A sophisticated cyber espionage campaign leveraging the newly identified BRICKSTORM malware variants has targeted European strategic industries since at least 2022.
According to NVISO’s technical analysis, these backdoors, previously observed only on Linux-based VMware vCenter appliances, now also target Windows environments, employing multi-layered TLS encryption, DNS-over-HTTPS (DoH) resolution, and cloud-hosted command-and-control (C2) infrastructure to evade detection.
The malware, linked to China-nexus actor UNC5221, aligns with the People’s Republic of China’s (PRC) strategic objectives to acquire intellectual property and technological secrets for economic advancement.
Technical Evolution of BRICKSTORM’s Capabilities
The Windows variants of BRICKSTORM, written in Go (the analysed samples were compiled with Go 1.13.5), contain no direct command-execution capability. Instead they give the operator a file manager and a network tunnel, and the tunnel is used to reach internal hosts over protocols such as RDP and SMB with previously stolen credentials.
Because the implant never spawns a child process, this design sidesteps parent-child process monitoring, a common detection mechanism for interactive backdoors; the malicious activity shows up instead as ordinary-looking RDP and SMB sessions originating from the infected host.
The malware’s file management component exposes a JSON-based HTTP API to upload, download, and modify files, while its tunneling module relays TCP, UDP, and ICMP traffic for lateral movement.
A notable update in newer samples is the addition of hardcoded IP addresses (via the IPAddrs configuration parameter), which lets the implant operate in environments where DoH is blocked.
Older variants relied exclusively on DoH resolution through public providers such as Quad9 and Cloudflare, embedding the DNS query in the body of an HTTPS POST request so that it bypasses traditional DNS monitoring.
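To make the DoH resolution step concrete, the following added example (not NVISO’s tooling and not code from the malware) decodes the RFC 8484 wire-format DNS message that a DoH client places in the body of an HTTPS POST, and flags such a request when it is sent to one of the public resolvers named above. It assumes an inspection point that can see the outer HTTP request (host, method, Content-Type and body) after TLS termination; the resolver hostnames and the sample query are constructed for illustration.

```python
"""Decode DNS-over-HTTPS (RFC 8484) POST bodies and flag requests to public
DoH resolvers. Added example; not NVISO's code and not the malware's code.
The resolver list and the sample request below are constructed."""
import struct
from typing import List, Optional, Tuple

# Assumption: these are the hostnames a boundary proxy sees in the outer TLS
# SNI / Host header for the Quad9 and Cloudflare DoH services named in the article.
DOH_RESOLVERS = {"dns.quad9.net", "cloudflare-dns.com", "one.one.one.one",
                 "1.1.1.1", "9.9.9.9"}


def build_dns_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build a minimal wire-format DNS query; used here only to construct sample
    input. RFC 8484 recommends a zero transaction ID for DoH."""
    labels = b"".join(struct.pack("B", len(l)) + l.encode("ascii")
                      for l in name.rstrip(".").split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_dns_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Read a (possibly compressed) DNS name; returns (name, offset after the name)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def decode_doh_body(body: bytes) -> List[Tuple[str, int]]:
    """Return the (qname, qtype) questions carried in a DoH POST body."""
    if len(body) < 12:
        raise ValueError("truncated DNS header")
    _txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", body[:12])
    questions, offset = [], 12
    for _ in range(qdcount):
        qname, offset = parse_dns_name(body, offset)
        qtype, _qclass = struct.unpack("!HH", body[offset:offset + 4])
        offset += 4
        questions.append((qname, qtype))
    return questions


def classify_request(host: str, method: str, content_type: str,
                     body: bytes) -> Optional[dict]:
    """Flag a DoH POST to a public resolver and expose the names being resolved."""
    if (host.lower() not in DOH_RESOLVERS or method != "POST"
            or content_type != "application/dns-message"):
        return None
    return {"resolver": host, "questions": decode_doh_body(body)}


# Constructed sample: what the implant's lookup of its C2 frontend would look like.
SAMPLE_BODY = build_dns_query("ms-azure.azdatastore.workers.dev")

if __name__ == "__main__":
    print(classify_request("dns.quad9.net", "POST", "application/dns-message", SAMPLE_BODY))
```

Decoding the body is what turns an opaque "POST to dns.quad9.net" into a log line that names the C2 domain; a proxy that only blocks the resolver hostnames still gains from it, because newer samples fall back to the hardcoded IPAddrs list and the DNS names then stop appearing anywhere.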

Multi-Layered Evasion Architecture
BRICKSTORM employs a nested TLS framework to obscure communications:
- Outer Layer: Legitimate HTTPS connections to serverless platforms (Cloudflare Workers, Heroku) with valid, publicly trusted certificates.
- Middle Layer: A WebSocket upgrade followed by a second TLS handshake, authenticated with a static AuthKey value.
- Inner Layer: A third TLS session, multiplexed with HashiCorp’s Yamux library so that concurrent C2 activities such as file exfiltration and tunneling share one connection.
This architecture ensures that even where an inspection device terminates the outer HTTPS session, the innermost TLS-encrypted traffic remains opaque.
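The practical consequence of the layering is that a proxy which terminates the outer HTTPS session does not see C2 commands; it sees masked WebSocket frames whose payload is another TLS handshake. The added example below (not NVISO’s code and not the malware’s) shows how such a TLS-in-TLS condition can be recognised: it unmasks client-to-server WebSocket frames, checks whether the reassembled payload starts with a TLS ClientHello, and extracts the inner SNI if one is present. The WebSocket frame, the ClientHello and the server name inner.example are all constructed for illustration.

```python
"""Detect a TLS handshake tunnelled inside a WebSocket stream (TLS-in-TLS).
Added example; not NVISO's code and not the malware's. Assumes the outer TLS
has already been terminated by an inspection proxy, so the bytes handled here
are the plaintext WebSocket frames. Sample frame and SNI are constructed."""
import struct
from typing import List, Optional


def websocket_frame(payload: bytes, mask: bytes) -> bytes:
    """Build a masked client->server binary frame (RFC 6455); sample input only."""
    assert len(mask) == 4
    n = len(payload)
    if n < 126:
        header = bytes([0x82, 0x80 | n])
    elif n < 65536:
        header = bytes([0x82, 0x80 | 126]) + struct.pack("!H", n)
    else:
        header = bytes([0x82, 0x80 | 127]) + struct.pack("!Q", n)
    masked = bytes(b ^ mask[i % 4] for i, b in enumerate(payload))
    return header + mask + masked


def unmask_frame(frame: bytes) -> bytes:
    """Return the payload of one WebSocket frame, unmasking if the MASK bit is set."""
    masked = frame[1] & 0x80
    n, pos = frame[1] & 0x7F, 2
    if n == 126:
        n, pos = struct.unpack("!H", frame[2:4])[0], 4
    elif n == 127:
        n, pos = struct.unpack("!Q", frame[2:10])[0], 10
    if masked:
        mask = frame[pos:pos + 4]
        pos += 4
        return bytes(b ^ mask[i % 4] for i, b in enumerate(frame[pos:pos + n]))
    return frame[pos:pos + n]


def client_hello(sni: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record, optionally with an SNI extension."""
    body = b"\x03\x03" + b"\x00" * 32 + b"\x00"   # version, random, empty session id
    body += b"\x00\x02\x13\x01"                   # one cipher suite
    body += b"\x01\x00"                           # one compression method (null)
    exts = b""
    if sni:
        name = sni.encode("ascii")
        name_list = b"\x00" + struct.pack("!H", len(name)) + name
        sni_ext = struct.pack("!H", len(name_list)) + name_list
        exts += b"\x00\x00" + struct.pack("!H", len(sni_ext)) + sni_ext
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def inspect_inner_stream(data: bytes) -> Optional[str]:
    """If data begins with a TLS ClientHello, return its SNI ("" when absent);
    otherwise return None (the stream is something other than nested TLS)."""
    if len(data) < 6 or data[0] != 0x16 or data[1] != 0x03 or data[5] != 0x01:
        return None
    p = 9                      # record header (5) + handshake header (4)
    p += 2 + 32                # legacy_version + random
    p += 1 + data[p]           # session id
    p += 2 + struct.unpack("!H", data[p:p + 2])[0]   # cipher suites
    p += 1 + data[p]           # compression methods
    if p + 2 > len(data):
        return ""
    ext_len = struct.unpack("!H", data[p:p + 2])[0]
    p += 2
    end = p + ext_len
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", data[p:p + 4])
        p += 4
        if etype == 0:         # server_name: list len(2) + type(1) + name len(2) + name
            name_len = struct.unpack("!H", data[p + 3:p + 5])[0]
            return data[p + 5:p + 5 + name_len].decode("ascii")
        p += elen
    return ""


def detect_nested_tls(frames: List[bytes]) -> Optional[str]:
    """Reassemble the unmasked WebSocket payloads and look for an inner handshake."""
    return inspect_inner_stream(b"".join(unmask_frame(f) for f in frames))


# Constructed sample: a second ClientHello sent right after the 101 upgrade,
# carrying a hypothetical inner SNI.
SAMPLE_FRAMES = [websocket_frame(client_hello("inner.example"), b"\x11\x22\x33\x44")]

if __name__ == "__main__":
    print("inner SNI:", detect_nested_tls(SAMPLE_FRAMES))
```

A non-None result on a connection that was upgraded to WebSocket is the signal to alert on: legitimate WebSocket applications carry application messages, not a fresh TLS handshake, and the inner SNI (or its absence) and the certificate the server answers with are what a defender can then pivot on.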
Notably, BRICKSTORM’s operators intermittently exposed second-tier infrastructure during maintenance, revealing Vultr-hosted instances (e.g., 64.176.166.79) behind the cloud frontends.
BRICKSTORM’s C2 infrastructure also leans on the nip.io wildcard DNS service and on certificates that give defenders little to pivot on through certificate transparency. For example, the domain ms-azure.azdatastore.workers.dev is served under Cloudflare’s wildcard certificates, so no certificate dedicated to that hostname appears in certificate transparency logs, while the historical Heroku domain ms-azure.herokuapp.com was registered as early as 2022.
The operators maintained persistent access by rotating IPs and renewing the certificates of the inner layers, such as the 2024–2025 certificate used for the nested TLS sessions.

Organizations should monitor for the artifacts listed in the indicator table at the end of this article, and NVISO recommends layered defenses to counter BRICKSTORM’s evasion tactics:
- Block DoH Providers: Restrict traffic to public DoH resolvers (e.g., Quad9, Cloudflare) at the network boundary, so that the implant must fall back to its hardcoded IPs or fail to resolve its C2.
- TLS Inspection: Deploy solutions capable of detecting nested TLS sessions, in particular a second TLS handshake appearing inside an already-established (WebSocket-upgraded) HTTPS session, or handshakes presenting certificates that do not chain to a trusted CA.
- Credential Hygiene: Enforce multi-factor authentication and monitor for anomalous SMB/RDP logons that coincide with tunneling activity, since the Windows variant relies on stolen credentials rather than on executing commands itself.
- Threat Hunting: Search for processes spawned by CreatedUACExplorer.exe (the implant has no command-execution feature, so any child process is anomalous) and for connections to the listed domains and IPs.
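The hunting and credential-monitoring items above can be expressed as a handful of rules over endpoint telemetry. The added example below (not NVISO’s tooling) runs such rules over Sysmon-style process-creation, network-connection and DNS-query events plus Windows Security logon events, and correlates SMB/RDP logons with hosts that were seen talking to the C2 infrastructure. The event records are constructed sample input in a flattened JSON shape; the IOC values are those listed in this article, and the host names, user names and internal IPs are hypothetical.

```python
"""Hunt endpoint telemetry for the BRICKSTORM artifacts listed in the article.
Added example; not NVISO's tooling. The JSON event lines are constructed sample
input in a flattened Sysmon/Security-log shape; hosts, users and internal IPs
are hypothetical, the IOC values come from the article's indicator table."""
import json
from typing import List, Tuple

IOC_FILENAMES = {"createduacexplorer.exe", "createuacexplorer.exe"}
IOC_DOMAINS = {"ms-azure.azdatastore.workers.dev", "ms-azure.herokuapp.com"}
IOC_IPS = {"64.176.166.79"}
TUNNELABLE_LOGONS = {3, 10}   # 3 = network (SMB), 10 = RemoteInteractive (RDP)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events: List[dict]) -> List[Tuple[str, str, str]]:
    """Return (rule, host, detail) findings. Events are expected in time order so
    that a C2 connection precedes the logons it enabled."""
    findings = []
    tunnel_sources = set()   # internal IPs of hosts that reached the C2 infrastructure
    for e in events:
        host, eid = e.get("Computer", "?"), e.get("EventID")
        if eid == 1:    # Sysmon: process creation
            if basename(e.get("ParentImage", "")) in IOC_FILENAMES:
                # The implant cannot run commands itself, so any child is suspicious.
                findings.append(("implant_child_process", host, e.get("Image", "")))
            elif basename(e.get("Image", "")) in IOC_FILENAMES:
                findings.append(("implant_started", host, e.get("Image", "")))
        elif eid == 3:  # Sysmon: network connection
            dst_name = e.get("DestinationHostname", "").lower()
            if e.get("DestinationIp") in IOC_IPS or dst_name in IOC_DOMAINS:
                findings.append(("c2_connection", host, e.get("DestinationIp") or dst_name))
                tunnel_sources.add(e.get("SourceIp", ""))
        elif eid == 22:  # Sysmon: DNS query
            if e.get("QueryName", "").lower() in IOC_DOMAINS:
                findings.append(("c2_dns_query", host, e["QueryName"]))
        elif eid == 4624:  # Security: successful logon
            if (e.get("LogonType") in TUNNELABLE_LOGONS
                    and e.get("IpAddress") in tunnel_sources):
                findings.append(("lateral_logon_via_tunnel", host,
                                 f'{e.get("TargetUserName")} from {e.get("IpAddress")}'))
    return findings


# Constructed sample events (JSON lines), newest last.
SAMPLE_LOG = """\
{"Computer":"WS01","EventID":22,"Image":"C:\\\\ProgramData\\\\CreatedUACExplorer.exe","QueryName":"ms-azure.azdatastore.workers.dev"}
{"Computer":"WS01","EventID":3,"Image":"C:\\\\ProgramData\\\\CreatedUACExplorer.exe","SourceIp":"10.0.0.5","DestinationIp":"64.176.166.79","DestinationHostname":""}
{"Computer":"WS02","EventID":3,"Image":"C:\\\\Windows\\\\System32\\\\svchost.exe","SourceIp":"10.0.0.7","DestinationIp":"20.0.0.1","DestinationHostname":"update.microsoft.com"}
{"Computer":"FS01","EventID":4624,"LogonType":3,"TargetUserName":"svc_backup","IpAddress":"10.0.0.5"}
{"Computer":"FS01","EventID":4624,"LogonType":3,"TargetUserName":"jdoe","IpAddress":"10.0.0.9"}
{"Computer":"WS01","EventID":1,"Image":"C:\\\\Windows\\\\System32\\\\cmd.exe","ParentImage":"C:\\\\ProgramData\\\\CreatedUACExplorer.exe"}
"""


def load_events(text: str) -> List[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for finding in hunt(load_events(SAMPLE_LOG)):
        print(finding)
```

The lateral_logon_via_tunnel rule is the one that captures the Windows variant's tradecraft: the logon on FS01 is a perfectly valid type 3 logon with a real account, and only its source (a host that was just talking to the C2 frontend) marks it as tunnelled RDP/SMB abuse rather than normal administration.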
The PRC’s enduring focus on economic espionage necessitates continuous monitoring of network appliances and serverless cloud traffic, which BRICKSTORM exploits for long-term intrusion.
Collaborative defenses and real-time intelligence sharing remain critical to mitigating such advanced threats.
Indicators of compromise for the two Windows samples analysed by NVISO:

Filename | SHA256 Hash | Associated Domain
---|---|---
CreatedUACExplorer.exe | b42159d68ba58d7857c091b5acc59e30e50a854b15f7ce04b61ff6c11cdf0156 | ms-azure.azdatastore.workers.dev
CreateUACExplorer.exe | 42692bd13333623e9085d0c1326574a3391efcbf18158bb04972103c9ee4a3b8 | ms-azure.herokuapp.com