Chinese APT group Unc5221, also known as VerdantBamboo, has been identified by researchers at Volexity as the actor behind a series of high-profile attacks against multiple targets worldwide, notable for its sophisticated tactics and techniques. The group's latest campaign, which began around September 2024, saw it deploy advanced malware, including the Brickstorm backdoor and the previously undocumented Plenet, to gain and keep access to compromised networks.
According to researchers at Volexity, Unc5221's modus operandi combines living-off-the-land techniques, that is, abusing built-in tools and legitimate systems, with custom malware rather than relying on malware alone. This approach lets the group blend in with legitimate network traffic and evade traditional security measures. In one notable instance, VerdantBamboo compromised an Egnyte Storage Sync system and accessed it periodically through the victim's web SSL VPN. From this foothold, the group used Brickstorm's proxying features and stolen credentials to reach the organization's Microsoft 365 environment.
The attackers spent at least 18 months on the network before being detected, and further intrusions followed after remediation had been completed. In the second intrusion, the attackers used stolen credentials to enable and configure SSL VPN access on the victim's firewall, connected through it to internal systems, and deployed additional custom malware to a Synology NAS device.
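The second intrusion above turns on a small, loggable sequence: an account changes the firewall configuration to enable SSL VPN, then the same account logs in over that VPN shortly afterwards. The detector below, an added example that is not code from Volexity or from the page, parses a constructed, generic key=value audit log and flags exactly that self-provisioned remote-access pattern. The log format, field names and the function name `find_self_provisioned_vpn` are assumptions; real firewalls (Fortinet, Palo Alto and others) use their own field names, so the parsing regex is the part to adapt.

```python
"""Flag accounts that enable SSL VPN on a firewall and then log in over it.

The input is a constructed, generic syslog-style audit format (assumption);
real devices use different field names, so adapt LINE_RE and the keys below.
"""
import re
from datetime import datetime, timedelta

# Constructed sample audit lines, not taken from any real device.
# svc-backup enables SSL VPN at 01:12 and logs in over it at 01:20: suspicious.
# netadmin enables SSL VPN on Sept 3 and logs in a week later: outside the window.
# alice logs in but never touched the configuration: benign.
SAMPLE_LOG = """\
2024-09-02T01:12:40Z fw01 audit user=svc-backup action=config-change object=sslvpn.enabled value=true src=10.20.0.15
2024-09-02T01:13:05Z fw01 audit user=svc-backup action=config-change object=sslvpn.portal value=full-access src=10.20.0.15
2024-09-02T01:20:11Z fw01 vpn user=svc-backup action=login result=success tunnel=sslvpn src=198.51.100.77
2024-09-02T09:05:00Z fw01 vpn user=alice action=login result=success tunnel=sslvpn src=203.0.113.9
2024-09-03T14:00:00Z fw01 audit user=netadmin action=config-change object=sslvpn.enabled value=true src=10.20.0.5
2024-09-10T08:00:00Z fw01 vpn user=netadmin action=login result=success tunnel=sslvpn src=203.0.113.40
"""

# "<timestamp> <host> <facility> key=value key=value ..."  (assumed format)
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<facility>\S+) (?P<kv>.*)$")


def parse_line(line):
    """Parse one audit line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = dict(pair.split("=", 1) for pair in m.group("kv").split())
    event["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    event["host"] = m.group("host")
    event["facility"] = m.group("facility")
    return event


def list_vpn_enablements(log_text):
    """Return {user: first time that user set sslvpn.enabled=true}."""
    first_enabled = {}
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None or e["facility"] != "audit":
            continue
        if e.get("object") == "sslvpn.enabled" and e.get("value") == "true":
            first_enabled.setdefault(e["user"], e["ts"])
    return first_enabled


def find_self_provisioned_vpn(log_text, window_hours=24):
    """Return (user, source_ip, login_time) for every successful SSL VPN login
    by an account that enabled SSL VPN within the preceding window_hours."""
    first_enabled = list_vpn_enablements(log_text)
    window = timedelta(hours=window_hours)
    alerts = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None or e["facility"] != "vpn":
            continue
        if e.get("result") != "success" or e.get("tunnel") != "sslvpn":
            continue
        enabled_at = first_enabled.get(e["user"])
        if enabled_at is None:
            continue  # this account never changed the VPN configuration
        delta = e["ts"] - enabled_at
        if timedelta(0) <= delta <= window:
            alerts.append((e["user"], e["src"], e["ts"]))
    return alerts


if __name__ == "__main__":
    for user, src, when in find_self_provisioned_vpn(SAMPLE_LOG):
        print(f"ALERT self-provisioned SSL VPN: {user} from {src} at {when.isoformat()}")
```

The window is deliberately short: an administrator who enables the VPN during a change and first uses it days later is routine, whereas an account that enables remote access and connects minutes later from an external address is the pattern worth paging on. Every enablement event should still be reviewed on its own, which is why `list_vpn_enablements` is exposed separately.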
Researchers from Volexity discovered that Plenet, a cross-platform .NET-based backdoor, had been deployed to a Synology NAS appliance. The malware offers interactive shell access, remote command execution, file manipulation, and switching between command-and-control (C2) servers. The researchers note that Plenet is similar in design to Brickstorm: it uses the WebSocket protocol for C2 communications and a multiplexing library to carry several simultaneous data streams to the server over one connection.
Another piece of malware used by Unc5221 was AgentPSD, a simple Python-based reverse shell. It was never used while Brickstorm was still running, which supports the assessment that it served as a secondary, fallback access mechanism. During the investigation, Volexity attempted to map VerdantBamboo's wider infrastructure but could not identify other systems because the threat actor had taken them offline.
The Volexity researchers compiled and published a list of indicators of compromise (IOCs) linked to the investigated Unc5221 campaign. Volexity also describes Brickstorm as an "advanced malware implant": initial variants were written in Go, and newer variants written in Rust have since emerged. The researchers describe VerdantBamboo as "a highly sophisticated threat actor" that mixes living-off-the-land techniques with custom malware.
Volexity had fingerprinted the actor's infrastructure by a pattern in the services it exposed on port 443. All servers that previously matched this pattern stopped serving on port 443 between September 18 and September 23, which suggests the attacker was aware that its operations were under investigation. Google also published a new report detailing Brickstorm activity, and CISA has warned about Brickstorm being deployed by Chinese hackers against VMware vSphere servers, adding to the growing list of known targets for this particular malware.
In conclusion, Unc5221 has demonstrated its capabilities as a sophisticated threat actor through its malware and its tradecraft. The dwell time of at least 18 months fits a broader detection gap: security teams reportedly log only 54% of successful attacks and alert on just 14%, with the rest moving through the environment unseen. The incident is a reminder for organizations to take proactive measures to detect and respond to intrusions that deliberately look like legitimate activity.
Published: Fri Jun 5 13:59:50 2026 by llama3.2 3B Q4_K_M