Date: 10/09/2025
Severity: Critical
Summary
We are tracking BRICKSTORM malware, which is used to maintain long-term access to U.S. organizations. Since March 2025, Team Consulting has responded to intrusions in sectors such as legal services, SaaS, BPOs, and technology. These targets were likely chosen because they support zero-day development and serve as pivot points into a broader set of downstream victims. We attribute this activity to UNC5221 and related China-nexus clusters with advanced capabilities. Their operations exploit zero-days and evade detection by targeting network appliances that lack EDR support. Modifications to BRICKSTORM and stealthy tradecraft have allowed access to persist for an average of 393 days.
Indicators of Compromise (IOC) List
SHA-256:
90b760ed1d0dcb3ef0f2b6d6195c9d852bcb65eca293578982a8c4b64f51b035
2388ed7aee0b6b392778e8f9e98871c06499f476c9e7eae6ca0916f827fe65df
aa688682d44f0c6b0ed7f30b981a609100107f2d414a3a6e5808671b112d1878
MD5:
123e80a34508c4dede7cc70e76931fcc
84b573305b732a8372a082c057242953
b1b7aaa5bd4408a4d3003a9fabcdd041
SHA-1:
130fdc32de36a362e65c7138b560eb8d8f6ae599
b8eed63ab9cbdca494f26a6f66bfd4a0a693b3f0
f1f64ed1ee74d3b84f338a612e59c81997d6f70e
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 (MD5):
md5hash IN ("b1b7aaa5bd4408a4d3003a9fabcdd041","123e80a34508c4dede7cc70e76931fcc","84b573305b732a8372a082c057242953")
Detection Query 2 (SHA-1):
sha1hash IN ("130fdc32de36a362e65c7138b560eb8d8f6ae599","f1f64ed1ee74d3b84f338a612e59c81997d6f70e","b8eed63ab9cbdca494f26a6f66bfd4a0a693b3f0")
Detection Query 3 (SHA-256):
sha256hash IN ("2388ed7aee0b6b392778e8f9e98871c06499f476c9e7eae6ca0916f827fe65df","90b760ed1d0dcb3ef0f2b6d6195c9d852bcb65eca293578982a8c4b64f51b035","aa688682d44f0c6b0ed7f30b981a609100107f2d414a3a6e5808671b112d1878")
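The three TDIR queries above are plain hash-set lookups. The Python script below is an added example (not Gurucul's code and not from the referenced reports) that applies the same IOC set outside the SIEM: it hashes files on disk in a single pass and it evaluates exported telemetry lines against the md5hash/sha1hash/sha256hash fields. The field names follow the query syntax on this page; the hostnames, paths and log format of the sample events are constructed for the demo, and digests are lowercased before comparison so uppercase values stored by another tool still match.

```python
"""Offline IOC sweep for the BRICKSTORM hashes listed on this advisory.

Added example, not the advisory's own tooling: it mirrors the three TDIR
hash queries so the same IOC set can be checked against file systems and
exported event lines (telemetry field names are assumed).
"""
import hashlib
from pathlib import Path

# IOC values exactly as listed on this advisory, keyed by digest algorithm.
BRICKSTORM_IOCS = {
    "md5": {
        "b1b7aaa5bd4408a4d3003a9fabcdd041",
        "123e80a34508c4dede7cc70e76931fcc",
        "84b573305b732a8372a082c057242953",
    },
    "sha1": {
        "130fdc32de36a362e65c7138b560eb8d8f6ae599",
        "f1f64ed1ee74d3b84f338a612e59c81997d6f70e",
        "b8eed63ab9cbdca494f26a6f66bfd4a0a693b3f0",
    },
    "sha256": {
        "2388ed7aee0b6b392778e8f9e98871c06499f476c9e7eae6ca0916f827fe65df",
        "90b760ed1d0dcb3ef0f2b6d6195c9d852bcb65eca293578982a8c4b64f51b035",
        "aa688682d44f0c6b0ed7f30b981a609100107f2d414a3a6e5808671b112d1878",
    },
}

# Assumed telemetry field names, taken from the query syntax on this page.
FIELD_TO_ALGO = {"md5hash": "md5", "sha1hash": "sha1", "sha256hash": "sha256"}


def hash_bytes(data):
    """Return md5/sha1/sha256 hex digests of an in-memory blob."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in BRICKSTORM_IOCS}


def hash_file(path, chunk_size=1 << 20):
    """Compute all three digests in one pass so each file is read only once."""
    hashers = {algo: hashlib.new(algo) for algo in BRICKSTORM_IOCS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def match_digests(digests):
    """Return sorted (algo, value) pairs that hit the IOC set.

    Values are normalised to lowercase hex so uppercase digests still match;
    a missing or empty field is skipped rather than treated as a miss.
    """
    hits = []
    for algo, value in digests.items():
        if not value:
            continue
        value = value.strip().lower()
        if value in BRICKSTORM_IOCS.get(algo, ()):
            hits.append((algo, value))
    return sorted(hits)


def parse_kv_event(line):
    """Parse a 'key=value key=value' event line (constructed format) into a dict."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def match_event(event):
    """Apply the md5/sha1/sha256 IOC queries to one parsed event."""
    digests = {algo: event.get(field) for field, algo in FIELD_TO_ALGO.items()}
    return match_digests(digests)


def scan_log_lines(lines):
    """Return [(line_index, hits)] for every event line that matches an IOC."""
    findings = []
    for idx, line in enumerate(lines):
        hits = match_event(parse_kv_event(line))
        if hits:
            findings.append((idx, hits))
    return findings


def sweep_files(root):
    """Hash every regular file under root and report IOC matches by path."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            hits = match_digests(hash_file(path))
            if hits:
                findings[str(path)] = hits
    return findings


# Constructed sample events (hostnames and paths are invented). Lines 0 and 2
# carry digests from the advisory's IOC list; line 1 carries benign digests
# (those of an empty file).
SAMPLE_EVENTS = [
    "ts=2025-10-09T10:15:02Z host=appliance-01 path=/tmp/sample-a "
    "md5hash=123e80a34508c4dede7cc70e76931fcc "
    "sha256hash=90B760ED1D0DCB3EF0F2B6D6195C9D852BCB65ECA293578982A8C4B64F51B035",
    "ts=2025-10-09T10:16:44Z host=workstation-22 path=/tmp/sample-b "
    "md5hash=d41d8cd98f00b204e9800998ecf8427e "
    "sha256hash=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "ts=2025-10-09T10:17:10Z host=appliance-02 path=/tmp/sample-c "
    "sha1hash=f1f64ed1ee74d3b84f338a612e59c81997d6f70e",
]

if __name__ == "__main__":
    import sys
    for idx, hits in scan_log_lines(SAMPLE_EVENTS):
        print(f"event {idx}: {hits}")
    if len(sys.argv) > 1:  # optional: sweep a directory given on the command line
        print(sweep_files(sys.argv[1]))
```

Run it with no arguments to see the two sample events that hit, or pass a directory to hash and sweep its files. Hash IOCs only catch the exact samples listed, so a recompiled or modified BRICKSTORM binary will not match; treat a hit as high-confidence and a miss as no evidence either way.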
References:
https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign
https://www.jdsupra.com/legalnews/brickstorm-china-linked-hackers-lurk-5228266/