F5 BIG-IP CVE-2025-53521: BRICKSTORM Backdoor and Nation-State Exploitation
A critical security flaw in F5 BIG-IP network appliances is under active attack by a nation-state group linked to China. The vulnerability, originally classified as a lower-severity issue, was reclassified as a remote code execution flaw after investigators discovered attackers had stolen the manufacturer's source code and used that knowledge to build custom attack tools. Over 240,000 of these appliances are exposed to the internet worldwide.
Think of this attack as a locksmith stealing the master blueprint for a building's security system, then returning months later to exploit weaknesses only visible in the design documents. The attackers used stolen source code to develop a custom backdoor that operates entirely in memory, leaving no traces on the device's storage for defenders to find.
Organizations running unpatched BIG-IP appliances face persistent unauthorized access, credential theft, and network infiltration. Compromised devices become invisible relay points, allowing attackers to tunnel deeper into internal networks and harvest login credentials from connected systems. Federal agencies face a mandatory patching deadline, and private sector organizations should treat this as an immediate priority.
Hunting Controls & Observations
Organizations can detect this threat through multiple telemetry sources:
- Endpoint/Appliance Controls: BIG-IP system logs, file integrity monitoring (baseline comparison for /usr/bin/umount and /usr/sbin/httpd), process monitoring, systemd service audit
- Network Controls: Firewall logs, SSL/TLS inspection (ALPN h2 negotiation), HTTP/S traffic analysis (HTTP 201 + CSS content-type patterns), WebSocket session monitoring, proxy logs
- Identity & Access Controls: BIG-IP restjavad-audit logs for iControl REST API access, Linux auditd logs for SELinux modification attempts, authentication logs for local account activity
- Infrastructure Controls: Configuration management and drift detection, BIG-IP version inventory against patched versions (17.5.1.3, 17.1.3, 16.1.6.1, 15.1.10.8), network segmentation verification for management interfaces
Behavioral Indicators of Attack
The following behavioral indicators distinguish this campaign from legitimate network appliance activity:
- In-memory webshell execution on BIG-IP appliances without corresponding file artifacts on disk, evading traditional file-based detection
- System integrity checker modification: Changes to sys-eicheck that prevent the BIG-IP platform from detecting file tampering
- SELinux disablement via REST API calls originating from localhost, indicating post-exploitation privilege escalation
- Outbound HTTP/S traffic with HTTP 201 response codes and CSS content-type headers from BIG-IP appliances, masking command-and-control communications as normal web responses
- Anomalous HTTP/2 or WebSocket connections from appliance management interfaces using ALPN h2 TLS negotiation to external IP addresses
- Long-lived bidirectional WebSocket sessions from BIG-IP management IP ranges, indicating persistent BRICKSTORM tunneling via Yamux multiplexing
- API reconnaissance requests targeting /mgmt/shared/identified-devices/config/device-info to enumerate system information before exploitation
- Binary hash mismatches for /usr/bin/umount and /usr/sbin/httpd compared to vendor-supplied baseline versions
MITRE Enterprise ATT&CK Tactics and Techniques
This campaign maps to 13 MITRE ATT&CK techniques spanning the full attack lifecycle:
- Initial Access (T1190 – Exploit Public-Facing Application): UNC5221 exploits CVE-2025-53521 in BIG-IP APM virtual servers configured with access policies. The unauthenticated RCE targets the apmd process, which handles live traffic, enabling code execution without credentials.
- Execution (T1106 – Native API): The BRICKSTORM backdoor leverages native OS and network APIs through its Go/Rust runtime to execute commands, manage files, and establish network connections on compromised appliances.
- Persistence (T1543.002 – Create or Modify System Process: Systemd Service): BRICKSTORM creates systemd unit files for automatic startup on boot, ensuring persistence survives appliance reboots with minimal forensic artifacts.
- Persistence / Defense Evasion (T1078 – Valid Accounts): Attackers leverage legitimate local user accounts to access the iControl REST API from localhost, blending malicious activity with normal administrative operations.
- Defense Evasion (T1027 – Obfuscated Files or Information): C2 communications use multipart/form-data encoding with base64 and quoted-printable wrapping, combined with compression to evade content inspection systems.
- Defense Evasion (T1036 – Masquerading): Outbound C2 traffic disguises itself using HTTP 201 response codes with CSS content-type headers, and HTTP/2 with WebSocket protocols to mimic legitimate application traffic.
- Credential Access (T1556 – Modify Authentication Process): BRICKSTORM harvests credentials through servlet filter web components deployed on adjacent infrastructure such as vCenter, intercepting authentication tokens during legitimate login processes.
- Command and Control (T1071.001 – Application Layer Protocol: Web Protocols): Primary C2 communication uses HTTPS with HTTP/2 negotiation, establishing encrypted channels that blend with legitimate web traffic.
- Command and Control (T1572 – Protocol Tunneling): BRICKSTORM implements Yamux multiplexing for concurrent logical streams over a single socket, enabling efficient multi-channel C2 through a single connection.
- Command and Control (T1573 – Encrypted Channel): All C2 communications are TLS-encrypted with ALPN h2 negotiation, preventing inspection of command-and-control traffic.
- Command and Control (T1090 – Proxy): Compromised BIG-IP devices serve as SOCKS-style TCP proxies, transforming appliances into stealth egress points for lateral movement across internal networks.
- Collection (T1005 – Data from Local System): Collected data is staged locally using multipart encoding before exfiltration, targeting configuration files, credentials, and system information.
- Exfiltration (T1041 – Exfiltration Over C2 Channel): Data exfiltration occurs over the established TLS/WebSocket C2 channel, avoiding additional network connections that might trigger detection.
Control Observables
Endpoint and Appliance Controls
File integrity monitoring and appliance audit tools can identify the following indicators:
- Unexpected file artifacts: Presence of /run/bigtlog.pipe and /run/bigstart.ltm on BIG-IP file systems (Related: T1543.002; Detection Difficulty: MEDIUM)
- Core binary tampering: Hash, file size, or timestamp mismatches for /usr/bin/umount and /usr/sbin/httpd compared to vendor-supplied baselines (Related: T1036; Detection Difficulty: MEDIUM)
- Web shell deployment: Modified PHP files in /var/sam/www/webtop/renderer/ directory not matching known-good configuration (Related: T1505.003; Detection Difficulty: MEDIUM)
- Persistence artifacts: Unexpected systemd unit files indicating BRICKSTORM auto-start configuration (Related: T1543.002; Detection Difficulty: MEDIUM)
- Integrity checker failure: sys-eicheck failures or modifications that disable the BIG-IP platform's built-in tamper detection (Related: T1562.001; Detection Difficulty: LOW)
Network Controls
Network monitoring and traffic analysis can detect BRICKSTORM's distinctive communication patterns:
- C2 camouflage traffic: HTTP/S traffic from BIG-IP appliances containing HTTP 201 response codes with CSS content-type headers (Related: T1071.001, T1036; Detection Difficulty: HIGH)
- Anomalous protocol negotiation: ALPN h2 TLS connections originating from appliance management interfaces to external IP addresses (Related: T1573; Detection Difficulty: HIGH)
- Persistent tunneling sessions: Long-lived WebSocket connections from BIG-IP management IP ranges indicating Yamux-multiplexed C2 channels (Related: T1572; Detection Difficulty: HIGH)
- Internal proxy traffic: SOCKS-style TCP proxy activity originating from appliance management subnets toward internal resources (Related: T1090; Detection Difficulty: MEDIUM)
- Encoded exfiltration: Outbound multipart/form-data requests with base64 or quoted-printable encoding from appliance IPs (Related: T1041; Detection Difficulty: HIGH)
Identity and Access Controls
Authentication and audit log monitoring provides critical detection opportunities:
- Local REST API abuse: iControl REST API access from 127.0.0.1 or localhost by local user accounts recorded in /var/log/restjavad-audit.*.log (Related: T1078; Detection Difficulty: MEDIUM)
- Security module tampering: SELinux disablement attempts via REST API recorded in /var/log/auditd/audit.log.* (Related: T1562.001; Detection Difficulty: MEDIUM)
- Reconnaissance via API: Unexpected requests to /mgmt/shared/identified-devices/config/device-info returning system information (Related: T1082; Detection Difficulty: LOW)
- Credential interception: Servlet filter modifications on adjacent systems (e.g., vCenter) harvesting authentication tokens during login flows (Related: T1556; Detection Difficulty: HIGH)
Infrastructure Controls
Asset management and configuration monitoring provide baseline detection:
- Vulnerable version inventory: BIG-IP APM systems running affected versions (17.5.0-17.5.1, 17.1.0-17.1.2, 16.1.0-16.1.6, 15.1.0-15.1.10) without patches applied (Related: T1190; Detection Difficulty: LOW)
- Management interface exposure: BIG-IP management interfaces accessible from the public internet without ACL restrictions (Related: T1190; Detection Difficulty: LOW)
- Configuration drift: Unauthorized changes to BIG-IP configuration compared to change management baseline (Related: T1543.002; Detection Difficulty: LOW)
Insights and Recommendations
Organizations compromised through CVE-2025-53521 face long-term persistent access by a nation-state actor with demonstrated capability to remain undetected for 12 months or more. Compromised BIG-IP appliances become invisible proxy points that enable attackers to tunnel into internal networks, harvest credentials from adjacent systems like vCenter, and exfiltrate sensitive data through encrypted channels. The in-memory webshell technique means traditional file-based forensics will miss active compromise; defenders must correlate log-based and network-based indicators to identify affected systems.
Security teams should immediately verify BIG-IP APM patch status against fixed versions (17.5.1.3, 17.1.3, 16.1.6.1, 15.1.10.8) and check for indicators of prior compromise using F5's published IOC checklist before applying patches. Implement network monitoring for anomalous HTTP/2 and WebSocket traffic originating from appliance management interfaces, and audit iControl REST API logs for unexpected localhost access patterns. Organizations should restrict BIG-IP management interfaces from direct internet exposure, deploy CISA/NSA BRICKSTORM YARA and Sigma detection rules across endpoint and network monitoring platforms, and preserve forensic evidence including memory dumps, full disk images, and log archives before remediation to enable thorough incident investigation.
Source and Credits
This summary is based on F5's security advisory "K000156741: BIG-IP APM Vulnerability CVE-2025-53521" and supplementary intelligence from multiple sources:
- CISA/NSA Malware Analysis Report: BRICKSTORM Backdoor (AR25-338A)
- CISA Emergency Directive ED-26-01: Mitigate Vulnerabilities in F5 Devices
- Resecurity: F5 BIG-IP Source Code Leak Tied to State-Linked Campaigns Using BRICKSTORM Backdoor
- Help Net Security: Attackers Are Exploiting RCE Vulnerability in BIG-IP APM Systems (March 28, 2026)
- BleepingComputer: Hackers Now Exploit Critical F5 BIG-IP Flaw in Attacks (March 30, 2026)
- UK NCSC: Vulnerability Affecting F5 BIG-IP APM
- SecurityArsenal: Defending Against the F5 BIG-IP Critical RCE Vulnerability
Threat Hunting IOCs & Queries
Known Indicators of Compromise
The following indicators are associated with BRICKSTORM backdoor deployment and CVE-2025-53521 exploitation. IOCs are current as of March 30, 2026. Threat actors frequently rotate infrastructure; use behavioral queries for persistent detection.
- File Hashes (SHA-256):
- 90b760ed1d0dcb3ef0f2b6d6195c9d852bcb65eca293578982a8c4b64f51b035 (Pg_update; BRICKSTORM ELF backdoor)
- 2388ed7aee0b6b392778e8f9e98871c06499f476c9e7eae6ca0916f827fe65df (Listener; BRICKSTORM C2/socket handler)
- aa688682d44f0c6b0ed7f30b981a609100107f2d414a3a6e5808671b112d1878 (Vmprotect; BRICKSTORM variant)
- Suspicious File Paths:
- /run/bigtlog.pipe (unexpected named pipe)
- /run/bigstart.ltm (unexpected control file)
- /var/sam/www/webtop/renderer/*.php (modified webshell files)
- Log Indicators:
- /var/log/restjavad-audit.*.log (local user iControl REST API access from localhost)
- /var/log/auditd/audit.log.* (SELinux disablement attempts)
- Scanning Endpoint: /mgmt/shared/identified-devices/config/device-info (reconnaissance target)
- Malware Identifier: c05d5254 (F5-designated malicious software classification)
BIG-IP Management Interface Reconnaissance Detection
Behavior Targeted: External scanning and probing of BIG-IP REST API endpoints, specifically /mgmt/shared/identified-devices/config/device-info, used by attackers to enumerate system information before exploitation.
MITRE ATT&CK: T1190 (Exploit Public-Facing Application), T1082 (System Information Discovery)
Expected Results: Events showing HTTP requests to BIG-IP management API endpoints from unexpected source IPs, indicating reconnaissance or active exploitation attempts.
False Positive Likelihood: LOW. The /mgmt/ path is administrative and should not receive external requests. Internal monitoring tools accessing this endpoint can be baselined and excluded.
Tuning Guidance: Adjust source IP exclusions for known management stations and monitoring tools. Expand URI patterns to include other F5 management paths if broader coverage is desired.
Splunk SPL Query
index=network (sourcetype="pan:traffic" OR sourcetype="cisco:asa" OR sourcetype=firewall)
earliest=-7d
(dest_port=443 OR dest_port=8443)
(uri_path="*/mgmt/shared/identified-devices/config/device-info*"
OR uri_path="*/mgmt/tm/*"
OR uri_path="*/tmui/login.jsp*")
| eval is_external=if(cidrmatch("10.0.0.0/8", src_ip) OR cidrmatch("172.16.0.0/12", src_ip) OR cidrmatch("192.168.0.0/16", src_ip), "internal", "external")
| search is_external="external"
| stats count, values(uri_path) as targeted_paths, earliest(_time) as first_seen, latest(_time) as last_seen by src_ip, dest_ip
| where count > 3
| table first_seen, last_seen, src_ip, dest_ip, targeted_paths, count
| sort - count
// TUNING: Adjust count threshold (currently >3) based on expected legitimate traffic
// TUNING: Add known scanner IPs to exclusion list
// TUNING: Modify dest_port to match your BIG-IP management port configuration
Microsoft KQL Query (Defender/Sentinel)
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort in (443, 8443)
| where RemoteUrl has_any ("/mgmt/shared/identified-devices/config/device-info", "/mgmt/tm/", "/tmui/login.jsp", "/tmui/system/")
| where ActionType == "ConnectionSuccess"
| summarize
RequestCount = count(),
TargetedPaths = make_set(RemoteUrl),
FirstSeen = min(Timestamp),
LastSeen = max(Timestamp)
by DeviceName, RemoteIP, LocalIP
| where RequestCount > 3
| project FirstSeen, LastSeen, DeviceName, LocalIP, RemoteIP, TargetedPaths, RequestCount
| order by RequestCount desc
// TUNING: Adjust RequestCount threshold (currently >3) based on environment baseline
// TUNING: Add known management stations to exclusion with where RemoteIP !in ("x.x.x.x")
// NOTE: For Sentinel environments, substitute CommonSecurityLog if using firewall connector
Note: These queries were generated with AI assistance. Test thoroughly in your environment before production use.
Anomalous HTTP 201 with CSS Content-Type (C2 Camouflage)
Behavior Targeted: BRICKSTORM's C2 communication pattern uses HTTP 201 response codes with CSS content-type headers to disguise command-and-control traffic as legitimate web responses.
MITRE ATT&CK: T1071.001 (Application Layer Protocol: Web Protocols), T1036 (Masquerading)
Expected Results: Outbound HTTP/S traffic from BIG-IP appliances showing HTTP 201 (Created) responses combined with CSS content-type, indicating potential C2 camouflage.
False Positive Likelihood: LOW. HTTP 201 responses with a CSS content-type are an unusual combination rarely seen in legitimate traffic.
Tuning Guidance: Baseline normal BIG-IP traffic patterns first. Exclude known CDN or CSS delivery endpoints. Requires TLS inspection or proxy log visibility for HTTPS traffic.
Splunk SPL Query
(index=proxy OR index=network) (sourcetype="squid" OR sourcetype="bluecoat:proxysg:access:syslog" OR sourcetype="zscaler" OR sourcetype="pan:traffic")
earliest=-7d
http_status=201
http_content_type="*css*"
| eval is_bigip_source=if(cidrmatch("YOUR_BIGIP_SUBNET/24", src_ip), "yes", "no")
| search is_bigip_source="yes"
| stats count, earliest(_time) as first_seen, latest(_time) as last_seen, values(dest_ip) as dest_ips, values(url) as urls by src_ip, http_content_type
| where count > 5
| table first_seen, last_seen, src_ip, dest_ips, urls, http_content_type, count
| sort - count
// TUNING: Replace YOUR_BIGIP_SUBNET/24 with your actual BIG-IP management subnet
// TUNING: Adjust count threshold (currently >5) based on traffic volume
// FALSE POSITIVES: Dynamic CSS generators or CDN traffic may match; verify dest_ip reputation
Microsoft KQL Query (Defender/Sentinel)
CommonSecurityLog
| where TimeGenerated > ago(7d)
| where SourceIP in ("YOUR_BIGIP_MGMT_IP1", "YOUR_BIGIP_MGMT_IP2")
| where DestinationPort == 443
| where RequestMethod == "POST" or RequestMethod == "GET"
| where AdditionalExtensions has "201" and AdditionalExtensions has "css"
| summarize
ConnectionCount = count(),
DistinctDestinations = dcount(DestinationIP),
DestIPs = make_set(DestinationIP)
by SourceIP, DeviceVendor
| where ConnectionCount > 5
| project SourceIP, DestIPs, DistinctDestinations, ConnectionCount, DeviceVendor
| order by ConnectionCount desc
// TUNING: Replace YOUR_BIGIP_MGMT_IP values with actual BIG-IP management IPs
// TUNING: Adjust ConnectionCount threshold based on normal traffic patterns
// NOTE: Requires proxy or firewall logs forwarded to Sentinel via CommonSecurityLog
Note: These queries were generated with AI assistance. Test thoroughly in your environment before production use.
iControl REST API Localhost Access Detection
Behavior Targeted: Attackers with shell access on compromised BIG-IP systems access the iControl REST API from localhost using local user accounts for privilege escalation and SELinux disablement.
MITRE ATT&CK: T1078 (Valid Accounts), T1562.001 (Impair Defenses: Disable or Modify Tools)
Expected Results: Log entries showing REST API access from 127.0.0.1 or localhost by local user accounts, particularly requests modifying security configurations.
False Positive Likelihood: MEDIUM. Legitimate BIG-IP automation scripts access the REST API locally. Baseline normal patterns and filter known service accounts.
Tuning Guidance: Establish baseline of normal local REST API access. Add known automation service accounts to exclusion lists. Focus on API calls that modify security settings such as SELinux or authentication modules.
Splunk SPL Query
index=network (sourcetype="syslog" OR sourcetype="f5:bigip:syslog")
earliest=-14d
("restjavad-audit" OR "iControl" OR "REST")
("127.0.0.1" OR "localhost")
| rex field=_raw "user=(?<api_user>[^\s,]+)"
| rex field=_raw "(?<api_method>GET|POST|PUT|PATCH|DELETE)\s+(?<api_path>/[^\s]+)"
| where isnotnull(api_user) AND isnotnull(api_path)
| eval suspicious=if(match(api_path, "selinux|security|auth|sys-eicheck"), "HIGH", "MEDIUM")
| stats count, earliest(_time) as first_seen, latest(_time) as last_seen, values(api_method) as methods, values(api_path) as api_paths, values(suspicious) as risk_level by api_user, host
| where count > 10
| table first_seen, last_seen, host, api_user, methods, api_paths, risk_level, count
| sort - count
// TUNING: Adjust count threshold (currently >10) based on normal API activity
// TUNING: Add known automation accounts to exclusion list
// TUNING: Expand suspicious path patterns for additional sensitive endpoints
// REQUIRES: BIG-IP restjavad-audit log forwarding via syslog
Microsoft KQL Query (Defender/Sentinel)
Syslog
| where TimeGenerated > ago(14d)
| where SyslogMessage has_any ("restjavad-audit", "iControl", "REST")
| where SyslogMessage has_any ("127.0.0.1", "localhost")
| extend ApiUser = extract("user=([^\\s,]+)", 1, SyslogMessage)
| extend ApiMethod = extract("(GET|POST|PUT|PATCH|DELETE)\\s+(/[^\\s]+)", 1, SyslogMessage)
| extend ApiPath = extract("(GET|POST|PUT|PATCH|DELETE)\\s+(/[^\\s]+)", 2, SyslogMessage)
| where isnotempty(ApiUser) and isnotempty(ApiPath)
| extend RiskLevel = iff(ApiPath has_any ("selinux", "security", "auth", "sys-eicheck"), "HIGH", "MEDIUM")
| summarize
RequestCount = count(),
Methods = make_set(ApiMethod),
Paths = make_set(ApiPath),
RiskLevels = make_set(RiskLevel)
by ApiUser, HostName
| where RequestCount > 10
| project HostName, ApiUser, Methods, Paths, RiskLevels, RequestCount
| order by RequestCount desc
// TUNING: Adjust RequestCount threshold (currently >10) based on normal API usage
// TUNING: Add known automation service accounts to exclusion with where ApiUser !in ("known_svc")
// REQUIRES: BIG-IP syslog forwarding to Sentinel via Syslog connector
Note: These queries were generated with AI assistance. Test thoroughly in your environment before production use.
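As an added illustration of the localhost REST access logic in the queries above (this is not code from F5, CISA, or the original page), the following Python script applies the same regexes and risk classification to constructed restjavad-audit-style lines; the line layout is an assumption, and unlike the count-based query it also surfaces a single call to a security-relevant path.

```python
"""Hunt restjavad-audit style lines for iControl REST calls made from localhost.

Added example: the log line layout below is constructed and is only an assumption
about what restjavad-audit records; adapt USER_RE/CALL_RE to the real format.
"""
import re
from collections import defaultdict

# Same extraction patterns as the page's SPL rex / KQL extract() calls.
USER_RE = re.compile(r"user=([^\s,]+)")
CALL_RE = re.compile(r"\b(GET|POST|PUT|PATCH|DELETE)\s+(/\S+)")
# Paths that modify security posture (SELinux, auth modules, the sys-eicheck checker).
SENSITIVE_RE = re.compile(r"selinux|security|auth|sys-eicheck", re.IGNORECASE)
LOCAL_MARKERS = ("127.0.0.1", "localhost")

# Constructed sample lines: twelve routine calls by an automation account, two by
# "admin" from localhost (one touching a constructed SELinux path), one remote call.
SAMPLE_LINES = [
    f"restjavad-audit user=svc_backup from=127.0.0.1 GET /mgmt/tm/sys/version status=200 seq={i}"
    for i in range(12)
] + [
    "restjavad-audit user=admin from=localhost PATCH /mgmt/tm/sys/selinux status=200",
    "restjavad-audit user=admin from=localhost GET /mgmt/tm/ltm/virtual status=200",
    "restjavad-audit user=remote_user from=10.0.0.5 GET /mgmt/tm/sys/version status=200",
]


def parse_audit_line(line):
    """Return (user, method, path) for a local REST call, or None otherwise."""
    if not any(marker in line for marker in LOCAL_MARKERS):
        return None
    user, call = USER_RE.search(line), CALL_RE.search(line)
    if not user or not call:
        return None
    return user.group(1), call.group(1), call.group(2)


def hunt_local_rest_access(lines, threshold=10, known_automation=()):
    """Aggregate local REST calls per user, as the page's stats/summarize step does.

    A user is reported when the call count exceeds `threshold` (the query's >10) or
    when any call touched a security-relevant path, whatever the count.
    """
    per_user = defaultdict(lambda: {"count": 0, "methods": set(), "paths": set(), "risk": "MEDIUM"})
    for line in lines:
        parsed = parse_audit_line(line)
        if parsed is None:
            continue
        user, method, path = parsed
        if user in known_automation:  # tuning: exclude baselined service accounts
            continue
        entry = per_user[user]
        entry["count"] += 1
        entry["methods"].add(method)
        entry["paths"].add(path)
        if SENSITIVE_RE.search(path):
            entry["risk"] = "HIGH"
    return {
        user: entry for user, entry in per_user.items()
        if entry["count"] > threshold or entry["risk"] == "HIGH"
    }


if __name__ == "__main__":
    for user, entry in hunt_local_rest_access(SAMPLE_LINES).items():
        print(user, entry["risk"], entry["count"], sorted(entry["paths"]))
```

Passing `known_automation=("svc_backup",)` drops the baselined service account while the single SELinux call by admin is still reported.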
BRICKSTORM Long-Lived Tunnel Detection (WebSocket/HTTP2)
Behavior Targeted: BRICKSTORM establishes persistent C2 channels using HTTP/2 with WebSocket upgrade and Yamux multiplexing. This query identifies anomalous long-lived outbound connections from BIG-IP management interfaces.
MITRE ATT&CK: T1572 (Protocol Tunneling), T1573 (Encrypted Channel), T1071.001 (Application Layer Protocol)
Expected Results: Long-duration outbound connections from BIG-IP management IPs with session lengths exceeding 30 minutes to external destinations, indicating persistent C2 tunneling.
False Positive Likelihood: MEDIUM. Legitimate admin sessions and monitoring tools create persistent connections. Baseline management interface connection patterns and exclude known destinations.
Tuning Guidance: Adjust connection duration threshold based on normal management interface session lengths. Add known monitoring tool destinations and update server IPs to exclusion lists.
Splunk SPL Query
index=network (sourcetype="pan:traffic" OR sourcetype="cisco:asa" OR sourcetype=firewall)
earliest=-7d
src_ip IN ("YOUR_BIGIP_MGMT_IP1", "YOUR_BIGIP_MGMT_IP2")
action=allowed
dest_port=443
| eval duration_minutes=round(duration/60, 2)
| where duration_minutes > 30
| eval is_internal_dest=if(cidrmatch("10.0.0.0/8", dest_ip) OR cidrmatch("172.16.0.0/12", dest_ip) OR cidrmatch("192.168.0.0/16", dest_ip), "internal", "external")
| search is_internal_dest="external"
| stats count, avg(duration_minutes) as avg_duration, max(duration_minutes) as max_duration, values(dest_ip) as dest_ips, sum(bytes_out) as total_bytes_out by src_ip
| where count > 3
| table src_ip, dest_ips, count, avg_duration, max_duration, total_bytes_out
| sort - max_duration
// TUNING: Replace YOUR_BIGIP_MGMT_IP values with actual management IPs
// TUNING: Adjust duration_minutes threshold (currently >30 min) based on normal session lengths
// TUNING: Adjust count threshold (currently >3) for sensitivity
// FALSE POSITIVES: Software updates, backup transfers, legitimate admin sessions
Microsoft KQL Query (Defender/Sentinel)
CommonSecurityLog
| where TimeGenerated > ago(7d)
| where SourceIP in ("YOUR_BIGIP_MGMT_IP1", "YOUR_BIGIP_MGMT_IP2")
| where DestinationPort == 443
| where DeviceAction == "allow"
| extend ConnectionDurationMin = toint(FlexNumber1) / 60
| where ConnectionDurationMin > 30
| where not(ipv4_is_private(DestinationIP))
| summarize
SessionCount = count(),
AvgDuration = avg(ConnectionDurationMin),
MaxDuration = max(ConnectionDurationMin),
DestIPs = make_set(DestinationIP),
TotalSentBytes = sum(SentBytes)
by SourceIP
| where SessionCount > 3
| project SourceIP, DestIPs, SessionCount, AvgDuration, MaxDuration, TotalSentBytes
| order by MaxDuration desc
// TUNING: Replace YOUR_BIGIP_MGMT_IP values with actual management interface IPs
// TUNING: Adjust ConnectionDurationMin threshold (currently >30) based on normal patterns
// TUNING: FlexNumber1 field varies by firewall vendor; check your CIM mapping for duration
// FALSE POSITIVES: Long-running admin sessions, backup jobs, monitoring tools
Note: These queries were generated with AI assistance. Test thoroughly in your environment before production use.
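The long-lived tunnel logic above, carried out in Python over constructed firewall session records as an added example (not code from the original page or from any vendor); the record fields, the 10.10.0.x management IPs and the 203.0.113.x destinations are placeholders, and the internal ranges are the same three RFC 1918 networks the SPL query tests with cidrmatch().

```python
"""Flag long-lived outbound HTTPS sessions from BIG-IP management IPs to external hosts.

Added example with constructed flow records; the record fields (src, dst, dst_port,
action, duration_s, bytes_out) are an assumption standing in for your firewall's
session logs, and 10.10.0.5 / 10.10.0.6 are placeholder management IPs.
"""
import ipaddress
from collections import defaultdict

# Internal ranges exactly as the page's SPL cidrmatch() list. Python's is_private
# would also treat RFC 5737 documentation addresses as private, so the explicit
# list is used instead of ipv4_is_private-style checks.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MGMT_IPS = {"10.10.0.5", "10.10.0.6"}  # placeholders for your BIG-IP management IPs


def flow(src, dst, action, duration_s, bytes_out, dst_port=443):
    """Build one constructed session record."""
    return {"src": src, "dst": dst, "dst_port": dst_port, "action": action,
            "duration_s": duration_s, "bytes_out": bytes_out}


SAMPLE_FLOWS = [
    # four long sessions from one management IP to the same external host
    flow("10.10.0.5", "203.0.113.7", "allowed", 2700, 120000),
    flow("10.10.0.5", "203.0.113.7", "allowed", 5400, 340000),
    flow("10.10.0.5", "203.0.113.7", "allowed", 3600, 200000),
    flow("10.10.0.5", "203.0.113.7", "allowed", 2100, 90000),
    # cases the query drops: internal backup target, short session, blocked session,
    # a single long session (count not > 3), and a non-management source
    flow("10.10.0.5", "10.20.0.9", "allowed", 7200, 5000000),
    flow("10.10.0.5", "203.0.113.7", "allowed", 300, 4000),
    flow("10.10.0.5", "203.0.113.7", "denied", 3600, 0),
    flow("10.10.0.6", "203.0.113.50", "allowed", 7200, 80000),
    flow("10.10.0.99", "203.0.113.7", "allowed", 6000, 80000),
]


def is_internal(ip):
    """True when the address falls in one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_long_lived_tunnels(flows, mgmt_ips, min_duration_min=30, min_sessions=3, allowed_dests=()):
    """Summarise management IPs with more than `min_sessions` allowed HTTPS sessions
    longer than `min_duration_min` to external destinations (mirrors the SPL stats step)."""
    per_src = defaultdict(lambda: {"sessions": 0, "durations": [], "dests": set(), "bytes_out": 0})
    for f in flows:
        if f["src"] not in mgmt_ips or f["dst_port"] != 443 or f["action"] != "allowed":
            continue
        if f["dst"] in allowed_dests or is_internal(f["dst"]):  # tuning: known destinations
            continue
        minutes = round(f["duration_s"] / 60, 2)
        if minutes <= min_duration_min:
            continue
        e = per_src[f["src"]]
        e["sessions"] += 1
        e["durations"].append(minutes)
        e["dests"].add(f["dst"])
        e["bytes_out"] += f["bytes_out"]
    report = {}
    for src, e in per_src.items():
        if e["sessions"] > min_sessions:
            report[src] = {
                "sessions": e["sessions"],
                "avg_duration_min": round(sum(e["durations"]) / len(e["durations"]), 2),
                "max_duration_min": max(e["durations"]),
                "dests": sorted(e["dests"]),
                "bytes_out": e["bytes_out"],
            }
    return report


if __name__ == "__main__":
    for src, summary in find_long_lived_tunnels(SAMPLE_FLOWS, MGMT_IPS).items():
        print(src, summary)
```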
