1 min read

Chinese APT deploys new malware to keep access to hacked networks

A Chinese espionage group tracked as UNC5221 has been accessing Microsoft 365 environments using the Brickstorm backdoor and previously undocumented malware named Plenet and AgentPSD.

What happened

Recent reporting highlighted chinese apt deploys new malware to keep access to hacked networks. A Chinese espionage group tracked as UNC5221 has been accessing Microsoft 365 environments using the Brickstorm backdoor and previously undocumented malware named Plenet and AgentPSD. An investigation into the incident revealed that the threat actor had gained access to the victim network at least 18 months before detection, and had also compromised the victim organization’s managed services provider (MSP).

Why it matters

This matters because it has practical implications for defensive prioritisation, exposure management, or incident response rather than sitting as abstract security commentary. It also helps frame how defenders should think about attacker adaptation and recurring tradecraft rather than single incidents in isolation.

Assessment

The strongest signal here is the tradecraft pattern and what it says about attacker adaptation, not just the single campaign or disclosure. In practice, that means operators should read this as a broader signal over noise item rather than a narrow one-off.

  • Review whether the issue, advisory, or attack pattern is relevant to your environment, suppliers, or exposed systems
  • Patch, harden, or validate logging and monitoring coverage where applicable
  • Map the observed activity to existing detections and threat-hunting hypotheses instead of tracking it only as narrative reporting
  • Monitor follow-on reporting or primary-source updates for scope expansion, implementation guidance, or stronger enforcement signals

Further reading