{"id":8011,"date":"2025-09-24T09:00:00","date_gmt":"2025-09-24T14:00:00","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=86102"},"modified":"2025-09-24T09:00:00","modified_gmt":"2025-09-24T14:00:00","slug":"brickstorm-malware-powering-next-level-chinese-cyberespionage-campaign","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/09\/24\/brickstorm-malware-powering-next-level-chinese-cyberespionage-campaign\/","title":{"rendered":"Brickstorm malware powering \u2018next-level\u2019 Chinese cyberespionage campaign"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v24.5 (Yoast SEO v24.5) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ --> <title>Brickstorm malware powering \u2018next-level\u2019 Chinese cyberespionage campaign | CyberScoop<\/title> <meta name=\"description\" content=\"Mandiant and Google have identified \u201cBrickstorm,\u201d a sophisticated, suspected China-linked hacking campaign targeting U.S. tech firms, legal organizations, and BPOs. The operation often goes undetected for more than a year, leveraging stealthy methods to infiltrate environments.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/chinese-cyberespionage-campaign-brickstorm-mandiant-google\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Brickstorm malware powering \u2018next-level\u2019 Chinese cyberespionage campaign\"> <meta property=\"og:description\" content=\"Mandiant and Google have identified \u201cBrickstorm,\u201d a sophisticated, suspected China-linked hacking campaign targeting U.S. tech firms, legal organizations, and BPOs. 
The operation often goes undetected for more than a year, leveraging stealthy methods to infiltrate environments.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/chinese-cyberespionage-campaign-brickstorm-mandiant-google\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" content=\"2025-09-24T14:00:00+00:00\"> <meta property=\"article:modified_time\" content=\"2025-09-24T14:41:55+00:00\"> <meta property=\"og:image\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2024\/11\/GettyImages-591881449.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1278\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Tim Starks\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@timstarks\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\"> <!-- \/ Yoast SEO Premium plugin. 
--> <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1754500264g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1757443701g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1753281318g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=13897d660a0ac2c9c7d1\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/86102\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.8.2\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=86102\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fchinese-cyberespionage-campaign-brickstorm-mandiant-google%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" 
href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fchinese-cyberespionage-campaign-brickstorm-mandiant-google%2F&amp;format=xml\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"wp-singular post-template-default single single-post postid-86102 single-format-standard wp-theme-scoopnewsgroup wp-child-theme-cyberscoop\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/chinese-cyberespionage-campaign-brickstorm-mandiant-google\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" 
\/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"26.089285714286\">\n<div class=\"single-article__header-content\" readability=\"35.480676328502\">\n<p> The researchers who uncovered the \u201cvery, very advanced adversary\u201d behind the malware said it could be a big problem years into the future. <\/p>\n<p> <!-- Listen to this article section --> <!-- Audio Element --><br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/86102\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p> <!-- Countdown Timer --> <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p> <!-- Tooltip --> <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. 
