Full Report
A China-nexus cyber espionage group has been observed deploying a BSD variant of a known backdoor called BRICKSTORM, as well as two other malware families codenamed PLENET (aka GRIMBOLT) and AGENTPSD to target Linux systems. The activity has been attributed by Volexity to a threat cluster it tracks as VerdantBamboo, which it said overlaps with hacking groups known as Clay Typhoon (Microsoft),
Analysis Summary
# Threat Actor: VerdantBamboo
## Attribution & Identity
* **Identification:** VerdantBamboo is a China-nexus cyber espionage threat actor.
* **Aliases:**
  * **Clay Typhoon** (Microsoft)
  * **UNC5221** (Google/Mandiant)
  * **Warp Panda** (CrowdStrike)
  * **UNC6201** (suspected overlap, mentioned in connection with the PLENET malware)
* **Known Associations:** Linked to Chinese state-sponsored operations specializing in the exploitation of edge appliances and Linux-based systems.
## Activity Summary
The actor was observed in a multi-stage campaign discovered in September 2025. They initially compromised an organization’s **Egnyte Storage Sync** system, maintaining access for at least 18 months. After initial remediation, the actor returned by leveraging stolen administrative credentials and compromising the victim's **Managed Services Provider (MSP)**. By infecting the MSP’s pfSense firewall, they were able to pivot back into the target's environment to deploy persistent implants.
## Tactics, Techniques & Procedures
* **Exploitation of Edge Appliances:** Specifically targeting Linux/BSD-based appliances where EDR software is typically absent.
* **Living-off-the-Land (LotL):** Using built-in tools and legitimate network services to maintain presence.
* **Vulnerability Exploitation:**
  * Exploitation of a local privilege escalation in Egnyte Storage Sync.
  * Exploitation of CVE-2026-22769 (Dell RecoverPoint zero-day), associated with related clusters.
* **Persistence & Evasion:**
  * Deploying malware with customized naming and persistence mechanisms on a per-device basis.
  * Using compromised SSL VPN access and proxying through infected appliances to blend with legitimate traffic.
  * Evading Conditional Access policies in M365 environments by sourcing traffic from internal victim IPs.
* **Supply Chain / MSP Pivot:** Targeting Managed Service Providers to gain downstream access to primary targets.
## Targeting
* **Sectors:** Managed Service Providers (MSPs), Government, and Enterprise sectors (implied by M365 and storage sync targeting).
* **Geography:** Global (China-nexus interest).
* **Victims:** Unnamed organization using Egnyte Storage Sync and their associated MSP; users of Dell RecoverPoint for VMs.
## Tools & Infrastructure
* **Malware Families:**
  * **BRICKSTORM:** A backdoor used to proxy traffic; includes a BSD variant and a native AOT-compiled version.
  * **PLENET (aka GRIMBOLT):** A cross-platform backdoor (.NET Core) supporting remote command execution and C2 switching.
  * **AGENTPSD:** A Python-based reverse shell used as a fallback entry point.
* **Infrastructure:**
  * Compromised SSL VPNs.
  * Use of specific, limited IP sets per victim to minimize detection.
  * SSH for lateral movement and malware deployment.
## Implications
VerdantBamboo represents a high-tier threat characterized by extreme patience (18-month dwell times) and operational security discipline. By targeting "blind spot" devices (firewalls, storage appliances, and NAS) that do not support traditional security agents, they successfully bypass modern EDR-centric defenses. Their ability to pivot from an MSP to a target demonstrates a sophisticated understanding of trust relationships in corporate networks.
## Mitigations
* **Appliance Patching:** Immediately update Egnyte Storage Sync to version 13.13 or higher.
* **Edge Auditing:** Regularly audit pfSense firewalls, NAS devices, and other Linux-based appliances for unauthorized SSH keys or unusual cron jobs.
* **VPN Hardening:** Enforce strict Multi-Factor Authentication (MFA) and review SSL VPN logs for logins from atypical internal or MSP-linked IP addresses.
* **Zero Trust:** Implement granular Conditional Access policies that do not rely solely on "trusted" internal IP ranges, since an attacker proxying through a compromised on-premises appliance will appear to come from those ranges.
* **MSP Security:** Coordinate with service providers to ensure their administrative infrastructure (like firewalls) is monitored and secured.
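The "Edge Auditing" item above is easiest to act on with a baseline comparison. The following script is an added example (not from Volexity or any appliance vendor): it lists SSH keys and cron entries present on a device but absent from a known-good baseline, matching keys by key material rather than by the free-text comment, which an intruder can set to anything. All file contents, key blobs and paths are constructed; on a real device you would point it at the appliance's `authorized_keys` and crontab and at a baseline captured at a trusted point in time.

```shell
#!/bin/sh
# Audit an appliance's SSH authorized_keys and crontab against a baseline.
# Sample data below is constructed for illustration.

# Print "keytype base64" for each key in an authorized_keys file, skipping any
# leading option block (e.g. command="...") and the trailing comment, so that a
# renamed comment cannot disguise an unknown key or hide a known one.
key_bodies() {
  awk 'NF > 0 && $0 !~ /^[ \t]*#/ {
         for (i = 1; i <= NF; i++)
           if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $i, $(i+1); break }
       }' "$1"
}

# Keys present in $1 (authorized_keys) but absent from the allow-list $2.
audit_keys() {
  key_bodies "$1" | grep -vxF -f "$2" || true
}

# Cron entries (non-comment, non-blank) in $1 that are absent from baseline $2.
audit_cron() {
  grep -vE '^[[:space:]]*(#|$)' "$1" | grep -vxF -f "$2" || true
}

# ---- constructed sample data (hypothetical key blobs and paths) --------------
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/keys.allow" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDADMINKEY0001
EOF
cat > "$SAMPLE_DIR/authorized_keys" <<'EOF'
# comment changed, key material unchanged: still trusted, must not be flagged
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDADMINKEY0001 backup@msp
# unknown key behind a forced-command option with a familiar-looking comment
command="/bin/sh" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACONSTRUCTEDUNKNOWN admin@pfsense
EOF
cat > "$SAMPLE_DIR/cron.allow" <<'EOF'
0 3 * * * root /usr/local/bin/backup-config
EOF
cat > "$SAMPLE_DIR/crontab" <<'EOF'
# /etc/crontab
0 3 * * * root /usr/local/bin/backup-config
*/5 * * * * root /usr/local/bin/.syncd >/dev/null 2>&1
EOF

echo "== SSH keys not in baseline =="
audit_keys "$SAMPLE_DIR/authorized_keys" "$SAMPLE_DIR/keys.allow"
echo "== cron entries not in baseline =="
audit_cron "$SAMPLE_DIR/crontab" "$SAMPLE_DIR/cron.allow"
```

Any line the script prints warrants an explanation from the device owner; an empty result for both checks means the device matches its baseline.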