Proactive Defense: A Guide to Hunting the BRICKSTORM Espionage Campaign

Google Threat Intelligence Group (GTIG) is tracking BRICKSTORM malware activity, which is being used to maintain persistent access to victim organizations in the United States. This hunt is based on research released September 2025.

DISCLAIMER

Query.ai did not produce this threat report. All credit goes to Sekoia.io’s Threat Detection and Response (TDR) team, which published this blog on September 16, 2025. This Threat Hunt is derived from their research, and a portion of the context and background is copied here for reference; the original blog can be referenced HERE.

Threat Background

In a recent exposé, Google Cloud's threat intelligence teams, Mandiant and TAG, unveiled a sophisticated, global espionage campaign orchestrated by a North Korean government-backed threat actor tracked as UNC-002. Dubbed the "Brickstorm Espionage Campaign," this operation leverages a previously unknown custom backdoor to infiltrate and spy on organizations across a wide spectrum of industries, including media, technology, finance, and government. The campaign’s primary motive is intelligence gathering, making it a critical threat to national security and corporate intellectual property. As detailed in the Google Cloud article, the adversary demonstrates a high level of operational security and patience, often lurking within networks for extended periods before exfiltrating data.

At the heart of this campaign is the BRICKSTORM backdoor, a versatile malware family designed for stealth and persistence. Typically delivered through trojanized versions of legitimate software, BRICKSTORM provides the attacker with a persistent foothold in the victim's environment. Its capabilities are extensive, allowing for remote command execution, file transfers, and dynamic configuration updates. The malware's authors have gone to great lengths to evade detection, employing techniques like masquerading as legitimate system processes and using dynamic DNS services for their command and control (C2) infrastructure, making traditional, signature-based defenses less effective.

Given the sophisticated and evasive nature of this threat, a passive security posture is insufficient. We cannot simply wait for an alert to fire. Instead, we must proactively hunt for evidence of BRICKSTORM within our networks. Threat hunting is a practice grounded in the assumption that we have already been breached; the goal is to find the adversary before they can complete their objectives. This requires moving beyond simple IOCs and adopting a methodology based on the adversary's known tactics, techniques, and procedures (TTPs).

This guide provides a structured, hypothesis-driven approach to hunting for the Brickstorm Espionage Campaign. We will walk through the key stages of the attack lifecycle—from initial execution and persistence to C2 communications—and provide practical, ready-to-use Federated Search Query Language (FSQL) queries. These queries are designed to be run within the Query.ai platform, enabling your security team to federate searches across all relevant data sources like EDR, DNS logs, and firewall traffic from a single interface. By following these steps, you can transform the threat intelligence from Google's report into actionable defense, empowering your team to proactively uncover and mitigate this potent espionage threat before it causes significant damage.

Query Threat Hunting with FSQL

Query uses FSQL (Federated Search Query Language) to hunt for complex threats in an enterprise environment. FSQL's advantage is that it works with the Query Federated Security Data Mesh, so all activity is normalized to a common schema and can access multiple technologies with a single query. This makes hunting for advanced threats like this quicker than traditional hunting methodologies.

All Query Threat Hunting examples follow the Legacy Sqrrl Threat Hunting Maturity Model (THMM) and process. To that end, the following hunt fits this category:

Statement: "We hypothesize that the threat actor UNC-002 has targeted our organization as part of their 'Brickstorm Espionage Campaign.' If so, they have likely deployed their custom backdoor, which would exist on an endpoint with a known-malicious file hash or a specific filename (pg_update, spclisten) identified in recent threat intelligence."

Adversary: UNC-002

Tactic (MITRE ATT&CK): TA0002 - Execution

Technique (MITRE ATT&CK): T1036 - Masquerading

Test (The Hunt): Execute FSQL Use Cases 1 and 2 to search all endpoints for the file hashes and filenames associated with the campaign. A positive result would validate the hypothesis and indicate a potential compromise.
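The sweep that Use Cases 1 and 2 describe (every endpoint checked for the campaign's filenames and file hashes) is shown below as an added example written for this guide; it is not FSQL, not code from Query.ai, and not from Sekoia.io's report. It assumes a normalized endpoint event record with hostname, path and sha256 fields (an assumption standing in for the Query Federated Security Data Mesh schema), and because the hash values themselves are not reproduced on this page, the hash watchlist holds clearly labelled placeholders to be replaced with the report's values. The filename check goes slightly beyond the text: it matches on the basename of both Unix and Windows paths, case-insensitively, and also on the stem before an extension, so a renamed copy such as pg_update.exe is still surfaced for review.

```python
"""Added example, not the post's own code: a stand-alone endpoint sweep for
the BRICKSTORM hunt hypothesis (filename or hash match), written in Python."""
from dataclasses import dataclass
import ntpath  # ntpath.basename splits on both "\\" and "/", so it serves both OS path styles

# Filenames named in the hunt hypothesis on this page.
SUSPECT_FILENAMES = {"pg_update", "spclisten"}

# PLACEHOLDER watchlist: the page refers to "known-malicious file hashes" but does
# not list them here. Replace these constructed values with the SHA-256 hashes from
# the threat report before running against real data.
SUSPECT_SHA256 = {
    "0" * 64,  # PLACEHOLDER_HASH_1 (constructed, not a real indicator)
    "1" * 64,  # PLACEHOLDER_HASH_2 (constructed, not a real indicator)
}


@dataclass
class Hit:
    """One endpoint event that satisfied the hypothesis, with the reason(s) why."""
    hostname: str
    path: str
    sha256: str
    reasons: list


def _basename(path: str) -> str:
    """Final path component for either Unix ("/") or Windows ("\\") paths."""
    return ntpath.basename(path)


def hunt(events):
    """Return a Hit for every event whose filename or SHA-256 matches the hypothesis.

    Each event is a dict in the assumed normalized schema:
    {"hostname": str, "path": str, "sha256": str}.
    """
    hits = []
    for ev in events:
        reasons = []
        path = ev.get("path") or ""
        name = _basename(path).lower()
        stem = name.rsplit(".", 1)[0]  # "pg_update.exe" -> "pg_update"
        if name in SUSPECT_FILENAMES or stem in SUSPECT_FILENAMES:
            reasons.append(f"filename match: {name}")
        digest = (ev.get("sha256") or "").lower()
        if digest in SUSPECT_SHA256:
            reasons.append("sha256 on watchlist")
        if reasons:
            hits.append(Hit(ev.get("hostname", "?"), path, digest, reasons))
    return hits


def hosts_with_hits(hits):
    """Collapse hits to a per-host count, the first thing a hunter triages."""
    counts = {}
    for h in hits:
        counts[h.hostname] = counts.get(h.hostname, 0) + 1
    return counts


# Constructed sample events (not real telemetry) covering each match path:
# filename only, hash only, both, a renamed Windows copy, and a benign binary.
SAMPLE_EVENTS = [
    {"hostname": "db-01", "path": "/usr/local/bin/pg_update", "sha256": "ab" * 32},
    {"hostname": "ws-17", "path": "C:\\Windows\\Temp\\svc.exe", "sha256": "0" * 64},
    {"hostname": "ws-03", "path": "/usr/bin/python3", "sha256": "cd" * 32},
    {"hostname": "db-02", "path": "/opt/app/SPCLISTEN", "sha256": "1" * 64},
    {"hostname": "ws-09", "path": "C:\\ProgramData\\pg_update.exe", "sha256": "ef" * 32},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"{hit.hostname}: {hit.path} -> {'; '.join(hit.reasons)}")
    print(hosts_with_hits(hunt(SAMPLE_EVENTS)))
```

A hit on either condition only validates the hypothesis enough to open an investigation; a stem match on a common name is weaker evidence than a watchlist hash, so the reasons list is kept on each Hit to let the analyst prioritise accordingly.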