Overview
The China-nexus threat cluster UNC5221 is actively targeting organizations that deploy F5 BIG-IP after a confirmed breach of F5 in which a nation-state actor stole internal development data, including portions of BIG-IP source code and vulnerability information. On October 15, 2025, CISA issued Emergency Directive ED-26-01, warning of an imminent threat to federal networks and ordering urgent inventory, hardening, and patching of affected F5 devices. The stolen code raises the risk of rapid 0-day discovery and weaponization against internet-exposed management services.
F5 revealed that it discovered the attackers on its systems on August 9 and informed customers that the intruders had remained in the company’s network for at least 12 months, as reported by Bloomberg. The announcement follows authorization from the U.S. Department of Justice, which allowed F5 to delay public disclosure of the breach under Item 1.05(c) of Form 8-K due to ongoing law enforcement considerations.
The vendor stated that it is not aware of any undisclosed critical or remote code execution vulnerabilities that could have been exploited by the attackers, and there is no evidence that any non-public flaws were used in actual attacks.
According to an 8-K form filed with the Securities and Exchange Commission, the company first became aware of unauthorized access on Aug. 9 and initiated standard incident response measures, including enlisting external cybersecurity consultants. In September, the Department of Justice permitted F5 to withhold public disclosure of the breach, which the government allows if a breach is determined to pose “a substantial risk to national security or public safety.”
Technical Details
Resecurity is the first to release an analysis of the BRICKSTORM backdoor, providing additional details on the involvement of threat actors from China. During our investigation, our team collected multiple artifacts associated with UNC5221’s appliance-focused tradecraft. The most relevant items preserved in evidence include:
- A statically linked Go ELF backdoor consistent with the BRICKSTORM family.
- Small deployment scripts used to stage and persist the backdoor on edge devices.
- A servlet filter web component used by the same actor set to harvest credentials post-foothold.
Our analysis below is anchored in static/dynamic review of those artifacts:

The backdoor is a self-contained, dependency-free executable (Go, linux/amd64) packaged for appliances with limited userland. It embeds a full web transport (TLS client, HTTP/1.1 and HTTP/2 paths, WebSocket upgrade and session handling), Yamux for multiplexing many logical streams over one socket, a SOCKS mechanism for TCP pivoting, and a complete multipart/form-data stack for file staging and exfiltration that looks like ordinary web traffic.
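The description above (statically linked Go ELF, no dynamic loader, embedded transport libraries) suggests a simple static triage step a responder can run before full reversing. The following is an added example, not Resecurity's tooling: it parses the ELF64 header and program headers by hand, reports whether the binary is statically linked (no PT_INTERP / PT_DYNAMIC), checks for the Go build-info marker, and scans for public package-path strings for the capabilities the text lists. The marker lists and the synthetic ELF fixture are assumptions constructed for this example; no sample here is derived from the real artifact.

```python
import struct

# Strings a Go toolchain leaves in a binary (assumed marker set for this example).
GO_MARKERS = (b"Go buildinf:", b"runtime.main", b"go:buildid")

# Public package paths for the capabilities the analysis describes; these are
# library names, not indicators tied to any specific sample (constructed list).
CAPABILITY_MARKERS = {
    "yamux": b"yamux",
    "websocket": b"websocket",
    "socks": b"socks",
    "multipart": b"mime/multipart",
    "http2": b"net/http.http2",
}

PT_DYNAMIC = 2
PT_INTERP = 3
EM_X86_64 = 62


def parse_elf64_phdrs(data):
    """Return the list of p_type values from a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2:          # EI_CLASS: 2 = ELFCLASS64
        raise ValueError("only ELF64 is handled in this example")
    if data[5] != 1:          # EI_DATA: 1 = little-endian
        raise ValueError("only little-endian ELF is handled in this example")
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    types = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        types.append(struct.unpack_from("<I", data, off)[0])   # p_type is the first field
    return types


def triage(data):
    """Static triage: architecture, linkage, Go marker and embedded capability strings."""
    phdr_types = parse_elf64_phdrs(data)
    e_machine = struct.unpack_from("<H", data, 18)[0]
    return {
        "x86_64": e_machine == EM_X86_64,
        # A statically linked binary has neither an interpreter nor a dynamic segment.
        "static": PT_INTERP not in phdr_types and PT_DYNAMIC not in phdr_types,
        "go_binary": any(m in data for m in GO_MARKERS),
        "capabilities": sorted(name for name, marker in CAPABILITY_MARKERS.items()
                               if marker in data),
    }


def build_sample_elf(static=True, payload=b""):
    """Constructed test fixture: a minimal ELF64 x86-64 image, not a real binary."""
    phdrs = []
    if not static:
        phdrs.append(struct.pack("<IIQQQQQQ", PT_INTERP, 4, 0, 0, 0, 0, 0, 0))
    phdrs.append(struct.pack("<IIQQQQQQ", 1, 5, 0, 0, 0, 0, 0, 0))   # PT_LOAD
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    header = e_ident + struct.pack("<HHIQQQIHHHHHH",
                                   2, EM_X86_64, 1, 0x401000, 64, 0, 0,
                                   64, 56, len(phdrs), 64, 0, 0)
    return header + b"".join(phdrs) + payload


if __name__ == "__main__":
    # Constructed sample: static, Go marker, three of the capability strings present.
    sample = build_sample_elf(payload=b"\x00Go buildinf:\x00github.com/hashicorp/yamux"
                                      b"\x00golang.org/x/net/websocket\x00mime/multipart\x00")
    print(triage(sample))
```

The string scan is deliberately crude; a packed or stripped sample may hide the package paths, so treat a negative result as "not confirmed" rather than "clean", and confirm positives with symbol recovery in a proper disassembler.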

Yamux is a multiplexing library for Go. It relies on an underlying connection, such as TCP or a Unix domain socket, to provide reliability and ordering, and offers stream-oriented multiplexing on top of it.
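Because Yamux has a fixed 12-byte big-endian frame header (version, type, flags, stream ID, length), a responder who can see the inner byte stream (at the endpoint, or after TLS termination) can recognise and summarise a session. The parser below is an added example, not code from the original analysis or from the Yamux project; the type and flag tables follow the public Yamux specification, and the sample session bytes are constructed for the example.

```python
import struct
from dataclasses import dataclass

HEADER_LEN = 12                                   # version(1) type(1) flags(2) stream(4) length(4)
TYPES = {0: "Data", 1: "WindowUpdate", 2: "Ping", 3: "GoAway"}
FLAGS = {1: "SYN", 2: "ACK", 4: "FIN", 8: "RST"}


@dataclass
class Frame:
    version: int
    type_name: str
    flags: list
    stream_id: int
    length: int        # Data: body size; WindowUpdate: delta; Ping: opaque value; GoAway: error code
    payload: bytes


def parse_frames(buf):
    """Split a reassembled Yamux byte stream into frames; raises ValueError if it is not Yamux."""
    frames, off = [], 0
    while off + HEADER_LEN <= len(buf):
        version, ftype, flags, sid, length = struct.unpack_from(">BBHII", buf, off)
        if version != 0 or ftype not in TYPES:
            raise ValueError(f"not a yamux frame at offset {off}")
        off += HEADER_LEN
        payload = b""
        if ftype == 0:                            # only Data frames carry a body
            payload = buf[off:off + length]
            if len(payload) < length:
                raise ValueError("truncated Data frame")
            off += length
        frames.append(Frame(version, TYPES[ftype],
                            [name for bit, name in FLAGS.items() if flags & bit],
                            sid, length, payload))
    return frames


def looks_like_yamux(buf):
    """Heuristic: parses cleanly, and stream IDs match frame types (0 only for Ping/GoAway)."""
    try:
        frames = parse_frames(buf)
    except ValueError:
        return False
    if not frames:
        return False
    return all((f.stream_id == 0) == (f.type_name in ("Ping", "GoAway")) for f in frames)


def session_summary(buf):
    """Counts a defender would log: frames, open stream IDs, keepalive pings, bytes moved."""
    frames = parse_frames(buf)
    return {
        "frames": len(frames),
        "streams": sorted({f.stream_id for f in frames if f.stream_id != 0}),
        "pings": sum(1 for f in frames if f.type_name == "Ping"),
        "data_bytes": sum(len(f.payload) for f in frames if f.type_name == "Data"),
    }


def pack_frame(ftype, flags, sid, length, payload=b""):
    """Build one frame; used here only to construct the sample session below."""
    return struct.pack(">BBHII", 0, ftype, flags, sid, length) + payload


# Constructed sample session (both directions merged), not captured traffic:
SAMPLE = (
    pack_frame(1, 1, 1, 0)                        # WindowUpdate+SYN: client opens stream 1
    + pack_frame(1, 2, 1, 0)                      # WindowUpdate+ACK: server accepts
    + pack_frame(0, 0, 1, 5, b"hello")            # Data on stream 1
    + pack_frame(2, 1, 0, 0xDEADBEEF)             # Ping+SYN, opaque value in length field
    + pack_frame(2, 2, 0, 0xDEADBEEF)             # Ping+ACK
    + pack_frame(0, 4, 1, 0)                      # Data+FIN: stream 1 half-closed
)

if __name__ == "__main__":
    print(looks_like_yamux(SAMPLE), session_summary(SAMPLE))
```

Client-initiated streams use odd IDs and server-initiated ones even, so a stream list with odd IDs arriving from the appliance side is consistent with the backdoor opening pivots outward; a regular cadence of Ping frames with no Data is the keepalive pattern of an idle session.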