
Belgian experts uncover China's hidden cyberattack on Europe


Belgian cybersecurity company NVISO has discovered a previously unknown variant of malware targeting the Windows operating system. According to experts, this software is linked to the Chinese hacker group UNC5221 and was used in a covert espionage campaign against European industries, as reported by Techzine.

Forensic analysis revealed that the malicious backdoor has been active since at least 2022. Its primary goal is to remain undetected for as long as possible while providing access to industrial information, including the theft of confidential data.

Unlike ransomware, this type of cyberattack does not make its presence obvious and can remain undetected for an extended period.

“The two newly identified BRICKSTORM executables provide attackers with file manager and network tunneling capabilities. Through these backdoors, adversaries can browse the file system, create/delete arbitrary files and folders as well as tunnel network connections for lateral movement”, according to NVISO. “The BRICKSTORM family resolves its Command & Control servers through DoH (DNS over HTTPS), hindering most network monitoring solutions.”

NVISO experts noted that the BRICKSTORM malware is now found not only in Linux environments, as previously thought, but also in Windows, broadening the scope of the threat. Earlier, only Mandiant had reported on the Linux variant of the malware.

NVISO's investigation further confirms that Chinese cyber-espionage is part of long-term, technically sophisticated campaigns targeting strategic sectors in Europe.
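The DoH-based C2 resolution that NVISO describes bypasses ordinary DNS logging, but it can still surface in proxy telemetry. The following is an added example, not code from NVISO or from this article, that flags DoH traffic from processes not expected to use it. The log layout, the process allowlist and the resolver list are assumptions, and the sample records are constructed, not BRICKSTORM indicators.

```python
import csv
import io

# Assumption: a short list of well-known public DoH resolvers; extend per environment.
DOH_HOSTS = {"cloudflare-dns.com", "dns.google", "dns.quad9.net"}
# Media type defined by RFC 8484 for DoH messages.
DOH_MEDIA_TYPE = "application/dns-message"
# Assumption: processes that are expected to use DoH on this estate.
ALLOWED_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe"}

# Constructed sample: proxy records joined with the endpoint process name.
# path/content_type are empty where TLS was not inspected (only the hostname is visible).
SAMPLE_LOG = """host,process,dest_host,path,content_type
WS-014,firefox.exe,cloudflare-dns.com,/dns-query,application/dns-message
SRV-APP02,svchelper.exe,dns.google,/dns-query,application/dns-message
SRV-APP02,svchelper.exe,resolver.example.net,/q,application/dns-message
WS-014,chrome.exe,www.example.com,/index.html,text/html
SRV-DB01,backup.exe,dns.quad9.net,,
"""


def doh_reasons(row):
    """Return the reasons a record looks like DNS over HTTPS (empty list if none)."""
    reasons = []
    if row["dest_host"].lower().rstrip(".") in DOH_HOSTS:
        reasons.append("known DoH resolver")
    # Catches resolvers missing from the list, but only when TLS is inspected.
    if row["content_type"].split(";")[0].strip().lower() == DOH_MEDIA_TYPE:
        reasons.append("RFC 8484 media type")
    return reasons


def find_unexpected_doh(log_text, allowed=ALLOWED_PROCESSES):
    """Flag DoH-looking traffic from processes outside the allowlist."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        reasons = doh_reasons(row)
        if reasons and row["process"].lower() not in allowed:
            findings.append((row["host"], row["process"], row["dest_host"], reasons))
    return findings


if __name__ == "__main__":
    for finding in find_unexpected_doh(SAMPLE_LOG):
        print(finding)
```

Servers and appliances rarely have a legitimate reason to resolve names over DoH, so hits on those hosts deserve priority over workstation hits.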
