{"id":363444,"date":"2025-09-25T19:26:58","date_gmt":"2025-09-25T23:26:58","guid":{"rendered":"https:\/\/tech.co\/?p=363444"},"modified":"2025-09-25T19:26:58","modified_gmt":"2025-09-25T23:26:58","slug":"china-linked-hackers-software-suppliers-malware","status":"publish","type":"post","link":"https:\/\/tech.co\/news\/china-linked-hackers-software-suppliers-malware","title":{"rendered":"A China-Linked Malware Group Is Targeting Software Suppliers"},"content":{"rendered":"<div class=\"wpb-content-wrapper\"><p>[vc_row][vc_column]\n<\/p><div class=\"verdict-box inform-box\" data-eventcategory=\"verdictbox\" data-component=\"verdict-box\" data-total-positions=\"3\">\n\n <div class=\"verdict-box-wrap inform-box-wrap\">\n <h3 class=\"verdict-box-title\">Key takeaways<\/h3>\n \n <div class=\"verdict-box-info\">\n<ul>\n<li><strong>Google detected a long-term malware operation<\/strong> by the China-linked UNC5221 group.<\/li>\n<li><strong>The group&rsquo;s malware stayed undetected in victims&rsquo; systems for an average of 393 days<\/strong>.<\/li>\n<li><strong> Stronger authentication protocols<\/strong> might help companies avoid similar attacks in the future.<\/li>\n<\/ul>\n<p>\n<\/p><\/div>\n <\/div>\n\n <div class=\"verdict-box-footer inform-box-buttons\">\n <div class=\"container\">\n <div class=\"row\">\n <\/div>\n <\/div>\n <\/div>\n\n<\/div>\n[vc_column_text css=&rdquo;&rdquo;]\n<p>Another major hacking campaign has been uncovered. Google just revealed a hacker group with links to China has been using <a href=\"https:\/\/tech.co\/news\/dont-download-these-browser-extensions\"><strong>stealth malware<\/strong><\/a> to steal data from US firms, frequently remaining undetected for more than a year.<\/p>\n<p>The targeted companies included those in the SaaS industry, as well as the legal and business outsourcing sectors. 
Victims suffered from intellectual property theft in addition to unwanted infrastructure access.<\/p>\n<p>The group, called UNC5221, is known for these types of long-term cyberattacks.<\/p>\n<p>[\/vc_column_text][\/vc_column][\/vc_row][vc_row][vc_column width=&rdquo;2\/3&Prime;][vc_column_text css=&rdquo;&rdquo;]<\/p>\n<h2>How UNC5221&rsquo;s Malware Got Access<\/h2>\n<p>According to <a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/brickstorm-espionage-campaign\" target=\"_blank\" rel=\"noopener noreferrer\">the announcement<\/a> from the Google-owned Mandiant Incident Response team, the threat actors exploited zero-day vulnerabilities to gain initial access in at least one case.<\/p>\n<p>The primary backdoor was BRICKSTORM, malware that the Mandiant team found &ldquo;on Linux and BSD-based appliances from multiple manufacturers.&rdquo;<\/p>\n<p>[\/vc_column_text][\/vc_column][vc_column width=&rdquo;1\/3&Prime;]<\/p>\n
[\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text css=&rdquo;&rdquo;]\n<p>Since these appliances are &ldquo;often poorly inventoried, not monitored by security teams, and excluded from centralized security logging solutions,&rdquo; malware can more easily avoid detection. Once deployed, BRICKSTORM pivoted to VMware systems in multiple cases, an area that UNC5221 tends to target.<\/p>\n<p>The malware, on average, lasted 393 days before detection.<\/p>\n<p>[\/vc_column_text][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text css=&rdquo;&rdquo;]<\/p>\n<h2>In Danger: SaaS Companies and Outsourcers<\/h2>\n<p>Mandiant also noted which types of companies were targeted, a list that includes software suppliers and outsourcing companies.<\/p>\n<blockquote><p>&ldquo;Since March 2025, Mandiant Consulting has responded to intrusions across a range of industry verticals, most notably legal services, Software as a Service (SaaS) providers, Business Process Outsourcers (BPOs), and Technology. 
