A
Overall, they were definitely targeting and continue to target the types of entities that you would expect a Chinese espionage nexus group to go after. But I think seeing the targeting of SaaS providers in real time, if you will, on the investigation side was very interesting to see firsthand that they certainly had a presence in Organization A, but they primarily were using that to then hit a multitude of downstream customers.
B
Welcome to another episode of Mandiant's Defender's Advantage podcast. I am your host, Luke McNamara. Joining me today, I have in our virtual studio Sarah Yoder, who's a manager on Mandiant Consulting, and Ashley Pearson, who's a senior analyst on our advanced practices team here within Intel. Ashley, Sarah, great to have you here this afternoon.
A
Thanks, Luke. Happy to be here.
C
Yeah, thanks, Luke.
B
So we're talking about a recent blog that both of you were authors on, and you worked several of the incidents that the actor and the activity we're going to talk about were involved in. This is, of course, the Brickstorm malware and associated activity by the actor that we track as UNC5221. Maybe to begin with, and I don't know who to direct this question at, but maybe you, Ashley: UNC5221, they're not an actor that has kind of first come on the scene with this activity. We've seen them before. I think they've probably been discussed before publicly under a different name, but maybe just give us a sort of background on who this actor is historically, what they've done, and then we'll talk a little bit later about obviously this specific campaign.
C
Yeah, absolutely. Like you were saying, 5221 is not new to the scene by any means. We have talked about them publicly before. I'm sure a lot of people will probably recognize them as being tied to the Ivanti zero-days that occurred last year. So they were the main focal point of several blogs that we published last year in relation to that. They're a PRC-nexus espionage group that we've been tracking since at least 2023. So they've been at least under our radar for the last few years.
B
And I know some people, I think, have kind of publicly made the linkage to Silk Typhoon. That's something we've avoided putting into this blog, as we don't see that sort of connection manifest there. But some of this activity, at least historically, has been tied to sort of the Silk Typhoon clustering.
C
That's accurate. We mentioned in the blog that it's not tied to Silk Typhoon at this time, but if you look for public reporting, there's bound to be overlaps between what we track as 5221 and what the public is reporting for Silk Typhoon.
B
And you mentioned the PRC-nexus cyber espionage group. We'll get into this as we kind of progress. You know, there's certainly aspects of this activity, especially the most recent examples, that are very much in alignment with what we see these days from other PRC-nexus espionage groups in terms of the technical sophistication, the emphasis on stealth, maybe a little bit more so in this context. But before getting into the sort of the Brickstorm stuff, you know, kind of historically you mentioned Ivanti. But any sort of other interesting aspects about what we've seen from this actor before in terms of targeting? Is it sort of, again, more of your run-of-the-mill Chinese cyber espionage in terms of their areas of focus?
C
Yeah, sort of like what you mentioned, some of the activity that we see associated with this cluster is not necessarily atypical for other espionage clusters that we see. Like you mentioned, stealth is obviously a big thing when you're trying to gain as much intelligence on your victim as possible. I think some of the things that set 5221 apart from perhaps other clusters would be their proclivity towards zero-day or N-day exploitation. They do seem to target specifically edge devices. Edge device targeting seems to be their bread and butter. Some of the other things that might set them apart in terms of, like, victim targeting would be they do seem to pay attention to what types of victims may garner them a pretty wide net in terms of downstream targeting. So some of the things that we mentioned in the blog specifically would be legal firms, SaaS providers, things like that that will get them the biggest bang for their buck in terms of targeting.
B
Yeah, and I think a lot of those things you noted have very much become typical of certainly a sector of the Chinese APT space in more recent years. And thinking about, you know, people might remember the kind of pre-2015, 2016 more smash-and-grab era, this is very much in kind of the new normal of what we see from a lot of these Chinese APTs now.
C
Absolutely. Honestly, I feel like that bleed-over has even started occurring for non-PRC groups as well. Like, we've seen it with some financially motivated clusters as well. So I could definitely see it being a continuing trend.
B
So let's dive into the actual activity that you guys talk about in this blog. And Sarah, feel free to jump in here as well. But what essentially happened that ultimately led to the deployment of Brickstorm malware and what we observed in these campaigns?
A
So earlier this year we were working an investigation of a suspected UNC5221 case. And through that investigation we identified a Brickstorm backdoor that was placed on a VMware vCenter. Through the investigation and that observation, we then found multiple additional samples on other edge-device-type systems, network and security appliances, things like that. And through that process we were able to create some YARA rules that we were able to do some hunting with. Through that, we've kind of had an influx of these Brickstorm-specific cases. As Ashley mentioned earlier, we've been tracking 5221 for a while. But this kind of campaign, if you will, was very specific to the use of the Brickstorm malware, which is a Golang-based tunneler. It has the ability to run commands, upload/download files and proxy traffic, which is primarily what we see the threat actor using it for in the environment.
