China-Linked VerdantBamboo Deploys Advanced BRICKSTORM Variant in Cyber Espionage Campaign

VerdantBamboo’s Advanced Cyber Espionage Tactics: Unveiling the BSD Variant of BRICKSTORM

The China-linked cyber espionage group tracked as VerdantBamboo has been observed deploying a BSD variant of the BRICKSTORM backdoor, alongside two other malware families, PLENET (also known as GRIMBOLT) and AGENTPSD, against Linux systems. The activity was analyzed and attributed to VerdantBamboo by cybersecurity firm Volexity, which notes significant overlaps with clusters tracked by other vendors as Clay Typhoon (Microsoft), UNC5221 (Google), and Warp Panda (CrowdStrike).

The intrusion came to light during an incident response engagement in September 2025, when Volexity discovered that VerdantBamboo had compromised an unnamed organization's Egnyte Storage Sync system. The attackers exploited a local privilege escalation vulnerability in the appliance to deploy the BRICKSTORM backdoor. That vulnerability was addressed in Storage Sync version 13.13, released in March 2026.

Researchers Damien Cash, Paul Rascagneres, Steven Adair, and Tom Lancaster detailed in their technical report that the compromised appliance was periodically accessed by VerdantBamboo from IP addresses assigned by the victim organization's web SSL VPN. The threat actors used the malware's proxying capability on the Storage Sync system, combined with compromised credentials, to reach the victim's Microsoft 365 (M365) environment. Because the M365 requests left the victim's own network, they blended in with legitimate traffic and satisfied Conditional Access policies that trust the organization's location. Notably, the initial compromise is believed to have occurred at least 18 months before it was detected.
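The proxying pattern above leaves a gap that defenders can look for: an M365 sign-in that appears to come from the organization's own egress address, yet belongs to a user who has no VPN session at that moment. The following is an added example (not code from Volexity's report or from any of the tools it names) that correlates M365 sign-in records with SSL VPN session records. It assumes, for the sake of the example, a remote-first organization where every legitimate sign-in seen from the trusted egress range is made by a user currently connected to the VPN; the egress range, user names, and log entries are all constructed.

```python
"""Added example: flag M365 sign-ins from the corporate egress range that have no
matching VPN session for the same user.

Assumption (constructed for this example, not from the report): legitimate
interactive M365 sign-ins that arrive from the trusted egress range are made by
users who are connected to the SSL VPN at that moment. A sign-in from the egress
range for a user with no overlapping VPN session is therefore a candidate for
traffic proxied through an internal appliance such as the one described above.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Hypothetical trusted named location used by a Conditional Access policy.
CORP_EGRESS = ip_network("203.0.113.0/29")


@dataclass
class VpnSession:
    user: str
    start: datetime
    end: datetime


@dataclass
class SignIn:
    user: str
    src_ip: str
    when: datetime
    app: str


def parse_time(value: str) -> datetime:
    """Parse the ISO-like timestamps used in the constructed logs below."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def sign_ins_without_vpn_session(signins, sessions, egress=CORP_EGRESS):
    """Return sign-ins whose source IP is inside `egress` but for which no VPN
    session of the same user covers the sign-in time.

    Sign-ins from outside the egress range are ignored here: Conditional Access
    already evaluates those as untrusted locations.
    """
    sessions_by_user = {}
    for session in sessions:
        sessions_by_user.setdefault(session.user, []).append(session)

    flagged = []
    for signin in signins:
        if ip_address(signin.src_ip) not in egress:
            continue
        covered = any(
            s.start <= signin.when <= s.end
            for s in sessions_by_user.get(signin.user, [])
        )
        if not covered:
            flagged.append(signin)
    return flagged


# Constructed sample records. "bob" signs in from the egress address at 13:30,
# after his VPN session ended at 12:00, so that sign-in should be flagged.
VPN_SESSIONS = [
    VpnSession("alice", parse_time("2025-09-10T08:00:00"), parse_time("2025-09-10T17:00:00")),
    VpnSession("bob", parse_time("2025-09-10T09:15:00"), parse_time("2025-09-10T12:00:00")),
]
SIGN_INS = [
    SignIn("alice", "203.0.113.2", parse_time("2025-09-10T08:05:00"), "Outlook"),
    SignIn("bob", "203.0.113.2", parse_time("2025-09-10T13:30:00"), "Exchange Online PowerShell"),
    SignIn("carol", "198.51.100.7", parse_time("2025-09-10T10:00:00"), "Teams"),
]

if __name__ == "__main__":
    for hit in sign_ins_without_vpn_session(SIGN_INS, VPN_SESSIONS):
        print(f"{hit.when.isoformat()} {hit.user} {hit.src_ip} {hit.app}: "
              "egress sign-in with no VPN session")
```

The check only works if the VPN and M365 logs share a user identity and a reasonably synchronized clock; in practice the VPN export would also need to account for on-site users, which this constructed example deliberately leaves out.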

After initial remediation efforts, VerdantBamboo re-compromised the same organization. The attackers used stolen administrative credentials to access the firewall and configured web SSL VPN access to the device. That access gave them connections to other systems and allowed them to deploy additional malware onto a Synology Network Attached Storage (NAS) appliance.

Further investigations revealed that VerdantBamboo had also compromised the victim organization’s Managed Services Provider (MSP). Specifically, they infected the MSP’s pfSense firewall with a BSD variant of BRICKSTORM around the same period the victim’s Storage Sync system was breached. This suggests that the initial compromise of the victim organization was a direct consequence of the MSP’s breach.

The two malware families deployed to the NAS appliance over SSH are:

– PLENET (aka GRIMBOLT): A cross-platform backdoor written in .NET Core and compiled with native ahead-of-time (AOT) compilation, described as a new version of BRICKSTORM. It supports interactive shell access, remote command execution, file manipulation, and switching between command-and-control (C2) servers.

– AGENTPSD: A Python-based reverse shell, likely intended as a fallback should the primary implant fail.

It’s noteworthy that the deployment of PLENET in the wild was previously reported by Google in February 2026. The attacks were linked to a suspected China-nexus threat cluster dubbed UNC6201, which exploited a vulnerability in Dell RecoverPoint for Virtual Machines (CVE-2026-22769, CVSS score: 10.0) as a zero-day since mid-2024.

Volexity's analysis underscores VerdantBamboo's sophistication as a threat actor. The group combines living-off-the-land techniques with malware deployed to appliances that typically lack Endpoint Detection and Response (EDR) software, and its detailed knowledge of proprietary appliances lets it build persistence mechanisms tailored to each one. Its operational security measures include using a limited number of domains and IP addresses per victim and choosing implant names and persistence strategies specific to each compromised device.