A Chinese advanced persistent threat group tracked as UNC5221 has been using a mix of known and newly discovered malware to retain access to compromised networks, with a particular focus on Microsoft 365 environments. The group's toolset includes the Brickstorm backdoor together with two previously undocumented families, Plenet and AgentPSD. Because this is state-aligned activity rather than financially motivated cybercrime, the attacker's goals differ: the aim is long-term persistence in the compromised network and, potentially, exfiltration of sensitive information, rather than a quick payout [1]. For security practitioners, this means revisiting threat models and defensive strategies that were built around criminal intrusions so that they also account for the characteristics of state-sponsored operations.