Key takeaways
- Google detected a long-term malware operation by the China-linked UNC5221 group.
- The group’s malware stayed undetected in victims’ systems for an average of 393 days.
- Stronger authentication protocols might help companies avoid similar attacks in the future.
Another major hacking campaign has been uncovered. Google just revealed a hacker group with links to China has been using stealth malware to steal data from US firms, frequently remaining undetected for more than a year.
The targeted companies included those in the SaaS industry, as well as the legal and business outsourcing sectors. Victims suffered from intellectual property theft in addition to unwanted infrastructure access.
The group, called UNC5221, is known for these types of long-term cyberattacks.
How UNC5221’s Malware Got Access
According to the announcement from the Google-owned Mandiant Incident Response team, the threat actors exploited zero-day vulnerabilities to gain initial access in at least one case.
The primary backdoor was BRICKSTORM, a malware that the Mandiant team found “on Linux and BSD-based appliances from multiple manufacturers.”
Since these appliances are “often poorly inventoried, not monitored by security teams, and excluded from centralized security logging solutions,” malware can more easily avoid detection. Once deployed, BRICKSTORM pivoted to VMware systems in multiple cases, an area that UNC5221 tends to target.
The malware, on average, lasted 393 days before detection.
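The detection gap Mandiant describes is organizational as much as technical: an appliance that is missing from the inventory, or inventoried but never wired into central logging, is invisible to the SOC. The script below is an added example (not code from Google, Mandiant or the article) that reconciles an asset inventory against a SIEM's "last event received" export and reports both directions of drift. The inventory, the export format and the hostnames are constructed for the example; a real deployment would read these from the CMDB and SIEM APIs.

```python
from datetime import datetime, timedelta

# Constructed asset inventory (hypothetical): hostname -> (device class, owning team)
INVENTORY = {
    "vpn-appl-01": ("network appliance", "netops"),
    "vpn-appl-02": ("network appliance", "netops"),
    "esxi-host-03": ("hypervisor", "infra"),
    "web-01": ("server", "platform"),
}

# Constructed SIEM export (hypothetical): hostname -> timestamp of the last log event received.
# vpn-appl-02 is deliberately absent to model an appliance that was never onboarded to logging.
LAST_LOG_SEEN = {
    "vpn-appl-01": "2025-09-20T08:00:00",
    "esxi-host-03": "2025-09-25T12:30:00",
    "web-01": "2025-09-25T13:00:00",
    "dev-box-99": "2025-09-25T13:30:00",   # sends logs but is not in the inventory
}


def logging_gaps(inventory, last_seen, now, max_silence=timedelta(days=1)):
    """Return inventoried hosts that central logging has not heard from recently.

    Each entry is (host, device class, owner, reason). A host that has never
    sent an event is reported separately from one that went quiet, because
    the first is an onboarding failure and the second may be a tampered or
    dead log forwarder.
    """
    gaps = []
    for host, (kind, owner) in sorted(inventory.items()):
        ts = last_seen.get(host)
        if ts is None:
            gaps.append((host, kind, owner, "never logged"))
            continue
        age = now - datetime.fromisoformat(ts)
        if age > max_silence:
            gaps.append((host, kind, owner, f"silent for {age.days} days"))
    return gaps


def unknown_log_sources(inventory, last_seen):
    """Return hosts that emit logs but are missing from the inventory."""
    return sorted(h for h in last_seen if h not in inventory)


if __name__ == "__main__":
    now = datetime(2025, 9, 25, 14, 0, 0)
    for host, kind, owner, reason in logging_gaps(INVENTORY, LAST_LOG_SEEN, now):
        print(f"GAP  {host:<14} {kind:<18} owner={owner:<9} {reason}")
    for host in unknown_log_sources(INVENTORY, LAST_LOG_SEEN):
        print(f"UNKNOWN SOURCE {host} (not in inventory)")
```

Run on a schedule, the "never logged" and "silent" rows are the appliances a BRICKSTORM-style implant would be happiest on; the "unknown source" rows are the inventory errors that keep those appliances from ever being assigned an owner.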
In Danger: SaaS Companies and Outsourcers
Mandiant also noted which types of companies were targeted, a list that includes software suppliers and outsourcing companies.
“Since March 2025, Mandiant Consulting has responded to intrusions across a range of industry verticals, most notably legal services, Software as a Service (SaaS) providers, Business Process Outsourcers (BPOs), and Technology. The value of these targets extends beyond typical espionage missions, potentially providing data to feed development of zero-days and establishing pivot points for broader access to downstream victims.” -Mandiant Incident Response
One common theme was the group’s interest in collecting the emails of “key individuals” at the companies, using Microsoft Entra ID Enterprise Applications in order to gain access to mail across any company inbox.
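The reason an Enterprise Application is such a convenient route to "any company inbox" is that an application permission such as Mail.Read, unlike the delegated form, applies to every mailbox in the tenant. The snippet below is an added example (not code from the article, Google or Mandiant) showing the kind of audit-log review a defender can automate: it scans app-role assignment events and flags any grant of a tenant-wide mail permission. The entries are constructed and deliberately flattened; the real Entra ID audit schema nests the same information under initiatedBy and targetResources, so the field names here are an assumption to be adapted to the actual export.

```python
# Application-level permissions that grant an app access to mail across the whole tenant.
# Mail.Read / Mail.ReadWrite / Mail.Send are Microsoft Graph application permissions;
# full_access_as_app is the Exchange Online equivalent.
TENANT_WIDE_MAIL_PERMISSIONS = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "full_access_as_app"}

# Entra ID audit activity recorded when an app role (application permission) is granted.
APP_ROLE_ASSIGNMENT = "Add app role assignment to service principal"

# Constructed, simplified audit entries (hypothetical field names; not real tenant data).
SAMPLE_AUDIT = [
    {"activityDisplayName": APP_ROLE_ASSIGNMENT, "initiatedBy": "admin@example.test",
     "targetApp": "HR Sync Connector", "permission": "User.Read.All", "permissionType": "Application"},
    {"activityDisplayName": APP_ROLE_ASSIGNMENT, "initiatedBy": "admin@example.test",
     "targetApp": "Mailbox Archiver", "permission": "Mail.Read", "permissionType": "Application"},
    {"activityDisplayName": "Consent to application", "initiatedBy": "alice@example.test",
     "targetApp": "Calendar Helper", "permission": "Mail.Read", "permissionType": "Delegated"},
    {"activityDisplayName": APP_ROLE_ASSIGNMENT, "initiatedBy": "svc-admin@example.test",
     "targetApp": "Backup Helper", "permission": "full_access_as_app", "permissionType": "Application"},
]


def flag_tenant_wide_mail_grants(entries):
    """Return (app, permission, grantor) for every application-permission grant
    that opens mailboxes tenant-wide.

    Delegated grants are skipped on purpose: they only reach the consenting
    user's own mailbox, so they are a different (lower) risk class.
    """
    hits = []
    for e in entries:
        if e.get("activityDisplayName") != APP_ROLE_ASSIGNMENT:
            continue
        if e.get("permissionType") != "Application":
            continue
        if e.get("permission") in TENANT_WIDE_MAIL_PERMISSIONS:
            hits.append((e["targetApp"], e["permission"], e["initiatedBy"]))
    return hits


if __name__ == "__main__":
    for app, perm, who in flag_tenant_wide_mail_grants(SAMPLE_AUDIT):
        print(f"REVIEW: '{app}' was granted {perm} (tenant-wide mail) by {who}")
```

Each hit should map to a documented business owner and a change ticket; an unexplained grant, especially one made by a freshly created admin or a service account, is exactly the signal that turns a 393-day dwell time into a same-week one.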
Staying Safe From Cyberattacks
How can your own company stay safe down the road? Stronger protocols like multi-factor authentication can go a long way towards helping.
Google also recommends adopting a TTP-based hunting approach, the term for a proactive security technique that analyzes the most common TTP — that’s Tactics, Techniques, and Procedures — that hackers are currently using.
According to Mandiant, this is “not only an ideal practice, but a necessity to detect patterns of attack that are unlikely to be detected by traditional signature-based defenses.”
Without it, your company might one day wind up finding out UNC5221’s malware has been embedded in its systems for months already.