{
  "name": "F5 BIG-IP Source Code Leak Tied to State-Linked Campaigns Using BRICKSTORM Backdoor",
  "slug": "f5-big-ip-source-code-leak-tied-to-state-linked-campaigns-using-brickstorm-backdoor",
  "description": "A China-linked threat cluster tracked as UNC5221 is actively targeting organizations that run F5 BIG-IP, following a confirmed breach of F5's internal development data. The stolen data includes portions of BIG-IP source code and vulnerability information, which raises the risk that attackers discover and weaponize zero-days faster than defenders can patch. CISA issued an Emergency Directive warning of an imminent threat to federal networks. The attackers deployed BRICKSTORM, a Go-based ELF backdoor that maintains a persistent WebSocket-based command-and-control (C2) tunnel (T1573) and evades detection through masquerading and obfuscation (T1036, T1027); the mapped techniques also include native API use (T1106), user execution of a malicious file (T1204.002) and exfiltration over the C2 channel (T1041). A compromised BIG-IP device can be turned into a covert egress point and an internal proxy. F5 has disclosed more than twenty vulnerabilities across several products and urges immediate patching; defenders should also hunt for the BRICKSTORM file hashes listed under observables, since source-code access may shorten the time between disclosure and exploitation of newly published flaws.",
  "published": "2025-10-24T09:09:04+00:00",
  "created_at": "2025-10-24T09:09:04+00:00",
  "modified_at": "2025-10-24T09:48:46+00:00",
  "created_at_opencti": "2025-10-24T09:09:04+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-10-24",
    "brickstorm",
    "f5 big-ip"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "aa688682d44f0c6b0ed7f30b981a609100107f2d414a3a6e5808671b112d1878"
      },
      {
        "id": "",
        "name": "90b760ed1d0dcb3ef0f2b6d6195c9d852bcb65eca293578982a8c4b64f51b035"
      },
      {
        "id": "",
        "name": "2388ed7aee0b6b392778e8f9e98871c06499f476c9e7eae6ca0916f827fe65df"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:8c28b3b1f08920d7",
        "name": "BRICKSTORM",
        "slug": "brickstorm"
      }
    ],
    "intrusion_sets": [
      {
        "id": "41cc2f91-0fc5-471e-86bf-579f7d1d09de",
        "name": "UNC5221",
        "slug": "unc5221"
      }
    ],
    "attack_patterns": [
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "a72ebeae-8e62-4039-8135-e9c611011fdc",
        "name": "T1573"
      },
      {
        "id": "60972cf6-e90b-4600-af3c-13c468391d9c",
        "name": "T1106"
      },
      {
        "id": "7d7ac733-6442-416f-8669-c302dd0843b9",
        "name": "T1036"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "fa3b8b48-d97c-4242-83a6-07d435a5a79e",
        "name": "T1041"
      }
    ],
    "vulnerabilities": [
      {
        "id": "",
        "name": "CVE-2025-61990"
      },
      {
        "id": "",
        "name": "CVE-2025-61935"
      },
      {
        "id": "",
        "name": "CVE-2025-58071"
      },
      {
        "id": "",
        "name": "CVE-2025-57780"
      },
      {
        "id": "",
        "name": "CVE-2025-61974"
      },
      {
        "id": "",
        "name": "CVE-2025-61960"
      },
      {
        "id": "",
        "name": "CVE-2025-61955"
      },
      {
        "id": "",
        "name": "CVE-2025-61951"
      },
      {
        "id": "",
        "name": "CVE-2025-61938"
      },
      {
        "id": "",
        "name": "CVE-2025-60016"
      },
      {
        "id": "",
        "name": "CVE-2025-59781"
      },
      {
        "id": "",
        "name": "CVE-2025-59478"
      },
      {
        "id": "",
        "name": "CVE-2025-58120"
      },
      {
        "id": "",
        "name": "CVE-2025-58096"
      },
      {
        "id": "",
        "name": "CVE-2025-55669"
      },
      {
        "id": "",
        "name": "CVE-2025-55036"
      },
      {
        "id": "",
        "name": "CVE-2025-54858"
      },
      {
        "id": "",
        "name": "CVE-2025-54854"
      },
      {
        "id": "",
        "name": "CVE-2025-54479"
      },
      {
        "id": "",
        "name": "CVE-2025-53868"
      },
      {
        "id": "",
        "name": "CVE-2025-53856"
      },
      {
        "id": "",
        "name": "CVE-2025-53521"
      },
      {
        "id": "",
        "name": "CVE-2025-53474"
      },
      {
        "id": "",
        "name": "CVE-2025-48008"
      },
      {
        "id": "",
        "name": "CVE-2025-46706"
      },
      {
        "id": "",
        "name": "CVE-2025-41430"
      },
      {
        "id": "",
        "name": "CVE-2025-61882"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "United States of America"
      },
      {
        "id": "",
        "name": "Technology"
      },
      {
        "id": "",
        "name": "Government"
      }
    ]
  },
  "external_refs": [
    "https://www.resecurity.com/blog/article/f5-big-ip-source-code-leak-tied-to-state-linked-campaigns-using-brickstorm-backdoor",
    "https://otx.alienvault.com/pulse/68fb5e503fa25f51c259d28e"
  ]
}