<\/span> <\/p>\n<\/div>\n<p> <!-- End of audio player --> <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"427\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/brickstorm-malware-powering-next-level-chinese-cyberespionage-campaign.jpg?resize=640%2C427&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/brickstorm-malware-powering-next-level-chinese-cyberespionage-campaign-2.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/brickstorm-malware-powering-next-level-chinese-cyberespionage-campaign-2.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/brickstorm-malware-powering-next-level-chinese-cyberespionage-campaign-2.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/brickstorm-malware-powering-next-level-chinese-cyberespionage-campaign-2.jpg?resize=1024,683 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/brickstorm-malware-powering-next-level-chinese-cyberespionage-campaign-2.jpg?resize=1536,1025 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/brickstorm-malware-powering-next-level-chinese-cyberespionage-campaign-2.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/brickstorm-malware-powering-next-level-chinese-cyberespionage-campaign-2.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/brickstorm-malware-powering-next-level-chinese-cyberespionage-campaign-2.jpg?resize=505,337 505w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/brickstorm-malware-powering-next-level-chinese-cyberespionage-campaign-2.jpg?resize=1012,675 1012w, 
https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/brickstorm-malware-powering-next-level-chinese-cyberespionage-campaign-2.jpg?resize=1264,843 1264w\" sizes=\"(max-width: 1012px) 100vw, 1012px\"><figcaption> Bricklayer worker installing bricks on construction site; Pramote Polyamate, Getty Images <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"72.418403020557\"><body readability=\"148.65659135119\"><\/p>\n<p>Ambitious, suspected Chinese hackers with a slew of goals \u2014 stealing intellectual property, mining intelligence on national security and trade, developing avenues for future advanced cyberattacks \u2014 have been setting up shop inside U.S. target networks for exceptionally long stretches of time, in a breach that the researchers who uncovered it said could present problems for years to come.<\/p>\n<p>Mandiant and Google Threat Intelligence Group (GTIG) researchers described the campaign as exceptionally sophisticated, stealthy and complex, calling those behind it a \u201cnext-level threat.\u201d But they don\u2019t yet have a full handle on who the hackers are behind the malware they\u2019ve dubbed Brickstorm, or how far it stretches. <a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/brickstorm-espionage-campaign\">A blog post<\/a> the company posted Wednesday sheds light on the group.<\/p>\n<p>The primary targets are legal services organizations and tech companies that provide security services, the researchers said. But the hackers aren\u2019t limiting their interest to the primary targets, since they\u2019ve used that access to infiltrate \u201cdownstream\u201d customers. The researchers declined to describe those downstream customers, or say whether U.S. federal agencies are among those targeted. 
A great many of them don\u2019t know yet that they\u2019re victims, they said.<\/p>\n<p>By stealing intellectual property from software-as-a-service (SaaS) firms, the hackers aim to find future zero-day vulnerabilities, a kind of vulnerability that is previously unknown and unpatched and thus highly prized, in order to enable more attacks down the line, the researchers from Mandiant and its parent company Google said.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The researchers declined to comment on possible Chinese government agency connections. But they see overlap with Chinese hacking groups like the one they\u2019ve labeled UNC5221 \u2014 perhaps best known for <a href=\"https:\/\/cyberscoop.com\/china-espionage-group-ivanti-vulnerability-exploits\/\">exploiting Ivanti flaws<\/a>, and a group that Mandiant and GTIG described as the \u201cmost prevalent\u201d Chinese-centered threat group right now \u2014 and the one Microsoft calls Silk Typhoon, which researchers warned recently has been <a href=\"https:\/\/cyberscoop.com\/crowdstrike-silk-typhoon-murky-panda-china-espionage\/\">ramping up its attacks<\/a> this year, with targets including <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/03\/05\/silk-typhoon-targeting-it-supply-chain\/\">IT supply chains<\/a> and <a href=\"https:\/\/www.cybersecuritydive.com\/news\/china-hacker-silk-typhoon-cloud\/758409\/\">the cloud<\/a>. 
Silk Typhoon is believed to be Chinese government-sponsored.&nbsp;<\/p>\n<p>The company has also developed <a href=\"https:\/\/github.com\/mandiant\/brickstorm-scanner\">a tool<\/a> for potential victims to discover if they\u2019ve been affected by Brickstorm activity, which Google experts indicated is a distinct possibility that could impact scores of organizations over the coming weeks.<\/p>\n<p>\u201cWe have no doubt that organizations will use our tools to hunt for this adversary, and they will find evidence of compromise in their environments,\u201d Charles Carmakal, chief technology officer at Mandiant Consulting, told reporters briefed on the blog post. \u201cAnd it may be active compromises, it might be historic compromises, but many of our organizations are going to discover that they were dealing with this adversary.\u201d&nbsp;<\/p>\n<h3 class=\"wp-block-heading\" id=\"h-sneaky-sneaky\">Sneaky, sneaky<\/h3>\n<p>The campaign\u2019s average \u201cdwell time\u201d is 400 days, they said, compared to dwell times more commonly measured in <a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/m-trends-2025\">days or weeks<\/a>.&nbsp;<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Several features obscure Brickstorm activity. \u201cIt\u2019s very hard to detect them and to investigate them,\u201d said Austin Larsen, principal threat analyst at GTIG.<\/p>\n<p>The hackers target systems that don\u2019t support defenses for finding and tracking threats on endpoints, such as laptops or cell phones. Examples of target systems that don\u2019t support that kind of endpoint detection and response (EDR) include email security gateways or vulnerability scanners. 
