EPISODE · Dec 5, 2025 · 4 MIN
China's Cyber Spies Lurking for Years! Brickstorm Backdoor Rocks Infosec World
from Digital Dragon Watch: Weekly China Cyber Alert · host Inception Point AI
This is your Digital Dragon Watch: Weekly China Cyber Alert podcast. Hey listeners, this is Ting here with your Digital Dragon Watch weekly cyber alert. We've had quite the week in the cybersecurity landscape, and trust me, China's been busy. Let me walk you through exactly what's happening and what it means for you. The big story dominating cyber circles right now is called Brickstorm, a backdoor so sophisticated that CISA, the NSA, and the Canadian Centre for Cyber Security just dropped a major joint advisory about it on Thursday. Here's the thing that makes this terrifying: Chinese state-sponsored actors have been using this malware to tunnel into dozens of U.S. organizations, and they're not just passing through. According to Nick Andersen at CISA's Cybersecurity Division, these attackers are embedding themselves for the long haul. We're talking about an average dwell time of 393 days inside networks. That's over a year of undetected presence, which is absolutely wild. What makes Brickstorm especially gnarly is that it targets VMware vSphere environments and Windows systems, and it's written in Golang to be extra stealthy. Austin Larsen, a principal analyst at Google Threat Intelligence Group, tells us that CrowdStrike is tracking the actors behind this as Warp Panda, while others call them UNC5221. They're going after government agencies, IT companies, legal services firms, and even business process outsourcers to get downstream access to their clients. In one incident that CISA responded to, attackers stayed inside a network from April 2024 straight through September 2025. The attack vector here is sneaky. These folks are exploiting edge devices for initial access, then moving laterally through VMware vCenter servers using valid credentials they've stolen. Once inside, they're cloning virtual machine snapshots to extract credentials, creating hidden rogue VMs, and deploying other nasty tools like Junction and GuestConduit implants alongside the main Brickstorm backdoor. The team at CrowdStrike noted that the campaign shows deep knowledge of multi-cloud environments and identity systems. But that's not the only story. Just last Wednesday, AWS threat intelligence teams noticed something else disturbing: within hours of a critical React vulnerability being disclosed on December third, multiple China-linked groups including Earth Lamia and Jackpot Panda were already exploiting it. This vulnerability, tracked as CVE-2025-55182, has a maximum severity score of ten and affects React nineteen and Next.js fifteen and sixteen. These actors are using automated scanning tools with user agent randomization to evade detection, and they're simultaneously exploiting multiple vulnerabilities to maximize their hit rate. What should you do? If you're in critical infrastructure or government, the guidance is crystal clear. Scan your systems immediately using the YARA and Sigma rules CISA released. Inventory all your edge devices because that's where the This content was created in partnership and with the help of Artificial Intelligence AI.
What this episode covers
This is your Digital Dragon Watch: Weekly China Cyber Alert podcast. Hey listeners, this is Ting here with your Digital Dragon Watch weekly cyber alert. We've had quite the week in the cybersecurity landscape, and trust me, China's been busy. Let me walk you through exactly what's happening and what it means for you. The big story dominating cyber circles right now is called Brickstorm, a backdoor so sophisticated that CISA, the NSA, and the Canadian Centre for Cyber Security just dropped a major joint advisory about it on Thursday. Here's the thing that makes this terrifying: Chinese state-sponsored actors have been using this malware to tunnel into dozens of U.S. organizations, and they're not just passing through. According to Nick Andersen at CISA's Cybersecurity Division, these attackers are embedding themselves for the long haul. We're talking about an average dwell time of 393 days inside networks. That's over a year of undetected presence, which is absolutely wild. What makes Brickstorm especially gnarly is that it targets VMware vSphere environments and Windows systems, and it's written in Golang to be extra stealthy. Austin Larsen, a principal analyst at Google Threat Intelligence Group, tells us that CrowdStrike is tracking the actors behind this as Warp Panda, while others call them UNC5221. They're going after government agencies, IT companies, legal services firms, and even business process outsourcers to get downstream access to their clients. In one incident that CISA responded to, attackers stayed inside a network from April 2024 straight through September 2025. The attack vector here is sneaky. These folks are exploiting edge devices for initial access, then moving laterally through VMware vCenter servers using valid credentials they've stolen. Once inside, they're cloning virtual machine snapshots to extract credentials, creating hidden rogue VMs, and deploying other nasty tools like Junction and GuestConduit implants alongside the main Brickstorm backdoor. The team at CrowdStrike noted that the campaign shows deep knowledge of multi-cloud environments and identity systems. But that's not the only story. Just last Wednesday, AWS threat intelligence teams noticed something else disturbing: within hours of a critical React vulnerability being disclosed on December third, multiple China-linked groups including Earth Lamia and Jackpot Panda were already exploiting it. This vulnerability, tracked as CVE-2025-55182, has a maximum severity score of ten and affects React nineteen and Next.js fifteen and sixteen. These actors are using automated scanning tools with user agent randomization to evade detection, and they're simultaneously exploiting multiple vulnerabilities to maximize their hit rate. What should you do? If you're in critical infrastructure or government, the guidance is crystal clear. Scan your systems immediately using the YARA and Sigma rules CISA released. Inventory all your edge devices because that's where the This content was created in partnership and with the help of Artificial Intelligence AI.
NOW PLAYING
China's Cyber Spies Lurking for Years! Brickstorm Backdoor Rocks Infosec World
No transcript for this episode yet
Similar Episodes
No similar episodes found.
Similar Podcasts
No similar podcasts found.