The Defender’s Advantage Podcast: UNC5221 and the BRICKSTORM Campaign
Date: October 22, 2025
Host: Luke McNamara, Google Threat Intelligence Group (Mandiant)
Guests:
- Sarah Yoder, Manager, Mandiant Consulting
- Ashley Pearson, Senior Analyst, Advanced Practices Team (Intel)
Episode Overview
This episode takes a deep dive into the recent activity attributed to the threat actor group tracked as UNC5221. Luke McNamara interviews Sarah Yoder and Ashley Pearson, who co-authored a recent blog post detailing the group’s campaign targeting edge devices with the customized "Brickstorm" malware. The conversation explores UNC5221’s historical behavior, technical tradecraft, their sophisticated stealth techniques, and provides key defensive takeaways for organizations.
Key Discussion Points and Insights
1. Background on UNC5221
- Longstanding Espionage Activity:
- UNC5221 is a PRC (People’s Republic of China) associated espionage group tracked by Mandiant since 2023.
- Previously linked to exploitation of Ivanti zero-day vulnerabilities.
- “They're a PRC Nexus espionage group that we've been tracking since at least 2023.” (Ashley, 01:59)
- Possible Overlap with Other Groups:
- Some public reports conflate with Silk Typhoon but Mandiant has not confirmed this overlap.
- “We mentioned in the blog that it's not tied to Silk Typhoon at this time, but...there's bound to be overlaps...” (Ashley, 02:47)
- Focus on Sophisticated Tradecraft and Stealth:
- Emphasis on zero-day and n-day exploitation, especially targeting edge devices.
- Victim selection often aims at organizations granting broader access, e.g., law firms, SaaS providers, and entities with downstream customers.
- “They do seem to pay attention to what types of victims may garner them a pretty wide net in terms of downstream targeting.” (Ashley, 03:43)
2. The BRICKSTORM Campaign
- Origin and Discovery:
- Brickstorm malware was discovered during an investigation of an UNC5221 case involving a compromised VMware vCenter server.
- Further hunting with custom YARA rules revealed additional samples on other edge devices.
- “We identified a Brickstorm backdoor that was placed on a VMware vCenter...then found multiple additional samples on other edge device type systems.” (Sarah, 05:36)
- Malware Capabilities:
- Brickstorm is a Go-based tunneler acting as a backdoor, used for command execution, file uploads/downloads, and proxying traffic.
- Used primarily for exfiltration and stealthy command and control (C2) within the environment.
- “They primarily focus on living off the land, but where needed, they will deploy malware such as Brickstorm to complete their mission.” (Sarah, 06:51)
- Minimalist Malware Use:
- Group relies heavily on "living off the land" tactics, using malware sparingly for specific needs.
- Extensive use of proxying through multiple systems to mask exfiltration origins.
3. Unprecedented Stealth Techniques
- Extended Dwell Times:
- Average dwell time of 361 days observed in some cases, making detection and incident response even more challenging.
- “I think it was like 361 days, was the average dwell time over a year...” (Luke, 07:22)
- Evolution of Obfuscation:
- Post-initial disclosure, Brickstorm variants became heavily obfuscated to evade detection.
- “They've started implementing like very heavy obfuscation in the code to avoid detection.” (Ashley, 08:33)
- Customized Per-Target Variants:
- Each malware sample is unique, with per-system obfuscation, configuration, and sometimes even functionality changes.
- C2 infrastructure is individualized down to unique domains and subdomains, reducing cross-sample overlap.
- “Each sample...has its own obfuscation, it has its own C2 config...So each one is very much unique...” (Sarah, 09:24)
- “Even the samples contained within Org A are different between each other...There’s no reuse of any of the C2 domains...” (Ashley, 09:58)
- Difficult Hunting and Detection:
- High infrastructure turnover and obfuscation complicate hunting.
- Network-based patterns, such as the malware's use of DNS over HTTPS (DoH), proved useful, but only where robust long-term network logging was in place.
- “It's very difficult on the IR side to hunt for this type of activity...network logs have been very important for finding this.” (Sarah, 11:04, 15:18)
4. Incident Response Challenges
- Data Retention Issues:
- Extended dwell times often outlast available log retention (commonly 3-6 months), limiting investigators’ ability to reconstruct the full intrusion chain.
- “Not all organizations have log retention going back that far...and so all of those systems have been decommissioned.” (Sarah, 13:33)
- Initial Vector Often Unidentified:
- In most cases, the exact initial access vector for Brickstorm deployment could not be confirmed due to missing historical data.
- “In these Brickstorm specific cases, we have not identified the initial vector, at least to my knowledge...” (Sarah, 14:30)
- Asset Inventory as a Foundation:
- Maintained asset inventory crucial for mapping possible attacker paths and effective network defense.
- “The asset inventory, it's useful for a multitude of reasons and it's useful for figuring out an attacker's path...” (Ashley, 17:06)
5. Targeting Patterns and Impact
- Focus on High-Value, Multipoint Organizations:
- Targeting of SaaS providers and law firms is strategic for downstream access to their customers’ environments and data.
- “...they primarily were using that to then hit a multitude of downstream customers.” (Sarah, 20:46)
- Interest in Sensitive Data:
- Primary targets include legal, trade policy, and source code repositories—valuable for economic and strategic intelligence gathering.
6. Defensive Guidance and Takeaways
- EDR Blind Spots:
- Many edge devices (VMware vCenter, firewalls, appliances) lack endpoint detection and response (EDR), making them attractive targets.
- “We're seeing a shift of targeting to these systems that typically don't have EDR on them.” (Sarah, 22:32)
- Continuous Cyber Hygiene:
- Asset inventory and business impact analysis are essential. Identify and protect critical and high-value data and systems.
- “Cyber hygiene is important and continual cyber hygiene is important to that asset inventory.” (Ashley, 23:26)
- Moving Beyond IOCs:
- Static detection based purely on indicators of compromise (IOCs) such as IPs or hashes is insufficient. Emphasize behavioral detection and holistic visibility.
- “Static detection of atomic IOCs...that can't be...how we detect this activity. This intrusion alone has shown hashes and IPs and domains are really not going to be useful even in a singular intrusion, let alone across multitudes of intrusions.” (Ashley, 23:44)
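As an added example (not code from the podcast or from Mandiant), this is the kind of behavioral, inventory-driven check the guests describe in place of atomic IOC matching: it flags edge appliances that should never speak DNS over HTTPS, run over constructed proxy log lines. The hosts, addresses, roles and log format are all hypothetical.

```python
"""Behavioral check: edge appliances observed using DNS over HTTPS (DoH)."""
from dataclasses import dataclass

# Constructed asset inventory (hypothetical hosts). The role tag is what lets
# a defender say "a vCenter appliance has no business using DoH", so the rule
# keys on behavior plus asset role rather than on any hash, IP or domain.
ASSET_INVENTORY = {
    "10.0.5.10": "vcenter-appliance",
    "10.0.5.20": "perimeter-firewall",
    "10.0.9.44": "user-workstation",
}
EDGE_ROLES = {"vcenter-appliance", "perimeter-firewall", "vpn-gateway"}

# Constructed proxy/flow log lines: ts src dst:port method path content_type
SAMPLE_LOG = """\
2025-09-01T02:11:03Z 10.0.5.10 198.51.100.7:443 POST /dns-query application/dns-message
2025-09-01T02:11:09Z 10.0.9.44 203.0.113.5:443 GET /index.html text/html
2025-09-01T02:12:40Z 10.0.5.20 198.51.100.9:443 GET /dns-query?dns=AAABAAABAAAAAAAA application/dns-message
2025-09-01T02:13:01Z 10.0.9.44 203.0.113.8:443 POST /dns-query application/dns-message
"""


@dataclass(frozen=True)
class Alert:
    src: str
    role: str
    dst: str


def is_doh(method, path, content_type):
    """DoH (RFC 8484) uses /dns-query with an application/dns-message body,
    or a base64url 'dns=' query parameter on GET."""
    return content_type == "application/dns-message" or (
        path.startswith("/dns-query") and "dns=" in path)


def find_doh_from_edge(log_text, inventory=ASSET_INVENTORY):
    """Return one Alert per DoH request whose source is an edge-role asset.
    Workstation DoH is ignored here because browsers use it legitimately."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, method, path, ctype = line.split()
        role = inventory.get(src, "unknown")
        if role in EDGE_ROLES and is_doh(method, path, ctype):
            alerts.append(Alert(src, role, dst))
    return alerts
```

Because the rule depends on the inventory, an appliance missing from it falls through as "unknown", which is itself a finding worth surfacing in a real deployment.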
Notable Quotes & Memorable Moments
- Ashley on Per-Target Customization:
- “Each sample...is different from each other. There's no reuse of any of the C2 domains...That third subdomain is also unique across each of the variants that we've seen. So they haven't even reused that level...” (09:58)
- Sarah on the Power of Asset Inventory:
- “Having a fully fleshed out asset inventory...not even just useful for figuring out what points of your network barrier are weak...but it also, there's a saying...threat actors know an environment often better than the people who are constantly using that environment every day.” (Ashley, 19:24)
- Luke on Stealth and Operational Discipline:
- “Compared to some of the other typhoons...there is a level of stealth and operational discipline that I think we saw here...” (21:39)
Key Timestamps
- 01:59 – UNC5221 background and historical trends
- 03:43 – Targeting patterns and use of zero-day exploits
- 05:36 – Discovery of Brickstorm and edge device focus
- 06:51 – Actor’s “living off the land” approach
- 08:33 – Malware obfuscation and per-target customization
- 09:58 – Individualized C2 infrastructure and detection challenges
- 13:33 – Log retention and incident response hurdles
- 17:06 – Asset inventory and the "iceberg model"
- 20:46 – SaaS and law firm targeting, downstream exploitation
- 22:32 – EDR blind spots and defensive priorities
- 23:26 – Cyber hygiene, asset inventory, and limitations of IOCs
Final Takeaways
- UNC5221 exemplifies the modern, stealth-focused PRC APT with highly customized malware and shifting TTPs targeting edge devices.
- Organizations must proactively address EDR blind spots, enhance asset visibility, and prioritize behavioral and network-based threat detection.
- Cyber hygiene and a comprehensive, continuously updated asset inventory form the backbone of a resilient defense against highly evasive espionage actors.
For more detail, readers are encouraged to refer to the original blog post by Sarah Yoder and Ashley Pearson (linked in show notes).
