
Chinese APT deploys new malware to keep access to hacked networks


A Chinese espionage group tracked as UNC5221 has been accessing Microsoft 365 environments using the Brickstorm backdoor and previously undocumented malware named Plenet and AgentPSD.

An investigation into the incident revealed that the threat actor had gained access to the victim network at least 18 months before detection, and had also compromised the victim organization's managed services provider (MSP).

UNC5221 is also tracked as VerdantBamboo and has been involved in attacks that exploited zero-day vulnerabilities in edge devices since at least 2023.

The threat actor used the Brickstorm backdoor undetected in the environments of various targets in the United States for more than a year until the breaches were discovered around March 2025.

Researchers describe Brickstorm as "an advanced malware implant." Initial variants were written in Go (Golang); later variants were written in Rust.

In April 2024, Google documented UNC5221 activity using the backdoor, and then again in September 2025, describing attacks against legal services, software-as-a-service providers, business process outsourcers, and technology companies.

CISA warned about Brickstorm being deployed by Chinese hackers against VMware vSphere servers, and, more recently, Google reported that it was deployed by UNC6201 against Dell RecoverPoint for Virtual Machines.

Victim hacked twice

Volexity researchers responding to an incident last year found that VerdantBamboo compromised an Egnyte Storage Sync system and accessed it periodically through the victim's web SSL VPN.

From this foothold, using Brickstorm's proxying features and stolen credentials, the threat actor accessed the organization's Microsoft 365 environment.
