
YARA rules for BRICKSTORM

4 rules, scoped to this tool. These are YARA rules whose family, name, or description matches BRICKSTORM or its tooling; use them for binary-pattern hunts. All four gate on the ELF magic bytes (uint16(0) == 0x457F, uint32(0) == 0x464c457f and uint32be(0) == 0x7F454C46 are the same check written three ways), so they only fire on ELF samples such as the vCenter appliance binaries the embedded paths point at, never on a non-ELF file. Several of the plain strings (decompress, MIMEHeader, ResolveReference, and the two P-256 curve constants concatenated in $str7 of MAL_G_APT_Backdoor_BRICKSTORM_3) are names and constants from ordinary Go standard-library code, which is why the rules pair them with code-pattern hex strings or require several of them at once rather than firing on any single string.

MAL_G_APT_Backdoor_BRICKSTORM_3
Detects BRICKSTORM backdoor used by APT group UNC5221 (China Nexus)
Author: Google Threat Intelligence Group (GTIG) (modified by Florian Roth). License: see source repo.
rule MAL_G_APT_Backdoor_BRICKSTORM_3 {
   meta:
      description = "Detects BRICKSTORM backdoor used by APT group UNC5221 (China Nexus)"
      author = "Google Threat Intelligence Group (GTIG) (modified by Florian Roth)"
      date = "2025-09-25"
      score = 75
      reference = "https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign"
      md5 = "931eacd7e5250d29903924c31f41b7e5"
   strings:
      $str1 = { 48 8B 05 ?? ?? ?? ?? 48 89 04 24 E8 ?? ?? ?? ?? 48 B8 ?? ?? ?? ?? ?? ?? ?? ?? 48 89 04 24 [0-5] E8 ?? ?? ?? ?? EB ?? }
      $str4 = "decompress" ascii  // wide nocase
      $str5 = "MIMEHeader" ascii  // wide nocase
      $str6 = "ResolveReference" ascii  // wide nocase
      $str7 = "115792089210356248762697446949407573529996955224135760342422259061068512044369115792089210356248762697446949407573530086143415290314195533631308867097853951" ascii  // wide nocase
   condition:
      uint16(0) == 0x457F and all of them
}
MAL_G_Backdoor_BRICKSTORM_2
Detects BRICKSTORM backdoor used by APT group UNC5221 (China Nexus)
Author: Google Threat Intelligence Group (GTIG) (modified by Florian Roth). License: see source repo.
rule MAL_G_Backdoor_BRICKSTORM_2 {
   meta:
      description = "Detects BRICKSTORM backdoor used by APT group UNC5221 (China Nexus)"
      author = "Google Threat Intelligence Group (GTIG) (modified by Florian Roth)"
      date = "2025-09-25"
      score = 75
      reference = "https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign"
   strings:
      // $obf_func = /[a-z]{20}\/[a-z]{20}\/[a-z]{20}\/[a-z]{20}.go/
      $decr1 = { 0F B6 4C 04 ?? 0F B6 54 04 ?? 31 D1 88 4C 04 ?? 48 FF C0 [0-4] 48 83 F8 ?? 7C }
      $decr2 = { 40 88 7C 34 34 48 FF C3 48 FF C6 48 39 D6 7D 18 0F B6 3B 48 39 CE 73 63 44 0F B6 04 30 44 31 C7 48 83 FE 04 72 DA }
      $decr3 = { 0F B6 54 0C ?? 0F B6 5C 0C ?? 31 DA 88 14 08 48 FF C1 48 83 F9 ?? 7C E8 }

      $str1 = "main.selfWatcher"
      $str2 = "main.copyFile"
      $str3 = "main.startNew"

      $str4 = "WRITE_LOG=true"
      $str5 = "WRITE_LOGWednesday"
      $str6 = "vami-httpdvideo/webm"
      $str7 = "/opt/vmware/sbin/"
      $str8 = "/home/vsphere-ui/"
      $str9 = "/opt/vmware/sbin/vami-http"
      $str10 = "main.getVFromEnv"
   condition:
      uint32(0) == 0x464c457f
      and filesize < 10MB
      and (
         1 of ($decr*)
         and 1 of ($str*)
         or 5 of ($str*)
      )
}
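The condition of MAL_G_Backdoor_BRICKSTORM_2 is easy to misread: YARA's `and` binds tighter than `or`, so it means `(1 of ($decr*) and 1 of ($str*)) or 5 of ($str*)`. The following is an added worked example, not code from GTIG, Florian Roth or threatengine.sh: a pure-Python re-implementation of that rule's matching logic (ELF gate, filesize gate, the three hex strings with `??` wildcards and the `[0-4]` jump, and the ten plain strings) evaluated over constructed byte buffers. The `hex_to_regex` translator also handles nibble wildcards such as `4?`, which the other `_2` rule on this page uses. The sample buffers and their names are constructed for illustration; nothing here replaces `yara` for real hunts.

```python
"""Re-implementation of MAL_G_Backdoor_BRICKSTORM_2's condition (added example,
not the rule authors' code). Shows how YARA evaluates the strings and why the
condition reads as (1 of decr AND 1 of str) OR 5 of str."""
import re

# Hex and plain strings copied from the rule as shown on this page.
DECR_PATTERNS = {
    "$decr1": "0F B6 4C 04 ?? 0F B6 54 04 ?? 31 D1 88 4C 04 ?? 48 FF C0 [0-4] 48 83 F8 ?? 7C",
    "$decr2": "40 88 7C 34 34 48 FF C3 48 FF C6 48 39 D6 7D 18 0F B6 3B 48 39 CE 73 63 "
              "44 0F B6 04 30 44 31 C7 48 83 FE 04 72 DA",
    "$decr3": "0F B6 54 0C ?? 0F B6 5C 0C ?? 31 DA 88 14 08 48 FF C1 48 83 F9 ?? 7C E8",
}
STR_PATTERNS = {
    "$str1": b"main.selfWatcher", "$str2": b"main.copyFile", "$str3": b"main.startNew",
    "$str4": b"WRITE_LOG=true", "$str5": b"WRITE_LOGWednesday", "$str6": b"vami-httpdvideo/webm",
    "$str7": b"/opt/vmware/sbin/", "$str8": b"/home/vsphere-ui/",
    "$str9": b"/opt/vmware/sbin/vami-http", "$str10": b"main.getVFromEnv",
}
ELF_MAGIC = b"\x7fELF"           # uint32(0) == 0x464c457f read little-endian
MAX_FILESIZE = 10 * 1024 * 1024  # filesize < 10MB


def hex_to_regex(pattern: str) -> re.Pattern:
    """Translate a YARA hex string (?? byte wildcards, nibble wildcards such as
    4? or ?4, and [a-b] jumps) into an equivalent regex over bytes."""
    parts = []
    for tok in pattern.split():
        jump = re.fullmatch(r"\[(\d+)-(\d+)\]", tok)
        if jump:
            parts.append(b".{%s,%s}" % (jump.group(1).encode(), jump.group(2).encode()))
        elif tok == "??":
            parts.append(b".")
        elif "?" in tok:
            # Nibble wildcard: enumerate the 16 byte values the token can stand for.
            hi, lo = tok
            cands = [int((hi if hi != "?" else "%x" % i) + (lo if lo != "?" else "%x" % i), 16)
                     for i in range(16)]
            parts.append(b"[" + b"".join(re.escape(bytes([c])) for c in cands) + b"]")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


DECR_REGEX = {name: hex_to_regex(p) for name, p in DECR_PATTERNS.items()}


def evaluate(data: bytes) -> dict:
    """Evaluate the rule's condition the way YARA would and return the
    individual hits next to the verdict so the precedence is visible."""
    decr_hits = sorted(n for n, rx in DECR_REGEX.items() if rx.search(data))
    str_hits = sorted(n for n, s in STR_PATTERNS.items() if s in data)
    gate = data[:4] == ELF_MAGIC and len(data) < MAX_FILESIZE
    # 'and' binds tighter than 'or':  (1 of ($decr*) and 1 of ($str*)) or 5 of ($str*)
    matched = gate and ((len(decr_hits) >= 1 and len(str_hits) >= 1) or len(str_hits) >= 5)
    return {"gate": gate, "decr": decr_hits, "str": str_hits, "matched": matched}


def _build(magic: bytes, code: bytes, strings: list) -> bytes:
    """Constructed test buffer: magic, padding, a code fragment, then NUL-separated strings."""
    return magic + b"\x00" * 60 + code + b"\x00" * 8 + b"\x00".join(strings)


# Concrete bytes satisfying $decr3, with its three ?? wildcards filled with 10/20/18.
DECR3_BYTES = bytes.fromhex("0FB6540C100FB65C0C2031DA88140848FFC14883F9187CE8")
FOUR = [b"main.selfWatcher", b"main.copyFile", b"WRITE_LOG=true", b"/home/vsphere-ui/"]

SAMPLES = {  # constructed inputs, not real BRICKSTORM samples
    "decr_plus_one_string": _build(ELF_MAGIC, DECR3_BYTES, [b"main.selfWatcher"]),
    "four_strings_only": _build(ELF_MAGIC, b"\x90" * 16, FOUR),
    "five_strings_no_decr": _build(ELF_MAGIC, b"\x90" * 16, FOUR + [b"main.getVFromEnv"]),
    "not_elf": _build(b"MZ\x90\x00", DECR3_BYTES, FOUR + [b"main.getVFromEnv"]),
}

if __name__ == "__main__":
    for name, buf in SAMPLES.items():
        print(name, evaluate(buf))
```

The `four_strings_only` buffer is the instructive case: four plain strings and no decryption-loop bytes is not enough, while one decryption loop plus a single string is. Note that `$str9` contains `$str7`, so a binary carrying `/opt/vmware/sbin/vami-http` counts as two string hits.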
MAL_G_APT_Backdoor_BRICKSTORM_1
Detects BRICKSTORM backdoor used by APT group UNC5221 (China Nexus)
Author: Google Threat Intelligence Group (GTIG) (modified by Florian Roth). License: see source repo.
rule MAL_G_APT_Backdoor_BRICKSTORM_1 {
   meta:
      description = "Detects BRICKSTORM backdoor used by APT group UNC5221 (China Nexus)"
      author = "Google Threat Intelligence Group (GTIG) (modified by Florian Roth)"
      date = "2025-09-25"
      score = 75
      reference = "https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign"
      md5 = "4645f2f6800bc654d5fa812237896b00"
   strings:
      $ = "WRITE_LOGWednesday"
      $ = "/home/vsphere-ui/"
      $ = "WRITE_LOG=true"
      $ = "dns rcode: %v"
      $ = "/libs/doh.createDnsMessage"
      $ = "/libs/func1.(*Client).BackgroundRun"
      $ = "/libs/func1.CreateClient"
      $ = "/core/extends/command.CommandNoContext"
      $ = "/core/extends/command.ExecuteCmd"
      $ = "/core/extends/command.RunShell"
      $ = "/libs/fs.(*RemoteDriver).DeleteFile"
      $ = "/libs/fs.(*RemoteDriver).GetFile"
      $ = "/libs/fs.(*RemoteDriver).PutFile"
      $ = "/libs/doh/doh.go"
   condition:
      uint32(0) == 0x464c457f and 5 of them
}
MAL_G_APT_Backdoor_BRICKSTORM_2
Detects BRICKSTORM backdoor used by APT group UNC5221 (China Nexus)
Author: Google Threat Intelligence Group (GTIG) (modified by Florian Roth). License: see source repo.
rule MAL_G_APT_Backdoor_BRICKSTORM_2 {
   meta:
      description = "Detects BRICKSTORM backdoor used by APT group UNC5221 (China Nexus)"
      author = "Google Threat Intelligence Group (GTIG) (modified by Florian Roth)"
      date = "2025-09-25"
      score = 75
      reference = "https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign"
   strings:
      $str1 = { 0F 57 C0 0F 11 84 ?? ?? ?? ?? ?? C6 44 ?? ?? 00 4? C7 84 ?? ?? ?? ?? ?? 00 00 00 00 0F 57 C0 0F 11 84 ?? ?? ?? ?? ?? 0F 11 84 ?? ?? ?? ?? ?? 4? 8B 84 ?? ?? ?? ?? ?? 4? 89 04 ?? 4? 8B 8C ?? ?? ?? ?? ?? 4? 89 4C ?? ?? E8 ?? ?? ?? ?? 4? 83 7C ?? ?? 00 0F 84 ?? ?? ?? ?? 4? 8D 05 ?? ?? ?? ?? 4? 89 ?? ?? E8 ?? ?? ?? ?? 4? 8B 7C ?? ?? 4? 8B 84 ?? ?? ?? ?? ?? 4? 89 47 08 83 3D ?? ?? ?? ?? 00 75 ?? 4? 8B 84 ?? ?? ?? ?? ?? 4? 89 07 4? 89 BC ?? ?? ?? ?? ?? 4? C7 84 ?? ?? ?? ?? ?? 01 00 00 00 4? C7 84 ?? ?? ?? ?? ?? 01 00 00 00 0F 57 C0 0F 11 84 ?? ?? ?? ?? ?? 4? 8B ?? ?? ?? ?? ?? ?? 4? 81 C4 ?? ?? ?? ?? C3 }
      $str2 = { 4? C7 84 ?? ?? ?? ?? ?? 00 00 00 00 4? C7 84 ?? ?? ?? ?? ?? 00 00 00 00 4? C7 84 ?? ?? ?? ?? ?? 00 00 00 00 4? C7 84 ?? ?? ?? ?? ?? 00 00 00 00 4? C7 84 ?? ?? ?? ?? ?? 00 00 00 00 4? 8B 84 ?? ?? ?? ?? ?? 4? 89 04 ?? 4? 8B 8C ?? ?? ?? ?? ?? 4? 89 4C ?? ?? E8 ?? ?? ?? ?? 4? 8B 44 ?? ?? 4? 85 C0 0F 84 ?? ?? ?? ?? 4? 8D 05 ?? ?? ?? ?? 4? 89 ?? ?? E8 ?? ?? ?? ?? 4? 8B 44 ?? ?? 4? 8B 8C ?? ?? ?? ?? ?? 4? 89 48 08 8B 0D ?? ?? ?? ?? 85 C9 75 ?? 4? 8B 8C ?? ?? ?? ?? ?? 4? 89 08 84 00 4? 89 84 ?? ?? ?? ?? ?? 4? C7 84 ?? ?? ?? ?? ?? 01 00 00 00 4? C7 84 ?? ?? ?? ?? ?? 01 00 00 00 4? C7 84 ?? ?? ?? ?? ?? 00 00 00 00 4? C7 84 ?? ?? ?? ?? ?? 00 00 00 00 90 E8 ?? ?? ?? ?? 4? 8B ?? ?4 D8 00 00 00 4? 81 C4 E0 00 00 00 C3 }
   condition:
      uint32be(0) == 0x7F454C46 and any of them
}
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin