S9015: BRICKSTORM
BRICKSTORM is a cross-platform backdoor with variants written in Go and Rust that facilitates command and control, the ingress transfer of other malware, and the exfiltration of data.[1][2][3][4] BRICKSTORM has also been created from a .NET application using ahead-of-time (AOT) compilation to blend in within victim environments.[1] BRICKSTORM was first observed in April 2024.[5] BRICKSTORM has previously been leveraged by People's Republic of China (PRC) state-nexus actors identified as UNC6201, UNC5221, WARP PANDA, PunyToad, and SYLVANITE.[6][7][1][8][9][10][3][4]
Analyst context for executives and security teams
BRICKSTORM matters because it is described by ATT&CK as a cross-platform backdoor for command and control, malware transfer, and data exfiltration across ESXi, Linux, network devices, and Windows. For leaders, the key issue is not one malware name; it is whether the organization can see and contain stealthy backdoor activity on infrastructure that is often less monitored than endpoints, especially virtualization hosts and network appliances.
Executive priority
Treat BRICKSTORM as a coverage validation case for resilience and incident readiness. Ask whether SOC telemetry includes ESXi, Linux servers, network devices, DNS, web egress, and service/process changes—not just Windows EDR. Because ATT&CK links this malware to collection, C2, ingress transfer, exfiltration, persistence, stealth, and service stopping behaviors, it should influence budget and audit discussions around logging completeness, egress control, privileged administration, appliance monitoring, and evidence needed during incident response.
Technical view
ATT&CK provides no official detection text for S9015, so defenders should build coverage from the relationship set. Validate detections for local data and file discovery, process discovery, Unix shell execution, creation or modification of system processes, service stopping, file deletion, malware relocation, PATH-based execution interception, and delayed execution. Network detection should focus on C2 over web protocols, DNS, web services, dynamic resolution, protocol tunneling, internal proxying, standard encoding, and asymmetric cryptography. Because BRICKSTORM is described as Go/Rust cross-platform malware and may use .NET AOT compilation to blend in, avoid relying only on static signatures or file type expectations.
Likely telemetry
- Endpoint and server process execution telemetry across Linux, Windows, and ESXi where available
- Shell command history and administrative command logging on Unix-like systems and network devices
- File creation, deletion, relocation, permission, and path-change telemetry, especially in trusted or service directories
- Service, daemon, system process, startup, and configuration change events
- DNS query and response logs, including unusual domains, dynamic resolution patterns, and high-volume or encoded-looking traffic
Detection direction
- Start with behavior chaining rather than single indicators: discovery followed by tool transfer, new or modified services, unusual egress, file cleanup, or data movement is higher value than any event alone.
- Baseline legitimate DNS, web service, and proxy behavior before alerting on web/DNS C2 patterns; these techniques deliberately blend into common traffic and can create false positives without asset and destination context.
- Prioritize visibility gaps on ESXi, Linux infrastructure, and network devices, where endpoint-style telemetry may be missing or inconsistent.
- Tune for masquerading and trusted-location abuse by comparing file names, locations, owners, hashes, and execution context against known-good baselines.
- Correlate encoded or encrypted traffic indicators with host-side process lineage and file activity, since encrypted C2 may not be inspectable directly.
Mitigation priorities
- Close telemetry gaps first: ensure critical ESXi, Linux, Windows, and network device logs are collected, retained, and searchable for IR.
- Restrict and monitor outbound DNS and web traffic from servers, appliances, and virtualization infrastructure; use approved resolvers and controlled egress paths where feasible.
- Harden privileged administration and service creation paths with least privilege, change control, and alerting on unauthorized service or daemon modifications.
- Use file integrity monitoring and configuration baselines for trusted directories, service locations, PATH settings, and appliance configurations.
- Segment infrastructure management planes and limit which systems can initiate outbound connections or proxy traffic internally.
Analyst notes and limits
The strongest decision value in this object comes from the breadth of platforms and the large set of related ATT&CK techniques. BRICKSTORM should be used as a practical test of whether detection engineering, cloud/infrastructure security, and incident response teams can investigate stealthy C2 and exfiltration behaviors outside normal Windows endpoint coverage.
MITRE does not provide official detection guidance for this object, and tactics are not specified directly on the malware object. This take is derived from the official description, platforms, external references, and stated technique relationships only. Local validation is required to determine exposure, telemetry availability, control effectiveness, and whether any observed activity is related to BRICKSTORM.
BRICKSTORM
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1027 | Obfuscated Files or Information | BRICKSTORM has utilized Go libraries, including Garble, to obfuscate code.[2][4] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | BRICKSTORM has uploaded files from the victim system to C2 servers.[7][1][2][5][9][3][4] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | BRICKSTORM has appeared to resemble legitimate processes, including the vCenter process `vami-http`.[7][5][4] BRICKSTORM has also leveraged legitimate names from the VMware vSphere platform such as `vmsrc` or `vmware-sphere`.[1] |
| Enterprise | T1071.001 | Web Protocols | BRICKSTORM has communicated with hardcoded C2 through WebSockets (WSS), including domains associated with Cloudflare Workers.[7][1][2][5][9][4] BRICKSTORM has also leveraged the Gorilla mux library to serve its HTTP API calls.[9] |
| Enterprise | T1070.010 | Relocate Malware | BRICKSTORM has copied itself to the `usr/sbin/` folder.[1] |
| Enterprise | T1057 | Process Discovery | BRICKSTORM has the ability to check whether it is running as an active child process by detecting a specific environment variable.[1] |
| Enterprise | T1574.007 | Path Interception by PATH Environment Variable | BRICKSTORM has checked the hard-coded paths `/etc/sysconfig/` or `/etc/sysconfig/network` prior to execution and loaded file contents from that path.[1] |
| Enterprise | T1027.013 | Encrypted/Encoded File | BRICKSTORM has utilized XOR cipher encryption to hide key strings within its code, including IPv4 addresses of public DNS-over-HTTPS (DoH) servers.[1] |
| Enterprise | T1690 | Prevent Command History Logging | BRICKSTORM has impaired command logging through the use of `dev/null`, which prevents generating output from the command and does not wait for input.[1] |
| Enterprise | T1573.002 | Asymmetric Cryptography | BRICKSTORM has communicated with C2 infrastructure via TLS.[7][1][2][3] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | BRICKSTORM has decoded its encrypted C2 traffic prior to execution.[7][1][2][3][4] BRICKSTORM also has the ability to decode its obfuscated payload before execution.[2] |
| Enterprise | T1543 | Create or Modify System Process | BRICKSTORM has created a new background session and has spawned a child process from a parent process when it determines it is not running in its intended state.[1] |
| Enterprise | T1572 | Protocol Tunneling | BRICKSTORM has utilized a SOCKS proxy to tunnel access within the victim network and exfiltrate files from internal shares, code repositories, and other endpoints.[7][1][2][5][9][3][4] BRICKSTORM has also leveraged Yamux to multiplex multiple concurrent logical streams over a single socket.[1][9][3] |
| Enterprise | T1070.004 | File Deletion | BRICKSTORM has the ability to delete files and directories.[1] BRICKSTORM has also deleted installer files after execution to reduce detection.[2][5][9] |
| Enterprise | T1132.001 | Standard Encoding | BRICKSTORM has leveraged Base64 to encode C2 communications.[9][3] |
| Enterprise | T1678 | Delay Execution | BRICKSTORM has embedded delayed-start logic that attempts to circumvent detection for long-term persistence.[2][9] BRICKSTORM has been observed configured with a built-in "delay" timer that waited for a hard-coded date months in the future before beginning to beacon to the configured C2 domain.[4] |
| Enterprise | T1568 | Dynamic Resolution | BRICKSTORM has utilized the DNS services sslip.io and nip.io to resolve C2 IP addresses.[4] |
| Enterprise | T1105 | Ingress Tool Transfer | BRICKSTORM has the ability to download files from the adversary's C2 server to the compromised system.[1][5][9][4] |
| Enterprise | T1102 | Web Service | BRICKSTORM has leveraged DNS web services, including sslip.io and nip.io, to resolve C2 IP addresses.[4] BRICKSTORM has also utilized Cloudflare Workers for C2 communications.[4] |
| Enterprise | T1083 | File and Directory Discovery | BRICKSTORM has identified specific files and directories within targeted hosts and systems for modification, execution, collection, and exfiltration.[7][1][2][5][9][4] |
| Enterprise | T1090.001 | Internal Proxy | BRICKSTORM has leveraged a SOCKS proxy to pivot into victim networks in an attempt to resemble legitimate administrative traffic.[7][1][2][5][9][4] |
| Enterprise | T1059.004 | Unix Shell | BRICKSTORM has executed shell commands using `/bin/sh`.[5] |
| Enterprise | T1071.004 | DNS | BRICKSTORM has used DNS over HTTPS to resolve C2 infrastructure and obscure DNS traffic from inspection.[7][1][2][5][9] |
| Enterprise | T1489 | Service Stop | BRICKSTORM has terminated an existing process to ensure that its own new process can execute.[1] |
| Enterprise | T1005 | Data from Local System | BRICKSTORM has commands that allow the actor to download files from the compromised host to the C2 server, and also to download specific sections of a file.[1] |
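As an added example (not part of the ATT&CK record, the Glexia analysis, or any vendor's tooling), the following Python sketch applies the behavior-chaining advice from the Detection direction list to two relationships in the table: masquerading as vSphere components (T1036.005) and resolving C2 through sslip.io or nip.io (T1568). A host that shows both behaviors is scored higher than a host that shows one. The event schema, the assumed trusted directories, and the sample telemetry are constructed assumptions and must be replaced with a baseline taken from your own environment.

```python
import re
from collections import defaultdict

# Process names BRICKSTORM has been reported to imitate (from the relationship text above).
MASQUERADE_NAMES = {"vami-http", "vmsrc", "vmware-sphere"}
# Assumed known-good install directories for those binaries; replace with your own baseline.
TRUSTED_DIRS = ("/opt/vmware/", "/usr/lib/vmware/")
# sslip.io and nip.io answer with the IP embedded in the hostname, e.g. 203-0-113-10.sslip.io.
EMBEDDED_IP_RE = re.compile(r"(?:^|\.)((?:\d{1,3}[-.]){3}\d{1,3})\.(?:sslip|nip)\.io$")


def check_process(ev):
    """Flag a process whose name mimics a vSphere component but runs outside the trusted dirs."""
    if ev["name"] in MASQUERADE_NAMES and not ev["exe"].startswith(TRUSTED_DIRS):
        return f"masquerade: {ev['name']} executing from {ev['exe']}"
    return None


def check_dns(ev):
    """Flag queries to wildcard DNS services that encode the resolved IP in the hostname."""
    m = EMBEDDED_IP_RE.search(ev["qname"].lower())
    if m:
        ip = m.group(1).replace("-", ".")
        return f"dynamic-resolution: {ev['qname']} embeds {ip}"
    return None


def triage(events):
    """Return {host: (severity, findings)}; two different behaviors on one host raise severity."""
    hits = defaultdict(list)
    for ev in events:
        finding = check_process(ev) if ev["type"] == "process" else check_dns(ev)
        if finding:
            hits[ev["host"]].append(finding)
    result = {}
    for host, findings in hits.items():
        kinds = {f.split(":", 1)[0] for f in findings}
        result[host] = ("high" if len(kinds) > 1 else "medium", findings)
    return result


# Constructed sample telemetry (not real observations); hostnames and IPs are placeholders.
SAMPLE_EVENTS = [
    {"type": "process", "host": "vcsa01", "name": "vami-http", "exe": "/opt/vmware/share/vami/vami-http"},
    {"type": "process", "host": "vcsa01", "name": "vami-http", "exe": "/usr/sbin/vami-http"},
    {"type": "dns", "host": "vcsa01", "qname": "203-0-113-10.sslip.io"},
    {"type": "dns", "host": "esx02", "qname": "198.51.100.7.nip.io"},
    {"type": "dns", "host": "esx02", "qname": "updates.example.com"},
]

if __name__ == "__main__":
    for host, (severity, findings) in triage(SAMPLE_EVENTS).items():
        print(host, severity, findings)
```

The legitimate `vami-http` entry under `/opt/vmware/` produces no finding, which is the point of comparing location against a baseline rather than alerting on the name alone.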
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | f0c46d22e753… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] CISA BRICKSTORM UNC5221 AR25-338A February 2026: DHS/CISA. (2026, February 11). AR25-338A: BRICKSTORM Backdoor. Retrieved April 16, 2026.
[2] Picus Security BRICKSTORM UNC5221 October 2025: Huseyin Can Yuceel. (2025, October 1). BRICKSTORM Malware: UNC5221 Targets Tech and Legal Sectors in the United States. Retrieved April 16, 2026.
[3] Resecurity UNC5221 BRICKSTORM F5 Big-IP October 2025: Resecurity Threat Intelligence & Incident Analysis. (2025, October 22). F5 BIG-IP Source Code Leak Tied to State-Linked Campaigns Using BRICKSTORM Backdoor. Retrieved April 16, 2026.
[4] Google BRICKSTORM September 2025: Sarah Yoder, John Wolfram, Ashley Pearson, Doug Bienstock, Josh Madeley, Josh Murchie, Brad Slaybaugh, Matt Lin, Geoff Carstairs, Austin Larsen. (2025, September 24). Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech and Legal Sectors. Retrieved April 16, 2026.
[5] Google UNC5221 BRICKSTORM SPAWNCHIMERA April 2024: Matt Lin, Austin Larsen, John Wolfram, Ashley Pearson, Josh Murchie, Lukasz Lamparski, Joseph Pisano, Ryan Hall, Ron Craft, Shawn Crew, Billy Wong, Tyler McLellan. (2024, April 4). Cutting Edge, Part 4: Ivanti Connect Secure VPN Post-Exploitation Lateral Movement Case Studies. Retrieved April 16, 2026.
[6] Cloudflare 2026 Threat Report New Threat Actors March 2026: Cloudflare. (2026, March 3). Introducing the 2026 Cloudflare Threat Report. Retrieved April 18, 2026.
[7] CrowdStrike BRICKSTORM WARP PANDA UNC5221 December 2025: CrowdStrike. (2025, December 4). Unveiling WARP PANDA: A New Sophisticated China-Nexus Adversary. Retrieved April 16, 2026.
[8] Dragos SYLVANITE MuddyWater Electrum March 2026: Dragos. (2026, March 24). Dragos 2026 OT Cybersecurity Report: Year in Review, O&G and Petrochemicals Focus. Retrieved April 17, 2026.
[9] NVISO BRICKSTORM April 2025: NVISO Incident Response. (2025, April 1). BRICKSTORM Backdoor Analysis: A Persistent Espionage Threat to European Industries. Retrieved April 16, 2026.
[10] Google BRICKSTORM GRIMBOLT UNC5221 UNC6201 February 2026: Peter Ukhanov, Daniel Sislo, Nick Harbour, John Scarbrough, Fernando Tomlinson Jr., Rich Reece. (2026, February 17). From BRICKSTORM to GRIMBOLT: UNC6201 Exploiting a Dell RecoverPoint for Virtual Machines Zero-Day. Retrieved April 16, 2026.
[11] mitre-attack S9015
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.