China’s Brickstorm Malware: A Silent Cyber Invasion


Imagine discovering that spies have secretly lived inside your home's walls for over a year, quietly stealing your secrets and even controlling your lights. That is what has happened to many U.S., allied and Asia-Pacific organizations at the hands of China's Brickstorm malware since 2023, according to U.S. and Canadian security agencies. Once planted, the malware stays hidden on servers and networks for an average of about 393 days, more than a year, gathering sensitive information and positioning its operators to disrupt systems. It blends in by mimicking normal system activity and by sending stolen data over channels that look harmless, which makes it very hard to detect. The threat shows how a state-backed intruder can spy, and lay the groundwork for damage, for a very long time without being noticed.

According to CyberScoop, Brickstorm is a flexible backdoor written in Go, built in layers that are designed to slip past the common defences large companies rely on, such as YARA signatures and endpoint detection agents. It resolves its command-and-control servers over DNS-over-HTTPS (encrypted web requests to public resolvers, so the lookups never appear in the victim's own DNS logs), gives itself a startup entry so that it survives reboots, and runs a SOCKS proxy so the operators can tunnel quietly through the network and pull files using legitimate stolen logins. Consistent with UNC5221's tradecraft, including obfuscated code, the operators clone VMware vSphere virtual machines, including domain controllers, and mount the copies offline to lift the Active Directory database (ntds.dit) and its password hashes without ever logging in to the live server, leaving almost no trace. Because the implant lives on hypervisors and management appliances (the software that runs the virtual machines), where endpoint agents rarely run, it restarts unnoticed in exactly the spots defenders watch least. The author's conclusion is that China's enormous cyber investment is outpacing Western defences and feeding technology secrets into "Made in China 2025".

The attackers are now targeting U.S. technology companies, law firms, SaaS providers, business-process outsourcers (BPOs) and Asia-Pacific governments. In the VMware/F5 breach disclosed in October 2025, the intruders had been inside since 2023, hidden for years. Their goal is to steal source code, the email of senior executives and merger-and-acquisition files, which the author estimates costs billions in losses every year and gives China a major boost in the semiconductor race. They first study Asia-Pacific organizations, then enter through the virtualization layer, where they can copy entire machines and extract secrets without leaving traces on the machines themselves. For India, which depends on global technology supply chains and rare-earth imports, the risk is serious: a breach at one company can spread to partners and critical infrastructure, multiplying the damage.

CISA and its Canadian counterpart tie Brickstorm to the Chinese state-backed group UNC5221, which has been active since at least 2023. Its behaviour resembles the earlier Volt Typhoon campaign, which quietly pre-positioned inside infrastructure in preparation for potential conflicts involving Taiwan or India. CrowdStrike reports a 150% year-on-year increase in China-nexus cyber operations, combining intrusions with broader pressure tactics meant to weaken alliances and undermine international rules. The same approach is visible in China's attacks on telecom and critical infrastructure, and Google notes that these operations are built to stay hidden for the long term, serving both espionage and potential disruption. This growing aggression should be called out in forums such as BRICS and RIC, framed as a broader challenge to democratic systems and networks.

Organizations need to hunt actively for signs of this intrusion in their VMware vSphere and vCenter logs, apply the CISA-recommended detection rules, retain logs for well over a year (the 393-day average dwell time means anything shorter may miss the initial entry), and review every administrator and service account before declaring Brickstorm removed. A strong India-US-Japan cybersecurity partnership could help by sharing threat intelligence and blocking the tactics used by UNC5221. Raising public awareness matters too: social media campaigns linking cyber aggression to Uyghur human rights abuses and border tensions can increase pressure on Beijing and strengthen support for democratic nations. The first step is simple: check your logs today. A campaign that ran undetected for nearly 400 days shows how far Chinese cyber power has grown, but early threat hunting and international alliances can stop these operations before they turn into sabotage.
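The two behaviours described above (cloning virtual machines to harvest credentials offline, and the implant reaching out from a vSphere appliance over DNS-over-HTTPS) are exactly what a defender would hunt for in vCenter events and appliance network flows. The script below is an added example written for this page, not code from CISA, Google or the advisory, and it runs over constructed sample records rather than a real log export. The record layout (loosely modelled on vSphere's VmClonedEvent), the host name vcsa01, the approved-cloner list, the sensitive-VM name hints and the egress baseline are all assumptions that a real deployment would replace with its own.

```python
"""Hunt for Brickstorm-style activity over constructed sample data.

1. vCenter VM clone events that could be offline credential harvesting
   (a clone of a domain controller by an account that never clones VMs).
2. Outbound flows from a vSphere appliance that leave its expected baseline,
   in particular connections to public DNS-over-HTTPS resolvers.
3. A retention check: do the retained logs reach back past the 393-day dwell time?

Record shapes, host names and baselines are assumptions, not a real log format.
"""
from datetime import datetime, timedelta

# Assumed baseline: accounts allowed to clone VMs, and name fragments that mark
# credential-bearing VMs (domain controllers, federation servers, PKI).
APPROVED_CLONERS = {"VSPHERE.LOCAL\\backup-svc"}
SENSITIVE_HINTS = ("dc", "adfs", "pki")

# Public DoH endpoints. A vCenter appliance has no business talking to any of them.
DOH_ENDPOINTS = {"1.1.1.1", "8.8.8.8", "9.9.9.9",
                 "dns.google", "cloudflare-dns.com", "dns.quad9.net"}
# Assumed egress baseline for the appliance: only the internal patch mirror over HTTPS.
APPLIANCE_BASELINE = {"vcsa01": {("10.0.0.5", 443)}}

# Constructed sample events, loosely modelled on vSphere's VmClonedEvent fields.
SAMPLE_EVENTS = [
    {"type": "VmClonedEvent", "user": "VSPHERE.LOCAL\\backup-svc",
     "vm": "web-07", "time": "2025-03-02T02:10:00+00:00"},
    {"type": "VmClonedEvent", "user": "VSPHERE.LOCAL\\Administrator",
     "vm": "dc01", "time": "2025-03-03T03:41:00+00:00"},
    {"type": "VmClonedEvent", "user": "VSPHERE.LOCAL\\jsmith",
     "vm": "build-02", "time": "2025-03-03T11:02:00+00:00"},
    {"type": "VmPoweredOnEvent", "user": "VSPHERE.LOCAL\\jsmith",
     "vm": "dc01", "time": "2025-03-03T11:05:00+00:00"},
]

# Constructed sample flows leaving the appliance (duration in seconds).
SAMPLE_FLOWS = [
    {"src": "vcsa01", "dst": "10.0.0.5", "port": 443, "bytes": 120000, "duration": 4},
    {"src": "vcsa01", "dst": "1.1.1.1", "port": 443, "bytes": 2100, "duration": 1},
    {"src": "vcsa01", "dst": "203.0.113.20", "port": 443, "bytes": 9800000, "duration": 86400},
]


def find_suspicious_clones(events, approved=APPROVED_CLONERS, hints=SENSITIVE_HINTS):
    """Return (vm, user, reasons) for clone events by unapproved accounts
    or of credential-bearing VMs. Non-clone events are ignored."""
    hits = []
    for e in events:
        if e["type"] != "VmClonedEvent":
            continue
        reasons = []
        if e["user"] not in approved:
            reasons.append("unapproved account")
        if any(h in e["vm"].lower() for h in hints):
            reasons.append("sensitive VM")
        if reasons:
            hits.append((e["vm"], e["user"], reasons))
    return hits


def find_appliance_egress(flows, baseline=APPLIANCE_BASELINE, doh=DOH_ENDPOINTS,
                          long_session=3600):
    """Return (dst, port, tag) for flows that fall outside the appliance's baseline.
    Tags: 'doh-resolver' for public DoH endpoints, 'long-lived' for sessions of at
    least long_session seconds (a persistent C2 channel), else 'off-baseline'."""
    hits = []
    for f in flows:
        if (f["dst"], f["port"]) in baseline.get(f["src"], set()):
            continue
        if f["dst"] in doh:
            tag = "doh-resolver"
        elif f["duration"] >= long_session:
            tag = "long-lived"
        else:
            tag = "off-baseline"
        hits.append((f["dst"], f["port"], tag))
    return hits


def retention_covers_dwell(oldest_event_iso, now_iso, dwell_days=393):
    """True if retained logs reach back at least dwell_days before now.
    Shorter retention means the initial entry may already have aged out."""
    oldest = datetime.fromisoformat(oldest_event_iso)
    now = datetime.fromisoformat(now_iso)
    return (now - oldest) >= timedelta(days=dwell_days)


if __name__ == "__main__":
    for hit in find_suspicious_clones(SAMPLE_EVENTS):
        print("clone:", hit)
    for hit in find_appliance_egress(SAMPLE_FLOWS):
        print("egress:", hit)
    print("retention ok:", retention_covers_dwell("2024-01-01T00:00:00+00:00",
                                                   "2025-06-01T00:00:00+00:00"))
```

On the sample data the clone hunt flags dc01 (cloned by the built-in Administrator account, which is both off the approved list and a domain controller) and build-02 (an unapproved user), while the backup service account's clone of web-07 passes. The egress hunt flags the 1.1.1.1 connection as a DoH resolver and the day-long HTTPS session to 203.0.113.20 as a candidate C2 channel. In practice the event feed comes from the vCenter event API or forwarded syslog and the flows from the firewall in front of the management network; the point of the baseline is that an appliance should have a very short, fixed list of legitimate destinations, so anything else is worth a look.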
