Chinese hackers have breached European networks with a sophisticated backdoor malware called Brickstorm. The nasty little bug, linked to threat group UNC5221, has been silently slithering through critical infrastructure since at least 2022. Not your typical smash-and-grab operation. These folks are after something bigger than money—they want trade secrets, research data, and strategic plans. Classic espionage, digital style.

Brickstorm started life targeting Linux vCenter servers but got ambitious. Now it’s infecting Windows environments too. The malware’s favorite entry point? Vulnerable network appliances like Ivanti Connect Secure VPNs. Once inside, it digs in deep. Scheduled tasks for persistence. Multiple system locations. Years of undetected access in some cases. Scary stuff.

The technical chops on display are impressive, if you’re into digital break-ins. Written in Go, Brickstorm offers file browsing, transfers, and network tunneling via an elegant HTTP API. It’s basically an invisible remote control for your entire network. The Windows version notably skips direct command execution—a smart move to avoid detection. The malware also supports TCP, UDP, and ICMP relaying, which lets attackers move laterally through compromised networks.

What really sets Brickstorm apart is its stealth game. Three nested TLS layers? Check. DNS-over-HTTPS to dodge monitoring? You bet. Communication through legitimate cloud services like Cloudflare Workers and Heroku? Absolutely. It’s practically wearing an invisibility cloak. The attackers further conceal their infrastructure by routing that DNS-over-HTTPS through trusted providers like Cloudflare and Google, so the lookups look like ordinary traffic.
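A defender-side view of those two tricks, as an added example that is not from the article or from NVISO’s or Mandiant’s reporting: it scans constructed proxy-log lines for DNS-over-HTTPS requests and for egress to serverless hosting. The log format, the resolver watchlist, and the domain suffixes are assumptions for illustration, not indicators from the page.

```python
# Added example, not from the article. Log format, resolver list and
# domain suffixes are assumptions; tune them to your own estate.
import re
from dataclasses import dataclass
from typing import Optional

# Public DNS-over-HTTPS resolvers (assumed watchlist).
DOH_RESOLVERS = {"cloudflare-dns.com", "1.1.1.1", "dns.google", "8.8.8.8"}
# Serverless/PaaS suffixes an attacker can hide C2 behind (assumed watchlist).
CLOUD_FRONT_SUFFIXES = (".workers.dev", ".herokuapp.com")

# Constructed line shape: "<ts> <src-host> <METHOD> <url> ct=<content-type>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) https?://(?P<host>[^/\s]+)"
    r"(?P<path>\S*) ct=(?P<ct>\S+)$"
)

@dataclass(frozen=True)
class Finding:
    src: str
    host: str
    reason: str

def classify(line: str) -> Optional[Finding]:
    """Return a Finding if the request looks like DoH or PaaS-fronted egress."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    host = m["host"].split(":")[0].lower()
    path, ct = m["path"], m["ct"]
    # DoH: a known resolver, or the RFC 8484 path / content-type on any host,
    # which also catches a resolver you have never heard of.
    if host in DOH_RESOLVERS or path.startswith("/dns-query") or ct == "application/dns-message":
        return Finding(m["src"], host, "dns-over-https")
    # Egress to serverless hosting that a server has no business calling.
    if host.endswith(CLOUD_FRONT_SUFFIXES):
        return Finding(m["src"], host, "serverless-fronted-egress")
    return None

def scan(lines):
    """Run classify() over an iterable of log lines and keep the hits."""
    return [f for f in (classify(l) for l in lines) if f]

# Constructed sample proxy lines from a vCenter host and a file server.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z vcenter01 POST https://cloudflare-dns.com/dns-query ct=application/dns-message
2024-03-01T10:00:02Z vcenter01 POST https://203.0.113.7/dns-query ct=application/dns-message
2024-03-01T10:00:03Z fileserver02 GET https://update-relay.example.workers.dev/api/v1/files ct=application/json
2024-03-01T10:00:04Z fileserver02 GET https://www.example.com/index.html ct=text/html
""".splitlines()
```

Browsers on workstations use DoH legitimately, so run this against server-class hosts (vCenter, domain controllers, file servers) where any DoH or serverless egress is worth a look.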

European cybersecurity firm NVISO deserves credit for spotting the Windows variants, while Mandiant caught the Linux version. Both confirm this is consistent with China’s broader strategy of strengthening economic power through industrial theft. Pretty brazen approach.

For affected organizations, the damage is likely extensive. The malware facilitates lateral movement using protocols like RDP and SMB, often paired with stolen credentials.

And once these attackers are in, they don’t leave quickly. They’re patient. Methodical. Just sitting there, quietly exfiltrating everything of value. Your intellectual property walking out the digital door, one encrypted packet at a time.