UNC5221 BRICKSTORM: China's APT Hides 393 Days Inside Law Firms and SaaS Providers

**UNC5221** is a suspected China-nexus threat cluster tracked by Mandiant (Google) under the "UNC" (unclassified) designation, which indicates assessed but not publicly confirmed state sponsorship. The group shares tactical overlap with Silk Typhoon — the China state-sponsored actor attributed to the 2021 Microsoft Exchange Server exploitation campaign — though Mandiant does not currently classify UNC5221 and Silk Typhoon as the same cluster. Other vendor designations for overlapping activity include Bauxite (Dragos, when activity targets operational technology), and Hydro Kitten in older reporting.

The group's motivation is intelligence collection, not financial gain. UNC5221 does not deploy ransomware, extort victims, or conduct disruptive operations. Its interest in legal services firms centers on attorney-client privileged communications, litigation strategies, and documentation related to U.S. national security and international trade disputes — intelligence that holds significant geopolitical value for a state sponsor. SaaS provider targeting enables downstream access: compromising one SaaS vendor provides UNC5221 with a persistent foothold in dozens of the vendor's enterprise customers simultaneously.

Since at least March 2025, UNC5221 has demonstrated real-time awareness of incident response activity on compromised networks. Mandiant has observed operators deploying new BRICKSTORM variants within hours of investigators beginning active hunting — a capability consistent with continuous monitoring of victim environments and a professionally managed intelligence program. For context on how another China-nexus group conceals C2 traffic through legitimate cloud services, see the [GopherWhisper China APT campaign analysis](/blog/gopherwhisper-china-apt-slack-discord-outlook-c2).

**BRICKSTORM** is a cross-platform backdoor written in Go (and as of February 2026, also in Rust), compiled as an ELF binary targeting Linux and BSD-based network appliances, with Windows variants observed when attackers pivot off compromised perimeter devices. The backdoor provides three core capabilities: SOCKS5 proxy tunneling for internal network traversal, DNS-over-HTTPS C2 resolution to hide communications, and file system browsing via Windows UNC paths.

Command-and-control uses no static domain or IP. BRICKSTORM resolves its C2 address by querying a DNS-over-HTTPS endpoint — using Google Public DNS (8.8.8.8), Cloudflare (1.1.1.1), Quad9, or any of eight alternative DoH resolvers — to look up an IP encoded inside a hostname on sslip.io or nip.io. Both services resolve a hostname directly to the IP address embedded in it, so the actual C2 IP address never appears in plaintext DNS traffic. All resolution traffic is encrypted HTTPS, making it visually identical to normal browsing traffic and transparent to DNS inspection tools.

Once connected, BRICKSTORM opens a SOCKS5 proxy tunnel that UNC5221 operators use to browse internal systems as though sitting on the corporate network — accessing internal web interfaces, code repositories, credential vaults, and Windows file shares, all through the BRICKSTORM channel with no additional tooling visible on the host. The new Rust-based variants documented in the February 2026 CISA update introduce Garble obfuscation, stripping Go compiler metadata and replacing function and variable names with random strings to defeat static analysis. A delay-timer variant has also been observed: it contains a hard-coded future timestamp and does not begin C2 beaconing until that date passes, bypassing sandboxes that run samples for only minutes before concluding no malicious behavior was observed.

UNC5221 operates a disciplined, seven-stage intrusion chain that consistently begins on perimeter appliances and ends with long-duration persistent access across an organization's entire digital environment. Each stage maps to documented MITRE ATT&CK techniques, though the 393-day average dwell time frequently means only post-exploitation stages are visible to defenders at the time of discovery.

Mandiant Consulting's incident response data confirms four primary target sectors for UNC5221 operations since March 2025. **Legal services** firms represent the highest-priority target class: UNC5221 specifically seeks attorney-client communications, merger and acquisition due diligence documentation, and litigation files related to U.S. national security and international trade disputes. The value of this data to a state intelligence program is direct — the legal sector processes the most sensitive business-government communications outside classified government systems.

**SaaS providers** are targeted for supply chain access. A single SaaS provider compromise delivers persistent access to dozens of enterprise customers through trusted identity provider relationships, allowing UNC5221 to move laterally from the vendor environment into downstream organizations without exploiting them directly. **Business process outsourcers** are targeted for similar reasons: BPOs maintain administrative access to client environments that serve as lateral movement bridges.

