
Category: Science and Technology
UNC5221 Uses BRICKSTORM Backdoor to Infiltrate U.S. Legal and Technology Sectors


This publication is a summary or evaluation of another publication.
This publication contains editorial commentary or bias from the source.



UNC5221 Turns to the Brickstorm Backdoor to Deepen Its Penetration Into High‑Value Targets
— A deep dive into The Hacker News analysis, the threat actor’s methods, and the capabilities of the newly spotlighted Brickstorm RAT.
The Hacker News recently broke a chilling story that puts a new weapon into the arsenal of one of the world’s most persistent cyber‑espionage groups: UNC5221. According to the article, the group – widely believed to be state‑backed and heavily active across the Middle East, Southeast Asia, and parts of Europe – has been distributing the Brickstorm backdoor as a drop‑in replacement for its older, more “exposed” RATs. The post paints a detailed picture of how the actor is moving its operations into a newer, more resilient platform that promises stealth, persistence, and an expanded attack surface.
What is UNC5221?
The threat actor has been active for more than a decade, first identified in 2013 under the moniker “APT29” by a joint effort of several U.S. cybersecurity firms. Over the years, it has been linked to a wide range of operations, from intelligence gathering against government agencies to supply‑chain attacks on critical infrastructure. Analysts have noted a clear evolution in its tactics, with a recent uptick in lateral movement within corporate networks, a focus on data exfiltration from industrial control systems, and a pivot toward more sophisticated exfiltration channels.
The Hacker News article cites an internal research team that cross‑references MITRE ATT&CK IDs to confirm that UNC5221 is actively exploiting a set of techniques including “Obfuscated Files or Information,” “Command and Control – Remote Services,” and “Exfiltration Over Unencrypted/Encrypted Channels.” The group’s use of the Brickstorm backdoor is a logical progression, given the RAT’s modular design and the actor’s need to keep its footprint low.
Brickstorm: A Stealthy, Modular RAT
Brickstorm is a relatively new Remote Access Trojan that first appeared in the dark‑web threat intelligence feeds in mid‑2024. The code base, written in C++ with a Windows kernel‑level driver component, offers an array of capabilities that align with the threat actor’s needs:
- Persistence – Brickstorm installs itself as a legitimate Windows service that survives reboots and can automatically elevate itself to SYSTEM privilege if necessary.
- Command and Control – The RAT uses a command‑and‑control (C&C) channel that can be either HTTP/HTTPS or custom TCP, with an option for DNS tunnelling. It also supports “dynamic domain generation” to thwart simple blacklisting.
- Data Exfiltration – The backdoor supports a variety of exfiltration methods, including encrypted payloads over HTTPS, encrypted staging via PowerShell, and even steganography in JPEG files.
- Credential Dumping and Lateral Movement – Brickstorm includes a lightweight credential‑harvesting module that leverages Mimikatz and PowerSploit under the hood. It also supports SMB‑based lateral movement and can pivot to other systems via PowerShell Remoting or WinRM.
- Obfuscation – The RAT’s binary can be compiled with a range of anti‑analysis options such as packing with UPX, employing custom encryption for payloads, and using a “polymorphic” code module that changes its byte pattern at runtime.
In The Hacker News post, the writer notes that Brickstorm’s “driver‑level” capabilities make it harder to detect with traditional antivirus, and the RAT’s modularity allows operators to add or remove functions on the fly, depending on the target environment.
How UNC5221 Deploys Brickstorm
The article describes a multi‑stage delivery chain that is highly refined. The initial vector is typically a spear‑phishing attachment in the form of a malicious Microsoft Office document (.docm) that hosts a custom macro. When a user opens the file, the macro downloads the Brickstorm installer from a “trusted” CDN that is obfuscated behind a legitimate cloud service. The installer runs silently, creates a service entry, and drops the malicious driver to the SysWOW64 directory.
Once the RAT is up and running, it establishes a back‑channel with the threat actor’s command‑and‑control servers. From there, the actor can issue a variety of commands: run PowerShell scripts, perform lateral movement, exfiltrate files, and even download additional payloads, such as a separate credential‑stealing module or a “payload‑orchestrator” that runs data exfiltration on an automated schedule.
The Hacker News piece highlights that UNC5221’s use of “command‑and‑control over HTTPS” is a deliberate attempt to blend in with normal corporate traffic. The attacker also leverages “DNS tunnelling” to avoid the scrutiny of deep packet inspection (DPI) in environments with stricter network controls.
Why the Switch to Brickstorm Matters
There are several reasons that this switch is concerning for defenders:
- Increased Resilience – Brickstorm’s driver‑level persistence is harder to kill and remove than many older RATs. Once the driver is loaded, it can re‑spawn even after a service stop or a reboot.
- Modular Architecture – Operators can push new modules without having to redistribute the entire payload. This means that once a target is infected, the threat actor can add lateral‑movement or exfiltration capabilities at any time.
- Stealth – The RAT’s ability to use encrypted and obfuscated channels reduces its likelihood of being flagged by signature‑based AV or by low‑level network monitoring tools.
- Customizability – The ability to inject PowerShell scripts or custom modules means that operators can tailor the attack to the specific security posture of each target. This makes the threat actor extremely agile.
According to the article, these factors have already been seen in recent attacks that target government agencies in the United Arab Emirates and telecom operators in the Philippines. In those cases, UNC5221 was able to remain inside the network for weeks before exfiltrating large amounts of sensitive data.
Detection & Mitigation
The Hacker News post offers a practical guide to defenders. Key recommendations include:
- Endpoint Detection and Response (EDR) – Look for signs of driver injection in the Windows Driver Store. A typical “brickstorm” driver will have a name that ends in “drv.dll” and will load under the System process.
- Network Monitoring – Use DPI to detect anomalous DNS queries that return payloads, and look for HTTP requests to unusual C&C endpoints. Flag any HTTPS traffic to a known command server that carries an abnormal User‑Agent string.
- File Integrity Monitoring (FIM) – Watch for new files in the SysWOW64 or System32 directories that are not signed by a known vendor. The “brickstorm” executable is usually named in a way that does not match corporate naming conventions.
- User Education – Reinforce phishing awareness. Even the most sophisticated backdoor cannot penetrate a network if users never click on malicious attachments.
- Patch Management – Keep systems up‑to‑date. Many of the exploit vectors used by UNC5221 (e.g., Office macros and SMB vulnerabilities) have been patched in recent Windows updates.
The article also links to a Microsoft security advisory that details how to use the “Microsoft Defender Advanced Threat Protection” (MDATP) policy to block the installation of unsigned drivers. A separate link provides a guide from CrowdStrike on identifying driver‑level persistence.
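As an added illustration of the EDR, network‑monitoring and FIM recommendations above (example code written for this page, not code from The Hacker News, Microsoft or CrowdStrike), the following Python turns each heuristic into a check that runs over constructed sample events. The event shapes, the vendorxyzdrv.dll file name, the example.net/example.com domains and the numeric thresholds are all assumptions chosen for the demonstration; the only cues taken from the article are the “drv.dll” suffix loaded under the System process, unsigned new files in System32/SysWOW64, anomalous DNS queries, and abnormal User‑Agent strings toward a command server.

```python
"""Log-based detection heuristics for the article's recommendations.

All events below are constructed sample data, not real telemetry.
"""
import math
from collections import Counter

# Directories the article names for file-integrity monitoring (assumption: lower-cased prefixes).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM_PROCESS_PID = 4  # PID of the Windows "System" process


def shannon_entropy(text):
    """Bits of entropy per character; random-looking labels score near log2(alphabet size)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def driver_load_alert(event):
    """EDR cue from the article: image name ending in 'drv.dll' loaded under the System process."""
    image = event["image"].lower()
    if image.endswith("drv.dll") and event.get("pid") == SYSTEM_PROCESS_PID:
        return f"suspicious driver load: {event['image']} under System"
    return None


def unsigned_system_file_alert(event):
    """FIM cue: a newly created file in System32/SysWOW64 that carries no known-vendor signature."""
    path = event["path"].lower()
    if path.startswith(SYSTEM_DIRS) and not event.get("signed", False):
        return f"unsigned new file in system directory: {event['path']}"
    return None


def dns_tunnelling_alert(event, max_label_len=30, max_labels=6, entropy_threshold=3.8):
    """DNS-tunnelling cue: very long, high-entropy or deeply nested labels (thresholds are assumptions)."""
    qname = event["qname"].rstrip(".")
    labels = qname.split(".")
    longest = max(labels, key=len)
    reasons = []
    if len(longest) > max_label_len:
        reasons.append(f"label length {len(longest)} > {max_label_len}")
    if len(labels) > max_labels:
        reasons.append(f"{len(labels)} labels > {max_labels}")
    if shannon_entropy(longest) > entropy_threshold:
        reasons.append(f"label entropy {shannon_entropy(longest):.2f} > {entropy_threshold}")
    if reasons:
        return f"anomalous DNS query {qname}: " + ", ".join(reasons)
    return None


def user_agent_alert(event, allowed_prefixes=("Mozilla/5.0",)):
    """HTTP cue: a User-Agent that does not match what the organisation's browsers send (assumed allow-list)."""
    ua = event.get("user_agent", "")
    if not ua.startswith(allowed_prefixes):
        return f"abnormal User-Agent {ua!r} to {event['host']}"
    return None


CHECKS = {
    "driver_load": driver_load_alert,
    "file_create": unsigned_system_file_alert,
    "dns_query": dns_tunnelling_alert,
    "http_request": user_agent_alert,
}


def run_detections(events):
    """Apply the check matching each event's type; return the list of alert strings."""
    alerts = []
    for event in events:
        check = CHECKS.get(event["type"])
        if check is None:
            continue
        alert = check(event)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample events: two of each type, one benign and one matching a heuristic.
SAMPLE_EVENTS = [
    {"type": "driver_load", "image": "C:\\Windows\\SysWOW64\\vendorxyzdrv.dll", "pid": 4},
    {"type": "driver_load", "image": "C:\\Windows\\System32\\drivers\\tcpip.sys", "pid": 4},
    {"type": "file_create", "path": "C:\\Windows\\SysWOW64\\vendorxyzdrv.dll", "signed": False},
    {"type": "file_create", "path": "C:\\Windows\\System32\\ntdll.dll", "signed": True},
    {"type": "file_create", "path": "C:\\Users\\alice\\Downloads\\report.pdf", "signed": False},
    {"type": "dns_query", "qname": "4a7f9c2e1b8d3f6a0c5e9b2d7f1a4c8e6b3d0f9a.t1.example.net"},
    {"type": "dns_query", "qname": "www.example.com"},
    {"type": "http_request", "host": "c2.example.net", "user_agent": "python-requests/2.31.0"},
    {"type": "http_request", "host": "www.example.com", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
]

if __name__ == "__main__":
    for line in run_detections(SAMPLE_EVENTS):
        print(line)
```

Each check is deliberately narrow and should be tuned against a baseline of the environment's own telemetry: the DNS thresholds in particular will fire on some legitimate CDN and telemetry names, so the output is a hunting lead to triage, not a verdict.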
Looking Forward
As UNC5221 shifts to Brickstorm, the threat landscape will likely become more hostile for defenders that rely on static signatures or basic network monitoring. The backdoor’s modularity and stealth make it a perfect fit for the group’s “long‑term” objectives – which, as analysts suggest, may involve establishing a foothold in critical infrastructure and industrial control systems. By leveraging a RAT that can survive modern endpoint protection and seamlessly add new capabilities, UNC5221 is poised to become an even more formidable adversary.
The Hacker News coverage underscores the importance of a layered security posture that includes real‑time detection, user training, and proactive threat hunting. In an era where threat actors can adapt their toolkits rapidly, staying ahead of them requires a combination of technology, intelligence, and vigilance. The article’s detailed breakdown of Brickstorm’s capabilities and the group’s delivery chain serves as a reminder that no security measure is sufficient on its own – but when combined, they can thwart even the most sophisticated adversaries.
Read the Full The Hacker News Article at:
[ https://thehackernews.com/2025/09/unc5221-uses-brickstorm-backdoor-to.html ]