UNC5221, a Chinese APT group, has deployed the Brickstorm backdoor along with previously undocumented malware Plenet and AgentPSD to maintain long-term access to victim networks, including Microsoft 365 environments and managed service providers. Brickstorm, evolving from Golang to Rust implementations, facilitates stealthy proxying and credential abuse to evade Conditional Access policies. Plenet offers interactive shell and remote execution capabilities over WebSocket, while AgentPSD serves as a secondary reverse shell fallback. The group compromised multiple infrastructure components such as VPNs, storage sync systems, NAS devices, and firewalls, with intrusions lasting at least 18 months before detection. The attackers demonstrated operational security by disabling their C2 servers during investigations. This campaign highlights sophisticated living-off-the-land tactics combined with custom malware targeting environments lacking endpoint detection and response solutions.

The threat actor achieved prolonged unauthorized access to victim networks, including Microsoft 365 environments and managed service providers, enabling espionage and potential data exfiltration. The malware allowed remote command execution, file manipulation, and persistent backdoor access, complicating detection and remediation efforts. The attackers' ability to blend with legitimate traffic and evade Conditional Access policies increased the difficulty of preventing access. The compromise of MSP infrastructure also facilitated lateral movement and secondary intrusions. Although no direct exploits or vulnerabilities are involved, the impact includes significant operational compromise and data security risks for targeted organizations.

No official patches apply as this is malware-based activity rather than a software vulnerability. Organizations should focus on detection and remediation of the malware and unauthorized access. Given the attackers' use of living-off-the-land techniques and evasion of Conditional Access, defenders should review and strengthen identity and access management controls, monitor for unusual VPN and proxy usage, and investigate any persistent or unusual processes on critical infrastructure such as VPN appliances, storage sync systems, NAS devices, and firewalls. Incident response should include thorough network and endpoint forensics to identify and remove all malware variants and backdoors. MSPs should be included in security assessments due to their role in the attack chain. No vendor advisory or official fix is available; patch status is not applicable.