Ongoing Chinese Campaigns: BRICKSTORM & RedNovember — Deep Technical and Policy Analysis
Two distinct but thematically related Chinese-linked espionage clusters have been active and reported on across 2024–2025. BRICKSTORM (tracked to UNC5221) is a Go-based backdoor used in long-running espionage against U.S. legal, SaaS, technology and BPO firms — often delivered through compromised edge devices or other intrusion vectors, and capable of credential theft, lateral movement and WebSocket or cloud-proxied C2. RedNovember (aka Storm-2077 / TAG-100) is a separate suspected state-sponsored cluster that targeted Oceania and U.S. entities — leveraging compromised VPNs/firewalls, Pantegana and Spark RATs, and Cobalt Strike to access government, defense and private-sector networks. Both campaigns illustrate persistent, stealthy access aligned with economic-intelligence priorities and demonstrate continued Chinese investment in contractor ecosystems, tooling diversity, and supply-chain leverage.
Why this matters
These campaigns are notable for three intersecting reasons:
- Targeting of high-value non-traditional targets: law firms, BPOs, SaaS providers and supply-chain vendors provide asymmetric access to intellectual property, legal strategies, and business processes that are valuable for economic espionage. BRICKSTORM specifically targeted these verticals over long dwell times.
- Use of edge/management appliances as footholds: BRICKSTORM variants run on devices that cannot host typical EDR agents (network appliances, management consoles), enabling lateral movement into infrastructure like VMware vCenter/ESXi — a high-payoff target for broad network compromise.
- Geographic reach and operational tempo: RedNovember’s campaign spanned Oceania, the Americas and other regions, combining open-source tools and commodity RATs with targeted exploitation of remote access infrastructure to compromise government and defense-adjacent organizations over months.
Part A — BRICKSTORM (UNC5221)
Overview & attribution
BRICKSTORM is a Go-language backdoor family attributed by multiple vendors and incident responders to a China-nexus cluster tracked as UNC5221. Google Threat Intelligence Group (GTIG) and several security vendors reported detections beginning in early 2025, with intrusions observed against U.S.-based legal services, SaaS providers, BPOs and technology firms. The campaign shows classic long-term espionage characteristics: stealthy persistence, credential harvesting, and lateral movement towards management infrastructure.
Tactics, techniques & procedures (TTP) — high level
- Initial foothold: compromise of edge appliances, vulnerable services, or supply-chain vectors to place the Go backdoor on devices that lack traditional endpoint defenses. NVISO and other responders documented deployments to edge devices and appliances.
- Persistence & C2: BRICKSTORM implements persistent callbacks via WebSocket/HTTP(S) tunnels and leverages DoH or cloud-proxied services (Cloudflare, Heroku) to blend C2 traffic into ordinary web traffic and evade network-based blocks.
- Credential theft & lateral movement: Operators used BRICKSTEAL-like tooling to harvest VMware vCenter credentials and moved laterally into virtual infrastructure, enabling access to ESXi/vCenter management planes and tenant workloads. Reports indicate average dwell times of roughly 393 days in some victim sets.
- Data staging & exfiltration: Once inside management infrastructure, attackers enumerated high-value data (source code, IP, contracts, litigation documents) and staged exfiltration through encrypted tunnels or cloud proxies to blend with legitimate web traffic.
Technical characteristics (non-actionable)
Observed BRICKSTORM traits across vendor write-ups:
- Written in Golang, with cross-platform builds for Linux/Windows/BSD-like appliances.
- Command set includes file system operations, process enumeration, network tunneling (SOCKS proxy), and execution of arbitrary commands.
- Resolves C2 via DNS-over-HTTPS and cloud-hosted frontends (e.g., Cloudflare Workers, Heroku). This reduces obvious IP/ASN indicators and allows dynamic C2 endpoints.
Notable incidents & impacts
Vendor and press reporting indicate multiple intrusions since March 2025 with slow exfiltration of IP and legal documents from targeted firms. At least some intrusions used BRICKSTORM as a pivot to reach VMware management layers, increasing the blast radius and enabling large-scale data access across tenants. Organizations impacted included technology vendors, SaaS suppliers and law firms supporting corporate transactions.
Detection & defensive guidance (high-level)
This section provides defensive, non-exploit guidance for defenders and SOCs.
- Harden edge appliances: apply vendor firmware updates, remove unnecessary management interfaces, and segment management networks from general user traffic. Monitor for unexpected outbound TLS/WebSocket sessions from appliances.
- Monitor for DoH/cloud-proxied anomalies: baseline DNS/DoH patterns and watch for persistent, low-volume DoH connections or WebSocket streams to cloud CDNs from appliance IPs.
- Protect VMware management planes: enforce MFA on vCenter/ESXi, rotate management credentials, and log/alert on unusual administrative API calls or new service accounts.
- Hunt for lateral movement: look for unusual SMB/WinRM/RDP patterns, privileged credential use, and signs of tunneling (reverse shells, unexpected SOCKS proxies). Share IOCs and telemetry with sector ISACs and cloud vendors.
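The appliance-scoped hunt described in the two monitoring points above (DoH from appliance IPs, and persistent low-volume or repeated sessions to cloud frontends such as Cloudflare Workers or Heroku), written out as an added example; it is not code from the original analysis or from any vendor report. The appliance inventory, DoH hostname list, cloud-frontend suffixes, thresholds and flow records are all constructed for illustration.

```python
"""Flow-log hunt for BRICKSTORM-style C2 signals: DoH, long-lived low-volume
sessions, or repeated short callbacks from appliances to cloud frontends."""
import json
from collections import defaultdict

# Assumed asset inventory: appliance IPs that cannot host an EDR agent.
APPLIANCE_IPS = {"10.0.5.2", "10.0.5.3"}
# Defender-maintained lists (assumed): public DoH endpoints, and the cloud
# frontends the analysis names (Cloudflare Workers, Heroku).
DOH_HOSTS = {"cloudflare-dns.com", "dns.google", "dns.quad9.net"}
CLOUD_FRONT_SUFFIXES = (".workers.dev", ".herokuapp.com")
LONG_SESSION_S, LOW_RATE_BPS, MIN_CALLBACKS = 600, 200, 3

# Constructed Zeek-like JSON flow records; hostnames and IPs are made up.
SAMPLE_FLOWS = """
{"ts": 1000, "src": "10.0.5.2", "dst": "198.51.100.10", "dport": 443, "sni": "cloudflare-dns.com", "duration": 2, "bytes": 900}
{"ts": 1010, "src": "10.0.5.2", "dst": "198.51.100.20", "dport": 443, "sni": "updates-cdn.workers.dev", "duration": 3600, "bytes": 48000}
{"ts": 1020, "src": "10.0.9.7", "dst": "198.51.100.20", "dport": 443, "sni": "updates-cdn.workers.dev", "duration": 3600, "bytes": 48000}
{"ts": 1030, "src": "10.0.5.3", "dst": "198.51.100.30", "dport": 443, "sni": "vendor-portal.example.com", "duration": 1200, "bytes": 9000000}
{"ts": 1040, "src": "10.0.5.3", "dst": "198.51.100.40", "dport": 443, "sni": "relay-7f3.herokuapp.com", "duration": 5, "bytes": 1500}
{"ts": 4640, "src": "10.0.5.3", "dst": "198.51.100.40", "dport": 443, "sni": "relay-7f3.herokuapp.com", "duration": 4, "bytes": 1400}
{"ts": 8240, "src": "10.0.5.3", "dst": "198.51.100.40", "dport": 443, "sni": "relay-7f3.herokuapp.com", "duration": 6, "bytes": 1600}
"""

def parse_flows(text):
    """Parse newline-delimited JSON flow records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def hunt(flows, appliances=APPLIANCE_IPS):
    """Return {appliance_ip: [(rule, sni), ...]} for flows that match a rule."""
    alerts, callbacks = defaultdict(list), defaultdict(int)
    for f in flows:
        src, sni = f["src"], f.get("sni", "")
        if src not in appliances:
            continue  # appliance-scoped hunt; user hosts are covered by EDR
        # Rule 1: DoH/DoT from an appliance bypasses the enterprise resolver's logs.
        if f["dport"] == 853 or sni in DOH_HOSTS:
            alerts[src].append(("appliance_doh", sni))
        if not sni.endswith(CLOUD_FRONT_SUFFIXES):
            continue
        # Rule 2: a long-lived session that moves almost nothing is tunnel-shaped.
        if f["duration"] >= LONG_SESSION_S and f["bytes"] / max(f["duration"], 1) < LOW_RATE_BPS:
            alerts[src].append(("persistent_lowvol_cloud_frontend", sni))
        # Rule 3: repeated short sessions to one frontend look like periodic callbacks.
        callbacks[(src, sni)] += 1
        if callbacks[(src, sni)] == MIN_CALLBACKS:
            alerts[src].append(("repeated_cloud_frontend_callbacks", sni))
    return dict(alerts)

if __name__ == "__main__":
    for host, hits in hunt(parse_flows(SAMPLE_FLOWS)).items():
        print(host, hits)
```

The same rules apply to the cloud-fronted C2 point under the recommendations section; in production the SNI and JA3/JA4 fields would come from the TLS log rather than being embedded in the flow record.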
Part B — RedNovember / Storm-2077
Overview & attribution
RedNovember (previously tracked by some vendors as TAG-100, with naming overlap with Storm-2077) is a suspected Chinese state-sponsored cluster that mounted a broad espionage campaign from mid-2024 through July 2025. Recorded Future and other intelligence vendors linked the cluster to operations that exploited internet-facing VPNs and firewalls, deployed Pantegana/Spark RATs and used Cobalt Strike for post-exploitation in targeted networks across Oceania, the U.S., Africa and Asia. The campaign focused on government, defense, aerospace and industry targets.
TTPs observed
- Initial access via exposed remote access infrastructure: compromised VPNs, misconfigured firewalls and exposed RDP/VPN endpoints were used to gain initial access.
- Payloads & tooling: Pantegana and Spark RAT families were used for remote control, credential harvesting and persistence; operators also deployed commodity tooling (Cobalt Strike) for privileged access and lateral movement.
- Target selection: Oceania public-sector and private organizations (central/regional governments, infrastructure providers), US defense contractors, and allied aerospace/technology firms. The regional focus in Oceania suggests targeting for both intelligence and regional influence.
Campaign timeline & scale
Open-source reporting indicates the campaign ran (or at least had notable activity) from June 2024 through July 2025, with clusters of intrusions spread across jurisdictions. The actors were opportunistic in their use of internet-exposed services and deliberate in follow-on exploitation to access sensitive programs in defense and government.
Defensive takeaways
- Harden remote access stacks: enforce MFA on VPNs, use strong device posture checks, and limit administrative access via jump hosts with robust logging.
- Response to commodity tooling: because RedNovember uses Cobalt Strike and RATs, SOCs should tune detections for Beacon patterns, anomalous SMB/CIFS use, and post-exploitation lateral movement. Share red-team signatures with peers.
- Regional cooperation: Oceania-facing organizations should coordinate across national CERTs and with partners to map indicators and respond to cross-border compromises.
Cross-campaign analysis — common themes and strategic implications
When BRICKSTORM and RedNovember are viewed together, several common strategic patterns emerge:
- Long dwell, targeted exfiltration: both campaigns prioritized persistence over noisy mass exploitation, enabling selective, high-value data extraction. BRICKSTORM’s long dwell in IP-rich environments and RedNovember’s slow exploitation of VPNs illustrate this approach.
- Edge & supply-chain exploitation: targeting of management appliances, VPNs, and supply-chain adjacent firms multiplies impact — compromising a SaaS or supplier can cascade into many downstream victims.
- Use of cloud/CDN/tunnelling to hide comms: cloud-fronted C2 and DoH/DNS tunneling complicate network-based detection; defenders must combine telemetry sources to detect low-and-slow exfiltration.
- Commoditization + deniability: RedNovember’s use of commodity RATs and BRICKSTORM’s modular backdoor indicate an operating model that mixes bespoke and off-the-shelf tooling to increase scale while retaining plausible deniability.
Operational risk to stakeholders
Organizations at elevated risk include:
- Law firms and legal services handling M&A, IP and cross-border litigation (BRICKSTORM targets).
- SaaS providers and BPOs that manage client data and sensitive business processes.
- Government ministries, defense contractors and aerospace suppliers (RedNovember).
- Organizations using single-pane management platforms (VMware vCenter/ESXi) without segmented access controls.
Recommendations — what defenders and leaders should do now
Strategic, non-operational guidance for CISOs, SOCs, and policy makers.
- Prioritize asset visibility & segmentation: inventory edge appliances and management consoles; ensure that management networks are isolated and that only hardened jump hosts can reach vCenter/ESXi consoles.
- Apply zero-trust to management planes: enforce strong MFA, short-lived credentials, device attestation, and strict RBAC for administrative systems. Log and retain admin session telemetry.
- Detect cloud-fronted C2: monitor for anomalous DoH, WebSocket, and persistent TLS sessions to CDN providers from unusual hosts. Combine endpoint telemetry with network logs for detection.
- Hunt with threat context: use IOC sets shared by vendors (GTIG, Mandiant, NVISO, Recorded Future) and engage in threat-intel sharing with sector peers and national CERTs.
- Plan for long-dwell incident response: incident retainer plans should include forensic readiness to investigate long-dwell implants, rebuild from clean images, and reset management-plane credentials at scale.
What to watch next
- Vendor advisories and IOCs from Google GTIG, Mandiant, NVISO and Recorded Future for BRICKSTORM/UNC5221 and RedNovember — these will contain the most actionable detection telemetry for SOCs.
- Reports of secondary compromises via suppliers and SaaS tenants that may reveal additional attack chains or new BRICKSTORM variants.
- Public disclosures of arrests, indictments or infrastructure takedowns tied to these clusters — these often precede new waves of activity or changes in tooling.
Selected sources & further reading
Key vendor reports and journalist coverage used to compile this analysis (selected):
- Google Threat Intelligence — BRICKSTORM advisory and GTIG analysis.
- Recorded Future — RedNovember / TAG-100 research summary.
- NVISO technical report — BRICKSTORM backdoor analysis (PDF).
- DarkReading, The Hacker News, BleepingComputer — consolidated reportage on campaigns and impacts.
- Security Affairs / CSO Online — incident and mitigation coverage.