B
And was that the primary tool or piece of malware that we observed in these operations?
A
Yeah, that's correct. Overall, this threat actor minimally uses malware. They primarily focus on living off the land, but where needed, they will deploy malware such as Brickstorm to complete their mission. So they're able to exfil data from one system, but using the backdoors, they proxy, you know, the data exfilled and maybe have it leave the environment from a different system, which is what we saw a lot in this campaign.
B
So I think both of you have already touched a little bit on this. But one of the things that jumped out to me in reading this blog and this actor's activity, something maybe a little bit even more notable than what we've now come to see from a lot of the other Chinese APT actors, is the extent of stealth that this actor seemed to be very diligently, you could almost argue, kind of employing in their operations. And there's, I think, a couple of different ways that this stood out to me, but maybe we could actually start off with the dwell time and the fact that in at least, I know, some of the engagements, the stat was, and you probably have it off the top of your head, I think it was like 361 days, was the average dwell time. Over a year, definitely, that had been the case. So this is an actor that, at least from what we could tell, and I know in responding to breaches of this nature, when you have a dwell time that long, sometimes the difficulty in kind of retracing the steps of what took place can be very challenging, even determining the initial infection vector where, you know, the logs may no longer have been kept that could point to sort of the early instances of this actor. But yeah, maybe talk a little bit about sort of the dwell time and that aspect of, like, the stealth.
C
Yeah, I can touch a little bit on the stealth aspect here. Actually, directly related to Brickstorm, which is kind of the key player in this campaign that we're tracking, there's been some notable evolution specifically tied to Brickstorm, which kind of points towards a more concerted effort to remain as undetected as possible. So we actually first publicly reported on Brickstorm back in April 2024, which was tied to some of the 5221 activity that we had reported on and the Ivanti zero-days from that same time frame. Since that publication, as far as stealth goes and changes to Brickstorm, we've noted they've started implementing, like, very heavy obfuscation in the code to avoid detection.
A
And just to further Ashley's point on the stealth and sophistication of this malware family in particular, it appears that the threat actor is creating each variant specific to the system that they're going to place it on. So each sample either has its own obfuscation, it has its own C2 config. Sometimes they'll modify the actual functionalities in the sample that we see. So each one is very much unique, even though it overlaps with the rest of the malware family.
C
Yeah, and what's really interesting too, it's not even typically, I feel like, what we would see, which is engagement at Organization A has things unique to Organization A versus Organization B having its own set of unique things tied to perhaps the same malware family. But I think what's even more interesting about the way that we've seen Brickstorm deployed is even the samples contained within Org A are different from each other. So each sample, even in the same engagement, is different from the others. There's no reuse of any of the C2 domains, and if there is, it's extremely small reuse of any of that infrastructure associated with them. To the point where we're seeing three levels of domains used for C2 associated with Brickstorm. Right. So it'll be like the TLD and then two subdomains. That third subdomain is also unique across each of the variants that we've seen. So they haven't even reused that level of their domains, which is pretty interesting.
A
Interesting, and it makes it very difficult on the IR side to hunt for this type of activity. We've had some success with looking for DNS over HTTPS patterns in network logs. But because of both how the malware works and how they are using those network communications, it's very difficult to hunt for.
B
Yeah, because you think of examples where you might even have the same C2 being used for multiple victims, which is obviously, you know, from a hunt perspective, always useful to find where you're able to kind of pivot out and find, you know, other potential victims off of one victim being impacted. And then for an actor who wants to have more opsec and bifurcation of those different parts of the campaign, obviously not reusing the same C2 for the same org can be useful. But here you're talking about a whole other level of time and effort that has to go in to, you know, modify different samples, have different C2s for specific entities within the same, or within the same intrusion. And that level of dedication, I don't think, again, correct me if I'm wrong, but it's not something we see typically because of all the effort that is involved in kind of making that take place.
C
Yeah, absolutely. It's definitely a very, again, concerted effort to try and remain as undetected as possible. It's one thing when we observe high turnover in just an IP address, but when you're taking it a step further and it's high turnover of IPs and domains and those things are coded to the unique malware that they're using, like you said, that's just layers and layers of effort in remaining undetected.
B
And of course, this is just the malware component of this. You mentioned there's living-off-the-land techniques that they've employed. And it seems like the initial intrusion vector, to your point earlier, is very much in alignment with what we've seen elsewhere from other actors, including this one, of compromising edge infrastructure where you typically don't have EDR running, and so leveraging the blind spot there. But maybe speak a little bit to the challenge in some of these breach response investigations that you did when this activity took place, in some cases well over a year. What were some of the challenges of sort of missing artifacts or missing parts of the larger story here? Where did you kind of run into that?
