UNC5221
China-nexus cyber-espionage actor tracked by Mandiant, with edge-device activity dating to at least 2023. Known for exploiting zero-day vulnerabilities in Ivanti edge appliances and for long-term persistence on VMware infrastructure. Deploys the BRICKSTORM and SPAWN malware families to hold access over extended periods; Mandiant reports an average of 393 days undetected in victim environments. Mandiant treats UNC5221 as distinct from Silk Typhoon, although some vendor reporting overlaps the two.
Attribution signal
Score = mentions × confidence weight, summed across all attributed sources. Higher source diversity increases the score. Thresholds: ≥ 10 High; ≥ 3 Moderate; < 3 Low.
Attribution signals: 5 mentions · 3 sources
"These groups, such as UNC5221 and UNC3886, continued to focus heavily on security appliances and edge devices to maintain persistent access to strategic targets."
"A Chinese espionage group tracked as UNC5221 has been accessing Microsoft 365 environments using the Brickstorm backdoor and previously undocumented malware named Plenet and AgentPSD."
"UNC5221 is also tracked as VerdantBamboo and has been involved in attacks that exploited zero-day vulnerabilities in edge devices since at least 2023."
"we assess to be part of UNC5221's SPAWN toolset targeting Ivanti VPN appliances"
"campaigns from actors such as UNC3886 and UNC5221 highlight how the targeting of edge devices and appliances as a means of initial access has increased as a tactic by China-nexus threat actors"
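The scoring rule stated above (mentions × confidence weight, summed over sources, then banded at 10 and 3) is simple enough to reproduce so the thresholds can be sanity-checked against the "5 mentions · 3 sources" figure on this page. The following is an added example written for this edit, not code from the site that produced the page. The per-source confidence weights, the 0..1 weight scale, and the split of the five mentions across three sources are all assumptions constructed for illustration; the page does not publish them. The page also says source diversity raises the score without saying how, so that adjustment is deliberately not modelled here.

```python
"""Attribution-score calculator for the formula stated on the page (added example).

Assumptions (not from the page): confidence weights are on a 0..1 scale and the
five mentions are split 2/2/1 across three constructed sources. The page's
unspecified "source diversity" bonus is not modelled.
"""
from dataclasses import dataclass

# Band thresholds exactly as the page states them.
HIGH_THRESHOLD = 10
MODERATE_THRESHOLD = 3


@dataclass(frozen=True)
class SourceSignal:
    source: str        # reporting source (vendor report, news article, blog)
    mentions: int      # times the actor name appears in that source
    confidence: float  # per-source confidence weight (assumed 0..1 scale)


def attribution_score(signals):
    """Sum of mentions x confidence weight across all attributed sources."""
    return sum(s.mentions * s.confidence for s in signals)


def band(score):
    """Map a score onto the page's High / Moderate / Low bands."""
    if score >= HIGH_THRESHOLD:
        return "High"
    if score >= MODERATE_THRESHOLD:
        return "Moderate"
    return "Low"


def summarize(signals):
    """Return the headline numbers a profile page would display."""
    score = attribution_score(signals)
    return {
        "mentions": sum(s.mentions for s in signals),
        "sources": len({s.source for s in signals}),
        "score": score,
        "band": band(score),
    }


# Constructed sample: five mentions across three sources, weights assumed.
SAMPLE_SIGNALS = [
    SourceSignal("vendor-report", mentions=2, confidence=1.0),
    SourceSignal("news-article", mentions=2, confidence=0.6),
    SourceSignal("research-blog", mentions=1, confidence=0.8),
]

# Same five mentions from a single low-confidence source, for comparison.
SINGLE_SOURCE = [SourceSignal("news-article", mentions=5, confidence=0.6)]

if __name__ == "__main__":
    print(summarize(SAMPLE_SIGNALS))   # 5 mentions, 3 sources, score 4.0, Moderate
    print(summarize(SINGLE_SOURCE))    # 5 mentions, 1 source, score 3.0, Moderate
```

Two things fall out of running it. First, with weights capped at 1.0 a High band needs at least ten mentions, so the band is driven mostly by volume of reporting rather than by corroboration. Second, the single-source case lands on exactly 3.0 and is still Moderate, which is why the ≥ 3 boundary (inclusive) matters when reading the band on a profile page; anything that makes the diversity adjustment explicit would be needed before the score distinguishes three independent sources from one repeated one.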
Hedge terms observed