
Netizen Cybersecurity Bulletin (September 25th, 2025)

Overview:

  • Phish Tale of the Week
  • UNC5221 Deploys BRICKSTORM Backdoor Against U.S. Legal and Technology Sectors
  • Shai-Hulud Worm Compromises 180+ NPM Packages
  • How can Netizen help?

Phish Tale of the Week

Phishing campaigns created by malicious actors often target users through social engineering. In this example, the actors are posing as Coinbase. They’re sending us a text message telling us that our Coinbase account was logged into and that we need to call support if it wasn’t us. It seems both urgent and genuine, so why shouldn’t we? Luckily, there are plenty of reasons that point to this being a scam.

Here’s how we can tell not to call this number:

  1. The first warning sign for this SMS is the context in which it was sent. When I received this SMS, I immediately knew not to click on the link due to the fact that I do not have a Coinbase account. On top of that, it’s very apparent that this message was blasted out to random numbers: the message doesn’t even include my name or attempt to provide any level of familiarity.
  2. The second warning sign in this text is the messaging. This message tries to create a sense of urgency in order to get you to take action by using language such as “If this was not you.” Phishing and smishing scams commonly attempt to create a sense of urgency or confusion in their messages in order to get you to click their link without thinking about it first. Always be sure to thoroughly inspect the style and tone of all texts before following a link or opening an attachment sent through SMS.
  3. The final warning sign for this text is the wording; in our case the smisher suggests we call a random number, something that Coinbase support would never do. All of these factors point to the above being a smishing text, and a very unsophisticated one at that.


General Recommendations:

A smishing attack will typically direct the user to click on a link where they will then be prompted to update personal information, such as a password, credit card, social security, or bank account information. A legitimate company already has this sensitive information and would not ask for it again, especially via text message.

  1. Scrutinize your messages before clicking anything. Have you ordered anything recently? Does this order number match the one you already have? Did the message come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
  2. Verify that the sender is actually from the company that appears to be sending the message.
  3. Did you receive a message from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc.? A legitimate company will never ask for PII via instant message or email.
  4. Do not give out personal or company information over the internet.
  5. Do not click on unrecognized links or attachments. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.

Many smishing messages convey a sense of urgency, or even aggressiveness, in order to intimidate the recipient. Any SMS requesting immediate action should be vetted thoroughly to determine whether or not it is a scam. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, “Fix your account now” may draw the question “What is wrong with my account?” and prompt you to click a suspicious link.


Cybersecurity Brief

In this month’s Cybersecurity Brief:

UNC5221 Deploys BRICKSTORM Backdoor Against U.S. Legal and Technology Sectors

A newly detailed cyber-espionage campaign is drawing attention for its persistence and precision. Mandiant and Google’s Threat Intelligence Group (GTIG) have attributed recent intrusions in the United States to UNC5221, a China-aligned threat actor deploying the BRICKSTORM backdoor. The group has been active across multiple high-value industries, including legal services, business process outsourcing firms, technology companies, and SaaS providers, with activity stretching back more than a year.

At the heart of the campaign is BRICKSTORM, a Go-based backdoor engineered to establish covert access and resist detection. Once deployed, it can masquerade as a web server, manipulate the file system, transfer data, execute arbitrary shell commands, and even act as a SOCKS relay to tunnel traffic. Communication with command-and-control servers is carried out over WebSockets, helping the malware blend into ordinary network behavior. In some cases, newer variants have included a “delay” feature, waiting months before contacting their operators to avoid being discovered during initial remediation efforts.

UNC5221 has paired BRICKSTORM with other stealth tools, most notably BRICKSTEAL, a malicious Apache Tomcat filter designed to capture vCenter credentials. Unlike traditional deployments, which require configuration changes and service restarts, this filter was injected directly in memory through a custom dropper. This approach eliminates the need for restarts, reduces visibility, and demonstrates the group’s emphasis on stealth. Another component, a JSP web shell known as SLAYSTYLE or BEEFLUSH, provides a means of executing operating system commands delivered through simple HTTP requests. These capabilities highlight the group’s preference for living quietly within environments rather than deploying noisy, off-the-shelf malware.

Persistence has been a recurring theme in these intrusions. Investigators have observed modifications to startup files such as init.d, rc.local, and systemd services on compromised appliances, ensuring BRICKSTORM survives reboots. On VMware infrastructure, UNC5221 has gone further by cloning Windows Server virtual machines tied to critical systems like domain controllers and identity providers, giving them an alternate path back in even if initial access is cut off. This long-haul approach has translated into dwell times averaging 393 days, underscoring how effective their operational security has been.

The targeting patterns fit within established Chinese cyber-espionage objectives. Legal firms and technology companies hold sensitive information tied to national security and trade, while SaaS providers act as gateways into downstream customer environments. By compromising administrators, developers, and technical staff, UNC5221 gains access to not only valuable communications but also the infrastructure needed to conduct research into new zero-day vulnerabilities. This dual motive, espionage and cyber capability development, represents a serious threat to both national and commercial interests.

Detection has proven difficult because many of the appliances and systems compromised do not support traditional endpoint detection and response tooling. That gap has left defenders struggling to spot lateral movement or credential theft until long after the damage has been done. Google has since released a shell script scanner to help organizations check Linux and BSD appliances for BRICKSTORM indicators, but the campaign illustrates just how much of today’s enterprise environment exists outside standard monitoring tools.

Charles Carmakal, CTO of Mandiant Consulting, summed up the challenge by pointing out that access gained by UNC5221 allows them to pivot into downstream customer networks and potentially discover exploitable flaws in enterprise technologies. The ability to remain in place for over a year, while quietly stealing data and expanding access, highlights just how sophisticated and determined these operators are.

For defenders, the message is clear. Security visibility cannot stop at endpoints alone. Infrastructure such as VPN appliances, VMware environments, and SaaS integrations must be subject to the same level of scrutiny as workstations and servers. Credential hygiene, startup script audits, and continuous hunting for stealthy backdoors are becoming necessary steps in responding to advanced campaigns of this nature. The BRICKSTORM activity shows that highly skilled adversaries will continue exploiting blind spots in enterprise monitoring, and the cost of overlooking these areas is long-term undetected compromise.
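The startup-file audit recommended above can be scripted. The following is an added example, not Google’s scanner and not code from the article: it walks the persistence locations the report names (init.d, rc.local, systemd unit directories), flags anything modified within a recent window, and flags units whose ExecStart runs from a scratch or home directory. The ROOT argument, the day window, and the “suspicious directory” list are this example’s own assumptions.

```shell
#!/bin/sh
# Added example (not from the article): audit Linux startup locations for
# (a) files changed within the last DAYS days and (b) systemd units whose
# ExecStart= points into a world-writable or home directory.
# ROOT lets the audit run against a mounted appliance image instead of /.

# audit_startup ROOT DAYS -> prints one finding per line
audit_startup() {
  root="${1:-/}"; days="${2:-30}"
  # Locations the report describes as modified for persistence (assumed paths).
  for rel in etc/init.d etc/rc.local etc/rc.d/rc.local \
             etc/systemd/system usr/lib/systemd/system; do
    p="${root%/}/$rel"
    [ -e "$p" ] || continue
    # (a) any regular file modified inside the window
    find "$p" -type f -mtime "-$days" 2>/dev/null | sed 's/^/RECENT /'
    # (b) unit files whose first ExecStart= runs from a scratch/home location
    find "$p" -type f -name '*.service' 2>/dev/null | while IFS= read -r unit; do
      exec_line=$(grep -m1 '^ExecStart=' "$unit" | cut -d= -f2-)
      case "$exec_line" in
        /tmp/*|/var/tmp/*|/dev/shm/*|/home/*|/root/*)
          printf 'SUSPICIOUS-EXEC %s %s\n' "$unit" "$exec_line" ;;
      esac
    done
  done
}

# count_findings ROOT DAYS -> number of findings, for scripting and alerting
count_findings() {
  audit_startup "$1" "$2" | wc -l | tr -d ' '
}
```

Run `audit_startup / 30` on a live host, or point ROOT at a mounted snapshot of an appliance; review every RECENT entry against change records and treat SUSPICIOUS-EXEC lines as hunt leads.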

To read more about this article, click here.


Shai-Hulud Worm Compromises 180+ NPM Packages

A new malware outbreak has shaken the open-source ecosystem, with security researchers warning that more than 187 JavaScript packages on the NPM registry were infected by a fast-moving, self-replicating worm. The malware, dubbed Shai-Hulud after the giant sandworms in Frank Herbert’s Dune, has been stealing developer credentials and publishing them to public GitHub repositories.

The worm is unusual in both its aggressiveness and its propagation method. Every time a developer installs an infected package, the malware hunts for NPM authentication tokens stored in the environment. If it finds them, Shai-Hulud modifies the 20 most popular packages tied to that token, implants itself into their code, and pushes a new version of those libraries to NPM. The result is a chain reaction: one infected package leads to dozens of others being compromised, creating the potential for exponential growth.

The outbreak is the latest in a string of incidents affecting NPM, which acts as a critical hub for the global JavaScript ecosystem. Just weeks earlier, phishing campaigns spoofing NPM logins attempted to trick developers into updating their multi-factor authentication settings, while another breach involving the “nx” toolkit planted malware that stole authentication tokens. That attack did not self-propagate, but it foreshadowed the worm-like mechanics of Shai-Hulud.

Researchers at Aikido and StepSecurity found that the worm uses the open-source tool TruffleHog to scan for additional secrets on infected machines, including credentials for GitHub, AWS, Azure, and Google Cloud. The malware then publishes those secrets in newly created GitHub repositories marked with “Shai-Hulud,” where the information is exposed to anyone who stumbles across it.

The worm targets Linux and macOS environments but deliberately skips Windows systems. This focus on developer platforms reflects its intent: compromise the ecosystem at the source, rather than the end users.

Among the victims were several NPM packages associated with CrowdStrike, a leading security vendor. Security platform Socket.dev reported that at least 25 of CrowdStrike’s open-source packages were briefly compromised. CrowdStrike confirmed the intrusion but stressed that its Falcon endpoint detection platform was unaffected. The company said it quickly removed the malicious packages, rotated keys in public registries, and launched an investigation alongside NPM.

Charlie Eriksen of Aikido described the worm as behaving almost like a biological virus. “Once the first person got compromised, there was no stopping it,” he said. “I still see package versions popping up once in a while, but no new packages have been compromised in the last several hours. That could change quickly if another developer inadvertently triggers the spread.”

The worm’s infrastructure appears to have been partially disrupted—researchers noted that the attacker’s data exfiltration endpoint was throttled by rate limits. Still, the worm’s ability to replicate autonomously means the risk of resurgence remains high, especially if “super-spreader” developers with access to widely used packages are compromised.

Experts say the attack exposes a serious structural weakness in open-source package repositories. Nicholas Weaver of the International Computer Science Institute described it as “a supply chain attack that conducts a supply chain attack.” Weaver urged NPM and similar registries to enforce stricter publishing controls, particularly the use of phish-resistant two-factor authentication for every publication request.

“Allowing automated systems to publish code updates without explicit human verification has become a proven recipe for disaster,” Weaver said. He warned that without systemic changes, attacks like Shai-Hulud will only grow more frequent and disruptive.
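Two checks a developer or CI owner can run against the scenario described above, as an added example that is not code from the article or from the researchers it cites: one reports NPM auth tokens left in ~/.npmrc or the environment (the credentials the worm harvests, and what CrowdStrike rotated), the other lists installed packages that declare install-time lifecycle scripts, since the article describes the worm acting when an infected package is installed. The environment variable names and the hook list are this example’s assumptions.

```shell
#!/bin/sh
# Added example (not from the article): two defender checks for npm projects.
#  find_npm_tokens   - report auth tokens lingering in ~/.npmrc or env vars
#                      (values are masked; anything found should be rotated).
#  list_install_hooks - list installed packages declaring install-time
#                      scripts, i.e. code that runs during `npm install`.

# find_npm_tokens HOMEDIR -> one "NPMRC ..." or "ENV ..." line per token found
find_npm_tokens() {
  home="${1:-$HOME}"
  if [ -f "$home/.npmrc" ]; then
    # token lines look like //registry.npmjs.org/:_authToken=npm_XXXX
    grep -E '(_authToken|_auth)=' "$home/.npmrc" |
      sed -E 's/=(....).*/=\1.../; s/^/NPMRC /'
  fi
  # Common CI variable names (assumed); the worm reads tokens from the environment.
  for v in NPM_TOKEN NODE_AUTH_TOKEN; do
    eval "val=\${$v:-}"
    if [ -n "$val" ]; then printf 'ENV %s=%.4s...\n' "$v" "$val"; fi
  done
}

# list_install_hooks PROJECTDIR -> "HOOK <package> <hook> <command>" per hook
list_install_hooks() {
  # depth 3 covers node_modules/pkg and node_modules/@scope/pkg
  find "${1:-.}/node_modules" -maxdepth 3 -name package.json 2>/dev/null |
  while IFS= read -r pj; do
    pkg=${pj%/package.json}; pkg=${pkg#*node_modules/}
    grep -E '^[[:space:]]*"(preinstall|install|postinstall|prepare)"[[:space:]]*:' "$pj" |
      sed -E 's/^[[:space:]]*"([a-z]+)"[[:space:]]*:[[:space:]]*"(.*)",?$/\1 \2/' |
      sed "s|^|HOOK $pkg |"
  done
}
```

Pair the hook listing with `npm install --ignore-scripts` (or `ignore-scripts=true` in .npmrc) so that install-time code only runs after it has been reviewed.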

To read more about this article, click here.


How Can Netizen Help?

Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally. 

Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.