




















F5 characterized the attacker as a “highly sophisticated nation-state” adversary. On October 15, 2025, F5 distributed a threat-hunting guide detailing a malware known as BRICKSTORM, used by Chinese state-backed hackers, to its customers. The suspected espionage group, UNC5221, is known for deploying this stealthy malware as a backdoor to maintain persistence.
Active since at least 2023, UNC5221 specializes in stealing source code from major tech companies to discover exploitable bugs in their products. The BRICKSTORM backdoor is a Go-based malware designed for network appliances (which often lack traditional Endpoint Detection and Response [EDR] visibility) and supports SOCKS proxying for stealthy remote access.
This actor’s operations prioritize maintaining long-term footholds on devices like servers or load balancers, with an average dwell time exceeding one year in victim networks. In F5’s case, the attackers reportedly maintained access to the network for at least 12 months before detection. While the initial access vector remains unconfirmed, UNC5221 is known to exploit zero-day vulnerabilities in perimeter appliances when possible.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。