F5 BIG-IP Source Code Leak and the BRICKSTORM Backdoor: What You Need to Know

Estimated reading time: 15 minutes

Key Takeaways:

  • F5 BIG-IP source code leak tied to state-linked BRICKSTORM backdoor campaigns.
  • Emergency Directive ED-26-01 issued by CISA, urging immediate patching and hardening of F5 devices.
  • BRICKSTORM backdoor utilizes Yamux for multiplexing streams, enabling stealth egress and internal proxy capabilities.
  • Attackers leverage publicly available repositories, with some codebase originating from Chinese repositories.
  • Organizations must take immediate action to patch, restrict services, and monitor egress traffic.

The F5 BIG-IP Breach: A Summary

A recent breach at F5, a company specializing in application delivery networking, has resulted in the leak of portions of its BIG-IP source code. This incident is significant because the leaked code is reportedly tied to state-linked campaigns using the BRICKSTORM backdoor. Understanding the details of this event, the associated risks, and how it might affect your organization is crucial.

In August 2025, F5 detected unauthorized access to its systems. Investigations revealed that the attackers had been present within the network for at least 12 months, gaining access to internal development data, including parts of the BIG-IP source code and vulnerability information. On October 15, 2025, CISA issued Emergency Directive ED-26-01, emphasizing the severity of the threat and ordering federal agencies to urgently inventory, harden, and patch affected F5 devices. The primary concern is the potential for rapid discovery and exploitation of zero-day vulnerabilities in internet-exposed management services.

Technical Analysis of the BRICKSTORM Backdoor

Resecurity was the first to release an analysis of the BRICKSTORM backdoor, linking it to the China-nexus threat cluster UNC5221. The analysis identified several key components:

  • BRICKSTORM Backdoor: A statically linked Go ELF executable built for appliances with a limited userland. It bundles a TLS client, HTTP/1.1 and HTTP/2, WebSocket handling, Yamux stream multiplexing, a SOCKS proxy, and multipart/form-data support for staging and exfiltrating files.
  • Deployment Scripts: Small scripts used to deploy and ensure the backdoor’s persistence on edge devices.
  • Servlet Filter: A web component used to harvest credentials after initial access.

How BRICKSTORM Operates

The attacker deploys an ELF file on the BIG-IP device after gaining initial code execution. This file is configured to establish an outbound TLS connection, negotiate HTTP/2, and upgrade the connection to WebSocket, creating a persistent command and control (C2) tunnel. The malware then uses operator-supplied C2 parameters to multiplex concurrent streams over a single socket via Yamux.

Within this session, the attacker enables a SOCKS-style proxy, allowing them to reach internal applications from the appliance’s management IP. Data is moved using multipart/form-data with base64/quoted-printable encoding and compression, making exfiltration appear as ordinary web traffic. The absence of hardcoded domains or credentials in the ELF file suggests the use of zero-day exploits for initial access.

[Figure: F5 BIG-IP source code diagram with BRICKSTORM malware injection]

The Significance of Yamux

Yamux is a stream-multiplexing library for Go inspired by SPDY (an experimental protocol introduced by Google in 2009 and deprecated in 2016). It carries many logical data streams over a single underlying connection, such as one TCP socket, so proxying, file transfer and keepalives all share one encrypted channel, which makes the traffic harder to separate, analyze and detect.
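To make that framing concrete for an analyst triaging a decrypted session or memory capture, here is an added example (not code from the original post or from the BRICKSTORM sample) that walks a Yamux byte stream and reassembles each logical stream. The 12-byte header layout follows the hashicorp/yamux specification; the sample bytes are constructed, not captured.

```go
package main

import (
	"encoding/binary"
	"errors"
)

// Yamux header (hashicorp/yamux spec): 12 big-endian bytes,
// Version(1) | Type(1) | Flags(2) | StreamID(4) | Length(4). Only Data
// frames (type 0) carry a body; for Window Update, Ping and Go Away the
// Length field is a value (window delta, ping id, error code).
const hdrLen = 12
const typeData = 0x0

// Demux walks a decrypted Yamux byte stream and reassembles each logical
// stream's payload, also counting every frame (control frames included).
// It stops on a bad version or a truncated body rather than skipping it,
// which is what a triage script should surface.
func Demux(b []byte) (map[uint32][]byte, int, error) {
	streams := map[uint32][]byte{}
	frames := 0
	for len(b) > 0 {
		if len(b) < hdrLen || b[0] != 0 {
			return streams, frames, errors.New("bad or truncated yamux header")
		}
		typ := b[1]
		id := binary.BigEndian.Uint32(b[4:8])
		n := binary.BigEndian.Uint32(b[8:12])
		b = b[hdrLen:]
		frames++
		if typ != typeData {
			continue // control frame: no body follows the header
		}
		if uint64(len(b)) < uint64(n) {
			return streams, frames, errors.New("truncated data body")
		}
		streams[id] = append(streams[id], b[:n]...)
		b = b[n:]
	}
	return streams, frames, nil
}

// SampleSession is constructed, not captured: two client-opened streams
// (odd IDs) interleaved on one connection, with a keepalive ping between.
var SampleSession = []byte{
	0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o', // Data SYN, stream 1
	0, 0, 0, 1, 0, 0, 0, 3, 0, 0, 0, 4, 'F', 'I', 'L', 'E', // Data SYN, stream 3
	0, 2, 0, 1, 0, 0, 0, 0, 0, 0, 0, 7, // Ping SYN, id 7, no body
	0, 0, 0, 4, 0, 0, 0, 1, 0, 0, 0, 1, '!', // Data FIN, stream 1
}
```

Calling Demux(SampleSession) yields four frames and two streams, with stream 1 reassembled as "hello!" even though its bytes were split around the other stream and the ping.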

The Origin of the Attack Tools

Analysis indicates that the attackers leveraged publicly available repositories, with portions of the codebase possibly originating from repositories maintained in China. Some projects in these repositories are designed to attack user systems.

MITRE ATT&CK Techniques Observed

The attack leverages multiple MITRE ATT&CK techniques:

  • Initial Access: Exploit public-facing applications (T1190) to gain code execution via internet-exposed BIG-IP management services.
  • Execution: Runs a malicious file (T1204.002), launching the ELF backdoor with runtime C2 parameters, and uses native APIs (T1106) for system, file, and network operations.
  • Persistence: Creates or modifies system processes (T1543.002) by modifying systemd entries.
  • Defense Evasion: Employs obfuscated files (T1027) using base64/quoted-printable encoding and compression, masquerading (T1036) C2 traffic over HTTP/2 and WebSocket.
  • Credential Access: Modifies authentication processes (T1556) using servlet filters to capture credentials.
  • Lateral Movement: Uses proxying (T1090) via SOCKS to reach internal services and protocol tunneling (T1572) with Yamux.
  • Command & Control: Uses web protocols (T1071.001) such as HTTPS, application layer protocols like WebSocket (T1071.004) for persistent C2, and encrypted channels (T1573) with TLS.
  • Collection & Exfiltration: Collects data from local systems (T1005), archives collected data (T1560) with compression, and exfiltrates over C2 channels (T1041).

Implications and Actions

This incident underscores the critical need for organizations using F5 BIG-IP products to take immediate action. The potential for attackers to turn a BIG-IP device into a stealth egress point and internal proxy with minimal logging and long dwell times poses a significant risk.

F5 has disclosed over twenty vulnerabilities spanning BIG-IP (all modules), F5OS (A/C), and BIG-IP Next (SPK/CNF), with several enabling remote exploitation of internet-exposed management services.

Immediate Steps to Take

  • Patch Immediately: If you operate any affected versions of F5 products, treat this as an emergency. Remove public exposure of management planes, restrict egress, and upgrade to the latest fixed releases.
  • Verify Patching: Confirm that devices no longer match the affected version ranges.
  • Restrict Services: Disable everything that is not required and re-enable only the services you actually need.
  • Monitor Egress Traffic: Monitor for anomalous HTTP/2/WebSocket egress from appliance subnets.
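As an added example (not from the original post or from any F5 tooling) of the egress check above and of the C2 shape described under "How BRICKSTORM Operates": it scores simplified, constructed egress records and flags appliance management IPs that complete a WebSocket upgrade to a public address or keep an outbound session open for an hour or more. The management subnet 10.0.50.0/24, the log format and the one-hour threshold are assumptions.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
	"time"
)

// Assumed (hypothetical) BIG-IP management subnet, and the dwell time above
// which an outbound web session from it deserves a look.
var mgmtNet = netip.MustParsePrefix("10.0.50.0/24")
const longSession = time.Hour

// Check scores one egress record in a constructed, simplified log format:
// "<src> <dst:port> <seconds> <http-status> <upgrade-header|->".
// It flags the BRICKSTORM shape: an appliance management IP reaching a
// non-private address and either completing a WebSocket upgrade (HTTP 101)
// or holding the socket far longer than an ordinary web request.
// Malformed lines come back as errors rather than being silently skipped.
func Check(line string) (reason string, err error) {
	var src, dst, upgrade string
	var secs, status int
	_, err = fmt.Sscanf(line, "%s %s %d %d %s", &src, &dst, &secs, &status, &upgrade)
	if err != nil {
		return "", fmt.Errorf("malformed record %q: %w", line, err)
	}
	srcIP, e1 := netip.ParseAddr(src)
	dstAP, e2 := netip.ParseAddrPort(dst)
	if e1 != nil || e2 != nil {
		return "", fmt.Errorf("bad address in %q", line)
	}
	if !mgmtNet.Contains(srcIP) || dstAP.Addr().IsPrivate() {
		return "", nil // not appliance-to-internet traffic: out of scope here
	}
	if status == 101 && strings.EqualFold(upgrade, "websocket") {
		return "websocket upgrade from appliance management IP", nil
	}
	if d := time.Duration(secs) * time.Second; d >= longSession {
		return fmt.Sprintf("%s outbound session from appliance", d), nil
	}
	return "", nil
}

// SampleLog is constructed, not captured traffic.
var SampleLog = []string{
	"10.0.50.12 198.51.100.7:443 14400 101 websocket", // C2 tunnel shape
	"10.0.50.12 10.0.20.5:443 2 200 -",                // internal destination
	"10.0.50.13 203.0.113.9:443 9000 200 -",           // long-lived egress, no upgrade seen
	"10.0.7.21 198.51.100.7:443 30 101 websocket",     // workstation, outside appliance subnet
}
```

Running Check over SampleLog flags the first and third records only; the second is internal and the fourth does not originate from the appliance subnet.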

The Connection to TOLLBOOTH IIS Backdoor and Kernel Rootkit

Another related threat involves Chinese hackers exploiting exposed ASP.NET machine keys to deploy the TOLLBOOTH IIS backdoor and HIDDENDRIVER kernel rootkit. This campaign targets misconfigured Microsoft IIS servers, using publicly exposed machine keys to forge serialized payloads and execute arbitrary commands through ViewState deserialization attacks. The TOLLBOOTH backdoor includes SEO cloaking and webshell capabilities, while the HIDDENDRIVER rootkit hides processes, files, and registry keys from system monitoring tools.

This threat highlights the importance of securing ASP.NET machine keys and monitoring IIS servers for suspicious activity. Elastic and TAMUS identified 571 infected IIS servers worldwide, spanning various industries, with the geographic distribution excluding mainland China.

The SocGholish Malware and Ransomware Delivery

The SocGholish malware, also known as FakeUpdates, is another threat that organizations should be aware of. This malware-as-a-service (MaaS) platform is used by threat actors to compromise websites and deliver ransomware. SocGholish operates by injecting malicious scripts into compromised websites, often targeting vulnerable WordPress sites. This technique is used to distribute ransomware such as RansomHub, which has been linked to recent high-impact healthcare attacks.

Trustwave researchers have found that TA569 offers access to SocGholish infection methods for a fee to other criminal groups, acting as an Initial Access Broker (IAB).

PhantomCaptcha: A Multi-Stage WebSocket RAT Targeting Ukraine

Another campaign, dubbed PhantomCaptcha, involves a multi-stage attack targeting organizations critical to Ukraine’s war relief efforts. This campaign uses emails impersonating the Ukrainian President’s Office, containing weaponized PDFs that lead victims to a fake Cloudflare captcha page. The final payload is a WebSocket RAT hosted on Russian-owned infrastructure, enabling remote command execution, data exfiltration, and potential deployment of additional malware. The infrastructure was only active for a single day, indicating sophisticated planning.

The PhantomCaptcha attack chain involves a fake Cloudflare DDoS protection gateway that attempts to establish a WebSocket connection to the attacker’s server. Victims are then presented with a simulated reCaptcha challenge, instructing them to copy a token and execute it via the Run dialog. The malicious code is executed by the user, evading traditional security controls.

The final payload is a lightweight PowerShell backdoor that connects to a remote WebSocket server, receives commands, and executes them. Infrastructure analysis reveals connections to other malicious IPs and domains. A pivot from that infrastructure also uncovered a wider campaign using adult-oriented social and entertainment lures, with possible links to developers in Russia or Belarus, and a mobile vector of fake applications that collect geolocation, contacts, media files and other data from compromised Android devices.

Actionable Advice for Technical and Non-Technical Readers

Technical Readers:

  • Implement Network Segmentation: Segment your network to limit the lateral movement of attackers.
  • Enhance Monitoring: Monitor HTTP/2 and WebSocket traffic comprehensively, especially connections to newly registered domains, and use underground forum intelligence to watch for emerging threats.
  • Review System Hardening: Ensure all systems are hardened according to security best practices, including disabling unnecessary services and restricting access to management interfaces.
  • Utilize Cyber Threat Intelligence Platforms: Leverage cyber threat intelligence platforms to stay informed about emerging threats and vulnerabilities.
  • Implement Real-time Ransomware Intelligence: Employ real-time ransomware intelligence to detect and prevent ransomware attacks.
  • Consider a Breach Detection System: Implement a breach detection system to identify and respond to unauthorized access attempts.

Non-Technical Readers (Business Leaders):

  • Prioritize Security Investments: Allocate sufficient resources to cybersecurity, including training, tools, and personnel.
  • Ensure Incident Response Readiness: Develop and regularly test incident response plans to effectively manage security incidents.
  • Promote Security Awareness: Conduct regular security awareness training for all employees, emphasizing the risks of social engineering and phishing attacks.
  • Review and Update Security Policies: Regularly review and update security policies to address emerging threats and ensure compliance with industry standards.
  • Implement Supply-Chain Risk Monitoring: Monitor your supply chain for security risks to prevent attacks that exploit vulnerabilities in third-party vendors.
  • Brand Leak Alerting: Implement brand leak alerting to quickly detect and respond to data breaches involving sensitive company information.

PurpleOps and Cyber Threat Intelligence

PurpleOps offers a range of services to help organizations protect against these types of threats. Our capabilities in cyber threat intelligence platform, real-time ransomware intelligence, dark web monitoring service, telegram threat monitoring, live ransomware API, breach detection, supply-chain risk monitoring, underground forum intelligence, and brand leak alerting can provide enhanced visibility and proactive defense against sophisticated attacks.

Next Steps

To learn more about how PurpleOps can help your organization enhance its security posture, visit our website to explore our platform and services. Consider our specialized offerings like red team operations, penetration testing, supply chain information security, ransomware protection, and dark web monitoring. For further information, please contact us.

FAQ