Full Report
A Chinese espionage group tracked as UNC5221 has been accessing Microsoft 365 environments using the Brickstorm backdoor and previously undocumented malware named Plenet and AgentPSD. [...]
Analysis Summary
# Threat Actor: UNC5221 (VerdantBamboo)
## Attribution & Identity
- **Name:** UNC5221
- **Aliases:** VerdantBamboo
- **Associated Groups:** UNC6201 (Overlap in tool usage/campaigns)
- **Origin:** China (State-sponsored espionage)
- **Identity Notes:** Described as a highly sophisticated threat actor focused on long-term espionage and persistent access.
## Activity Summary
- **Current Campaign (2024-2025):** The actor maintained access to a victim network for over 18 months before discovery in March 2025. This campaign involved compromising a Managed Service Provider (MSP) to pivot into downstream client environments.
- **Historical Context:** Known for exploiting zero-day vulnerabilities in edge devices since at least 2023. Historically linked to attacks against VMware vSphere servers and Dell RecoverPoint for Virtual Machines.
## Tactics, Techniques & Procedures
- **Living-off-the-Land (LotL):** Heavy use of native system tools to blend in with legitimate activity.
- **EDR Evasion:** Specifically targets "non-EDR" systems such as firewalls, NAS devices, and legacy servers where security software often cannot be installed.
- **Persistence Fallbacks:** Deploys multiple, redundant backdoors (e.g., AgentPSD) to ensure access if the primary implant is detected.
- **Proxying & Blending:** Uses compromised edge devices and internal proxy features to access Microsoft 365 environments, bypassing Conditional Access policies by appearing to originate from "trusted" internal network ranges.
- **Infrastructure Discipline:** Rapidly takes C2 infrastructure offline (e.g., closing port 443) upon the release of public threat intelligence reports.
- **Cross-Platform Development:** Shifts malware codebases between Golang, Rust, .NET, and Python to evade signature-based detection.
## Targeting
- **Sectors:** Legal services, Software-as-a-Service (SaaS) providers, Business Process Outsourcers (BPO), technology companies, and Managed Service Providers (MSPs).
- **Geography:** Primarily focused on organizations in the United States.
- **Victims:** Unnamed organizations including an MSP and a victim using Egnyte Storage Sync systems.
## Tools & Infrastructure
- **Brickstorm (aka Grimbolt):** An advanced implant written in Golang and later Rust. Features proxying capabilities and specialized BSD/Linux variants for firewalls (pfSense) and servers.
- **Plenet:** A cross-platform .NET-based backdoor used for interactive shell access and file manipulation.
- **AgentPSD:** A Python-based reverse shell used as a secondary persistence mechanism.
- **Targeted Infrastructure:**
  - Egnyte Storage Sync systems
  - Synology NAS devices
  - pfSense firewalls
  - VMware vSphere & Dell RecoverPoint
  - Linux GroupWise email archive servers
- **C2 Infrastructure:** Utilizes WebSockets for communication and port 443 for encrypted traffic.
## Implications
UNC5221 represents a significant risk to supply chains due to their demonstrated capability to compromise MSPs and remain undetected for years. Their strategy of targeting "blind spots" (edge devices and appliances) undermines traditional endpoint-centric security models. Their ability to circumvent Microsoft 365 Conditional Access policies suggests that "Identity" alone is not a sufficient perimeter if internal networks/appliances are compromised.
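The Conditional Access weakness described above (access granted because traffic appears to come from a "trusted" internal range) is usually a policy-configuration problem that can be audited. The following is an added example, not code from the report or from Microsoft: it walks a list of Conditional Access policy objects in the Microsoft Graph `conditionalAccessPolicy` shape and flags policies that exclude trusted locations or grant access without a device-bound control (`compliantDevice` / `domainJoinedDevice`). The policy objects are constructed sample data; in practice they would come from a Graph export of your tenant.

```python
# Added example: audit Conditional Access policies for reliance on IP/location trust.
# Policy dicts follow the Microsoft Graph conditionalAccessPolicy schema
# (conditions.locations.*, grantControls.builtInControls); the sample policies
# below are constructed for illustration, not taken from any real tenant.

DEVICE_BOUND_CONTROLS = {"compliantDevice", "domainJoinedDevice"}


def policy_weaknesses(policy):
    """Return a list of weakness labels for one Conditional Access policy."""
    issues = []
    if policy.get("state") != "enabled":
        issues.append("not-enforced")  # report-only or disabled policies protect nothing

    conditions = policy.get("conditions") or {}
    locations = conditions.get("locations") or {}
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls") or [])
    device_bound = bool(controls & DEVICE_BOUND_CONTROLS)

    # "Require MFA except from trusted locations" is exactly the pattern a proxy
    # sitting on an internal appliance can abuse: the exclusion removes the control.
    if locations.get("excludeLocations") and not device_bound:
        issues.append("trusted-location-exclusion-without-device-control")

    if not device_bound:
        issues.append("no-device-bound-grant-control")
    return issues


def audit_policies(policies):
    """Map policy displayName -> weakness list, omitting clean policies."""
    report = {}
    for policy in policies:
        found = policy_weaknesses(policy)
        if found:
            report[policy.get("displayName", "<unnamed>")] = found
    return report


# Constructed sample policies (hypothetical names and settings).
SAMPLE_POLICIES = [
    {
        "displayName": "Require MFA except trusted IPs",
        "state": "enabled",
        "conditions": {"locations": {"includeLocations": ["All"],
                                     "excludeLocations": ["AllTrusted"]}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "Require compliant device for M365",
        "state": "enabled",
        "conditions": {"locations": {"includeLocations": ["All"]}},
        "grantControls": {"operator": "OR",
                          "builtInControls": ["compliantDevice", "domainJoinedDevice"]},
    },
    {
        "displayName": "Report-only compliant device pilot",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {},
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    },
]

if __name__ == "__main__":
    for name, issues in audit_policies(SAMPLE_POLICIES).items():
        print(f"{name}: {', '.join(issues)}")
```

The first sample policy is the configuration the report's proxying technique defeats: the trusted-location exclusion means a session originating from an internal appliance never has to satisfy MFA, and nothing ties the grant to a managed device. The second policy is the shape the Mitigations section recommends.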
## Mitigations
- **Harden Edge Devices:** Prioritize patching and monitoring for edge appliances (VPNs, firewalls, NAS) that do not support EDR.
- **Strict Conditional Access:** Implement "Compliant Device" or "Managed Device" requirements for Microsoft 365, rather than relying solely on IP-based location white-listing.
- **MSP Governance:** Organizations should audit the security posture of their MSPs, as these providers are high-value targets for pivoting.
- **Traffic Analysis:** Monitor for unusual outbound WebSocket traffic or internal-to-internal proxying behavior originating from storage or network appliances.
- **Log Retention:** Maintain at least 18-24 months of logs for edge devices to facilitate effective forensic lookbacks.
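The Traffic Analysis mitigation above calls for watching appliances (NAS, firewalls, storage-sync hosts) for outbound WebSocket sessions on 443 and for internal-to-internal connections they have no business initiating. As an added example, not code from the report, here is a small detector that runs over constructed connection-log lines: it keeps an inventory of appliance IPs and a per-role baseline of expected destinations (both hypothetical), flags an appliance-sourced external 443 connection carrying a WebSocket upgrade, flags an appliance reaching an internal host outside its baseline, and summarises how many distinct unexpected internal hosts each appliance touched. The log format is invented for the example; adapt `parse_line` to your firewall or proxy export.

```python
# Added example: flag appliance-originated WebSocket egress and internal proxying.
# Inventory, baseline, log format and all IPs below are constructed for illustration.
import ipaddress
from collections import defaultdict

# Hypothetical appliance inventory: source IP -> role (from your CMDB in practice).
APPLIANCES = {
    "10.0.5.20": "nas",           # Synology NAS
    "10.0.1.1": "firewall",       # pfSense
    "10.0.7.40": "storage-sync",  # Egnyte Storage Sync host
}

# Hypothetical baseline: internal hosts each role is expected to initiate traffic to.
EXPECTED_DESTINATIONS = {
    "nas": {"10.0.0.10"},           # directory server for authentication
    "firewall": set(),
    "storage-sync": {"10.0.0.10"},
}

INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    """True if the address falls inside an RFC 1918 range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Constructed format: '<ts> <src> <dst> <dport> <proto> <upgrade-header-or-none>'."""
    ts, src, dst, dport, proto, upgrade = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport),
            "proto": proto, "upgrade": upgrade.lower()}


def classify(event):
    """Return a rule name if the event matches one of the two appliance patterns."""
    role = APPLIANCES.get(event["src"])
    if role is None:
        return None  # only appliance-originated traffic is in scope here
    if not is_internal(event["dst"]):
        # Appliances rarely need WebSocket sessions to the internet; C2 often does.
        if event["dport"] == 443 and event["upgrade"] == "websocket":
            return "appliance-outbound-websocket"
        return None
    if event["dst"] not in EXPECTED_DESTINATIONS[role]:
        return "appliance-internal-proxying"
    return None


def analyze(lines):
    """Return (findings, fanout): flagged events and distinct unexpected internal
    destinations per appliance, which rises when an appliance is used as a pivot."""
    findings = []
    fanout = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        event = parse_line(line)
        rule = classify(event)
        if rule is None:
            continue
        findings.append((event["ts"], event["src"], event["dst"], rule))
        if rule == "appliance-internal-proxying":
            fanout[event["src"]].add(event["dst"])
    return findings, {src: len(dsts) for src, dsts in fanout.items()}


# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
2025-03-01T10:00:00Z 10.0.5.20 10.0.0.10 389 tcp none
2025-03-01T10:00:05Z 10.0.5.20 203.0.113.7 443 tcp websocket
2025-03-01T10:00:09Z 10.0.5.20 10.0.3.15 445 tcp none
2025-03-01T10:00:12Z 10.0.5.20 10.0.3.16 5985 tcp none
2025-03-01T10:01:00Z 10.0.9.50 203.0.113.9 443 tcp websocket
2025-03-01T10:01:30Z 10.0.1.1 198.51.100.4 443 tcp none
""".splitlines()

if __name__ == "__main__":
    found, fan = analyze(SAMPLE_LOG)
    for item in found:
        print(*item)
    print("unexpected internal fan-out:", fan)
```

The workstation on line five also opens a WebSocket to the internet but is deliberately not flagged: the point of this rule is the source class, since a browser doing that is normal and a NAS doing it is not. Tune the fan-out threshold to your environment before alerting on it.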