mitre.org/software/S9015) has leveraged a SOCKS proxy to pivot into victim networks in an attempt to resemble legitimate administrative traffic.(Citation: CrowdStrike BRICKSTORM WARP PANDA UNC5221 December 2025)(Citation: CISA BRICKSTORM UNC5221 AR25-338A February 2026)(Citation: Picus Security BRICKSTORM UNC5221 October 2025)(Citation: Google UNC5221 BRICKSTORM SPAWNCHIMERA April 2024)(Citation: NVISO BRICKSTORM April 2025)(Citation: Google BRICKSTORM September 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1489", "comment": "[BRICKSTORM](https://attack.mitre.org/software/S9015) has terminated an existing process to ensure that its own new process can execute.(Citation: CISA BRICKSTORM UNC5221 AR25-338A February 2026)", "score": 1, 
"color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1102", "comment": "[BRICKSTORM](https://attack.mitre.org/software/S9015) has leveraged the web-based DNS services sslip.io and nip.io to resolve C2 IP addresses.(Citation: Google BRICKSTORM September 2025) [BRICKSTORM](https://attack.mitre.org/software/S9015) has also utilized Cloudflare Workers for C2 communications.(Citation: Google BRICKSTORM September 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by BRICKSTORM", "color": "#66b1ff"}]}