Google warns that malware linked to China will haunt networks for years

Businesses may keep finding traces of a Chinese hacking campaign hiding in their networks for at least the next two years, Google warns.
On Wednesday, Google’s Threat Intelligence Group reported that it has been tracking a backdoor known as BrickStorm, which hackers used to maintain access to organizations and businesses in the United States for an average of 393 days. Google’s cybersecurity consultancy, Mandiant, has been responding to these intrusions since March 2025.
The attacks target a variety of industries, with particular emphasis on legal services, software-as-a-service (SaaS) providers, business process outsourcers (BPOs) and technology companies. Evidence from Google’s investigations suggests that legal firms are targeted for information related to US national security and international trade. SaaS providers are used as a gateway into their customers’ environments. And technology companies are targeted for their intellectual property, including source code, which could help the attackers identify further security flaws.
“The value of these targets extends beyond typical spy missions, potentially providing data to fuel the development of zero days and establish pivotal points for wider access to downstream victims,” notes the report. A zero-day vulnerability is a security flaw in software or hardware that is unknown to its developers, leaving them “zero days” to fix it before attackers can exploit it.
The activity is mainly attributed to a group Google tracks as UNC5221, along with other clusters closely linked to China.
The report says the hackers are able to remain undetected for long periods because they deploy BrickStorm on systems that cannot run the traditional endpoint detection and response (EDR) or antivirus software used on devices such as computers and smartphones.
Instead, they target network appliances such as routers, firewalls and email security gateways. They also target virtual machine hypervisors and their management hosts. According to the report, UNC5221 systematically targets VMware vCenter and ESXi hosts.
To help organizations detect the malware, Mandiant has published a free scanner that looks for BrickStorm activity. It works “by looking for a combination of hexadecimal strings and patterns specific to the backdoor,” Google said.
Charles Carmakal, chief technology officer of Mandiant Consulting, told The Register that he expects we will be hearing about this threat actor for a long time.
“As more and more companies scan their systems, we expect that we will hear about this campaign over the coming two years,” said Carmakal. “We have no doubt that companies will use this tool and find active or historical compromises.”
Carmakal also told Cybersecurity Dive that over this two-year period, “new things will be published” about the attacks as more and more victims disclose breaches.