
BRICKSTORM Malware Hits U.S. Tech, Law, and SaaS Firms
Hackers are using BRICKSTORM malware to infiltrate U.S. companies, staying hidden for over a year, stealing sensitive emails and data.
In a rush? Here are the quick facts:
- Hackers remained undetected in networks for over 393 days.
- Targets include U.S. law firms, SaaS, outsourcing, and tech companies.
- Malware hides in VMware servers and network appliances.
A stealthy cyber campaign called BRICKSTORM is targeting major U.S. industries, according to new research by Google’s Threat Intelligence Group (GTIG) and Mandiant Consulting. Since March 2024, the malware has targeted law firms, tech companies, Software-as-a-Service (SaaS) providers and business outsourcing firms.
Researchers say the backdoor is designed for long-term spying. “This, coupled with modifications to the BRICKSTORM backdoor, has enabled them to remain undetected in victim environments for 393 days, on average,” Google noted.
The attacks are linked to UNC5221, a hacking group suspected of ties to China. The group uses zero-day vulnerabilities, which are unpatched security flaws in software systems. BRICKSTORM operates as a hidden threat because it infiltrates devices that standard security software does not monitor, such as VMware servers and other network appliances.
One of the most concerning findings is the hackers’ ability to quietly steal sensitive emails. In many cases, they targeted developers, system administrators, and individuals connected to U.S. national security or trade issues.
GTIG explained that compromising SaaS providers can give attackers a path to those providers’ downstream customers. They can also attack tech companies to steal intellectual property and, potentially, new zero-day exploits.
To help organizations defend themselves, Mandiant has released a scanner tool that can detect signs of BRICKSTORM on Linux and BSD systems. The tool is available on Mandiant’s GitHub page.
Mandiant strongly advised companies to update their security practices, review how they protect critical servers, and adopt a “threat hunting” approach instead of relying only on old detection methods.
“Mandiant strongly encourages organizations to reevaluate their threat model for appliances and conduct hunt exercises for this highly evasive actor,” the team said.
The campaign demonstrates how attackers modify their tactics to bypass standard security measures, which, the researchers argue, pushes businesses to take active measures to protect their systems.