The value of these targets extends beyond typical espionage missions, potentially providing data to feed development of zero-days and establishing pivot points for broader access to downstream victims.&rdquo; - Mandiant Incident Response<\/p><\/blockquote>\n<p>One common theme was the group&rsquo;s interest in collecting the emails of &ldquo;key individuals&rdquo; at the companies, using Microsoft Entra ID Enterprise Applications in order to gain access to mail across any company inbox.<\/p>\n<p>[\/vc_column_text][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text css=&rdquo;&rdquo;]<\/p>\n<h2>Staying Safe From Cyberattacks<\/h2>\n<p>How can your own company stay safe down the road? Stronger protocols like <a href=\"https:\/\/tech.co\/cybersecurity\/what-is-multi-factor-authentication\"><strong>multi-factor authentication<\/strong><\/a> can go a long way towards helping.<\/p>\n<p>Google also recommends adopting a TTP-based hunting approach, the term for a proactive security technique that analyzes the most common TTPs &mdash; that&rsquo;s Tactics, Techniques, and Procedures &mdash; that hackers are currently using.<\/p>\n<p>According to Mandiant, this is &ldquo;not only an ideal practice, but a necessity to detect patterns of attack that are unlikely to be detected by traditional signature-based defenses.&rdquo;<\/p>\n<p>Without it, your company might one day wind up finding out UNC5221&rsquo;s malware has been embedded in its systems for months already.<\/p>\n<p>[\/vc_column_text][\/vc_column][\/vc_row]<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Google&#8217;s Mandiant team found the malware BRICKSTORM on Linux and BSD-based appliances from multiple 
manufacturers.<\/p>\n","protected":false},"author":8412,"featured_media":363445,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"single-sidebar.php","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"class_list":["post-363444","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","col-12"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>A China-Linked Malware Group Is Targeting Software Suppliers<\/title>\n<meta name=\"description\" content=\"When investigating, Google&#039;s Mandiant team found the malware BRICKSTORM on Linux and BSD-based appliances from multiple manufacturers.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/tech.co\/news\/china-linked-hackers-software-suppliers-malware\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"A China-Linked Malware Group Is Targeting Software Suppliers\" \/>\n<meta property=\"og:description\" content=\"When investigating, Google&#039;s Mandiant team found the malware BRICKSTORM on Linux and BSD-based appliances from multiple manufacturers.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/tech.co\/news\/china-linked-hackers-software-suppliers-malware\" \/>\n<meta property=\"og:site_name\" content=\"Tech.co\" \/>\n<meta property=\"article:published_time\" content=\"2025-09-25T23:26:58+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/images.tech.co\/wp-content\/uploads\/2025\/09\/25191229\/dark-computer-typing.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1920\" \/>\n\t<meta property=\"og:image:height\" content=\"960\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" 
content=\"Adam Rowe\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@AdamRRowe\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Adam Rowe\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/tech.co\/news\/china-linked-hackers-software-suppliers-malware#article\",\"isPartOf\":{\"@id\":\"https:\/\/tech.co\/news\/china-linked-hackers-software-suppliers-malware\"},\"author\":{\"name\":\"Adam Rowe\",\"@id\":\"https:\/\/tech.co\/#\/schema\/person\/3739751aacc508123eba8eebb1321292\"},\"headline\":\"A China-Linked Malware Group Is Targeting Software Suppliers\",\"datePublished\":\"2025-09-25T23:26:58+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/tech.co\/news\/china-linked-hackers-software-suppliers-malware\"},\"wordCount\":554,\"image\":{\"@id\":\"https:\/\/tech.co\/news\/china-linked-hackers-software-suppliers-malware#primaryimage\"},\"thumbnailUrl\":\"https:\/\/images.tech.co\/wp-content\/uploads\/2025\/09\/25191229\/dark-computer-typing.jpg\",\"keywords\":[\"Privacy and Security\"],\"articleSection\":[\"News\"],\"inLanguage\":\"en-US\",\"copyrightYear\":\"2025\",\"copyrightHolder\":{\"@id\":\"https:\/\/tech.co\/#organization\"}},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/tech.co\/news\/china-linked-hackers-software-suppliers-malware\",\"url\":\"https:\/\/tech.co\/news\/china-linked-hackers-software-suppliers-malware\",\"name\":\"A China-Linked Malware Group Is Targeting Software 
