- The China-nexus cyber espionage group VerdantBamboo deployed the BRICKSTORM backdoor against Linux systems and used a BSD variant of it against a pfSense firewall (pfSense runs on FreeBSD).
- The group compromised an Egnyte Storage Sync system in September 2025 by exploiting a local privilege escalation flaw, using it to access a victim’s Microsoft 365 environment.
- Following remediation, the actor returned using stolen credentials, deploying new malware families PLENET and AGENTPSD to a Synology NAS device.
- The attacks have been linked to hacking clusters known as Clay Typhoon, UNC5221, and Warp Panda.
- The PLENET malware was previously used in attacks exploiting a Dell RecoverPoint zero-day vulnerability (CVE-2026-22769).
In a sophisticated and persistent campaign, the Chinese cyber espionage group VerdantBamboo has been deploying multiple malware families, including the BRICKSTORM backdoor and a BSD variant of it, to compromise Linux systems and BSD-based network appliances. According to a technical report from Volexity, the activity overlaps with clusters tracked as Clay Typhoon and UNC5221.
Volexity discovered the intrusion during a September 2025 incident response, finding the group had breached an Egnyte Storage Sync appliance. The threat actor exploited a privilege escalation flaw, later patched in version 13.13, to deploy BRICKSTORM. Researchers stated, “The appliance had periodically been accessed by VerdantBamboo via IP addresses assigned through the victim organization’s web SSL VPN.”
The malware’s proxying capability, combined with stolen credentials, gave the actor a path into the victim’s Microsoft 365 environment. Routing that access through the victim’s own appliance let it blend with legitimate traffic and sidestep security policies; Volexity traced the initial compromise back at least 18 months. Following the first remediation, the actors returned using stolen admin credentials.
The group also breached the victim’s firewall to configure VPN access for itself and deployed additional payloads to a Synology NAS: PLENET, a cross-platform .NET Core backdoor, and AGENTPSD, a Python-based reverse shell. Further investigation revealed the group had also compromised the victim’s Managed Services Provider, infecting its pfSense firewall with the BSD BRICKSTORM variant.
Notably, PLENET was used in earlier attacks exploiting a critical Dell RecoverPoint vulnerability (CVE-2026-22769). Volexity assessed VerdantBamboo as highly sophisticated, leveraging living-off-the-land techniques on systems without EDR software. The group demonstrates strong operational security, using limited infrastructure per victim and customizing implants for each device.
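The pattern described above, a VPN-pool address touching a storage appliance and that appliance then proxying the actor's sessions to Microsoft 365, is visible in egress and firewall logs even where the appliance cannot run EDR. The following detection script is an added example written for this article, not code from Volexity or from any product mentioned; the appliance inventory, the VPN client pool, the destination addresses (203.0.113.0/24 is the TEST-NET-3 documentation range) and the log lines are all constructed and hypothetical. It flags appliance egress to M365 identity endpoints, VPN-client access to appliance management ports, and the chained combination of the two within a time window.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inventory (assumption for this example): appliances that should never
# authenticate to Microsoft 365 on their own behalf.
APPLIANCES = {
    "10.20.0.15": "egnyte-storage-sync",
    "10.20.0.30": "synology-nas",
}
# Constructed: client address pool handed out by the organization's SSL VPN.
VPN_POOL = ipaddress.ip_network("10.99.0.0/24")
# Microsoft 365 identity/API hostnames; user endpoints reach these, storage appliances do not.
M365_HOSTS = {"login.microsoftonline.com", "graph.microsoft.com", "outlook.office365.com"}
# Management ports on the appliances (SSH, HTTPS, Synology DSM defaults).
ADMIN_PORTS = {22, 443, 5000, 5001}
# A VPN-side touch of an appliance followed by appliance -> M365 egress inside this
# window is reported as a proxy chain.
CHAIN_WINDOW = timedelta(hours=24)

# Hypothetical key=value egress log format; adapt the regex to your firewall's fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)"
    r"(?: host=(?P<host>\S+))?$"
)

# Constructed sample log lines (not real traffic); the last line is deliberately malformed.
SAMPLE_LOGS = """\
2025-09-12T02:58:11Z src=10.99.0.42 dst=10.20.0.15 dport=22
2025-09-12T03:14:02Z src=10.20.0.15 dst=203.0.113.10 dport=443 host=login.microsoftonline.com
2025-09-12T03:14:30Z src=10.20.0.15 dst=203.0.113.11 dport=443 host=graph.microsoft.com
2025-09-12T09:00:00Z src=10.50.1.7 dst=203.0.113.10 dport=443 host=login.microsoftonline.com
2025-09-12T09:05:00Z src=10.20.0.30 dst=10.20.0.5 dport=445
2025-09-13T01:10:00Z src=10.99.0.42 dst=10.20.0.30 dport=5001
this line is garbage and must be skipped
"""


def parse_line(line):
    """Return an event dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    ev["dport"] = int(ev["dport"])
    return ev


def analyze(log_text):
    """Apply the three rules to a log blob and return findings grouped by rule name."""
    events = [ev for ev in (parse_line(l) for l in log_text.splitlines()) if ev]
    events.sort(key=lambda e: e["ts"])  # chain detection needs chronological order
    findings = defaultdict(list)
    last_vpn_touch = {}  # appliance ip -> (timestamp, vpn client ip)
    for ev in events:
        src, dst = ev["src"], ev["dst"]
        # Rule 1: an address from the VPN client pool reaches an appliance management port.
        if (ipaddress.ip_address(src) in VPN_POOL and dst in APPLIANCES
                and ev["dport"] in ADMIN_PORTS):
            findings["vpn_to_appliance_admin"].append(
                {"vpn_client": src, "appliance": APPLIANCES[dst], "ts": ev["ts"]})
            last_vpn_touch[dst] = (ev["ts"], src)
        # Rule 2: an appliance itself talks to an M365 identity/API host.
        if src in APPLIANCES and ev.get("host") in M365_HOSTS:
            findings["appliance_to_m365"].append(
                {"appliance": APPLIANCES[src], "host": ev["host"], "ts": ev["ts"]})
            # Rule 3: that egress follows a VPN-pool touch of the same appliance
            # within CHAIN_WINDOW, i.e. the appliance is being used as a proxy.
            touch = last_vpn_touch.get(src)
            if touch and ev["ts"] - touch[0] <= CHAIN_WINDOW:
                findings["proxy_chain"].append(
                    {"vpn_client": touch[1], "appliance": APPLIANCES[src], "host": ev["host"]})
    return dict(findings)


if __name__ == "__main__":
    for rule, hits in analyze(SAMPLE_LOGS).items():
        print(rule)
        for hit in hits:
            print("   ", hit)
```

Rule 3 is the one worth alerting on: a workstation authenticating to login.microsoftonline.com is normal, and VPN users occasionally reach an appliance's web UI, but an appliance that starts talking to M365 identity endpoints shortly after being touched from the VPN pool matches the tradecraft described here and should be treated as a potential proxy pivot, with the appliance's sessions correlated against Entra ID sign-in logs for the same window.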
