A cyber espionage group with links to China, known as VerdantBamboo, has been identified deploying a BSD variant of the BRICKSTORM backdoor, along with two other malware families, PLENET and AGENTPSD, targeting Linux environments. This activity, tracked by cybersecurity firm Volexity, aligns with known operations of groups like Clay Typhoon, UNC5221, and Warp Panda.
Discovery and Initial Intrusion
The activities of VerdantBamboo came to light during an incident response engagement conducted by Volexity in September 2025. The investigation revealed that the group had infiltrated an unnamed company’s Egnyte Storage Sync system by exploiting a local privilege escalation vulnerability, and that this breach enabled the deployment of BRICKSTORM. The vulnerability was later addressed in the March 2026 update of Storage Sync, version 13.13.
Detailed analysis by the researchers showed that VerdantBamboo accessed the system from IP addresses assigned through the victim’s web SSL VPN. The attackers combined the malware’s proxy features with compromised credentials to reach the victim’s Microsoft 365 environment, blending their activity with legitimate network traffic to avoid detection.
Subsequent Breaches and Techniques
After initial remediation efforts, VerdantBamboo regained access by using stolen administrative credentials to log in to and reconfigure the organization’s firewall. This allowed the group to establish web SSL VPN connections, move into other systems, and place additional malware onto a Synology NAS appliance.
Further investigation disclosed that VerdantBamboo had also compromised the victim organization’s Managed Services Provider (MSP). Specifically, the group infected the MSP’s pfSense firewall with a BSD variant of BRICKSTORM, paralleling the timeline of the initial Storage Sync breach.
Deployment of Additional Malware
VerdantBamboo’s operation extended to deploying two malware families to the NAS device via SSH. The first, PLENET, also known as GRIMBOLT, is a cross-platform backdoor developed in .NET Core, providing an interactive shell, remote command execution, and file manipulation capabilities. The second, AGENTPSD, is a Python-based reverse shell designed as a fallback if the primary implant fails.
Google had previously reported PLENET’s use in February, linking it to attacks by a suspected China-linked group, UNC6201. This group had exploited a zero-day vulnerability in Dell RecoverPoint for Virtual Machines since mid-2024.
Implications and Conclusion
Volexity emphasizes that VerdantBamboo is a sophisticated threat actor that combines living-off-the-land techniques with malware tailored for systems that cannot run EDR software. The group’s knowledge of proprietary systems lets it deploy malware with customized persistence mechanisms, and it maintains operational security by limiting the domains and IP addresses used per target and by giving each implant a unique name per device.