Suppliers\",\"isPartOf\":{\"@id\":\"https:\/\/tech.co\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/tech.co\/news\/china-linked-hackers-software-suppliers-malware#primaryimage\"},\"image\":{\"@id\":\"https:\/\/tech.co\/news\/china-linked-hackers-software-suppliers-malware#primaryimage\"},\"thumbnailUrl\":\"https:\/\/images.tech.co\/wp-content\/uploads\/2025\/09\/25191229\/dark-computer-typing.jpg\",\"datePublished\":\"2025-09-25T23:26:58+00:00\",\"author\":{\"@id\":\"https:\/\/tech.co\/#\/schema\/person\/3739751aacc508123eba8eebb1321292\"},\"description\":\"When investigating, Google's Mandiant team found the malware BRICKSTORM on Linux and BSD-based appliances from multiple manufacturers.\",\"breadcrumb\":{\"@id\":\"https:\/\/tech.co\/news\/china-linked-hackers-software-suppliers-malware#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/tech.co\/news\/china-linked-hackers-software-suppliers-malware\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/tech.co\/news\/china-linked-hackers-software-suppliers-malware#primaryimage\",\"url\":\"https:\/\/images.tech.co\/wp-content\/uploads\/2025\/09\/25191229\/dark-computer-typing.jpg\",\"contentUrl\":\"https:\/\/images.tech.co\/wp-content\/uploads\/2025\/09\/25191229\/dark-computer-typing.jpg\",\"width\":1920,\"height\":960,\"caption\":\"Someone types code on a computer in the dark\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/tech.co\/news\/china-linked-hackers-software-suppliers-malware#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/tech.co\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"A China-Linked Malware Group Is Targeting Software 
Suppliers\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/tech.co\/#website\",\"url\":\"https:\/\/tech.co\/\",\"name\":\"Tech.co\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/tech.co\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/tech.co\/#\/schema\/person\/3739751aacc508123eba8eebb1321292\",\"name\":\"Adam Rowe\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/tech.co\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/6bad71f4a9ff3199d81e4d1a25ac7df69ccb889fba23589c6178ed3f080039af?s=96&d=blank&r=pg\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/6bad71f4a9ff3199d81e4d1a25ac7df69ccb889fba23589c6178ed3f080039af?s=96&d=blank&r=pg\",\"caption\":\"Adam Rowe\"},\"description\":\"Adam has been a writer at Tech.co for nine years, covering fleet management and logistics. He has also worked at the logistics newsletter Inside Lane, and has worked as a tech writer, blogger and copy editor for more than a decade. He was a Forbes Contributor on the publishing industry, for which he was named a Digital Book World 2018 award finalist. His work has appeared in publications including Popular Mechanics and IDG Connect, and his art history book on 1970s sci-fi, 'Worlds Beyond Time,' was a 2024 Locus Awards finalist. When not working on his next art collection, he's tracking the latest news on VPNs, POS systems, and the future of tech.\",\"sameAs\":[\"https:\/\/x.com\/AdamRRowe\"],\"url\":\"https:\/\/tech.co\/author\/arrowe\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"A China-Linked Malware Group Is Targeting Software Suppliers","description":"When investigating, Google's Mandiant team found the malware BRICKSTORM on Linux and BSD-based appliances from multiple manufacturers.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/tech.co\/news\/china-linked-hackers-software-suppliers-malware","og_locale":"en_US","og_type":"article","og_title":"A China-Linked Malware Group Is Targeting Software Suppliers","og_description":"When investigating, Google's Mandiant team found the malware BRICKSTORM on Linux and BSD-based appliances from multiple manufacturers.","og_url":"https:\/\/tech.co\/news\/china-linked-hackers-software-suppliers-malware","og_site_name":"Tech.co","article_published_time":"2025-09-25T23:26:58+00:00","og_image":[{"width":1920,"height":960,"url":"https:\/\/images.tech.co\/wp-content\/uploads\/2025\/09\/25191229\/dark-computer-typing.jpg","type":"image\/jpeg"}],"author":"Adam Rowe","twitter_card":"summary_large_image","twitter_creator":"@AdamRRowe","twitter_misc":{"Written by":"Adam Rowe","Est. 
reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/tech.co\/news\/china-linked-hackers-software-suppliers-malware#article","isPartOf":{"@id":"https:\/\/tech.co\/news\/china-linked-hackers-software-suppliers-malware"},"author":{"name":"Adam Rowe","@id":"https:\/\/tech.co\/#\/schema\/person\/3739751aacc508123eba8eebb1321292"},"headline":"A China-Linked Malware Group Is Targeting Software Suppliers","datePublished":"2025-09-25T23:26:58+00:00","mainEntityOfPage":{"@id":"https:\/\/tech.co\/news\/china-linked-hackers-software-suppliers-malware"},"wordCount":554,"image":{"@id":"https:\/\/tech.co\/news\/china-linked-hackers-software-suppliers-malware#primaryimage"},"thumbnailUrl":"https:\/\/images.tech.co\/wp-content\/uploads\/2025\/09\/25191229\/dark-computer-typing.jpg","keywords":["Privacy and Security"],"articleSection":["News"],"inLanguage":"en-US","copyrightYear":"2025","copyrightHolder":{"@id":"https:\/\/tech.co\/#organization"}},{"@type":"WebPage","@id":"https:\/\/tech.co\/news\/china-linked-hackers-software-suppliers-malware","url":"https:\/\/tech.co\/news\/china-linked-hackers-software-suppliers-malware","name":"A China-Linked Malware Group Is Targeting Software Suppliers","isPartOf":{"@id":"https:\/\/tech.co\/#website"},"primaryImageOfPage":{"@id":"https:\/\/tech.co\/news\/china-linked-hackers-software-suppliers-malware#primaryimage"},"image":{"@id":"https:\/\/tech.co\/news\/china-linked-hackers-software-suppliers-malware#primaryimage"},"thumbnailUrl":"https:\/\/images.tech.co\/wp-content\/uploads\/2025\/09\/25191229\/dark-computer-typing.jpg","datePublished":"2025-09-25T23:26:58+00:00","author":{"@id":"https:\/\/tech.co\/#\/schema\/person\/3739751aacc508123eba8eebb1321292"},"description":"When investigating, Google's Mandiant team found the malware BRICKSTORM on Linux and BSD-based appliances from multiple 
manufacturers.","breadcrumb":{"@id":"https:\/\/tech.co\/news\/china-linked-hackers-software-suppliers-malware#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/tech.co\/news\/china-linked-hackers-software-suppliers-malware"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/tech.co\/news\/china-linked-hackers-software-suppliers-malware#primaryimage","url":"https:\/\/images.tech.co\/wp-content\/uploads\/2025\/09\/25191229\/dark-computer-typing.jpg","contentUrl":"https:\/\/images.tech.co\/wp-content\/uploads\/2025\/09\/25191229\/dark-computer-typing.jpg","width":1920,"height":960,"caption":"Someone types code on a computer in the dark"},{"@type":"BreadcrumbList","@id":"https:\/\/tech.co\/news\/china-linked-hackers-software-suppliers-malware#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/tech.co\/"},{"@type":"ListItem","position":2,"name":"A China-Linked Malware Group Is Targeting Software Suppliers"}]},{"@type":"WebSite","@id":"https:\/\/tech.co\/#website","url":"https:\/\/tech.co\/","name":"Tech.co","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/tech.co\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/tech.co\/#\/schema\/person\/3739751aacc508123eba8eebb1321292","name":"Adam Rowe","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/tech.co\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/6bad71f4a9ff3199d81e4d1a25ac7df69ccb889fba23589c6178ed3f080039af?s=96&d=blank&r=pg","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/6bad71f4a9ff3199d81e4d1a25ac7df69ccb889fba23589c6178ed3f080039af?s=96&d=blank&r=pg","caption":"Adam Rowe"},"description":"Adam has been a writer at Tech.co for nine years, covering fleet 
management and logistics. He has also worked at the logistics newsletter Inside Lane, and has worked as a tech writer, blogger and copy editor for more than a decade. He was a Forbes Contributor on the publishing industry, for which he was named a Digital Book World 2018 award finalist. His work has appeared in publications including Popular Mechanics and IDG Connect, and his art history book on 1970s sci-fi, 'Worlds Beyond Time,' was a 2024 Locus Awards finalist. When not working on his next art collection, he's tracking the latest news on VPNs, POS systems, and the future of tech.","sameAs":["https:\/\/x.com\/AdamRRowe"],"url":"https:\/\/tech.co\/author\/arrowe"}]}},"_links":{"self":[{"href":"https:\/\/tech.co\/wp-json\/wp\/v2\/posts\/363444","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/tech.co\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tech.co\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tech.co\/wp-json\/wp\/v2\/users\/8412"}],"replies":[{"embeddable":true,"href":"https:\/\/tech.co\/wp-json\/wp\/v2\/comments?post=363444"}],"version-history":[{"count":0,"href":"https:\/\/tech.co\/wp-json\/wp\/v2\/posts\/363444\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/tech.co\/wp-json\/wp\/v2\/media\/363445"}],"wp:attachment":[{"href":"https:\/\/tech.co\/wp-json\/wp\/v2\/media?parent=363444"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}