A China-nexus cyber espionage group has been observed deploying a BSD variant of the known BRICKSTORM backdoor, along with additional malware families, against Linux-based systems and enterprise appliances. According to research published by Volexity, the activity is attributed to a threat cluster tracked as VerdantBamboo, which overlaps with groups tracked as Clay Typhoon by Microsoft, UNC5221 by Google, and Warp Panda by CrowdStrike. The campaign was discovered during an incident response investigation in September 2025, in which the attackers were found to have compromised an organization's Egnyte Storage Sync system, exploiting a local privilege escalation vulnerability to deploy malware. The issue was later addressed in Storage Sync version 13.13, released in March 2026, but by then the intrusion had already given the attackers persistent access to the environment.
Researchers noted that the attackers maintained access through multiple infrastructure paths, including IP addresses associated with the victim organization's web SSL VPN services. Because those addresses belong to the organization itself, VerdantBamboo's activity blended into legitimate network traffic patterns and sidestepped access controls such as Conditional Access policies. The attackers combined the proxy capability built into BRICKSTORM on the Storage Sync systems with stolen credentials to reach the victim's Microsoft 365 environment. Analysts assess that this approach allowed long-term, stealthy access, with indications that the initial compromise occurred at least 18 months before discovery. Even after remediation, the threat actor reportedly re-entered the environment using stolen administrative credentials, accessed the firewalls, reconfigured SSL VPN access, and expanded its control across connected infrastructure, including Synology network-attached storage devices.
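The pattern described above, stolen credentials used through a proxy on a compromised appliance so that Microsoft 365 sign-ins arrive from the organization's own VPN egress, still leaves a trail in the tenant's sign-in logs. The following is an added illustration, not code from Volexity's report or from any vendor named in this article, of a review that a defender could run over exported sign-in records. Field names follow the Microsoft Graph signIn resource (userPrincipalName, ipAddress, authenticationRequirement, conditionalAccessStatus, deviceDetail); the trusted egress addresses, the per-user device baseline and the sign-in records themselves are constructed for the example, and the assumption that the VPN egress is configured as a trusted named location is the reviewer's, not something the article states.

```python
"""Review Microsoft 365 sign-in records for sessions that arrive from the
organisation's own VPN egress but do not look like a normal employee session.

Added example. Field names mirror the Microsoft Graph signIn resource; every
address, user, device and record below is constructed for illustration.
"""

from typing import Dict, Iterable, List, Set

# Assumption: the SSL VPN egress addresses are a trusted named location in
# Conditional Access, so sign-ins from them may be exempt from MFA (constructed).
TRUSTED_EGRESS: Set[str] = {"203.0.113.10", "203.0.113.11"}

# Assumption: devices each user normally signs in from (constructed baseline).
KNOWN_DEVICES: Dict[str, Set[str]] = {
    "alice@example.com": {"dev-a1"},
    "bob@example.com": {"dev-b1"},
}

# Constructed sign-in records in the shape of Graph signIn objects.
SIGNINS: List[dict] = [
    # Normal: known, compliant, managed device via the trusted egress.
    {"createdDateTime": "2025-09-02T08:14:03Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Teams",
     "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "success",
     "deviceDetail": {"deviceId": "dev-a1", "isCompliant": True, "isManaged": True,
                      "operatingSystem": "Windows 11", "browser": "Edge 128"}},
    # Suspicious: trusted egress, no MFA, no registered device, scripted client.
    # This is what a proxied session from a compromised appliance can look like.
    {"createdDateTime": "2025-09-02T23:41:17Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "203.0.113.11", "appDisplayName": "Office 365 Exchange Online",
     "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied",
     "deviceDetail": {"deviceId": "", "isCompliant": False, "isManaged": False,
                      "operatingSystem": "Linux", "browser": "Python Requests 2.31"}},
    # Not flagged by these rules: external address, MFA satisfied, known device.
    {"createdDateTime": "2025-09-03T07:02:55Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "198.51.100.7", "appDisplayName": "Microsoft Teams",
     "authenticationRequirement": "multiFactorAuthentication",
     "conditionalAccessStatus": "success",
     "deviceDetail": {"deviceId": "dev-b1", "isCompliant": True, "isManaged": True,
                      "operatingSystem": "Windows 11", "browser": "Edge 128"}},
    # Worth a look: MFA satisfied, but a device this user has never used before.
    {"createdDateTime": "2025-09-03T10:30:41Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "appDisplayName": "SharePoint Online",
     "authenticationRequirement": "multiFactorAuthentication",
     "conditionalAccessStatus": "success",
     "deviceDetail": {"deviceId": "dev-a9", "isCompliant": True, "isManaged": True,
                      "operatingSystem": "Windows 11", "browser": "Chrome 129"}},
]


def review_signins(records: Iterable[dict],
                   trusted: Set[str] = TRUSTED_EGRESS,
                   known_devices: Dict[str, Set[str]] = KNOWN_DEVICES) -> List[dict]:
    """Return findings for sign-ins from a trusted egress address that either
    (a) completed with a single factor on a device that is neither managed nor
    compliant, or (b) came from a device this user has not been seen on before.
    Sign-ins from other addresses are left to the usual Conditional Access path."""
    findings = []
    for rec in records:
        if rec["ipAddress"] not in trusted:
            continue
        upn = rec["userPrincipalName"]
        dev = rec.get("deviceDetail", {})
        reasons = []
        single_factor = rec.get("authenticationRequirement") == "singleFactorAuthentication"
        if single_factor and not (dev.get("isCompliant") or dev.get("isManaged")):
            reasons.append("single-factor sign-in from trusted egress on an unmanaged, non-compliant device")
        device_id = dev.get("deviceId") or None
        if device_id not in known_devices.get(upn, set()):
            reasons.append(f"first-seen device {device_id or '(none)'} for this user via trusted egress")
        if reasons:
            findings.append({"time": rec["createdDateTime"], "user": upn,
                             "ip": rec["ipAddress"], "app": rec["appDisplayName"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_signins(SIGNINS):
        print(f["time"], f["user"], f["ip"], f["app"])
        for reason in f["reasons"]:
            print("   -", reason)
```

The point of the two rules is that trusting an egress address tells you nothing about which host is behind it; a session proxied through a compromised appliance shares that address with every legitimate VPN user. Requiring a compliant or managed device for sign-ins from the trusted location, and alerting on first-seen devices there, removes the advantage that the proxy gives the attacker.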
Further investigation revealed that VerdantBamboo's operations extended beyond the victim organization into its managed service provider (MSP). The MSP had been compromised through its pfSense firewall, which was infected with the BSD variant of BRICKSTORM around the same time as the initial breach. Researchers believe this upstream compromise was critical to gaining access to the downstream victim network. Once inside, the attackers deployed additional malware families over SSH connections, including PLENET (also known as GRIMBOLT) and AGENTPSD. PLENET is a cross-platform backdoor written in .NET Core and compiled with native ahead-of-time (AOT) compilation, which produces a self-contained native binary that does not depend on a .NET runtime being installed on the host; it supports an interactive shell, remote command execution, file manipulation, and switching of command-and-control infrastructure. AGENTPSD is a Python-based reverse shell that appears to serve as a backup implant if the primary malware is disrupted or removed.
PLENET had previously been reported in real-world attacks by Google in February, in connection with activity attributed to another China-nexus cluster tracked as UNC6201. That group was observed exploiting a critical vulnerability in Dell RecoverPoint for Virtual Machines, CVE-2026-22769 (CVSS score 10.0), as a zero-day since mid-2024. Volexity researchers said VerdantBamboo demonstrates a high level of operational sophistication, combining living-off-the-land techniques with custom malware built for systems that typically cannot run endpoint detection and response (EDR) agents. The group also shows strong familiarity with proprietary and appliance-based environments, allowing it to implement persistence mechanisms tailored to each device while limiting opportunities for detection.
Analysts further observed that VerdantBamboo maintains disciplined operational security, using only a small number of domains and IP addresses per victim and customizing implant naming conventions for each compromised system, so that indicators recovered from one victim are of limited use in hunting for others. This targeted approach suggests an intent to maintain long-term access while reducing exposure across multiple environments. The campaign highlights the growing complexity of cyber espionage operations targeting Linux-based infrastructure and enterprise appliances, where traditional security tools may not provide full visibility into malicious activity.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.