They consistently target VMware vCenter and ESXi hosts, according to the blog post.<\/p>\n<p>The researchers also never see overlap in the attackers\u2019 internet protocol (IP) addresses between victims, Larsen said, or in another way of identifying attackers: \u201cThe hashes when they land on this are different for essentially every system.\u201d<\/p>\n<p>Brickstorm attackers also \u201cclean up after themselves\u201d at times, Carmakal said. \u201cBrickstorm may not exist in a victim environment today, but it could have been there for a year and a half. It might have been deleted back in April this year, back in January this year,\u201d he said.<\/p>\n<h3 class=\"wp-block-heading\" id=\"h-what-they-want\">What they want<\/h3>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Brickstorm also isn\u2019t just about one goal. \u201cIt\u2019s an intelligence operation, but not just an intelligence operation,\u201d said John Hultquist, chief analyst at GTIG. \u201cThis is a long-term play.\u201d<\/p>\n<p>The hackers are primarily compromising victims through zero-days, but they\u2019re aiming to uncover new ones, too, by going through companies\u2019 proprietary source code. That gives them multiple ways to penetrate new victim networks.<\/p>\n<p>The Brickstorm hackers \u201chit the SaaS providers, who either hold data for people, or they have some connectivity to downstream,\u201d Hultquist said. Or, he said, the group can \u201cget a hold of the technology source code and leverage that source code information to gain access or to build out exploits in that technology, which would then give [them] basically a skeleton key to that technology.\u201d<\/p>\n<p>But its victims can be even more precise than that. 
\u201cAs part of this campaign, we observed in some organizations \u2014 including some legal organizations \u2014 we observed the actor searching the emails of very specific individuals,\u201d Larsen said. The hackers have focused on collecting intelligence on international trade and national security from those organizations.<\/p>\n<p>Google has been <a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/ivanti-post-exploitation-lateral-movement?hl=en\">tracking Brickstorm<\/a> for a while now. This spring, Belgian cybersecurity company NVISO also <a href=\"https:\/\/blog.nviso.eu\/wp-content\/uploads\/2025\/04\/NVISO-BRICKSTORM-Report.pdf\">shined the spotlight<\/a> on Brickstorm variants spying on European businesses. Google\u2019s latest blog post identifies Brickstorm activity as far more extensive than previously described.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<h3 class=\"wp-block-heading\" id=\"h-the-response\">The response<\/h3>\n<p>Mandiant and GTIG have notified U.S. federal agencies and international governments about the campaign.<\/p>\n<p><a href=\"https:\/\/github.com\/mandiant\/brickstorm-scanner\">The tool<\/a> is a scanner script that can be used on Unix systems, even if YARA (a common security tool used to find and identify malware) isn\u2019t installed. This script is designed to do the same type of search as a specific YARA rule by looking for certain words and patterns that are unique to the Brickstorm backdoor.<\/p>\n<p>\u201cThe most important thing here is, if you find Brickstorm, you really need to do a very thorough enterprise investigation, because the adversary that\u2019s dropping this is a very, very advanced adversary that is known for stealing intellectual property from organizations,\u201d Carmakal said. 
