Threat Actors Deploy Obfuscation Tactics to Target Windows Machines

Likely Chinese nation-state hackers are targeting European companies using previously unseen malware backdoor variants with advanced network tunneling and evasion capabilities for data theft.
Brussels-based security firm NVISO on Tuesday said the hacking campaign deploys variants of BrickStorm, a custom malware backdoor previously associated with Chinese hackers.
NVISO links the campaign to UNC5221, which Mandiant designates a “suspected China-nexus espionage actor” that has compromised network edge devices since at least 2023.
“The newly identified backdoor variants are believed to have been employed in long-running cyberespionage campaigns since at least 2022, targeting European industries of strategic interest to the People’s Republic of China,” NVISO said.
The backdoor was first uncovered by Mandiant. The new variants, which target the Windows operating system, equip the hackers with file management and network tunneling capabilities. Unlike the variant uncovered by Mandiant, the Windows variants have not been equipped with command execution capabilities.
“The avoidance of command execution directly from the backdoor is suspected to be a deliberate choice in order to evade detection by modern security solutions that analyze parent-child process relationships,” NVISO said.
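The parent-child analysis NVISO refers to is the kind of check below: build a process tree from process-creation telemetry and flag shells whose parent is not one an interactive session would produce. This is an added example, not NVISO's or Mandiant's code; the events are constructed Sysmon-style records, the implant path `C:\ProgramData\updater.exe` is hypothetical, and the list of expected shell parents is an assumption to tune per estate. The point it makes is the one in the quote: a backdoor that does file management and tunneling in-process, and never spawns `cmd.exe`, produces no child process for this logic to see.

```python
# Added example: parent-child process analysis over Sysmon-style events.
# Constructed sample telemetry, not real logs; updater.exe is a hypothetical implant.
SAMPLE_EVENTS = [
    {"pid": 600,  "ppid": 1,    "image": r"C:\Windows\System32\winlogon.exe"},
    {"pid": 800,  "ppid": 1,    "image": r"C:\Windows\System32\services.exe"},
    {"pid": 900,  "ppid": 800,  "image": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"pid": 1000, "ppid": 600,  "image": r"C:\Windows\explorer.exe"},
    {"pid": 2000, "ppid": 1000, "image": r"C:\Windows\System32\cmd.exe"},    # user's own shell
    {"pid": 3000, "ppid": 800,  "image": r"C:\ProgramData\updater.exe"},     # hypothetical implant: no children
    {"pid": 4100, "ppid": 900,  "image": r"C:\Windows\System32\cmd.exe"},    # shell spawned by IIS worker
    {"pid": 4200, "ppid": 4100, "image": r"C:\Windows\System32\whoami.exe"},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Parents from which an interactive shell is normal (assumption; extend for your environment).
EXPECTED_SHELL_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "code.exe"}


def basename(image_path):
    """Last path component, lower-cased, so comparisons ignore directory and case."""
    return image_path.rsplit("\\", 1)[-1].lower()


def build_tree(events):
    """Index events by pid so parents can be looked up in O(1)."""
    return {e["pid"]: e for e in events}


def ancestry(tree, pid):
    """Walk ppid links upward; returns image names child-first. Stops at unknown pids or cycles."""
    chain, seen = [], set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        chain.append(basename(tree[pid]["image"]))
        pid = tree[pid]["ppid"]
    return chain


def suspicious_shell_spawns(events):
    """Flag shells whose direct parent is not an expected interactive parent,
    returning the full ancestry so an analyst sees how the shell came to exist."""
    tree = build_tree(events)
    findings = []
    for e in events:
        if basename(e["image"]) not in SHELLS:
            continue
        parent = tree.get(e["ppid"])
        parent_name = basename(parent["image"]) if parent else "<unknown>"
        if parent_name not in EXPECTED_SHELL_PARENTS:
            findings.append({"pid": e["pid"], "chain": " <- ".join(ancestry(tree, e["pid"]))})
    return findings


def children_of(events, pid):
    """Processes spawned by pid; empty for an implant that avoids command execution."""
    return [e for e in events if e["ppid"] == pid]


if __name__ == "__main__":
    for f in suspicious_shell_spawns(SAMPLE_EVENTS):
        print(f"suspicious shell pid={f['pid']}: {f['chain']}")
    print("children of hypothetical implant (pid 3000):", children_of(SAMPLE_EVENTS, 3000))
```

Only the `cmd.exe` under the IIS worker is flagged; the user's shell under `explorer.exe` passes, and the hypothetical implant has no children at all. That last case is why a backdoor that confines itself to file operations and tunneling has to be hunted in network telemetry and file-system activity rather than in process lineage.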
The attackers also used public cloud services, including Cloudflare and Heroku applications, as a front for their infrastructure, and resolved it through public DNS-over-HTTPS resolvers such as Quad9 and NextDNS. Because DNS over HTTPS carries queries inside encrypted TLS sessions, “regular network-level DNS monitoring is circumvented,” the company said.
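What survives DoH encryption at the network layer is the TLS handshake itself: the SNI in the ClientHello and the destination address. The script below, an added example that is not NVISO's tooling, flags connections to known public DoH resolvers in a Zeek-style `ssl.log`. The log excerpt is constructed; the resolver hostnames and IPs are the publicly documented endpoints for Quad9, NextDNS and Cloudflare as the editor knows them and should be treated as an assumption to verify and extend (NextDNS is matched here by SNI only).

```python
# Added example: spot DNS-over-HTTPS sessions in Zeek-style ssl.log records
# by server name (SNI) or, when SNI is absent, by resolver IP on port 443.
from collections import Counter

# Public DoH endpoints (assumption: confirm against each provider's current docs).
DOH_SNI = {
    "dns.quad9.net": "Quad9",
    "dns.nextdns.io": "NextDNS",
    "cloudflare-dns.com": "Cloudflare",
    "one.one.one.one": "Cloudflare",
}
DOH_RESOLVER_IPS = {
    "9.9.9.9": "Quad9",
    "149.112.112.112": "Quad9",
    "1.1.1.1": "Cloudflare",
    "1.0.0.1": "Cloudflare",
}

# Constructed ssl.log excerpt in Zeek's tab-separated format ("-" marks an unset field).
SAMPLE_SSL_LOG = (
    "#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tserver_name\n"
    "1712000000.10\t10.0.5.23\t51234\t9.9.9.9\t443\tdns.quad9.net\n"
    "1712000001.40\t10.0.5.23\t51240\t45.90.28.10\t443\tdns.nextdns.io\n"
    "1712000002.00\t10.0.7.8\t52000\t142.250.74.46\t443\twww.google.com\n"
    "1712000003.20\t10.0.5.23\t51250\t1.1.1.1\t443\t-\n"
)


def parse_zeek_tsv(text):
    """Yield one dict per record, naming columns from the #fields header line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("record seen before #fields header")
        yield dict(zip(fields, line.split("\t")))


def classify_doh(rec):
    """Return (resolver, how_matched) when the record looks like DoH, else None."""
    sni = rec.get("server_name", "-")
    if sni != "-":
        for name, resolver in DOH_SNI.items():
            if sni == name or sni.endswith("." + name):
                return resolver, "sni"
    # No SNI (ECH, or a client that connects by IP): fall back to the resolver address.
    if rec.get("id.resp_p") == "443" and rec.get("id.resp_h") in DOH_RESOLVER_IPS:
        return DOH_RESOLVER_IPS[rec["id.resp_h"]], "ip"
    return None


def find_doh_connections(log_text):
    """All records that match a known DoH resolver, with source host and match reason."""
    findings = []
    for rec in parse_zeek_tsv(log_text):
        hit = classify_doh(rec)
        if hit:
            resolver, how = hit
            findings.append({"ts": rec["ts"], "src": rec["id.orig_h"],
                             "dst": rec["id.resp_h"], "resolver": resolver, "match": how})
    return findings


def doh_hits_per_host(findings):
    """Count matches per internal host; repeated hits from one host merit a closer look."""
    return Counter(f["src"] for f in findings)


if __name__ == "__main__":
    hits = find_doh_connections(SAMPLE_SSL_LOG)
    for h in hits:
        print(f"{h['ts']} {h['src']} -> {h['dst']} {h['resolver']} (via {h['match']})")
    print(doh_hits_per_host(hits))
```

Browsers and some operating systems use DoH legitimately, so a match is a lead to baseline against, not an alert by itself; the useful signal is a server, or a host that should be using the internal resolver, talking to a public DoH endpoint. Where SNI is hidden by Encrypted ClientHello, only the IP fallback remains, which is why the resolver address list needs to stay current.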
Once in the network, the group performs reconnaissance and conducts data exfiltration.
The two new variants are not sophisticated in terms of capabilities but provide more insight into the hackers' operations, said Michel Coene, a threat hunting and intelligence partner at NVISO.
“Our sample provides additional insights into the actor’s historical operations. For example, as opposed to Mandiant’s samples, ours permitted the identification of other cloud providers’ usage as well as previous dependencies,” Coene told Information Security Media Group.
A recent Mandiant report said UNC5221 exploited a buffer overflow in Ivanti Connect Secure, tracked as CVE-2025-22457, and deployed malware from the “SPAWN ecosystem,” a family of custom malware that Mandiant attributes to China-nexus espionage actors (see: Chinese Espionage Group Targeting Legacy Ivanti VPN Devices).
Security firm TeamT5 also uncovered a Chinese hacking campaign that exploited CVE-2025-22457 and another Ivanti flaw tracked as CVE-2025-0282 to deploy SpawnChimera malware. The campaign targeted a number of sectors across Europe, the company said.
NVISO could not establish a “direct link” between the Windows BrickStorm samples and Ivanti appliances, but the activities described by TeamT5 align with campaigns observed by NVISO, Coene said.
“Over the last years, continuous exploitation of the VPN appliance has been attributed numerous times to China. This intensive targeting has accounted over the last week for a significant portion of NVISO’s incident response activities,” Coene said.
VPN appliances and other edge devices often run for months without being rebooted or patched, giving attackers a stable foothold from which to persist in the target network without detection.
Chinese groups have been increasingly targeting these devices as part of stealth espionage operations, sometimes allowing them to remain in the victim networks undetected for years (see: Sophos Discloses Half Decade of Sustained Chinese Attack).