A
Yeah, we ran into that all over the place, as we mentioned. Right. The dwell time is over a year. And not all organizations have log retention going back that far. Sometimes it's three months, sometimes six months, et cetera. Or sometimes, you know, they have things in hot storage versus cold storage, which can pose challenges of, you know, how much does an organization want to pay to unpause some of that data, for example. Additionally, environments change over the course of the years, just from an architecture standpoint, right? Maybe a lab environment that you had set up a few years ago, you don't need anymore. And so all of those systems have been decommissioned. There tends to be a pattern with these kinds of investigations that when that happens, that's of course where, you know, everything leads back to: the systems that don't exist anymore. So, you know, given that long dwell time, we've certainly run into not being able to get our hands on all the data that we would love to, just from the kind of practicality of it. I also wanted to make note that in these Brickstorm-specific cases, we have not identified the initial vector, at least to my knowledge. And again, I think that just goes back to that dwell time. We had some indications here and there that pointed towards certain edge devices and things being probably the source, but in most cases we were not able to definitively figure that out.
B
You mentioned earlier having created some YARA rules and using those to hunt for this. What were the things that ended up being most useful, either from a telemetry or just a hunt process perspective, to finding this activity?
A
So for each organization we took a different approach. In some cases there was tooling in the environment, such as, like, backup scanning tools, that we could run those YARA signatures against. But in other cases where one Brickstorm was identified, we suspected that there was more. And the client ended up providing essentially, you know, images of 50-plus systems that we thought could be targeted. And we kind of reviewed those somewhat manually. So, you know, going back to kind of the theme of this whole podcast so far on the sophistication, this isn't the easiest threat actor to hunt for. And so we've had success there. I mentioned earlier a little bit the DNS over HTTPS traffic. So network logs have been very important for finding this. There's some patterns that we've been able to kind of identify. Given the right data set, it at least gives us something to kind of dive into there. But yeah, those are the kind of couple that come to mind.
B
For anyone that's had a chance to read the blog, and I would highly recommend people do, we'll include a link in the show notes to it. But if you have, you'll notice if you scroll down through the blog, there's this image and graphic of an iceberg, and this iceberg model is utilized to talk about the importance of asset inventory, which maybe people start to fall asleep when they hear the words asset inventory. But I think it is a very well made point by the authors. And then I think what this campaign really illustrates is how useful and important that is when you are trying to go back and recreate the picture of what took place. So maybe kind of walk us through the iceberg model and asset inventory, what those entail.
C
Like we were talking about earlier, the asset inventory is useful for a multitude of reasons, and it's useful for trying to figure out an attacker's path through multiple stages of the attacker life cycle. So it's great for knowing what your egress and ingress points are, knowing which areas in your environment attackers are likely to try to enter through. So knowing what edge devices you have, firewalls, VPNs, if you have any public-facing servers, any conferencing systems that are publicly accessible for whatever reason, those are kind of what we refer to in the iceberg as the known knowns, and the things that are most common across organizations that people should be aware of. Once you start diving a little bit deeper, I think that's where the asset inventory gets more difficult to maintain. Like Sarah was saying, organizations are constantly adding devices, decommissioning devices, onboarding new people, whether that's to the security team or as end users, or even on your server administration or network administration team. So some of these known unknowns and the unknown unknowns, and honestly, frankly, even some of the known knowns at this point, can be kind of hard to nail down because of that high turnover rate for systems within the environment. There's additional complexity that's added too, if your organization has recently or not so recently gone through a merger and acquisition, or if you have done any sort of partial or full migration to the cloud, whether that's just application migration to the cloud, or even just changing from on-premises hosted things to cloud-based resources.
B
Yeah, I think it is something where, for organizations that maybe haven't done those exercises to put together the assets they have, those gaps in visibility and understanding your environment become more apparent when you're dealing with an actor like this, and where maybe pieces of what they've done, how they approach targeting, we've seen elsewhere historically or even as part of this campaign. And so you kind of have an idea of, like, this is maybe how they are conducting a similar intrusion in your environment if you're responding to a breach. But if an organization has already gone through that exercise, then it's certainly a lot easier to at least guide some of that hunting.
C
Absolutely. And like I was saying earlier, having a fully fleshed-out asset inventory is not even just useful for figuring out what points of your network barrier are weak and may allow actors to gain access to the network. But also, there's a saying in the industry sometimes that threat actors know an environment oftentimes better than the people who are constantly using that environment every day. And I think that's partially because when they come in, they're going to effectively complete an asset inventory to try to find things that they are interested in taking. So they're completing at least part of this just by performing internal reconnaissance after they've gained access.