**Technology companies** are targeted for intellectual property. UNC5221's interest in tech firms centers on zero-day research, source code for widely deployed products, and cryptographic key material. Mandiant assessed that stolen vulnerability research could enable UNC5221 to develop its own zero-day exploits for future campaigns — a self-reinforcing capability loop that makes technology sector victims of particular long-term concern.

Geographic focus is the United States. No confirmed European, Asian, or other geographic victims have been attributed to UNC5221 in open source reporting as of May 2026, though absence of attribution does not indicate absence of activity.

UNC5221 deliberately avoids reusing infrastructure across victims. Each BRICKSTORM deployment receives a unique C2 endpoint — a Cloudflare Workers subdomain or Heroku application — and unique binary samples, making atomic indicator hunting ineffective as the primary defensive control. The indicators below represent confirmed samples from public reporting; assume no two live deployments share these characteristics.

BRICKSTORM uses DNS-over-HTTPS resolvers as C2 resolution infrastructure, querying DoH endpoints at Google Public DNS (8.8.8.8, 8.8.4.4), Cloudflare (1.1.1.1, 1.0.0.1), Quad9 (9.9.9.9, 149.112.112.112), and alternates. It resolves C2 addresses via sslip.io or nip.io hostname encoding. Any outbound traffic from appliances to Cloudflare Workers hostnames or Heroku application domains that is not initiated by a known administrative action should be treated as a high-confidence BRICKSTORM indicator.

The SLAYSTYLE web shell targeting vCenter's Apache Tomcat component and the BRICKSTEAL Java servlet filter targeting the /web/saml2/sso/* URI are the two most reliable forensic indicators of UNC5221 on vCenter infrastructure. Both are detectable via YARA rules published in the CISA Malware Analysis Report AR25-338A (updated February 11, 2026). The Mandiant BRICKSTORM scanner, available on GitHub, runs against live appliance filesystems without requiring YARA installation. For context on how APT actors use zero-click techniques to move into network infrastructure, see the [APT28 Windows Shell zero-click analysis](/blog/cve-2026-32202-windows-shell-apt28-ntlmv2-zero-click).

Standard signature-based detection fails against UNC5221 by design — no shared IOCs across victims, EDR-free appliance targeting, in-memory persistence, and DoH C2 obfuscation all defeat conventional controls simultaneously. Detection requires behavioral hunting across four data sources: vSphere audit logs, Microsoft 365 Unified Audit Log, DNS and firewall telemetry, and Windows User Access Logging. Mandiant's published nine-priority hunting checklist is the authoritative reference; the six highest-yield hunts for most organizations are listed below.

UNC5221 BRICKSTORM represents the highest-sophistication persistent access threat to U.S. organizations in sectors that hold intelligence value for a state sponsor. Three factors make this group categorically different from the financially motivated ransomware actors that dominate most threat briefings.

First, BRICKSTORM operates exclusively in the EDR blind spot. Network appliances, VPN concentrators, and VMware hypervisors are the entry and persistence layer — environments where behavioral monitoring agents are rarely deployed. By the time an attacker with a financial motive would have triggered a ransomware alert, UNC5221 has already been inside the environment for months harvesting data silently.

Second, the 393-day average dwell time means historical logs do not cover the initial breach. Most organizations retain firewall and access logs for 30 to 90 days. A breach that began 13 months ago is forensically invisible using conventional log analysis. Response planning must accept that initial access reconstruction is unlikely and focus on current-state containment and forward-looking monitoring rather than root cause analysis.

Third, the supply chain dimension amplifies risk beyond direct victims. If your SaaS provider, legal counsel, or outsourced business process vendor is a UNC5221 target, that relationship creates a lateral movement path into your environment without you being directly targeted. Third-party access risk assessments should explicitly include BRICKSTORM scanning and vSphere hardening posture as evaluation criteria.

UNC5221 BRICKSTORM backdoor is the most patient APT persistent access threat operating against U.S. organizations right now. Three takeaways: BRICKSTORM lives on EDR-blind appliances and hypervisors where most security stacks have zero visibility; DNS-over-HTTPS C2 concealment means standard DNS monitoring misses active beaconing entirely; and the 393-day average dwell time guarantees historical logs predate the initial breach. Before this week ends, enable VMware vSphere lockdown mode, forward VPXD logs to your SIEM with extended retention, and run the Mandiant BRICKSTORM scanner on every internet-facing appliance you operate.