Chinese APT Group Uses New Malware for Persistent Network Access

Key Point: UNC5221 deploys multi-layered persistence mechanisms via Microsoft 365 to maintain network access and hinder detection.

The Chinese espionage group UNC5221 infiltrates Microsoft 365 environments with the Brickstorm backdoor and previously undocumented malware variants named Plenet and AgentPSD to secure long-term access to compromised networks.

The Chinese APT group UNC5221 has conducted a campaign in which it deployed various backdoors and malware to gain and maintain unauthorized access to Microsoft 365 environments. In addition to the already known Brickstorm backdoor, the previously undocumented malware variants Plenet and AgentPSD were used.

For CISOs, this activity is relevant because it demonstrates how attackers abuse cloud infrastructure and collaboration platforms as persistence vectors. Microsoft 365 presents a large attack surface wherever authentication is weak, mail forwarding rules are misconfigured, or API access is insufficiently monitored. The use of multiple specialized malware variants indicates a targeted approach against critical infrastructure or high-value targets.

Organizations should actively monitor their Microsoft 365 audit logs, review suspicious mail forwarding and API tokens, enforce multi-factor authentication for all accounts, and quickly investigate suspicious login attempts and unusual admin activities. Analysis of these new malware variants contributes to better detection and defense capabilities.
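One of the checks recommended above, reviewing suspicious mail forwarding in the Microsoft 365 audit logs, can be scripted. The following is an added example written for this page, not code from the original article or from any vendor: it scans Exchange admin-audit records exported from the unified audit log as JSON lines, picks out the cmdlets and parameters that establish forwarding, and flags destinations outside the tenant's own domains. The record layout (`Workload`, `Operation`, `UserId`, `Parameters` as a list of `Name`/`Value` pairs) follows the Exchange admin audit format; the sample records, the tenant domain `example.com`, and the destination `collector@mail.example.net` are constructed for the example.

```python
import json
from dataclasses import dataclass
from typing import Iterable

# Domains that belong to the (hypothetical) tenant; any other destination is external.
INTERNAL_DOMAINS = {"example.com"}

# Exchange cmdlets that can establish forwarding, and the parameters that carry the
# destination. Parameter names follow the Exchange admin audit record layout.
FORWARDING_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox", "Set-TransportRule"}
FORWARDING_PARAMS = {
    "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
    "ForwardingSmtpAddress", "ForwardingAddress",
    "RedirectMessageTo", "BlindCopyTo",
}

# Constructed sample of unified-audit-log export (one JSON record per line).
SAMPLE_LOG = """
{"CreationTime":"2026-06-01T08:12:03","Workload":"Exchange","Operation":"New-InboxRule","UserId":"alice@example.com","Parameters":[{"Name":"Name","Value":"Archive"},{"Name":"ForwardTo","Value":"smtp:alice@example.com"}]}
{"CreationTime":"2026-06-01T08:40:55","Workload":"Exchange","Operation":"Set-Mailbox","UserId":"admin@example.com","Parameters":[{"Name":"Identity","Value":"bob"},{"Name":"ForwardingSmtpAddress","Value":"smtp:collector@mail.example.net"},{"Name":"DeliverToMailboxAndForward","Value":"True"}]}
{"CreationTime":"2026-06-01T09:02:10","Workload":"Exchange","Operation":"New-InboxRule","UserId":"carol@example.com","Parameters":[{"Name":"Name","Value":"Invoices"},{"Name":"MoveToFolder","Value":"Invoices"}]}
{"CreationTime":"2026-06-01T09:05:00","Workload":"SharePoint","Operation":"FileAccessed","UserId":"dave@example.com"}
"""


@dataclass
class Finding:
    time: str
    actor: str
    operation: str
    parameter: str
    destination: str
    external: bool


def _extract_addresses(value: str) -> list[str]:
    """Split a parameter value such as 'smtp:a@x.com;smtp:b@y.org' into bare addresses."""
    addresses = []
    for part in value.split(";"):
        part = part.strip().lower()
        if part.startswith("smtp:"):
            part = part[len("smtp:"):]
        if "@" in part:
            addresses.append(part)
    return addresses


def is_external(address: str) -> bool:
    """True when the address's domain is not one of the tenant's own domains."""
    domain = address.rsplit("@", 1)[-1]
    return domain not in INTERNAL_DOMAINS


def scan_audit_records(lines: Iterable[str]) -> list[Finding]:
    """Return one Finding per forwarding destination set by an Exchange cmdlet."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("Workload") != "Exchange" or rec.get("Operation") not in FORWARDING_OPERATIONS:
            continue
        for param in rec.get("Parameters", []):
            name = param.get("Name", "")
            if name not in FORWARDING_PARAMS:
                continue
            for addr in _extract_addresses(str(param.get("Value", ""))):
                findings.append(Finding(
                    time=rec.get("CreationTime", ""),
                    actor=rec.get("UserId", ""),
                    operation=rec["Operation"],
                    parameter=name,
                    destination=addr,
                    external=is_external(addr),
                ))
    return findings


def external_forwarding(lines: Iterable[str]) -> list[Finding]:
    """Only the findings whose destination leaves the tenant; these warrant investigation."""
    return [f for f in scan_audit_records(lines) if f.external]


if __name__ == "__main__":
    for f in external_forwarding(SAMPLE_LOG.splitlines()):
        print(f"{f.time} {f.actor} {f.operation} {f.parameter} -> {f.destination}")
```

Internal forwarding is reported but not flagged, so the external list stays short enough to triage by hand; in practice the same scan would be run over a daily export and the actor, time and destination of each external hit correlated with sign-in logs for that account.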


Source: www.bleepingcomputer.com · Published June 5, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrasing and classification by Lumi News Pipeline v1.6.5.