VerdantBamboo Used BRICKSTORM and PLENET to Persist via Edge Appliances
Volexity reported that the China-linked threat actor VerdantBamboo—also tracked as WARP PANDA and UNC5221—compromised an organization through its managed services provider and maintained access for at least 18 months by abusing edge infrastructure and proprietary appliances. Investigators found the actor on an Egnyte Storage Sync appliance, where it deployed BRICKSTORM as its primary implant and used AGENTPSD as a fallback reverse shell, then pivoted with stolen credentials and SSL VPN access to reach internal systems and Microsoft 365 while bypassing Conditional Access protections.
The intrusion also affected the victim’s MSP, where Volexity found a pfSense firewall running a FreeBSD variant of BRICKSTORM and assessed with medium confidence that the MSP breach was the likely initial access path. During the investigation, Volexity identified a local privilege escalation issue tied to sudo permissions for Egnyte’s default egnyteservice account, later fixed in Storage Sync v13.13, and documented a new .NET Native AOT backdoor named PLENET on a Synology NAS. The findings indicate VerdantBamboo deliberately targets appliances and firewall-adjacent systems that often lack EDR coverage, using them as covert proxies and long-term persistence points.
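The sudo-permission issue noted above is the kind of condition a defender can check for directly on an appliance. The script below is an added example, not code from Volexity, Egnyte or Mallory: it audits sudoers text for rules that let a service account run an unrestricted command list (ALL) or a shell-capable command as root. The sudoers lines and the backupsvc account are constructed sample data; the page does not publish the actual egnyteservice rule, so nothing about it is assumed beyond the account name.

```shell
#!/bin/sh
# Added defender-side example (not code from Volexity, Egnyte or Mallory).
# Audits sudoers text for rules that let a low-privileged service account
# reach root: an unrestricted command list (ALL) or a command that can spawn
# a shell. The rule text further down is CONSTRUCTED sample data; the real
# egnyteservice sudo configuration is not on the page and is not reproduced.

# flag_risky_sudo ACCOUNT < sudoers-text
# Prints "TAG rule" for each risky rule granted to ACCOUNT; prints nothing
# when every rule for the account is tightly scoped.
flag_risky_sudo() {
  account="$1"
  # Drop comments, normalise whitespace, keep only rules for this account.
  sed -e 's/#.*//' -e 's/[[:space:]]\{1,\}/ /g' -e 's/^ //' -e 's/ $//' |
  grep "^${account} " |
  while IFS= read -r rule; do
    # Isolate the command list: text after "host=", minus "(runas)" and tags.
    cmds=${rule#*=}
    cmds=${cmds#\(*\)}
    cmds=${cmds##*: }
    cmds=${cmds# }
    tag=""
    case "$cmds" in
      ALL) tag="ALL-COMMANDS" ;;
      *)
        # A single allowed command that can launch a shell is effectively root.
        for c in $cmds; do
          case "$c" in
            */sh|*/bash|*/vi|*/vim|*/less|*/find|*/python*|*/perl)
              tag="SHELL-CAPABLE"; break ;;
          esac
        done ;;
    esac
    # Passwordless variants are the ones an implant can use unattended.
    case "$rule" in
      *NOPASSWD:*) if [ -n "$tag" ]; then tag="$tag,NOPASSWD"; fi ;;
    esac
    if [ -n "$tag" ]; then printf '%s %s\n' "$tag" "$rule"; fi
  done
}

# Constructed sudoers sample (NOT Egnyte's real configuration).
SAMPLE_SUDOERS='Defaults env_reset
root ALL=(ALL:ALL) ALL
egnyteservice ALL=(ALL) NOPASSWD: ALL
egnyteservice ALL=(root) NOPASSWD: /usr/bin/vim /etc/hosts
egnyteservice ALL=(root) /usr/sbin/service egnyte-sync restart
backupsvc ALL=(root) NOPASSWD: /usr/sbin/service backup restart'

# Usage: audit the sample; on a real host feed it
#   cat /etc/sudoers /etc/sudoers.d/* | flag_risky_sudo egnyteservice
printf '%s\n' "$SAMPLE_SUDOERS" | flag_risky_sudo egnyteservice
```

Only the two egnyteservice rules that grant ALL or an editor that can spawn a shell are reported; the tightly scoped service-restart rule is silent, which is the shape a fixed configuration should have.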

How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Egnyte releases Storage Sync v13.13 with privilege escalation fix
Egnyte released Storage Sync version 13.13 in March 2026, fixing the local privilege escalation flaw affecting the default egnyteservice account on compromised appliances. The vulnerability had been abused in the intrusion investigated by Volexity.
Gurucul reports UNC5221 campaign targeting U.S. law firms
On June 8, 2026, Gurucul published research on an ongoing China-linked espionage campaign attributed to UNC5221 targeting U.S. law firms and technology organizations. The report said the attackers exploited zero-days, deployed BRICKSTORM, maintained access for more than a year, and stole sensitive legal, trade, and national security information.
Volexity publishes VerdantBamboo intrusion findings
On June 4, 2026, Volexity published its investigation linking the intrusion to VerdantBamboo, also tracked as WARP PANDA and UNC5221. The report documented the actor's focus on proprietary appliances and edge devices, including a pfSense firewall at the compromised MSP running a FreeBSD variant of BRICKSTORM.
Egnyte fixes local privilege escalation in Storage Sync v13.13
Volexity identified a local privilege escalation condition in Egnyte Storage Sync involving sudo permissions for the default egnyteservice account. Egnyte later fixed the issue in Storage Sync version 13.13.
Attackers maintain long-term access using BRICKSTORM and other implants
Following the intrusion, VerdantBamboo maintained access for at least 18 months by deploying BRICKSTORM on edge and appliance systems, AGENTPSD as a fallback reverse shell, and the PLENET backdoor on a Synology NAS. The actor also used compromised credentials and SSL VPN access to pivot internally and access Microsoft 365 while evading Conditional Access controls.
VerdantBamboo compromises victim environment via likely MSP access
In September 2025, Volexity investigated an intrusion involving an Egnyte Storage Sync appliance and determined that VerdantBamboo had compromised the victim environment. Volexity assessed with medium confidence that a compromise of the victim's managed services provider was the likely initial access path.
Sources
6 references tracked.
VerdantBamboo Deploys BSD Variant of BRICKSTORM on Linux Appliances (thehackernews.com)
Seeking Counsel: Ongoing Targeted Campaign Against US Law Firms | Community Portal | Gurucul (community.gurucul.com)
Chinese APT VerdantBamboo Evades M365 Security for 18 Months | The CyberSec Guru (thecybersecguru.com)
Chinese APT VerdantBamboo Uses BRICKSTORM Malware to Compromise Firewalls and Appliances (cybersecuritynews.com)
Chinese APT deploys new malware to keep access to hacked networks (bleepingcomputer.com)
VerdantBamboo: Just Another BRICKSTORM in the Firewall | Volexity (volexity.com)