September 9, 2021

Qilin Ransomware – A Double Extortion Campaign

I. Introduction

Ransomware remains one of the most damaging cyber threats to both public and private sectors in the U.S. In 2025, Qilin, also known as “Agenda”, became one of the most active ransomware operations targeting organizations worldwide, including U.S. state, local, tribal, and territorial (SLTT) entities [3]. First observed in 2022, Qilin grew rapidly after the decline of RansomHub in early 2025, absorbing many of its affiliates. Qilin operates under a Ransomware-as-a-Service (RaaS) model, in which a core group of cybercriminals develops, advertises, and leases its tooling and infrastructure to affiliates who carry out the intrusions. The group also uses a double extortion strategy: in addition to encrypting data and holding the key for ransom, affiliates steal critical data and threaten to sell or publish it as additional leverage against victims [3]. Qilin is notorious for targeting critical infrastructure, healthcare, manufacturing, and education organizations by exfiltrating their data, encrypting their systems, and leaking confidential information to force payment. This report provides an overview of the Qilin operation, the current threat landscape, its Tactics, Techniques & Procedures, Indicators of Compromise, and the defensive and mitigation strategies that can reduce the risk of a Qilin intrusion.

II. Threat Landscape / Targets

Qilin’s targets are selected opportunistically by its affiliates and span multiple sectors; the most frequently impacted are manufacturing, education, government, healthcare, critical services, and financial services. These industries are favored for their high financial value, which gives affiliates a better chance of extorting larger ransom payments. Incidents have been observed worldwide, although most activity has been in North America and Europe. Compromised targets share common infrastructure weaknesses, such as large, distributed networks, legacy systems, and misconfigured remote access services [6, 19]. Qilin’s highest-profile attack to date was on the UK pathology provider Synnovis (June 2024 below). The following examples highlight major attacks between June 2022 and August 2025:

  • June 2022 – Initial Discovery (Undisclosed Organization)
    • The first known Qilin ransomware case was detected when attackers gained access to a company’s Virtual Private Network (VPN) and compromised an administrator account. Using Remote Desktop Protocol (RDP), they pivoted into the organization’s Microsoft System Center Configuration Manager (SCCM) server, establishing persistence for further attacks. No data exfiltration was observed, but three systems were encrypted [6, 9].
  • July 2022 – Initial RaaS Appearance as ‘Agenda’
    • The group was first observed promoting their Ransomware-as-a-Service (RaaS) tool, named “Agenda,” which was written in the Go programming language and leased to affiliates [2, 20].
  • October 2022 – Public Appearance

    • Qilin made its first public appearance on a Dedicated Leak Site (DLS) under the name “Agenda,” confirming affiliate operations within the ransomware marketplace [6, 9].
  • December 2022 – Technical Evolution

    • Qilin was rewritten in the Rust programming language, improving its encryption speed, detection evasion, and cross-platform compatibility [2, 13].
  • April 2023 – Manufacturing Sector

    • Undisclosed Organization (APAC): A company in the Asia-Pacific region reported being attacked by the new Qilin variant written in Rust. The attackers used SMB, RDP, and WMI for lateral movement and abused default credentials. Approximately 30 GB of data was exfiltrated to MEGA cloud storage over SSL [6, 9].
  • January 2024 – Government Sector Attack

    • Australian Court System (Australia): Qilin conducted a double-extortion attack on the Australian judicial system, exfiltrating sensitive audiovisual court files to pressure the courts into paying [6, 19].
  • March 2024 – Additional Attacks

    • Qilin was linked to additional attacks across different industries and countries, including International Electro-Mechanical Services (U.S.), Felda Global Ventures Holdings Berhad (Malaysia), Bright Wires (Saudi Arabia), PT Sarana Multi Infrastruktur (Indonesia), Casa Santiveri (Spain) [8].
  • May 2024 – U.S. Enterprise Attack

    • Undisclosed Organization (U.S.): Qilin compromised a U.S.-based enterprise using default credentials and RDP for initial access and lateral movement. Data exfiltration was observed through FTP [9].
  • June 2024 – Healthcare Sector Attack

    • Synnovis (UK): Qilin demanded a $50 million ransom after attacking Synnovis, a pathology services provider supporting the UK National Health Service (NHS). The attack disrupted operations of multiple hospitals, caused thousands of appointment cancellations, and resulted in the theft of over 400 GB of patient data [1, 10].
  • April 2025 – Corporate Sector Attack

    • SK Inc. (South Korea): Qilin affiliates breached the servers of SK Inc., a major investment firm, exfiltrating over 1 TB of confidential corporate data that was later leaked online [6].
  • April 2025 – Critical Infrastructure Attack

    • City of Abilene (Texas, U.S.): A Qilin attack encrypted city systems and exfiltrated approximately 477 GB of data, resulting in one month of disruption to public services, including the public transit network [14].
  • May 2025 – U.S. Government Attack

    • Cobb County Government (Georgia, U.S.): Qilin claimed responsibility for exposing the personal and legal data of local government employees and citizens. Over 150 GB of files, including autopsy photos, driver’s licenses, and Social Security numbers, were stolen [5, 6].
  • June 2025 – Manufacturing Sector Attack

    • Shinko Plastics (Japan): Qilin was confirmed to be responsible for a ransomware attack on the Japanese manufacturer Shinko Plastics, claiming to have stolen 27 GB of files from the company [11].
  • July 2025 – Activity Peak

    • Qilin became the most active ransomware group worldwide, claiming 73 victims on its DLS, and demonstrating an increase in activity after recruiting new affiliates [7].
  • August 2025 – Additional Manufacturing Sector Attacks

    • Qilin claimed responsibility for two confirmed ransomware attacks on the manufacturing sector in Japan, against Nissan Creative Box and Osaki Medical [11].

With 84 victims between August and September of 2025, the Qilin Ransomware-as-a-Service (RaaS) operation became one of the most active ransomware groups [18].

III. Tactics and Techniques

Qilin uses a wide range of Tactics, Techniques, and Procedures (TTPs) to accomplish its goals. Its affiliates reportedly rely heavily on AI-generated content to improve phishing lures and build convincing pretexts, from harvesting information about their targets to producing believable digital impersonations of people and brands, and on automation to scale those campaigns while avoiding detection. This combination raises the success rate of their attacks [4, 16].

The following table shows their tactics and techniques, along with the corresponding MITRE ATT&CK IDs:

TACTIC | TECHNIQUE | MITRE ATT&CK ID
DESCRIPTION

Initial Access | Exploit Public-Facing Application | T1190
Qilin threat actors exploit the following FortiOS and FortiProxy vulnerabilities [21]:
  • CVE-2024-21762 for remote code execution.
  • CVE-2024-55591 for bypassing authentication.

Initial Access | Phishing: Spearphishing Attachment and Spearphishing Link | T1566
Qilin threat actors have been observed delivering malware through malicious email attachments and links [15].

Execution | Command and Scripting Interpreter: PowerShell | T1059.001
Qilin threat actors use embedded PowerShell scripts to deploy the Rust variant of Qilin across VMware vCenter and ESXi servers (enterprise virtualization systems), and use PsExec (a Windows remote-execution tool) to run the payload on Windows hosts during lateral movement [22].

Execution | Native API | T1106
Qilin calls the Windows API function LogonUserW with valid stolen credentials embedded in its configuration. Because the credentials are valid, Windows creates a normal logon session and returns a usable access token for that account.

Persistence | Boot or Logon Autostart Execution: Registry Run Keys | T1547.001
After executing, Qilin creates a RunOnce registry value named “aster” that points to enc.exe, a copy of the malware dropped in the Public folder. Windows therefore runs the ransomware once more at the next reboot [23].

Persistence | Boot or Logon Autostart Execution: Winlogon Helper | T1547.004
Qilin alters Winlogon settings so that Windows automatically runs the Qilin executable whenever a user signs in [23].

Defense Evasion | Modify Registry (expose admin-mapped network drives to encrypt more files) | T1112
Qilin alters registry settings so that administrator-mapped network drives are visible to all processes, including elevated ones, giving the encryptor access to shared folders, file servers, and network storage that it can then encrypt for ransom [23].

Privilege Escalation | Exploitation for Privilege Escalation (BYOVD) | T1068
Qilin threat actors may exploit vulnerabilities in legitimate but vulnerable signed drivers (Bring Your Own Vulnerable Driver) or other software components to gain higher privileges on compromised hosts, potentially achieving kernel-level access and disabling security controls to facilitate ransomware deployment [23].

Privilege Escalation | Valid Accounts: Domain Accounts | T1078.002
Qilin threat actors pivot from a low-privilege Citrix login to a high-privilege leaked or stolen Active Directory account over RDP (a remote-login protocol that provides full desktop access), then push system-wide changes through Group Policy Objects (GPOs) to deploy Qilin across the network [23].

Defense Evasion | Indicator Removal / Impair Defenses | T1070 / T1562
Qilin hides its activity by clearing Windows Event Logs, deleting or timestomping files, and self-deleting the malware to hinder forensic analysis [16].

Discovery | Cloud Service Dashboard; File and Directory Discovery | T1538 / T1083
Qilin threat actors review cloud admin portals to enumerate users, their roles, and whether protections such as multifactor authentication are enabled, then search SharePoint, file shares, and backup consoles to locate backup paths, credentials, and snapshots, preparing to disable recovery and prioritize targets [24].

Lateral Movement | Remote Services: SMB/Windows Admin Shares | T1021.002
Qilin raises the MaxMpxCt value in Windows to speed its spread across the network. It embeds PsExec and drops it in %Temp% under a random name to avoid file-based detection [25].

Exfiltration | Exfiltration Over Web Service | T1567
Qilin threat actors archive stolen files with WinRAR, then open Chrome in Incognito mode (so the browser saves no history) and upload the archives to easyupload.io, a public file-sharing site, so the transfer blends in with normal HTTPS web traffic [26].

Impact | Data Encrypted for Impact; Inhibit System Recovery | T1486 / T1490
Qilin threat actors use stolen ScreenConnect consoles to push Qilin to many downstream customers at once. Before encryption they disable backups to block restores, force Safe Mode with Networking so security tools do not start, delete Volume Shadow Copies to prevent rollback, and wipe event logs to hide activity. They map additional machines to prioritize targets, set a ransom-note wallpaper for leverage, use symbolic links to speed up encryption, and self-delete to erase evidence. Each tenant is encrypted with a unique 32-character password so that one decryptor cannot be reused across victims [26].

Table 1. MITRE ATT&CK Techniques Associated with Qilin Ransomware
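The following detection logic, added here as an example and not part of the original advisory or of any vendor product, evaluates constructed Sysmon-style records against the Table 1 rows for registry persistence (T1547.001, T1547.004), registry modification (T1112), recovery inhibition (T1490) and log clearing (T1070). The Sysmon field names (EventID, TargetObject, Details, CommandLine), the EnableLinkedConnections policy value as the key behind the T1112 row, C:\Users\Public as “the public folder”, and bcdedit as the command that forces Safe Mode are assumptions of the example.

```python
"""Detection checks for the registry, recovery-inhibition and log-clearing
behaviours in Table 1. Added example written for this advisory; it is not
Qilin code and not vendor tooling. Records are constructed to resemble Sysmon
Event ID 13 (registry value set) and Event ID 1 (process creation) exported as
JSON; the field names are an assumption, adapt them to your SIEM schema."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    attack_id: str
    reason: str
    record: dict


# Registry paths behind the T1547.001 / T1547.004 / T1112 rows. Assumptions:
# the "admin-mapped drives visible to all processes" row is the
# EnableLinkedConnections policy value, and the dropped copy of the malware
# sits under C:\Users\Public (Table 1 only says "the public folder").
RUN_KEYS = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
WINLOGON = re.compile(r"\\Windows NT\\CurrentVersion\\Winlogon\\(Shell|Userinit)$", re.I)
LINKED = re.compile(r"\\Policies\\System\\EnableLinkedConnections$", re.I)
MAXMPX = re.compile(r"\\Services\\LanmanServer\\Parameters\\MaxMpxCt$", re.I)
PUBLIC_DIR = re.compile(r"^(?:[A-Z]:\\Users\\Public\\|%PUBLIC%\\)", re.I)
WINLOGON_DEFAULTS = {"explorer.exe", r"c:\windows\system32\userinit.exe,"}

# Command lines behind the T1490 / T1070 rows. The bcdedit form is the usual
# way to force Safe Mode with Networking (an assumption; Table 1 names only
# the effect, not the command).
PROCESS_RULES = [
    ("T1490", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("T1490", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("T1490", re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\s+network", re.I)),
    ("T1070.001", re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
]


def dword_value(details: str) -> Optional[int]:
    """Parse Sysmon's 'DWORD (0x00000001)' rendering, or a bare integer."""
    m = re.search(r"DWORD\s*\(0x([0-9a-f]+)\)", details, re.I)
    if m:
        return int(m.group(1), 16)
    return int(details) if details.strip().isdigit() else None


def check_registry(rec: dict) -> Optional[Finding]:
    target = rec.get("TargetObject", "")
    details = rec.get("Details", "").strip().strip('"')
    if RUN_KEYS.search(target) and PUBLIC_DIR.search(details):
        return Finding("T1547.001", "Run/RunOnce value points into the Public folder", rec)
    if WINLOGON.search(target) and details.lower() not in WINLOGON_DEFAULTS:
        return Finding("T1547.004", "Winlogon Shell/Userinit changed from its default", rec)
    if LINKED.search(target) and dword_value(details) == 1:
        return Finding("T1112", "EnableLinkedConnections set to 1", rec)
    if MAXMPX.search(target):
        return Finding("T1112", "LanmanServer MaxMpxCt modified", rec)
    return None


def check_process(rec: dict) -> Optional[Finding]:
    cmd = rec.get("CommandLine", "")
    for attack_id, pattern in PROCESS_RULES:
        if pattern.search(cmd):
            return Finding(attack_id, "command line matched " + pattern.pattern, rec)
    return None


def scan(events: List[dict]) -> List[Finding]:
    """Return one Finding per event that matches a Table 1 behaviour, in order."""
    findings = []
    for rec in events:
        f = check_registry(rec) if rec.get("EventID") == 13 else check_process(rec)
        if f:
            findings.append(f)
    return findings


# Constructed sample telemetry (not real victim data). The last two records are
# benign noise that the rules must not flag.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Users\\Public\\enc.exe",
     "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\aster",
     "Details": "C:\\Users\\Public\\enc.exe"},
    {"EventID": 13, "Image": "C:\\Users\\Public\\enc.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell",
     "Details": "explorer.exe, C:\\Users\\Public\\enc.exe"},
    {"EventID": 13, "Image": "C:\\Users\\Public\\enc.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLinkedConnections",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": "C:\\Users\\Public\\enc.exe",
     "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\\MaxMpxCt",
     "Details": "DWORD (0x0000FFFF)"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\bcdedit.exe",
     "CommandLine": "bcdedit /set {default} safeboot network"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\wevtutil.exe",
     "CommandLine": "wevtutil cl Security"},
    {"EventID": 13, "Image": "C:\\Program Files\\Vendor\\setup.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorTray",
     "Details": "\"C:\\Program Files\\Vendor\\tray.exe\""},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.attack_id:10} {f.reason} <- {f.record['Image']}")
```

Run it directly to print the seven matches; the last two sample records show a legitimate vendor Run key and a harmless vssadmin list that the rules correctly ignore. In production, fold the Image field into the score as well: a Run value written by an executable that itself lives in a Public or Temp folder is a far stronger signal than the registry key alone.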

IV. Adversary Tools and Services

Attackers using Qilin usually gain initial access with valid accounts, often taken from credential dumps or phishing pages. Once inside, they move to reconnaissance, using VPN or RDP access to discover endpoints joined to the domain and to map the network, domain trusts, and backup servers for useful targets [18].

In the next stage of the attack chain, attackers harvest credentials with tools such as Mimikatz, search browsers and backup systems for secrets, and abuse those credentials to escalate privileges and move laterally. They routinely deploy legitimate RMM and remote-access software (AnyDesk, ScreenConnect, Splashtop, Atera, etc.) to manage compromised hosts and set the stage for later activity, along with file-transfer utilities (Cyberduck, WinSCP) and common built-in applications (mspaint, notepad, iexplore) to view and harvest information [18].

To evade detection, Qilin actors use BYOVD (bring-your-own-vulnerable-driver) exploits, enable Restricted Admin mode, disable AMSI scanning for PowerShell, and disable TLS certificate validation. To tunnel C2 traffic, they use SOCKS proxy DLLs or COROXY implants, sometimes hidden behind RMM infrastructure and legitimate cloud services. For persistent remote access, they have been observed using Cobalt Strike and SystemBC [18].

In one recent case, Qilin actors employed a hybrid approach: a cross-platform Linux ransomware binary was transferred to and executed on Windows endpoints through remote-management services and secure file-transfer tools, extending the group’s reach across Windows, Linux, and virtualized environments. Together, these capabilities make Qilin a significantly dangerous threat [18].

V. Indicators of Compromise (IOCs)

The table below presents the artifacts Qilin used in the STAC4365 campaign tracked by Sophos: phishing links and a look-alike ScreenConnect domain, installer paths, file hashes of the ransomware and of the Veeam exploit tool, Tor and C2 IPs, and the ransom note path. Taken from the SophosLabs GitHub IoC file “Ransomware-Qilin-STAC4365.csv” [17], these indicators show how initial access was gained, how tools were deployed, and where encryption and data theft occurred.

INDICATOR TYPE | DATA
DESCRIPTION

File path | C:\Users\<username>\Documents\<MSP name>.exe
The ransomware binary was saved and executed as a harmless-looking executable in the user’s Documents folder, named after the MSP (Managed Service Provider) whose ScreenConnect instance was abused.

SHA256 | fdf6b0560385a6445bd399eba03c8662be9e61928d6cbc268d550163a5a0928
SHA256 | 0b9b0715a1ffb427a02e61ae8fd11c00b5d086eb76102d4b12634e57285c1aba
SHA256 | 9da70c521b929725774c3980763a4aed9baf9de4e6f83fc8f668c3a365a55f82
SHA256 | b52917b0658cd2a9197e6bb62bade243ee1ad164f2bb566f3a1e09dfa580397f
SHA256 | ef3e42e5fa24acaee2428ff0118feb2be925bfe6b1ea4eccce8b70a7ac5ab2cc
Hashes of five distinct Qilin ransomware executables. Each identifies one exact malware file, which defenders can block or hunt for. Verify each value against the source CSV [17] before deploying it as a block rule.

URL | hxxps[:]//b8dymnk3.r.us-east1.awstrack[.]me/L0/https[:]%2F%2Fcloud.screenconnect[.]com.ms%2FsuKcHZYV/1/010001948f5ca748-c4d2fc4f-aa9e-40d4-afe9-bbe0036bc608-000000/mWU0NBS5qVoIVdXUd4HdKWrsBSI=410
Phishing link delivered through Amazon SES click tracking. When clicked, it redirects the user to a fake ScreenConnect site used for credential and session theft.

URL | hxxps[:]//cloud.screenconnect[.]com.ms/suKcHZYV/1/010001948f5ca748-c4d2fc4f-aa9e-40d4-afe9-bbe0036bc608-000000/mWU0NBS5qVoIVdXUd4HdKWrsBSI=410
Landing URL on the look-alike ScreenConnect domain. Qilin threat actors distribute their malware pretending to be ScreenConnect updates.

Domain | cloud[.]screenconnect[.]com[.]ms
Fake ScreenConnect domain controlled by Qilin. The registrable domain is screenconnect.com.ms under the .ms (Montserrat) TLD, not screenconnect.com; the look-alike relies on the “screenconnect.com” substring to pass a quick visual check.

File path | C:\Windows\SystemTemp\ScreenConnect\24.3.7.9067\ru.msi
A fake ScreenConnect installer used by Qilin attackers to deploy additional payloads and maintain control, disguised as a routine client update.

IP | 186[.]2[.]163[.]10
Malicious web host serving the phishing links and installer content.

IP | 92[.]119[.]159[.]30
Russian-hosted server the attacker used to connect to their fake ScreenConnect instance.

IP | 109[.]107[.]173[.]60
Command-and-control (C2) host used by the attacker as an operational server during the attack.

IP | 128[.]127[.]180[.]156
IP | 109[.]70[.]100[.]1
Tor exit nodes. The attackers routed their traffic through the Tor network to hide their real location, so these addresses, rather than the attackers’ own, appeared in the ScreenConnect server’s access records.

SHA256 | 45c8716c69f56e26c98369e626e0b47d7ea5e15d3fb3d97f0d5b6e8997299d1a
Hash of the binary Qilin attackers used to exploit the Veeam Backup & Replication vulnerability CVE-2023-27532.

File path | C:\ProgramData\veeam.exe
Location where the Veeam exploit tool was saved.

File path | C:\README-RECOVER-<victim ID>.txt
Ransom note written by the Qilin threat actors.

Table 2. Detection and Monitoring Indicators for Qilin Ransomware
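The following matcher, added here as an example (it is not SophosLabs tooling and does not reproduce the layout of the Sophos CSV), refangs a subset of the Table 2 indicators and matches them against constructed proxy, Sysmon and firewall log lines. The log formats and field names (dst_host, Hashes=SHA256=, TargetFilename) are assumptions of the example; the indicator values are copied from Table 2.

```python
"""Indicator matching for the Table 2 artifacts. Added example written for
this advisory; it is not SophosLabs tooling and does not reproduce the layout
of the Ransomware-Qilin-STAC4365.csv file. The indicator values are a subset
copied from Table 2 in their defanged form; the log lines are constructed."""
import re
from typing import Dict, List, Tuple

DEFANGED_IOCS = {
    "domain": ["cloud[.]screenconnect[.]com[.]ms"],
    "ip": ["186[.]2[.]163[.]10", "92[.]119[.]159[.]30", "109[.]107[.]173[.]60"],
    "sha256": [
        "0b9b0715a1ffb427a02e61ae8fd11c00b5d086eb76102d4b12634e57285c1aba",
        "45c8716c69f56e26c98369e626e0b47d7ea5e15d3fb3d97f0d5b6e8997299d1a",
    ],
    "path": [r"C:\ProgramData\veeam.exe", r"C:\README-RECOVER-"],
}


def refang(value: str) -> str:
    """Undo the usual defanging: hxxp(s) -> http(s), [.] -> ., [:] -> :."""
    return (value.replace("hxxps", "https").replace("hxxp", "http")
                 .replace("[.]", ".").replace("[:]", ":"))


IOCS = {kind: [refang(v) for v in values] for kind, values in DEFANGED_IOCS.items()}

# Field extractors for the constructed log formats below (assumed schema).
# Whole-token matching matters: a plain substring test would let 109.107.173.6
# match the C2 address 109.107.173.60, and would let the legitimate
# cloud.screenconnect.com host match the look-alike domain.
HOST_RE = re.compile(r"\bdst_host=([A-Za-z0-9.-]+)")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
SHA256_RE = re.compile(r"\b([0-9a-fA-F]{64})\b")


def host_matches(host: str, ioc_domain: str) -> bool:
    """True if host is the indicator domain itself or a label beneath it."""
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)


def match_line(line: str, iocs: Dict[str, List[str]] = IOCS) -> List[Tuple[str, str]]:
    """Return (indicator type, indicator) pairs found in one log line."""
    hits: List[Tuple[str, str]] = []
    hosts = HOST_RE.findall(line)
    for d in iocs["domain"]:
        if any(host_matches(h, d) for h in hosts):
            hits.append(("domain", d))
    ips = set(IP_RE.findall(line))
    for ip in iocs["ip"]:
        if ip in ips:
            hits.append(("ip", ip))
    hashes = {h.lower() for h in SHA256_RE.findall(line)}  # Sysmon logs uppercase
    for digest in iocs["sha256"]:
        if digest in hashes:
            hits.append(("sha256", digest))
    lowered = line.lower()  # Windows paths are case-insensitive
    for p in iocs["path"]:
        if p.lower() in lowered:
            hits.append(("path", p))
    return hits


def scan_logs(lines: List[str], iocs: Dict[str, List[str]] = IOCS) -> Dict[int, List[Tuple[str, str]]]:
    """Map line index -> indicator hits, omitting lines with no hit."""
    results: Dict[int, List[Tuple[str, str]]] = {}
    for i, line in enumerate(lines):
        hits = match_line(line, iocs)
        if hits:
            results[i] = hits
    return results


# Constructed log lines (proxy, Sysmon and firewall styles); not from any victim.
SAMPLE_LOGS = [
    '2025-01-28T14:02:11Z proxy user=jdoe dst_host=cloud.screenconnect.com.ms dst_ip=92.119.159.30 url="https://cloud.screenconnect.com.ms/suKcHZYV/"',
    '2025-01-28T14:05:40Z proxy user=jdoe dst_host=cloud.screenconnect.com dst_ip=203.0.113.10 url="https://cloud.screenconnect.com/Login"',
    '2025-01-28T14:09:03Z sysmon EventID=1 Image=C:\\ProgramData\\veeam.exe Hashes=SHA256=45C8716C69F56E26C98369E626E0B47D7EA5E15D3FB3D97F0D5B6E8997299D1A',
    '2025-01-28T14:20:55Z fw action=allow src=10.0.5.21 dst=109.107.173.60 dport=443',
    '2025-01-28T15:00:00Z fw action=allow src=10.0.5.21 dst=109.107.173.6 dport=443',
    '2025-01-29T02:13:17Z sysmon EventID=11 TargetFilename=C:\\README-RECOVER-a1b2c3.txt',
]

if __name__ == "__main__":
    for i, hits in scan_logs(SAMPLE_LOGS).items():
        print(i, hits, "<-", SAMPLE_LOGS[i][:60])
```

Lines 0, 2, 3 and 5 produce hits; line 1 (the genuine ScreenConnect cloud host) and line 4 (an address that merely shares a prefix with the C2 IP) do not, which is the behaviour a blocklist fed from this table must have.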

VI. Defensive Strategies & Best Practices

a. Initial Compromise

Threat actors using Qilin RaaS (Ransomware-as-a-Service) packages gain access to enterprise networks through spear-phishing campaigns targeting the C-suite. These can look like emails from unknown users or domains encouraging executives to click on malicious attachments or links designed to replicate legitimate domains. Threat actors also take advantage of legitimate cloud storage services such as OneDrive or Google Drive, making detection more difficult and reinforcing the need for users to recognize suspicious behavior. Up-to-date security awareness training equips users to identify typosquatting and report social engineering attempts, lowering the likelihood of being impacted [3].

b. Reinforce Password Security Policies

Reports from SentinelOne have shown that threat actors gained access to systems with administrator capabilities by exploiting default or weak credentials. Disabling default credentials and following NIST password guidance makes it more difficult to gain access to critical systems. NIST-recommended controls include requiring at least 15-character passwords for privileged accounts, at least 8-character passwords for standard accounts, and comparing passwords against compromised credential databases [15].

c. Diversifying Authentication Methods

Implementing MFA (Multi-Factor Authentication) and encouraging passwordless methods such as biometrics and hardware tokens, with one-time passcodes as a fallback, lowers the likelihood of a system being accessed if a password is compromised. Note that one-time passcodes can still be captured by a look-alike login page of the kind used in the ScreenConnect campaign in Section V, whereas phishing-resistant methods such as FIDO2 hardware tokens do not share that weakness. This implementation is crucial for remote access services, as they are a common vector for abuse [15].

d. Threat Monitoring Tools

Investing in security infrastructure, including EDR, SIEM, and email security tools, specifically those with anti-ransomware capabilities, helps security engineers detect these attacks by analyzing attachments and links for malicious behavior, applying behavioral heuristics, comparing file hashes, and detecting lateral movement. Additional defensive measures include securing open ports and performing regular patch and vulnerability management [4].

e. Bolstering Security Defenses

Bolstering security defenses is critical in defending against this ransomware, as Qilin affiliates are known to abuse remote access through exposed RDP, SSH, and VPN services, as well as remote execution, to move further into the network. Qilin is also known to exploit unpatched systems, including exposed Citrix, virtualization, network, and cloud services. Keeping up with routine software and vulnerability patches hardens devices and limits the threat vectors available to malicious actors. Where these services must remain reachable for employees, adaptive access controls (time of day, geolocation, IP reputation, etc.) lessen the likelihood of the network being infiltrated without detection [4].

VII. References

[1] BankInfoSecurity. (2024, June 17). UK Pathology Lab Ransomware: Attackers Demanded $50 Million. https://www.bankinfosecurity.com/uk-pathology-lab-ransomware-attackers-demanded-50-million-a-25559

[2] Barracuda. (2025, July 18). Qilin ransomware is growing, but how long will it last? https://blog.barracuda.com/2025/07/18/qilin-ransomware-growing

[3] Center for Internet Security (CIS). (2025, September 11). Qilin: Top Ransomware Threat to SLTTs in Q2 2025. https://www.cisecurity.org/insights/blog/qilin-top-ransomware-threat-to-sltts-in-q2-2025

[4] Check Point Software. (2025, July 8). Qilin Ransomware (Agenda): A Deep Dive. https://www.checkpoint.com/cyber-hub/threat-prevention/ransomware/qilin-ransomware/

[5] Cobb County Government. (2025, May 23). Notice of the Cobb County Board of Commissioners Cyber Security Event. https://www.cobbcounty.gov/communications/news/notice-cobb-county-board-commissioners-cyber-security-event

[6] CybelAngel. (2025, July 16). Inside Qilin: The Double Extortion Ransomware Threat. https://cybelangel.com/blog/qilin-ransomware-tactics-attack/

[7] Cyble. (2025, August 12). Ransomware Landscape July 2025: Qilin Stays on Top as New Threats Emerge. https://cyble.com/blog/ransomware-groups-july-2025-attacks/

[8] Cyberint. (2025, July 10). Qilin Ransomware: Get the 2025 Lowdown. https://cyberint.com/blog/research/qilin-ransomware/

[9] Darktrace. (2024, July 4). A Busy Agenda: Darktrace’s Detection of Qilin Ransomware-as-a-Service Operator. https://www.darktrace.com/blog/a-busy-agenda-darktraces-detection-of-qilin-ransomware-as-a-service-operator

[10] HIPAA Journal. (2024, June 22). Ransomware Group Leaks Data from 300 Million Patient Interactions with NHS. https://www.hipaajournal.com/care-disrupted-at-london-hospitals-due-to-ransomware-attack-on-pathology-vendor/

[11] Industrial Cyber. (2025, October 8). Qilin hackers claim responsibility for Asahi cyberattack, allege theft of 27 GB of data amid ongoing investigation. https://industrialcyber.co/ransomware/qilin-hackers-claim-responsibility-for-asahi-cyberattack-allege-theft-of-27-gb-of-data-amid-ongoing-investigation/

[12] National Institute of Standards and Technology (NIST). (2025, August 20). How Do I Create a Good Password? https://www.nist.gov/cybersecurity/how-do-i-create-good-password

[13] Quorum Cyber. (n.d.). Agenda Ransomware Report. https://www.quorumcyber.com/malware-reports/agenda-ransomware-report/

[14] S-RM. (2025, July 16). Ransomware in Focus: Meet Qilin. https://www.srminform.com/latest-thinking/ransomware-in-focus-meet-qilin

[15] SentinelOne. (2025, September 17). Agenda (Qilin). https://www.sentinelone.com/anthology/agenda-qilin/

[16] Sophos. (2025, April 1). Qilin affiliates spear-phish MSP ScreenConnect admin, targeting customers downstream. https://news.sophos.com/en-us/2025/04/01/sophos-mdr-tracks-ongoing-campaign-by-qilin-affiliates-targeting-screenconnect

[17] SophosLabs. (n.d.). Ransomware-Qilin-STAC4365 Indicators of Compromise (IoCs). GitHub Repository. https://github.com/sophoslabs/IoCs/blob/master/Ransomware-Qilin-STAC4365.csv

[18] The Hacker News. (2025, October 27). Qilin Ransomware Combines Linux Payload With BYOVD Exploit in Hybrid Attack. https://thehackernews.com/2025/10/qilin-ransomware-combines-linux-payload.html

[19] Tripwire. (2024, June 20). Qilin Ransomware: What You Need to Know. https://www.tripwire.com/state-of-security/qilin-ransomware-what-you-need-know

[20] U.S. Department of Health and Human Services (HHS). (2024, June 18). Qilin Threat Profile (TLP: CLEAR). https://www.hhs.gov/sites/default/files/qilin-threat-profile-tlp-clear.pdf

[21] HIPAA Journal. (n.d.). Qilin Ransomware Group Exploiting Critical Fortinet Flaws. https://www.hipaajournal.com/qilin-ransomware-group-exploiting-critical-fortinet-flaws/

[22] BushidoToken. (2024, June). Tracking Adversaries: Qilin RaaS. https://blog.bushidotoken.net/2024/06/tracking-adversaries-qilin-raas.html

[23] Trend Micro. (2022). New Golang Ransomware, Agenda, Customizes Attacks. https://www.trendmicro.com/en_us/research/22/h/new-golang-ransomware-agenda-customizes-attacks.html

[24] ThreatLocker. (n.d.). Qilin Ransomware’s Newest Tactics: Widespread Encryption by Any Means Necessary. https://www.threatlocker.com/blog/qilin-ransomwares-newest-tactics-widespread-encryption-by-any-means-necessary

[25] Picus Security. (n.d.). Qilin Ransomware. https://www.picussecurity.com/resource/blog/qilin-ransomware

[26] CyberSecurityNews. (2025). Qilin Operators Mimic ScreenConnect Login Page. https://cybersecuritynews.com/qilin-operators-mimic-screenconnect-login-page/

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Eduarda Koop, Waratchaya Luangphairin, and Isaiah Johnson

Qilin Ransomware – A Double Extortion Campaign | 2025-12-10T16:49:03-05:00

Classroom to Community: Student-led Project Benefits Seniors

Elder Guide Translators

Dr. Michelle Angelo-Rocha with SOCAP students Waratchaya “June” Luangphairin and Lara Radovanovic

The Student Collaboration Behind Cyber Florida’s Multilingual Elder Fraud Guides

When Cyber Florida’s Security Operations Center Apprentice Program (SOCAP) student intern Waratchaya “June” Luangphairin helped co-author Protecting Against Elder Fraud and Scams in September 2025, she didn’t expect the guide to travel far beyond its initial audience. But just a few weeks after publication, a message landed in her LinkedIn inbox that would set off a wave of collaboration, translation, and community outreach—transforming a single cybersecurity awareness guide into a multilingual project serving Florida’s diverse communities.

Cyber Florida’s SOCAP provides paid internships that give USF students real-world cybersecurity experience. Interns learn to use state-of-the-art monitoring and threat detection tools while supporting public-sector organizations with supplemental cybersecurity services. As part of their work, students regularly publish threat advisories, guides, and scam alerts to help Floridians stay cyber safe.

June’s guide on elder fraud struck a chord—especially with one reader in Miami.

“After we published the cyber elder fraud report, I was contacted on LinkedIn by Marco Padilla, an IT infrastructure manager from Miami,” June explained. “He had shared the guide with his 83-year-old mother, reading it aloud to her since she doesn’t speak English. She found it so valuable that she asked, ‘Why don’t we distribute this to senior care facilities in Miami so more people can stay informed?’”

Marco offered to help translate the guide into Spanish, sparking an idea that grew into something much larger. June relayed his message to her SOCAP teammates and Cyber Florida leadership, and soon a small team formed to bring the vision to life.

Collaboration Across Languages

Working together, June, fellow SOCAP students Lara Radovanovic and Zahid Rahman, along with Cyber Research Analyst Dr. Michelle Angelo-Rocha, expanded the guide into Spanish, Portuguese, and Arabic, languages identified as among Florida’s most widely spoken.

Dr. Salwa Amer, head of USF’s Arabic language program, and Sanae Elmachour, a new SOCAP student, provided an additional review to confirm accuracy and readability of the Arabic translation.

Cyber Communications and Marketing Analyst Sarina Gandy managed the formatting and publication of all versions on the Cyber Florida website’s Threat Room.

Nearly 200 website downloads of the guide have been tracked.

Prior to the translation project, the English guide had been shared with organizations such as the Florida Health Care Association and LeadingAge Southeast to be distributed to their member organizations. Now, every version is freely available online, with audio narrations coming soon.

A Personal Connection to Purpose

“When Marco reached out to me, it caught me by surprise,” June said. “It was a genuine human connection between our technical work and the people it was meant to protect. I realized this is what it’s about—protecting people. Sharing this with my team inspired all of us. Ever since, we’ve been on the lookout for ways to go further—protect more people, in more mediums.”

The SOCAP team is now producing audio versions of each guide, with June reading the English version, Michelle narrating the Portuguese, and Lara and Zahid lending their voices to the Spanish and Arabic editions. Project manager Sarina expects the recordings to be uploaded by the end of 2025 on Cyber Florida’s YouTube channel, with links from the website.

And the work isn’t stopping there. The team has already begun plans for a Haitian Creole translation and hopes to bring the guides directly into the community through senior centers, churches, and programs that serve older adults.

“Collaborating with the students on this project was an excellent experience,” said Michelle. “We met regularly and worked together to ensure the guide in different languages was accurate, clear, and valuable for seniors whose first language is not English. The students fully led the project. I was truly impressed by the students’ initiative, professionalism, leadership, and dedication throughout the process. I am so proud of them!”

June concludes with these thoughts: “I would like to thank everyone for stepping in so quickly and without hesitation. Everyone immediately jumped in, and it made me feel supported, which is why I love working at CyberFlorida. Everybody here is excited and driven by the same purpose: spreading cybersecurity worldwide, starting in Florida.”

What started as one outreach report has evolved into a multilingual, accessible awareness project—proof that even a single message can spark meaningful change when driven by purpose and collaboration.

Classroom to Community: Student-led Project Benefits Seniors | 2025-12-12T17:47:38-05:00

BRICKSTORM APT Intrusion Campaign

I. Introduction

BRICKSTORM is a Go-based backdoor used by the Chinese state-sponsored group UNC5221 (also tracked as UTA0178 and Red Dev 61) to quietly maintain long-term access to enterprise and government networks. It is a cross-platform implant that targets Windows, Linux, and BSD-based systems, with a particular focus on edge appliances and remote-access infrastructure.

Identified by Mandiant (Google Cloud) in March 2025, this malware has been linked to multiple espionage incidents in the US, including attacks on law firms, Software-as-a-Service (SaaS) providers (companies that offer software applications over the internet), and technology companies.

What makes BRICKSTORM so dangerous is its emphasis on stealth and persistence. In one case Mandiant investigated, the BRICKSTORM sample included a built-in delay timer that waited for a specific hardcoded date before contacting its command-and-control server, indicating that the threat actor was actively monitoring the intrusion and able to adapt its tactics to maintain persistence. Mandiant reports an average dwell time of 393 days before detection, highlighting how effective this backdoor is at evading detection.

Once inside, BRICKSTORM operators compromise not only the victim organization’s environment but also the organizations connected to it, extending their reach well beyond the initial target.

This advisory covers what BRICKSTORM is, its targets, its Tactics, Techniques & Procedures, the tools and services it uses, Indicators of Compromise, and mitigation strategies to protect against BRICKSTORM.

II. Target

Legal Services / Law Firms
U.S. law firms and legal services organizations, especially those specializing in mergers and acquisitions, international trade, and government contracting, are primary targets for BRICKSTORM because they hold sensitive information about U.S. economic and national security matters [12]. These firms are a valuable source of private communications, transaction records, and trade intelligence that provide strategic insight into those matters. The motivation is primarily espionage: the adversary seeks privileged emails, negotiation strategies, and other confidential materials that can be used for political or trade advantage. Reporting shows that these campaigns are not short-term, financially driven operations but long-term intelligence collection efforts that remain active for extended periods, often through persistent access to internal document systems and email servers.

Technology Firms / Intellectual Property-Rich Companies
Technology firms, software vendors, and R&D organizations attract BRICKSTORM because of their proprietary source code and intellectual property. They are particularly attractive to groups like UNC5221 because they develop widely used enterprise and security products that can be leveraged for future exploits. The primary motive is espionage, combined with capability development: stealing source code and technical data to find unidentified vulnerabilities and weaponize them for future offensive operations. Evidence from recent incidents shows the group exploiting virtualization management systems and appliance software to reach internal build systems and code repositories. Among its most frequently used techniques are cloning domain controllers to extract credentials offline and using SOCKS proxies for lateral movement, which suggests a deliberate focus on exploiting development and management infrastructure for persistent, long-term access. [13]

SaaS Providers / Business Process Outsourcers (BPO)
SaaS providers and BPOs are increasingly targeted because compromising a single provider can give attackers indirect access to many customer environments. The motivation remains espionage, with a focus on supply chain infiltration rather than direct theft. By using tactics such as phishing, social engineering, or exploiting vulnerabilities in the service provider’s infrastructure, adversaries can embed themselves and quietly collect intelligence from a wide range of downstream organizations without triggering immediate detection. [3] Recent investigations indicate that the campaign’s activity in this sector mirrors other China-linked supply chain operations, which share the goal of maintaining stealthy persistence to enable long-term surveillance and selective data exfiltration from compromised environments.

Infrastructure / Appliances & Virtualization Management Systems
Network appliances, VPN gateways, firewalls, and virtualization platforms such as VMware vCenter and ESXi are a key focus for BRICKSTORM. These systems are attractive because they often fall outside the visibility of standard endpoint protection and, given that lack of oversight, can be used to maintain deep persistence. The motivation is espionage and operational dominance within the target environment, allowing the attackers to harvest credentials, clone virtual machines for offline analysis, and establish covert tunnels for sustained, undetected access. Security analysts have identified BRICKSTORM binaries written in Go that are tailored to operate within appliance and management systems. The use of SOCKS proxying and DNS-over-HTTPS for encrypted communication lets BRICKSTORM maintain stealthy, persistent access, in line with the group’s goals of long-term surveillance and data exfiltration. These campaigns frequently begin with the exploitation of zero-day vulnerabilities in perimeter appliances. To keep a minimal footprint and evade detection, the BRICKSTORM operators employ sophisticated strategies, including customized malware, secure communication channels, and adaptive evasion techniques, underscoring a calculated approach aimed at long-term infiltration and control. [10,14]

III. Tactics and Techniques

The threat actors behind BRICKSTORM employ sophisticated techniques from initial access to exfiltration in order to complete their mission. The following section outlines the MITRE ATT&CK tactics and techniques observed in use by BRICKSTORM [5,11]:

TACTIC | TECHNIQUE | MITRE ATT&CK ID | DESCRIPTION
Initial Access | Exploit Public-Facing Application | T1190 | Adversaries may exploit vulnerabilities or misconfigurations in internet-facing systems to gain initial network access.
Execution | Command and Scripting Interpreter | T1059 | Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Persistence | Server Software Component: Web Shell | T1505.003 | Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Persistence | Boot or Logon Autostart Execution | T1547 | Adversaries may configure systems to automatically execute a program during system boot or logon.
Credential Access | Credentials from Password Stores | T1555 | Adversaries may search for common password storage locations to obtain user credentials.
Credential Access | OS Credential Dumping | T1003 | Adversaries may attempt to dump credentials to obtain account login and credential material.
Lateral Movement | Remote Services: SSH | T1021.004 | Adversaries may use valid accounts to log into remote machines using Secure Shell (SSH) and perform actions.
Defense Evasion | Obfuscated Files or Information | T1027 | Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or obfuscating its contents.
Command and Control | Application Layer Protocol: Web Protocols | T1071.001 | Adversaries may communicate using application layer protocols associated with web traffic.
Command and Control | Application Layer Protocol: DNS over HTTPS | T1071.004 | Adversaries may communicate using the Domain Name System (DNS) application layer protocol.
Exfiltration | Exfiltration Over C2 Channel | T1041 | Adversaries may steal data by exfiltrating it over an existing command and control channel.

Table 1. MITRE ATT&CK Techniques Associated with BRICKSTORM

Initial Access
Initial access often begins with the compromise of edge devices and public-facing applications. In at least one observed case, the threat actors obtained initial access by exploiting vulnerabilities that were unpatched at the time, CVE-2024-21893 and CVE-2024-21887, which involve a command injection vulnerability and an authentication bypass in web components of Ivanti Connect Secure and Ivanti Policy Secure. [5, 6, 7]

Execution
Once a foothold is established, BRICKSTORM accepts web-based commands, executes OS commands, and returns the command output in HTTP responses. This gives threat actors interactive control without needing an interactive shell. BRICKSTORM also blends into the target environment by matching its naming conventions and even its functionality in order to masquerade as legitimate activity. Together, these techniques make detection significantly harder. [5]

Persistence
After execution, BRICKSTORM establishes persistence by installing an in-memory Java Servlet filter called BRICKSTEAL, which intercepts and decodes web authentication traffic and harvests credentials. Because BRICKSTEAL is loaded in memory rather than written to disk, it is stealthier and will not show up in simple file scans. Additionally, BRICKSTORM modifies startup scripts, such as init.d, rc.local, or systemd units, to survive reboots. [2,5]

Credential Access & Privilege Escalation
BRICKSTORM harvests passwords from secret stores and uses in-memory credential dumping to escalate privileges and gain access to administrative infrastructure. In several observed cases, the malware targeted password vaults and configuration repositories within virtual machines and cloud environments to extract service account credentials and API tokens. It was also observed collecting credentials from both volatile memory and encrypted stores, which yields access to high-privilege accounts. After obtaining credentials, the group targets domain controllers, virtualization hosts, and backup systems to escalate privileges, then uses those privileges to move laterally and authenticate to additional systems and interfaces. [5]

Lateral Movement
BRICKSTORM operators move laterally through the network using SSH (secure, encrypted remote-shell access) and mask their activity as routine administrative behavior. After obtaining valid credentials, the threat actors connect via SSH from compromised hosts to internal systems to transfer files, deploy tools, and execute commands, while avoiding visible interactive shells. SSH has also been enabled remotely through vCenter’s Appliance Management Interface (VAMI), allowing the threat actors to create temporary local accounts that are later removed to erase traces of activity. [2,5]

Defense Evasion
To evade signature-based detection and static analysis, BRICKSTORM obfuscates and modifies its variants for each target. The malware is compiled as Go binaries (single-file executables produced by the Go compiler that contain everything they need to run, including libraries and the runtime) using obfuscation tools that strip identifiable strings and symbols to prevent matches with known indicators; it also executes payloads in memory, deletes installers after use, and hides malicious functions within legitimate processes. Together, these approaches make file-hash or signature-based detection even more challenging. [5]

Command and Control (C2)
BRICKSTORM blends its C2 traffic into normal web traffic by using HTTP/HTTPS and encrypted channels to send commands and payloads. The threat actors establish a SOCKS proxy tunnel through the compromised system to reach internal services, while hiding C2 activity behind DNS-over-HTTPS and rapidly rotating short-lived cloud servers (ephemeral infrastructure), which makes their servers difficult to track and their traffic appear routine. [9]

Exfiltration
BRICKSTORM threat actors exfiltrate data from affected systems over the same channels used for command and control (C2). The SOCKS proxy tunnel effectively places their workstation inside the victim network, giving them direct access to pull files from internal shares, code repositories, and endpoints. A common theme is accessing the email accounts and mailboxes of key people in the target organization. [3] To do so, they abuse Microsoft Entra ID (formerly Azure Active Directory) applications configured with overly broad permissions, such as mail.read or full_access_as_app, to read the mailboxes of target accounts. [2, 9]

IV. Adversary Tools and Services

BRICKSTORM combines custom-built malware, open-source libraries, and legitimate internet services to maintain long-term access and hide its activity across targeted networks. The following list contains tools and services associated with the BRICKSTORM campaign, along with the reasoning behind why each is part of the campaign:

1. Go ELF Backdoor (Pg_update, Listener, Vmprotect)
A Golang-based implant designed to run directly on F5 BIG-IP appliances. [10] It gives attackers remote control, encrypted communications, and data exfiltration without relying on external dependencies, which makes it well suited to stable persistence on embedded Linux systems.

2. Yamux (Golang Multiplexing Library)
Allows attackers to send multiple data streams over one TCP or TLS connection, hiding several operations within a single outbound session. [4]

3. SOCKS Proxy Mechanism
Allows pivoting from the compromised appliance management IP to internal hosts, allowing lateral movement while maintaining stealth. [10]

4. TLS / HTTP/2 (ALPN h2) and WebSocket C2 Channels
Encrypted web protocols that blend with legitimate traffic. The connection upgrades to WebSocket for long-term persistence and control.

5. Exploits for 0-days and Known Vulnerabilities
Used to gain initial access to F5’s BIG-IP management interfaces, especially after the theft of F5’s source code revealed internal vulnerabilities. [1]

6. Public Code Repositories (China-based)
Reuse of legitimate Golang and networking code from public sources, some of which host malicious projects repurposed for appliance compromise. [10]

7. Cloud/CDN and DNS-over-HTTPS (DoH) Services
Legitimate cloud platforms (like Cloudflare or Heroku) and encrypted DNS channels abused for C2 traffic, domain hiding, and command relay, making detection more difficult. [2]

V. Indicators of Compromise (IOCs)

According to Mandiant’s threat intelligence report Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech and Legal Sectors, there is diminishing value in using IOCs to detect BRICKSTORM’s presence [3]. TTP-based hunting is therefore necessary to surface patterns that indicator matching alone would miss.

The following table presents a Mandiant-adapted checklist for detecting BRICKSTORM activity and associated adversary behaviors:

Hunt Objective | Why it matters | Where to Look for Evidence
1. Create or update an inventory of all appliances and edge devices | You can’t hunt what you don’t know exists. Attackers often use private management IPs to send data out of the network. | Configuration Management Database (CMDB); asset registry; network discovery tools (Nmap, ARP scans)
2. Scan files and backups for BRICKSTORM malware | Attackers often delete malware from live hosts; however, traces may still be preserved in backups. | Appliance file systems; backup stores and snapshot images
3. Look for Internet traffic from appliances | Appliances should rarely call unknown Internet hosts. Suspicious outbound traffic may conceal command and control communication. | Firewall logs; Domain Name System (DNS) logs; Intrusion Detection and Prevention System (IDS/IPS) alerts; NetFlow/proxy logs
4. Watch for appliances connecting to Windows systems | These devices normally should not log into Windows hosts; doing so could be a sign of lateral movement. | Endpoint Detection and Response (EDR) telemetry; Windows Security Event Logs; Terminal Services logs; Windows Unified Audit Log (UAL)
5. Detect access to passwords and credentials | Stolen credentials enable privilege escalation or domain compromise. | EDR forensic snapshots; ShellBags; Data Protection Application Programming Interface (DPAPI) artifacts; browser profile access logs
6. Monitor Microsoft 365 mailbox access | Actors use mail.read/full_access_as_app to exfiltrate mail at scale, which means they can steal emails and read confidential information. | Microsoft 365 Unified Audit Log (UAL); OfficeActivity logs; Azure Active Directory (AD) app registry
7. Check for cloned virtual machines (VMs) | Attackers can clone a VM to extract sensitive files offline. | vSphere VPXD logs; virtual machine (VM) inventory; datastore logs
8. Watch for new or deleted local admin accounts | Short-lived accounts are often created for implant setup or maintaining stealthy access. | VMware audit events; Single Sign-On (SSO) logs; Virtual Appliance Management Interface (VAMI) logs
9. Monitor SSH enablement on appliances | Attackers often enable SSH to manually deploy or manage implants. | VAMI REST logs; configuration change logs
10. Identify unauthorized or suspicious VMs | Malicious actors may create fake virtual machines to exfiltrate or store stolen data. | VM inventory reports; datastore object listings

Table 2. BRICKSTORM Threat Hunting Reference Table

VI. Recommendations

BRICKSTORM allows attackers to compromise systems and networks while evading common security controls, such as network-level DNS monitoring. To mitigate these threats, organizations should implement the following defensive strategies:

1. DNS over HTTPS
BRICKSTORM can be configured to operate with or without DNS over HTTPS (DoH). Organizations should therefore watch for unusual DoH activity to catch variants of BRICKSTORM that leverage these services. [8]

2. TLS Inspection
BRICKSTORM can easily blend malicious activity into legitimate HTTPS traffic by using encrypted channels for C2. As a result, organizations should ensure that their TLS inspection detects or blocks nested TLS sessions (encrypted sessions over already encrypted traffic). [8]

3. Behavior-Based Detection
To avoid detection, BRICKSTORM uses the in-memory BRICKSTEAL component and obfuscates and modifies its variants for each target, so traditional signature-based detection may fail to catch the backdoor. Organizations should implement EDR solutions capable of behavioral anomaly detection, focusing on unusual process injections, in-memory Java servlet filters, and unsigned binaries. [3, 5]

4. Principle of Least Privilege
Any device, internal or internet-facing, should be configured to follow the principle of least privilege. Devices should be permitted outbound connections only to vendor update servers, package repositories, or support endpoints, and firewalls should enforce and monitor this, allowing access only to the domains and IPs a device needs in order to operate. [3]

5. Patch and Harden Systems
Vendor updates should be applied to all systems, and outbound connectivity should be restricted for management interfaces. [2]

6. Threat Hunting & Detection Logic
Based on the identified TTPs and Indicators of Compromise, organizations are encouraged to perform threat hunts and put in place detection rules to proactively detect BRICKSTORM. [2]

7. Access Controls
Threat actors have remotely enabled SSH through vCenter’s Appliance Management Interface (VAMI) in order to create temporary local accounts. MFA should therefore be enforced for VAMI, and VM cloning should be monitored. Additionally, because BRICKSTORM abuses Microsoft Entra ID applications and their permissions, organizations should review application permissions such as mail.read or full_access_as_app. [2,3]

By following these recommendations and defensive strategies, organizations can proactively defend themselves from BRICKSTORM.
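The following is an added example, not code from the advisory or from Mandiant, that implements hunt objectives 3 and 4 of Table 2 (appliance Internet egress, appliances logging into Windows hosts) together with Recommendations 1 and 4 (DoH watching, allowlisted outbound destinations). The appliance inventory, allowlist hostnames, flow records and IP-to-hostname mappings are constructed sample data; the DoH resolver names are real public services, but the addresses paired with them here are documentation ranges.

```python
# Added example: a small hunt over constructed NetFlow-style records.
# Everything below (inventory, allowlist, flows) is hypothetical sample data.
import ipaddress
from collections import Counter

# Objective 1: inventory of appliance / edge-device management IPs (constructed).
APPLIANCE_INVENTORY = {
    "10.10.5.20": "vcenter-01",
    "10.10.5.21": "esxi-01",
    "10.10.9.10": "vpn-gw-01",
}

# Recommendation 4: the only external destinations an appliance may reach
# (vendor update servers, package repos, support endpoints). Hypothetical names.
EGRESS_ALLOWLIST = {
    "updates.example-vendor.invalid",
    "repo.example-vendor.invalid",
}

# Well-known public DoH resolvers; an appliance talking to one on 443 is a
# candidate for the DoH-based C2 behaviour covered by Recommendation 1.
DOH_RESOLVERS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

# Destination ports that imply a Windows logon or remote-management session
# (objective 4: appliances should not be logging into Windows hosts).
WINDOWS_LOGON_PORTS = {135: "RPC", 445: "SMB", 3389: "RDP", 5985: "WinRM", 5986: "WinRM-TLS"}

PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """True if the address is in RFC 1918 space (treated here as the internal network)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def parse_flow(line: str) -> dict:
    """Parse one constructed record of the form: ts src dst dport proto dst_name."""
    ts, src, dst, dport, proto, dst_name = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto, "dst_name": dst_name}


def hunt(records: str) -> list:
    """Return findings for appliance egress (objective 3) and appliance-to-Windows (objective 4)."""
    findings = []
    for line in records.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        f = parse_flow(line)
        appliance = APPLIANCE_INVENTORY.get(f["src"])
        if appliance is None:
            continue  # not an appliance; outside the scope of these two objectives
        dst = f"{f['dst']}:{f['dport']} ({f['dst_name']})"
        if not is_internal(f["dst"]):
            if f["dst_name"] in EGRESS_ALLOWLIST:
                continue  # sanctioned vendor traffic
            if f["dst_name"] in DOH_RESOLVERS and f["dport"] == 443:
                note = "possible DoH resolver"
            else:
                note = "unsanctioned Internet egress"
            findings.append({"objective": 3, "appliance": appliance, "dst": dst, "note": note, "ts": f["ts"]})
        elif f["dport"] in WINDOWS_LOGON_PORTS:
            note = f"{WINDOWS_LOGON_PORTS[f['dport']]} session to an internal Windows host"
            findings.append({"objective": 4, "appliance": appliance, "dst": dst, "note": note, "ts": f["ts"]})
    return findings


def summarize(findings: list) -> dict:
    """Count findings per appliance so the noisiest device is triaged first."""
    return dict(Counter(f["appliance"] for f in findings))


# Constructed sample flows (TEST-NET addresses; hostnames are hypothetical).
SAMPLE_FLOWS = """
# ts                   src         dst           dport proto dst_name
2025-10-01T02:14:07Z 10.10.5.20  203.0.113.45  443  tcp cdn-edge.example.invalid
2025-10-01T02:14:09Z 10.10.5.20  10.10.20.15   445  tcp fs01.corp.invalid
2025-10-01T02:15:00Z 10.10.9.10  198.51.100.7  443  tcp updates.example-vendor.invalid
2025-10-01T02:16:30Z 10.10.5.21  203.0.113.53  443  tcp cloudflare-dns.com
2025-10-01T03:00:00Z 10.10.20.15 203.0.113.45  443  tcp cdn-edge.example.invalid
2025-10-01T03:05:00Z 10.10.5.20  10.10.20.30   3389 tcp dc01.corp.invalid
"""

if __name__ == "__main__":
    results = hunt(SAMPLE_FLOWS)
    for r in results:
        print(f"[obj {r['objective']}] {r['ts']} {r['appliance']} -> {r['dst']}: {r['note']}")
    print("per-appliance:", summarize(results))
```

Feed it real NetFlow or firewall exports after adapting parse_flow to the export's column order; the allowlist should come from the vendor's documented update endpoints rather than the placeholders here.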

VII. References

[1] Cybersecurity and Infrastructure Security Agency. (2025, April). Emergency Directive 26-01: Mitigate vulnerabilities in F5 devices. https://www.cisa.gov/news-events/directives/ed-26-01-mitigate-vulnerabilities-f5-devices

[2] Fortinet. (2025, April 10). BRICKSTORM espionage campaign: Threat Signal Report 6204. FortiGuard Threat Intelligence. https://www.fortiguard.com/threat-signal-report/6204/brickstorm-espionage-campaign

[3] Google Threat Intelligence Group. (2025, September 24). Another BRICKSTORM: Stealthy backdoor enabling espionage into tech and legal sectors. Google Cloud Threat Intelligence Blog. https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign

[4] HashiCorp. (n.d.). Yamux: Golang multiplexing library. GitHub repository. https://github.com/hashicorp/yamux

[5] Mandiant (Intelligence Team). (2025, March). BRICKSTORM malware: UNC5221 targets tech and legal sectors in the United States. Picus Security Blog. https://www.picussecurity.com/resource/blog/brickstorm-malware-unc5221-targets-tech-and-legal-sectors-in-the-united-states

[6] National Institute of Standards and Technology. (2023). CVE-2023-46805: Authentication bypass in Ivanti Connect Secure. National Vulnerability Database. https://nvd.nist.gov/vuln/detail/CVE-2023-46805

[7] National Institute of Standards and Technology. (2024). CVE-2024-21887: Command injection vulnerability in Ivanti Connect Secure and Policy Secure. National Vulnerability Database. https://nvd.nist.gov/vuln/detail/CVE-2024-21887

[8] NVISO Labs. (2025, April). BRICKSTORM malware analysis report. NVISO Threat Intelligence Blog. https://blog.nviso.eu/wp-content/uploads/2025/04/NVISO-BRICKSTORM-Report.pdf

[10] ReSecurity. (2025, April 15). F5 BIG-IP source code leak tied to state-linked campaigns using BRICKSTORM backdoor. ReSecurity Threat Intelligence Blog. https://www.resecurity.com/blog/article/f5-big-ip-source-code-leak-tied-to-state-linked-campaigns-using-brickstorm-backdoor

[11] The MITRE Corporation. (2025). MITRE ATT&CK framework: Techniques and tactics. https://attack.mitre.org/

[12] Bloomberg. (2025, September 24). ’Most prevalent’ Chinese hacking group targets tech, law firms. Bloomberg News. https://www.bloomberg.com/news/articles/2025-09-24/-most-prevelant-chinese-hacking-group-targets-tech-law-firms

[13] Burt, J. (2025, September 24). Chinese hackers steal data from U.S. legal, tech firms for more than a year. Security Boulevard. https://securityboulevard.com/2025/09/chinese-hackers-steal-data-from-u-s-legal-tech-firms-for-more-than-a-year/

[14] Lakshmanan, R. (2025, September 24). UNC5221 uses BRICKSTORM backdoor to infiltrate U.S. legal and technology sectors. The Hacker News. https://thehackernews.com/2025/09/unc5221-uses-brickstorm-backdoor-to.html

[15] Arctic Wolf Networks. (2025, October 30). UNC6384 weaponizes ZDI-CAN-25373 vulnerability to deploy PlugX against Hungarian and Belgian diplomatic entities. Arctic Wolf. https://arcticwolf.com/resources/blog/unc6384-weaponizes-zdi-can-25373-vulnerability-to-deploy-plugx/

[14] Google Threat Intelligence Group. (2025, August 25). PRC-Nexus espionage campaign hijacks web traffic to target diplomats. Google Cloud Blog. https://cloud.google.com/blog/topics/threat-intelligence/prc-nexus-espionage-targets-diplomats

[15] Mandiant. (2025, September 24). Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech and Legal Sectors. Google Cloud Blog. https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign

[16] The Hacker News. (n.d.). UNC5221 uses BRICKSTORM backdoor to infiltrate U.S. legal and technology sectors. https://thehackernews.com/2025/09/unc5221-uses-brickstorm-backdoor-to.html

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Waratchaya Luangphairin (June), Eduarda Koop, and Isaiah Johnson

BRICKSTORM APT Intrusion Campaign (published 2025-12-03T15:17:43-05:00)

Danny Jenkins — Founder of ThreatLocker and the Zero-Trust Revolution

Episode 66 — Danny Jenkins

Danny Jenkins — Founder of ThreatLocker and the Zero-Trust Revolution (published 2025-12-02T10:19:28-05:00)

Cyber Florida 24-25 Annual Impact Report

What did we do during Fiscal Year 2024-2025? Cyber Florida at USF continued to expand its statewide, national, and global impact through innovative programs and strategic partnerships. The Sunshine Cyber Conference brought together experts, educators, and practitioners from across the cybersecurity ecosystem. The second annual CyberLaunch competition engaged high school students statewide, sparking early interest in cybersecurity careers. Our Security Operations Center Apprentice Program (SOCAP) deepened collaboration with both internal teams and external partners, creating valuable real-world training opportunities for students. The Aligned Realistic Cyberattack Simulation (ARCS) Range served as a cutting-edge network defense training resource for Florida’s public-sector workforce. Cyber Florida hosted the Red Dragon Rising II symposium, fostering global dialogue on emerging cyber threats and cooperation. These details and more inside.

Cyber Florida 24-25 Annual Impact Report (published 2025-11-24T11:13:53-05:00)

Readiness + Resilience: Cyber Florida’s CMMC Level 1 Guide

For small and medium businesses working on federal contracts, the new Cybersecurity Maturity Model Certification (CMMC) can seem overwhelming. Cyber Florida’s new CMMC L1 Guide helps put the new standards into simple language and actionable steps.

Readiness + Resilience: Cyber Florida’s CMMC Level 1 Guide (published 2025-11-21T09:59:54-05:00)

BIG-IP Integrity Vulnerability Threat Report

CVE-2025-58424

I. Introduction

Application Delivery Controllers (ADCs) are essential to modern networks because they optimize, secure, and manage client-server traffic. F5’s BIG-IP, a critical Application Delivery Controller used across enterprises and government networks, plays a key role in traffic management, SSL/TLS termination, and application delivery. [1]

On October 15, 2025, CVE-2025-58424 was discovered, describing a vulnerability in F5’s BIG-IP systems in which undisclosed traffic can cause data corruption and unauthorized data modification in protocols that lack message integrity protection. The vulnerability affects several versions and configurations of BIG-IP products [2] and has been linked to the BRICKSTORM malware, which is used by state-sponsored actors. Although rated Medium (CVSS v3.1 score 4.5) by the National Vulnerability Database (NVD) [6], the potential for exploitation across critical infrastructure makes immediate patching a priority.

As of October 28, 2025, there were no public reports of active in-the-wild exploitation. However, the vulnerability is part of a broader set of F5 BIG-IP vulnerabilities disclosed amid a nation-state breach of F5’s internal networks (detected on August 9, 2025) [6], in which source code and details of undisclosed vulnerabilities were stolen. This raises concerns about potential zero-day exploitation by the threat actor.

Following the public disclosure, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an Emergency Directive (ED 26-01) for federal agencies. [8] The directive required agencies to apply F5 patches, inventory F5 products, and restrict management interface access. CISA warned that the breach presents an “imminent threat” to federal networks.

This advisory provides a consolidated overview of what CVE-2025-58424 is, whom it targets, the affected BIG-IP modules, associated MITRE ATT&CK techniques, and recommended mitigations. It is intended to help readers understand the technical scope and the protections needed to maintain data integrity and network resilience.

II. Target

CVE-2025-58424 affects the BIG-IP data plane, which is responsible for nearly all runtime network traffic processing, including load-balanced traffic handled by the Traffic Management Microkernel (TMM). As a result, any organization running affected F5 BIG-IP products or services that rely on TMM is potentially vulnerable. These products and services sit at the network edge and handle large volumes of client-server traffic, making successful exploitation extremely dangerous across a wide range of industries [4], including:

  • Enterprise & Cloud Service Providers
  • Financial Services
  • Government & Public Sectors
  • Healthcare
  • Telecommunications
  • Retail & E-commerce

Affected BIG-IP Modules:

The following table lists the BIG-IP modules affected by CVE-2025-58424, as identified in Recorded Future [6], a leading cyber-threat intelligence and vulnerability tracking platform, along with their corresponding function category:

Table 1. BIG-IP Modules Impacted by CVE-2025-58424 and their Functional Classification

III. Tactics and Techniques

The following table maps out MITRE ATT&CK Techniques Associated with CVE-2025-58424:

Table 2. MITRE ATT&CK Techniques Associated with CVE-2025-58424

IV. Adversary Tools and Services

Although a specific threat actor has not been linked to the F5 breach, public reporting from Google Cloud Mandiant (Google Cloud’s threat intelligence arm, which researches advanced persistent threat (APT) and state-sponsored cyber activity) suggests that exploitation of this vulnerability may be the work of UNC5221, a Chinese threat actor that targets network and edge devices [7]. The activity around CVE-2025-58424 resembles previous UNC5221 campaigns; however, this does not prove that the same actor is responsible. It only indicates that comparable techniques and similar tools are deployed, which is worth monitoring in case the same malware or infrastructure recurs.

The primary malware family linked to this vulnerability is BRICKSTORM, a backdoor that gives attackers sustained remote access to and control over compromised systems. Because it is cross-platform, BRICKSTORM can run on Windows, Linux, and BSD (Berkeley Software Distribution), which lets attackers infiltrate a variety of network environments [7]. In past campaigns, UNC5221 has maintained persistence for more than a year (roughly 393 days), showing that it prioritizes data collection and staying hidden over disruptive attacks that would quickly end its access [7].

To stay hidden, the group uses cloud services such as Cloudflare Workers and Heroku as part of its command-and-control (C2) infrastructure to perform cloud-fronting, a technique that makes malicious traffic appear to come from reputable providers. Additionally, it employs DNS-over-HTTPS (DoH), which encrypts DNS traffic and makes it harder for defenders to spot anomalies. After gaining access, the group moves into virtualized environments such as VMware vCenter and ESXi, which are common in data centers [7]. This lets it increase its level of control and remain undetected even if one machine is isolated or patched.

Recorded Future also found that CVE-2025-58424 is referenced by legitimate penetration testing tools, such as Tenable Nessus plugin #270590, as well as by other tooling such as the DDoS Toolkit and generic backdoor malware [6]. This shows that both attackers and defenders are actively working with this vulnerability: adversaries are looking for unpatched targets, while defenders use it to test and secure systems.

Altogether, these findings show that CVE-2025-58424 sits in a hybrid threat space that can be exploited by both independent and state-sponsored threat actors. Although it has not been confirmed who is targeting F5’s BIG-IP modules, the similarity in tactics and techniques points to a larger campaign that emphasizes data manipulation, stealth, and continuous persistence.

V. Indicators of Compromise (IOCs) and Detection Indicators

There are currently no verified Indicators of Compromise (IOCs) for CVE-2025-58424 as of this advisory. As a possible early warning sign of exploitation, security teams should watch for anomalies in outgoing connections to cloud-hosted command-and-control (C2) services and in encrypted DNS traffic.

The following table collects observable behaviors and network patterns connected to exploitation activity linked to CVE-2025-58424. Until confirmed IOCs are released, these indicators can assist analysts in hunting for related activity:

Table 3. Detection and Monitoring Indicators for CVE-2025-58424

VI. Recommendations

CVE-2025-58424 allows attackers to inject into and modify data within active TCP sessions that use protocols lacking encryption or message integrity protection, such as those without TLS. The issue stems from predictable identifiers in the Traffic Management Microkernel (TMM), a core component of F5 BIG-IP, which can be leveraged to inject malicious data into the data plane. To mitigate this threat, organizations should take the following course of action:

  1. Upgrade BIG-IP

F5 has released patched versions for the affected modules. Organizations running affected versions should upgrade to a patched release (15.1.10.8+, 16.1.6+, or 17.5.0+) for optimum security and performance.

For additional guidance:

Navigate to F5’s official website to learn more about common issues and best practices when upgrading BIG-IP systems: https://my.f5.com/manage/s/article/K000157079

  2. Turn on the TCP Injection Protection Setting

Administrators can enable the ‘tm.tcpstopblindinjection’ database variable via the Traffic Management Shell (TMSH) to add an extra layer of protection and serve as temporary mitigation until the patch is applied.

a. Log in to the TMOS Shell (tmsh) with the following command from the Advanced Shell (bash):

tmsh

b. Enter the following command to enable the ‘tm.tcpstopblindinjection’ database variable:

modify /sys db tm.tcpstopblindinjection value enable

c. Verify the change with the following command:

list /sys db tm.tcpstopblindinjection
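A post-mitigation check covering both recommendations above (the upgrade in step 1 and the tm.tcpstopblindinjection setting in step 2). This is an added example, not part of the advisory and not F5 tooling: it parses the output of the tmsh commands show /sys version and list /sys db tm.tcpstopblindinjection (the sample outputs below are constructed) and uses the fixed versions stated in the advisory; branches the advisory does not list are reported as unknown so that Table 4 is consulted rather than assumed.

```python
import re

# Minimum fixed release per branch, taken from the advisory text
# (15.1.10.8+, 16.1.6+, 17.5.0+). The rule for 17.x puts 17.1.x below
# 17.5.0, so such hosts are reported as not patched; confirm against Table 4.
FIXED_RULES = [((15, 1), (15, 1, 10, 8)),
               ((16, 1), (16, 1, 6)),
               ((17,), (17, 5, 0))]

def parse_version(text):
    """'16.1.3.1' -> (16, 1, 3, 1)."""
    return tuple(int(p) for p in text.strip().split("."))

def is_patched(version):
    """True/False when the branch is covered by the advisory, else None."""
    v = parse_version(version)
    for prefix, minimum in FIXED_RULES:
        if v[:len(prefix)] == prefix:
            # Pad so 16.1.6 compares equal to 16.1.6.0, not below it.
            width = max(len(v), len(minimum))
            return v + (0,) * (width - len(v)) >= minimum + (0,) * (width - len(minimum))
    return None

def installed_version(show_version_output):
    """Pull the 'Version' field out of 'show /sys version' output."""
    m = re.search(r"^\s*Version\s+(\S+)", show_version_output, re.MULTILINE)
    return m.group(1) if m else None

def blind_injection_protection_enabled(db_list_output):
    """True if 'list /sys db tm.tcpstopblindinjection' shows value enable."""
    m = re.search(r'value\s+"?(\w+)"?', db_list_output)
    return bool(m) and m.group(1).lower() == "enable"

def assess(show_version_output, db_list_output):
    """Combine both checks; 'exposed' means neither fix nor mitigation is in place."""
    version = installed_version(show_version_output)
    patched = is_patched(version) if version else None
    mitigated = blind_injection_protection_enabled(db_list_output)
    return {"version": version, "patched": patched,
            "tcpstopblindinjection": mitigated,
            "exposed": patched is not True and not mitigated}

# Constructed sample outputs standing in for the two tmsh commands.
SAMPLE_SHOW_VERSION = "Sys::Version\nMain Package\n  Product     BIG-IP\n  Version     16.1.3\n  Build       0.0.12\n"
SAMPLE_DB_LIST = 'sys db tm.tcpstopblindinjection {\n    value "enable"\n}\n'

if __name__ == "__main__":
    print(assess(SAMPLE_SHOW_VERSION, SAMPLE_DB_LIST))
```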

To limit exposure, in addition to patching systems, it is recommended to restrict management and self-IP access to trusted networks and to enforce TLS across all traffic.

Security analysts should maintain increased monitoring of network traffic and logs for unusual TCP behavior, injection attempts, or sequence number anomalies while systems are in the process of being patched. The CVSS score is rated moderate, but the potential for unauthorized data manipulation within live network segments makes this a serious threat that requires immediate attention and remediation.

Table 4. Summary of Affected Products & Fixed Versions
Note: Refer to Table 1 in Section II (Targets) for a complete list of affected BIG-IP modules.

VII. References

[1] F5 Networks. (2025, October). Security Advisory K000156572: BIG-IP Software Vulnerabilities Quarterly Notification | MyF5. https://my.f5.com/manage/s/article/K000156572

[2] National Vulnerability Database (NVD). (2025, October 15). CVE-2025-58424: F5 BIG-IP Traffic Management Microkernel Data Corruption Vulnerability | National Institute of Standards and Technology (NIST). https://nvd.nist.gov/vuln/detail/CVE-2025-58424

[3] F5 Networks. (2025, October 15). Security Advisory K000151297: BIG-IP System Software Security Update for CVE-2025-58424 | MyF5. https://my.f5.com/manage/s/article/K000151297

[4] F5 Networks. (2025, October). Security Advisory K44525501: CVE-2025-58424 BIG-IP Data Plane Vulnerability Overview | MyF5. https://my.f5.com/manage/s/article/K44525501

[5] F5 Networks. (2025, October). Security Advisory K000157079: Upgrading BIG-IP Systems – Best Practices and Mitigation Guidance | MyF5. https://my.f5.com/manage/s/article/K000157079

[6] Recorded Future Insikt Group. (2025, October 23). Vulnerability Enrichment: CVE-2025-58424. Recorded Future. https://app.recordedfuture.com/portal/analyst-note/doc:_b2QRX

[7] Yoder, S., Wolfram, J., Pearson, A., Bienstock, D., Madeley, J., Murchie, J., Slaybaugh, B., Lin, M., Carstairs, G., & Larsen, A. (2025, September 24). Another BRICKSTORM: Stealthy backdoor enabling espionage into tech and legal sectors. Google Cloud Blog. https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign

[8] Lakshmanan, R. (2025, October 15). F5 breach exposes BIG-IP source code — Nation-state hackers behind massive intrusion. The Hacker News. https://thehackernews.com/2025/10/f5-breach-exposes-big-ip-source-code.html

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Taylor Alvarez, Isaiah Johnson, Eduarda Koop, and Waratchaya Luangphairin (June)

BIG-IP Integrity Vulnerability Threat Report | 2025-11-07T13:24:56-05:00

Virtual Cyber Workshop for Critical Infrastructure 12/9/25

Virtual Cybersecurity Workshop for Critical Infrastructure

December 9, 2025 | 8:30am – 12 Noon (Eastern Time)

Cyber Florida’s Critical Infrastructure Program (CIP) Workshop brings together public-sector leaders, IT professionals, and emergency managers to tackle real-world cyber threats facing Florida’s essential services. These hands-on sessions deliver practical tools, expert insights, and interactive scenarios designed to help SLTT agencies strengthen their cyber resilience and readiness.

  • Receive actionable recommendations for enhancing compliance with Florida Statute 282.318
  • See an overview of Cyber Florida’s no-cost solutions and services to strengthen your organization’s cyber defenses.
  • Engage in an exciting tabletop exercise hosted by the National Cybersecurity Preparedness Consortium (NUARI), offering hands-on experience in responding to cyber incidents.

Whether you’re securing water systems, transportation networks, or municipal services, these workshops are your front line in building a safer Florida. Don’t miss this chance to improve your cybersecurity posture and resilience!

Virtual Cyber Workshop for Critical Infrastructure 12/9/25 | 2025-11-10T14:31:25-05:00

Steve Orrin — Building Trust at Intel and the Poker Table

Episode 65 — Steve Orrin

Steve Orrin — Building Trust at Intel and the Poker Table | 2025-11-04T07:51:07-05:00

Arnie Bellini – The Visionary Behind CyberBay

Arnie Bellini, best known as the former CEO and co-founder of ConnectWise, helped shape Tampa Bay’s technology landscape. Today, he’s leading a new movement – turning Tampa Bay into CyberBay, the next cybersecurity hub of the United States.

In this premiere episode of The CyberBay Podcast, co-host and Tampa Bay Business Journal reporter Anjelica Rubin sits down with Arnie to trace his journey from early tech entrepreneur to thought leader, philanthropist, and investor.

Arnie reflects on the Bellini family’s deep roots in Tampa Bay, the trials and triumphs of building ConnectWise at the dawn of the tech revolution, and the philosophies that have guided his career and life. Together, he and Anjelica unpack the vision behind the CyberBay movement and his mission to defend the digital borders of the U.S.

Arnie Bellini – The Visionary Behind CyberBay | 2025-11-03T14:48:21-05:00