B
Anything that was interesting? I think, Sarah, you had already touched on or mentioned it before, but anything interesting in the targeting as part of this campaign? You know, we saw SaaS organizations, we saw law firms, I think some other tech companies, things that again are very much kind of commonplace amongst a lot of modern Chinese APT targeting. I think Sarah, Ashley mentioned, you know, the sort of follow-on targeting of those, either customers of a law firm or customers of a SaaS company, would obviously be attractive even to a range of different other types of actors. But anything in there in the kind of targeting patterns that was maybe notable or that stood out to you?
A
Yeah, as you already mentioned, overall they were definitely targeting and continue to target the types of entities that you would expect a Chinese espionage nexus group to go after. But I think seeing the targeting of SaaS providers in real time, if you will, on the investigation side was very interesting to see firsthand that they certainly had a presence in Organization A, but they primarily were using that to then hit a multitude of downstream customers. And when we were able to look at what they were targeting, even at some of those downstream customers, it was very much in line with legal firms, trade policy, source code, things like that.
B
So as we're kind of wrapping this up, any sort of, like, final takeaways or thoughts from responding to these investigations? Again, it seems like aspects of this are very much, again, typical of what we've seen historically from Chinese APTs. And so from that part, maybe not so remarkable, but even amongst that, you know, compared to some of the other Typhoons that get discussed publicly, there is a level of stealth and operational discipline that I think we saw here, and as you mentioned, this is not a new group, so, you know, we expect this activity in some form is going to continue. Any sort of kind of thoughts, either from responding to this? Again, I think some great points and takeaways around asset inventory and the importance there. But anything that organizations can kind of take home about this actor specifically, about this category of threat activity? Anything to kind of leave folks with?
A
Sure. I think in general we're seeing a shift of targeting to these systems that typically don't have EDR on them. So this, as we've mentioned, is not the only threat actor to target VMware vCenter. For example, we had recently released a blog about UNC3944 doing something very similar. I've also seen ransomware operators access the vCenter to then encrypt downstream ESXi hosts. So I think that's certainly something that organizations of all kinds can be more mindful of. Buying an EDR solution is not a one-step fix for your environment. Right. You can't just buy a product and call it good. The threat actors are staying up to date with what these trends are and figuring out ways to go kind of against the norm.
C
I think honestly the biggest takeaway, as somewhat unremarkable-seeming as it is, is, I guess, twofold really. Cyber hygiene is important, and continual cyber hygiene is important to that asset inventory. Doing the business impact analysis to see which of your devices in your network are truly, like, business critical or housing information that maybe threat actors may be interested in. Not just for this group or other Chinese groups. But, you know, there are core pieces of data that are interesting to threat actors regardless of where they're coming from. You know, PII, PHI, anything PI related to the company itself. So doing those cyber hygiene actions is very important. I think the other big takeaway is static detection of atomic IOCs has been something that the industry has been talking about moving away from, in the sense that that can't be, like Sarah said, it's not just, hey, we plug in some IPs and we plug in some hashes and we can detect this activity. This intrusion alone has shown hashes and IPs and domains are really not going to be useful even in a singular intrusion, let alone across multitudes of intrusions. Right. So shifting towards looking for behaviors that may be occurring consistently across all steps of the attacker lifecycle is really, really crucial. Not only for detecting Brickstorm and some of the activity that we talked about in this blog, but honestly for finding any sort of sophisticated-level threat actor that may have gained access to an environment.
B
Yeah, it's very much a kind of common theme. If you look back at some of the other recent episodes we put out, you mentioned vSphere and the targeting there. We did one with Stuart around that I would highly recommend folks check out, as well as some of the guidance and hardening guides we put out around making that a more difficult target to go after, because there is a lot of commonality in the focus now we see from espionage groups and extortion actors in going after that real estate in particular. So some great, excellent research here from a very evasive threat actor. So kudos to you both for this blog. We'll include a link in the show notes. And Sarah, Ashley, thank you for your time today.
C
Yeah, thanks so much for having us.
A
Thank you.
B
Take care.
Date: October 22, 2025
Host: Luke McNamara, Google Threat Intelligence Group (Mandiant)
Guests:
This episode takes a deep dive into the recent activity attributed to the threat actor group tracked as UNC5221. Luke McNamara interviews Sarah Yoder and Ashley Pearson, who co-authored a recent blog post detailing the group's campaign targeting edge devices with the customized "Brickstorm" malware. The conversation explores UNC5221's historical behavior, technical tradecraft and sophisticated stealth techniques, and provides key defensive takeaways for organizations.
Ashley on Per-Target Customization:
Sarah on the Power of Asset Inventory:
Luke on Stealth and Operational Discipline:
For more detail, readers are encouraged to refer to the original blog post by Sarah Yoder and Ashley Pearson (linked in show notes).