7 min read

Google security researchers have revealed that a malware strain called Brickstorm secretly operated inside U.S. companies for more than a year.
Public reporting indicates BRICKSTORM primarily targeted U.S. legal services, software-as-a-service (SaaS) providers, business process outsourcers and technology firms, though researchers warn related infrastructure could allow access to other downstream customers.
The discovery highlights how sophisticated cyber campaigns can bypass defenses for long periods, leaving organizations vulnerable to major breaches.

Brickstorm is designed to gain long-term access to systems by disguising its activity as legitimate network traffic. Once inside, it establishes persistence, collects data, and communicates with attacker-controlled servers.
Security teams describe it as a modular threat, capable of adapting its techniques depending on the target. This flexibility made it difficult for traditional detection tools to recognize, allowing it to remain active across U.S. firms for months without exposure.

Analysts found BRICKSTORM uses a modular Go-based backdoor that leverages covert communications (including DNS-over-HTTPS and encrypted channels), unusual file formats and limited-activity windows to blend into routine traffic.
It also provides file-management, tunneling and VM cloning techniques to maintain persistence and move laterally. These measures made the malware appear like routine network behavior.

The discovery came through Google’s Threat Analysis Group and Mandiant, which worked together after spotting unusual activity tied to multiple U.S. firms.
Researchers say the campaign achieved long dwell times, averaging roughly 393 days in observed cases, and that Mandiant began responding to BRICKSTORM intrusions in early 2025. These timelines imply many infections likely persisted for a year or more before detection.
Google then coordinated with affected companies to remove the threat. The investigation highlights the importance of global collaboration in tackling long-term cyber campaigns.

Brickstorm primarily hit large U.S. firms in industries with valuable intellectual property and sensitive data. Reports suggest energy companies, financial institutions, and technology providers were among those affected.
These sectors are common targets for espionage-driven campaigns. Attackers often seek trade secrets, financial records, or early access to research and development. By silently extracting this information over time, they can gain advantages in markets or provide intelligence to sponsors.

Google and Mandiant have linked BRICKSTORM to a cluster tracked as UNC5221; several analysts describe the activity as ‘China-nexus’ or consistent with state-backed espionage tradecraft, though public reporting stresses attribution remains cautious.
The level of sophistication, the focus on critical sectors, and the ability to remain undetected for over a year suggest more than just criminal motives.

The Brickstorm incident underscores the need for stronger security practices. Traditional antivirus tools often fail against stealthy, targeted malware. Experts recommend continuous monitoring, anomaly detection, and frequent security audits.
Companies should also invest in endpoint detection and response systems that track unusual behavior over time. Without these measures, attackers can quietly exploit networks, as Brickstorm did, leaving firms unaware until major damage has already been done.

Security analysts point to gaps in monitoring as the main reason Brickstorm went unnoticed. Many organizations rely heavily on signature-based detection, which looks for known malware patterns.
Since Brickstorm used custom code and constantly shifted its techniques, it didn’t trigger those alerts. This blind spot reveals how determined attackers can bypass even well-funded defenses. It also raises concerns about how many other hidden threats may still be active today.

The exact amount of data stolen remains unclear, but experts warn that months of silent access could have given attackers significant troves of sensitive information. This may include financial transactions, proprietary research, or even employee communications.
Such data can be resold, weaponized for competitive advantage, or used to launch further attacks. The scale of potential exposure is a reminder of the lasting damage caused by advanced malware campaigns.

Google and Mandiant say they coordinated with affected organizations. Reporting indicates federal cyber-defense stakeholders have been informed, and analysts expect the disclosure to increase pressure on firms to adopt more rigorous threat-hunting and asset-inventory practices.
In recent years, U.S. authorities have repeatedly warned that critical infrastructure firms remain vulnerable to long-term espionage campaigns from overseas actors. Brickstorm is the latest example validating those concerns.

Although the current findings center on U.S. firms, researchers warn Brickstorm could also be affecting organizations abroad. Malware infrastructures are often designed to span regions, allowing attackers to strike multiple countries.
If true, it may only be a matter of time before similar compromises are uncovered elsewhere. This possibility underscores the need for international cooperation, as cyber campaigns of this scale rarely stop at one nation’s borders.

Undetected breaches like Brickstorm are often the most damaging because attackers have time to move quietly and gather information. The costs extend far beyond immediate data loss, including reputational damage, regulatory fines, and disrupted operations.
Companies may not even know the full scope of exposure until years later. This delayed impact makes stealth malware one of the most financially and strategically devastating types of cyber threats today.

Experts compare Brickstorm to other long-running cyber campaigns such as SolarWinds and APT-style intrusions. In those cases, attackers used advanced techniques to infiltrate systems and remain inside for months or years.
These parallels suggest a growing trend in cyberwarfare, where stealth and persistence are prioritized over quick attacks. Such campaigns can quietly shift competitive and geopolitical balances while leaving victims struggling to rebuild trust and security.

The discovery of Brickstorm has sparked debate in the cybersecurity industry. Some see it as proof that detection methods must evolve rapidly to counter new threats.
Others argue it highlights a growing imbalance, where attackers need only a single weakness while defenders must secure every layer. Either way, the case has renewed calls for companies and governments to invest more heavily in cyber resilience and real-time threat intelligence.

Cybersecurity experts recommend immediate action for organizations that may be at risk. This includes reviewing system logs, applying the latest patches, and checking for unusual outbound traffic that could indicate hidden malware.
Training employees to recognize phishing attempts and tightening access controls are also critical steps. While no defense is perfect, layering protections and adopting proactive monitoring can greatly reduce the chance of another long-term compromise.
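The outbound-traffic review recommended above can be started with a simple hunt for the two traffic traits the article attributes to BRICKSTORM: DNS-over-HTTPS to blend into web traffic, and low-volume, evenly spaced connections during limited activity windows. The code below is an added example, not from Google or Mandiant; the proxy log format, the sample lines and the business-hours window are constructed assumptions.

```python
"""Hunt over web-proxy logs for DoH usage and off-hours periodic beaconing.
Log format and sample lines are constructed for this example."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: "timestamp src_ip dst_host url_path bytes"
SAMPLE_LOGS = """\
2025-03-02T01:00:04Z 10.1.4.22 dns.google /dns-query 412
2025-03-02T02:00:09Z 10.1.4.22 dns.google /dns-query 398
2025-03-02T03:00:02Z 10.1.4.22 dns.google /dns-query 405
2025-03-02T04:00:11Z 10.1.4.22 dns.google /dns-query 420
2025-03-02T09:15:30Z 10.1.4.22 www.example.com /index.html 15320
2025-03-02T09:15:31Z 10.1.4.22 www.example.com /app.js 50211
2025-03-02T09:17:02Z 10.1.4.23 www.example.com /index.html 15320
2025-03-02T13:45:00Z 10.1.4.23 cloudflare-dns.com /dns-query 390
"""

DOH_PATH = "/dns-query"           # RFC 8484 well-known DoH resource path
BUSINESS_HOURS = range(8, 19)     # 08:00-18:59 UTC, assumed for this network

def parse(lines):
    for line in lines.splitlines():
        ts, src, host, path, size = line.split()
        yield datetime.fromisoformat(ts.replace("Z", "+00:00")), src, host, path, int(size)

def doh_clients(lines):
    """(source, resolver) pairs using DoH over the proxy; compare against the
    resolvers the organization actually sanctions and treat the rest as leads."""
    return sorted({(src, host) for _, src, host, path, _ in parse(lines) if path == DOH_PATH})

def periodic_offhours(lines, min_events=4, max_jitter=60.0):
    """Sources with >= min_events connections to one host, all outside business
    hours, whose inter-arrival times are nearly constant (low stdev): a beaconing
    pattern. Returns (source, host, mean interval in seconds) tuples."""
    buckets = defaultdict(list)
    for ts, src, host, _, _ in parse(lines):
        if ts.hour not in BUSINESS_HOURS:
            buckets[(src, host)].append(ts)
    hits = []
    for key, stamps in buckets.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= max_jitter:   # evenly spaced -> likely scheduled, not human
            hits.append((*key, round(mean(gaps))))
    return hits
```

On the constructed sample the hourly off-hours DoH connections from 10.1.4.22 are flagged, while the daytime browsing and the single midday resolver lookup from 10.1.4.23 are not.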

Brickstorm’s year-long operation inside U.S. firms shows just how difficult it is to stop determined cyber attackers. As detection tools improve, attackers also refine their methods, creating a constant cycle of offense and defense.
For organizations, the key will be resilience: assuming intrusions will happen and preparing to identify them quickly. The exposure of Brickstorm may be just one chapter in a much larger struggle against hidden threats.
Dan Mitchell has been in the computer industry for more than 25 years, getting started with computers at age 7 on an Apple II.