\u201cIt\u2019s known for using access from victim companies to get into downstream customer environments.\u201d<\/p>\n<p>It\u2019s all a \u201cvery, very significant threat campaign [that\u2019s] very, very hard to defend against in tech,\u201d Carmakal said.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p><em>Updated 9\/24\/25: with additional information about past Brickstorm reporting.<\/em><\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\">\n<div class=\"author-card\" readability=\"7.7216117216117\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/brickstorm-malware-powering-next-level-chinese-cyberespionage-campaign-1.jpg?w=640&#038;ssl=1\" alt=\"Tim Starks\"> <\/figure>\n<\/p><\/div>\n<div class=\"author-card__details\" readability=\"10.901098901099\">\n<h4 class=\"author-card__name\">Written by Tim Starks<\/h4>\n<p> Tim Starks is senior reporter at CyberScoop. His previous stops include working at The Washington Post, POLITICO and Congressional Quarterly. An Evansville, Ind. native, he&#8217;s covered cybersecurity since 2003. Email Tim here: <a href=\"mailto:tim.starks@cyberscoop.com\">tim.starks@cyberscoop.com<\/a>. 
<\/div>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p> <!-- .popular-stories__stories --> <\/div>\n<p><!-- .popular-stories__inner -->\n<\/div>\n<p><!-- .popular-stories --> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- Start of 
HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a href=\"https:\/\/cyberscoop.com\/chinese-cyberespionage-campaign-brickstorm-mandiant-google\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Brickstorm malware powering \u2018next-level\u2019 Chinese cyberespionage campaign | CyberScoop Skip<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[3171,5075,5076,271,313,302,387,3729,1394,4547,646,419,3838,1181,310,288,3443,5077],"tags":[3173,5078,5079,277,316,306,391,3731,1395,4549,650,423,3840,1183,311,294,3446,5080],"class_list":["post-8011","post","type-post","status-publish","format-standard","hentry","category-backdoor","category-brickstorm","category-charles-carmakal","category-china","category-cyberespionage","category-geopolitics","category-google","category-google-threat-intelligence-group","category-ivanti","category-john-hultquist","category-mandiant","category-saas","category-silk-typhoon","category-surveillance","category-technology","category-threats","category-unc5221","category-vmware-esxi","tag-backdoor","tag-brickstorm","tag-charles-carmakal","tag-china","tag-cyberespionage","tag-geopolitics","tag-google","tag-google-threat-intelligence-group","tag-ivanti","tag-john-hultquist","tag-mandiant","tag-saas","tag-silk-typhoon","tag-surveillance","tag-technology","tag-threats","tag-unc5221","tag-vmware-esxi"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/backdoor\/\" rel=\"category tag\">backdoor<\/a> 
<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/brickstorm\/\" rel=\"category tag\">Brickstorm<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/charles-carmakal\/\" rel=\"category tag\">Charles Carmakal<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/china\/\" rel=\"category tag\">China<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cyberespionage\/\" rel=\"category tag\">cyberespionage<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/geopolitics\/\" rel=\"category tag\">Geopolitics<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/google\/\" rel=\"category tag\">Google<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/google-threat-intelligence-group\/\" rel=\"category tag\">Google Threat Intelligence Group<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ivanti\/\" rel=\"category tag\">Ivanti<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/john-hultquist\/\" rel=\"category tag\">John Hultquist<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/mandiant\/\" rel=\"category tag\">Mandiant<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/saas\/\" rel=\"category tag\">SaaS<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/silk-typhoon\/\" rel=\"category tag\">Silk Typhoon<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/surveillance\/\" rel=\"category tag\">surveillance<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/technology\/\" rel=\"category tag\">Technology<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/unc5221\/\" rel=\"category tag\">UNC5221<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/vmware-esxi\/\" rel=\"category tag\">VMware ESXi<\/a>","tag_info":"VMware 
ESXi","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8011","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=8011"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8011\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=8011"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=8011"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=8011"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}