Companies may uncover traces of a Chinese-linked hacking campaign lurking in their networks for at least the next two years, Google warns. On Wednesday, Google’s Threat Intelligence Group reported that it is tracking a backdoor malware known as BRICKSTORM, which has been used by hackers to maintain access to organizations and companies in the U.S. for an average of 393 days. Google’s cybersecurity consulting arm, Mandiant, has been responding to these intrusions since March 2025.

The attacks target a variety of industries, with a particular focus on legal services, Software-as-a-Service (SaaS) providers, Business Process Outsourcers (BPOs), and technology companies. Evidence from Google’s investigations suggests legal groups are targeted for information related to U.S. national security and international trade. SaaS providers are used as a gateway to access their customers. And tech companies are targeted to analyze intellectual property, including source code, which could help identify other security gaps.

“The value of these targets extends beyond typical espionage missions, potentially providing data to feed development of zero-days and establishing pivot points for broader access to downstream victims,” the report notes. A zero-day vulnerability refers to a security flaw in software or hardware that is unknown to its developers, leaving “zero days” to patch it before attackers can exploit it.

The activity is primarily attributed to a group identified by Google as UNC5221, along with other closely related China-linked clusters. The report says the hackers are able to remain undetected for long periods because they deploy BRICKSTORM on systems that cannot run the traditional Endpoint Detection and Response (EDR) or antivirus software used on devices like computers and smartphones. Instead, they target network appliances such as routers, firewalls, and email security gateways. They also target virtual machine managers and hosts.
According to the report, UNC5221 consistently targets VMware vCenter and ESXi hosts. To help organizations detect the malware, Mandiant has released a free scanner that looks for BRICKSTORM activity. It works “by searching for a combination of strings and hex patterns unique to the backdoor,” Google said. Mandiant Consulting Chief Technology Officer Charles Carmakal told The Register that he anticipates that we’re going to hear about this cyber threat for a long time. “As more companies scan their systems, we anticipate we’ll be hearing about this campaign for the next one to two years,” Carmakal said. “We have no doubt companies will use this tool and find active or historic compromises.” Carmakal also told Cybersecurity Dive that over this two-year period, “new things will come out” about the attacks, as more victims disclose breaches.