Particle.news

Google and Mandiant Reveal ‘Brickstorm’ Espionage With Yearlong Dwell in U.S. Networks

Researchers released hunting tools to prompt searches that could surface widespread, previously unseen compromises.

Overview

  • GTIG and Mandiant report an average dwell time of roughly 393–400 days for Brickstorm intrusions before detection.
  • Primary targets included legal services, technology firms, SaaS providers and BPOs, with access leveraged to reach downstream customers.
  • Investigators cite likely exploitation of edge devices and consistent targeting of VMware vCenter/ESXi systems that lack EDR coverage.
  • Operators exfiltrated email via Microsoft Entra ID Enterprise Apps and used a SOCKS proxy to tunnel into internal systems, harvesting credentials with the Bricksteal servlet filter.
  • Attribution overlaps with suspected Chinese cluster UNC5221; governments were notified, and the new scanner and YARA rules can aid hunts but may miss some variants.