By Dec 31, 2025, will UNC5221 be publicly linked to exploiting at least one new zero-day?
Question: By Dec 31, 2025, will UNC5221 be publicly linked to exploiting at least one new zero-day in a non-Ivanti edge platform (e.g., VMware vCenter/ESXi, Citrix NetScaler, F5, Palo Alto, Fortinet)?

Early Look: AlphaHunt Forecasting
We’re giving our subscribers a look at something new: AlphaHunt’s early-stage, next-generation forecasting technology.
Most intel tools tell you what already happened. Forecasting asks a harder, more valuable question: what’s likely to happen next, and how should we prepare? We’re experimenting with structured probability models that connect threat intelligence to incident response. Think of it as a way to quantify uncertainty before the attacker makes their next move.
Why it matters for security teams
- Move left of boom – Instead of reacting to the breach or extortion email, teams get an evidence-based probability of escalation. That helps decide whether to harden defenses now or stage response playbooks in advance.
- Translate noise into action – Forecasts take vague “chatter” or scattered reporting and turn it into calibrated odds with defined resolution criteria. That means you can brief leadership with confidence, not hand-waving.
- Stress test readiness – Pairing forecast scenarios with your incident response plan highlights blind spots. If one scenario says “55% odds on a new non-Ivanti edge 0-day by Dec 31...” the next question is: are we ready for that exact play?
This is early stage work.
You’ll see a forecast card in this issue that shows how I'm approaching the problem: clear questions, base rates, scenarios, and signals to watch.
I'm asking you for feedback. Is this useful in your daily workflow? What kinds of forecasts would help you brief your SOC, IR team, or leadership? Should we track adversary infrastructure launches, vulnerability weaponization, law-enforcement takedowns?
AlphaHunt’s mission is to make threat intelligence more actionable, measurable, and forward-looking. Forecasting is one piece of that puzzle. If it resonates, expect to see it become a regular feature in our platform.
Let me know what you think—I'm listening.
Executive Overview
Edge boxes don’t run EDR. UNC5221 loves that. Our forecast puts 55% odds on a new non-Ivanti edge 0-day by Dec 31—because BRICKSTORM has been living ~393 days on Linux/BSD appliances and pivoting to vCenter while most orgs stare at endpoints. Are you actually hunting your “appliances,” or just hoping KEV updates will save you in time?
Forecast Card
Question: By Dec 31, 2025, will UNC5221 be publicly linked to exploiting at least one new zero-day in a non-Ivanti edge platform (e.g., VMware vCenter/ESXi, Citrix NetScaler, F5, Palo Alto, Fortinet)?
Resolution Criteria: Yes if (a) Mandiant/GTI, CISA, or the affected vendor publishes a report/advisory explicitly attributing UNC5221 to exploitation of a previously unknown vulnerability in a non-Ivanti edge device in 2025-Q4 OR (b) at least two independent Tier-1 vendors reach analytic consensus with corroborated forensic artifacts. Otherwise No.
- Horizon: 2025-12-31 (America/New_York)
- Probability (Now): 55% | Log-odds: 0.20
- Confidence in Inputs: Medium
- Base Rate: 31% from UNC5221’s ~1.5 zero-days/year pace (≈0.375/quarter → P(≥1) ≈ 31%)
Top Drivers
- Demonstrated zero-day capability and patch-diff exploitation of edge devices.
- Campaigns targeting tech/SaaS/legal sectors aiding exploit discovery.
- BRICKSTORM persistence on VMware/appliances lacking EDR.
- GTI/Mandiant expectation of continued edge zero-daying.
- Short horizon and vendor scrutiny damping odds.
Scenarios (mutually exclusive, sum=100%)
- Yes (55%): New non-Ivanti edge zero-day by UNC5221 is reported.
- No-A (35%): No zero-day; activity limited to n-day exploitation/BRICKSTORM expansion.
- No-B (10%): Supply-chain or Windows BRICKSTORM observed, but no new non-Ivanti zero-day.
Signals (▲ up / ▼ down)
▲ GTI/Mandiant hints of exploit dev on VMware/F5/Fortinet/Palo Alto.
▲ CISA KEV adds ambiguous edge zero-day with China nexus before vendor patch.
▲ New BRICKSTORM/BRICKSTEAL variants tied to non-Ivanti appliances.
▼ Vendor emergency hardening (vSphere lockdown, EDR-equivalents).
▼ Law enforcement disruption of router obfuscation networks.
▼ Absence of initial-access artifacts in IR despite hunts.
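A worked version of the card's arithmetic, added here as an illustration and not part of the original forecast: it derives the 31% Poisson base rate from the ~1.5 zero-days/year pace over one quarter, converts the 55% forecast to the 0.20 log-odds shown on the card, checks that the scenarios sum to 100%, and applies the ▲/▼ signals as log-odds adjustments. The per-signal weights in SIGNAL_WEIGHTS are assumed for illustration; the card names the signals but assigns them no magnitudes.

```python
import math

# Inputs taken from the forecast card
ZERO_DAYS_PER_YEAR = 1.5   # UNC5221's observed pace (~1.5 zero-days/year)
HORIZON_YEARS = 0.25       # one quarter: 2025-Q4
CARD_PROBABILITY = 0.55    # the card's current forecast
SCENARIOS = {"Yes": 0.55, "No-A": 0.35, "No-B": 0.10}

def base_rate(rate_per_year, horizon_years):
    """P(at least one event) for a Poisson process: 1 - exp(-lambda*t).
    With 1.5/year over a quarter, lambda*t = 0.375 and P is about 0.31."""
    return 1.0 - math.exp(-rate_per_year * horizon_years)

def log_odds(p):
    """Probability -> log-odds; 0.55 gives about 0.20, as on the card."""
    return math.log(p / (1.0 - p))

def prob_from_log_odds(lo):
    """Inverse of log_odds (logistic function)."""
    return 1.0 / (1.0 + math.exp(-lo))

# Assumed evidence weights in log-odds units. The card lists these signals
# but gives them no magnitudes; these values are illustrative only.
SIGNAL_WEIGHTS = {
    "gti_mandiant_exploit_dev_hint":     +0.4,  # ▲
    "kev_edge_zero_day_china_nexus":     +0.6,  # ▲
    "brickstorm_variant_non_ivanti":     +0.3,  # ▲
    "vendor_emergency_hardening":        -0.3,  # ▼
    "le_disruption_router_obfuscation":  -0.2,  # ▼
    "no_initial_access_artifacts_in_ir": -0.4,  # ▼
}

def update(p_now, observed):
    """Shift the forecast in log-odds space by each observed signal's weight.
    An unknown signal name raises KeyError instead of being silently ignored."""
    lo = log_odds(p_now)
    for name in observed:
        lo += SIGNAL_WEIGHTS[name]
    return prob_from_log_odds(lo)

def scenarios_consistent(scenarios, tol=1e-9):
    """Mutually exclusive scenarios must sum to 100%."""
    return abs(sum(scenarios.values()) - 1.0) < tol

if __name__ == "__main__":
    print(f"base rate (Poisson, one quarter): {base_rate(ZERO_DAYS_PER_YEAR, HORIZON_YEARS):.2%}")
    print(f"log-odds of {CARD_PROBABILITY:.0%}: {log_odds(CARD_PROBABILITY):.2f}")
    print(f"after KEV signal: {update(CARD_PROBABILITY, ['kev_edge_zero_day_china_nexus']):.1%}")
    print("scenarios sum to 100%:", scenarios_consistent(SCENARIOS))
```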
Appendix
References
- https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-exploiting-critical-ivanti-vulnerability
- https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign
- https://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day
- https://cyberscoop.com/china-espionage-group-ivanti-vulnerability-exploits/
- https://therecord.media/china-linked-hackers-brickstorm-backdoor-ip
AlphaHunt
Stop doomscrolling, start decisioning. We chewed through the muck so your team doesn’t have to. → Subscribe! • Forward to your on-call lead.
(Have feedback? Did something resonate with you? Did something annoy you? Just hit reply! :))
(c) 2025 CSIRT Gadgets, LLC