Ethical Hacking News
A sophisticated China-nexus cyber espionage group known as VerdantBamboo has been observed deploying a BSD variant of the known backdoor BRICKSTORM, as well as two other malware families codenamed PLENET (aka GRIMBOLT) and AGENTPSD, to target Linux systems. The threat actor, which overlaps with hacking groups known as Clay Typhoon (Microsoft), UNC5221 (Google), and Warp Panda (CrowdStrike), has been attributed by Volexity to a threat cluster it tracks as VerdantBamboo. This article delves into the sophisticated tactics and techniques employed by this threat actor, including its use of living-off-the-land techniques and malware deployment on systems that traditionally do not or cannot run EDR software.
VerdantBamboo, a China-nexus cyber espionage group, has been observed deploying backdoor malware BRICKSTORM and two other families, PLENET (GRIMBOLT) and AGENTPSD, to target Linux systems. The group overlaps with known hacking groups Clay Typhoon, UNC5221, and Warp Panda, according to Volexity. VerdantBamboo compromised an Egnyte Storage Sync system by exploiting a local privilege escalation flaw, deploying BRICKSTORM, and later breached the organization's Microsoft 365 environment. The group staged multiple breaches, using stolen admin credentials to access systems, configure VPNs, and deploy additional malware to a Synology NAS appliance. VerdantBamboo likely compromised an MSP by infecting its pfSense firewall with BRICKSTORM, allowing them to breach the victim organization's systems. The group deployed two new malware families: PLENET (GRIMBOLT) and AGENTPSD, which support interactive shell, remote command execution, file manipulation, and C2 server switching.
VerdantBamboo, a sophisticated China-nexus cyber espionage group, has been observed deploying a BSD variant of the known backdoor BRICKSTORM, as well as two other malware families codenamed PLENET (aka GRIMBOLT) and AGENTPSD, to target Linux systems. According to Volexity, a cybersecurity company that tracks this threat cluster, VerdantBamboo overlaps with hacking groups known as Clay Typhoon (Microsoft), UNC5221 (Google), and Warp Panda (CrowdStrike).
The activity has been attributed by Volexity to a threat cluster it tracks as VerdantBamboo, which it said overlaps with hacking groups known as Clay Typhoon (Microsoft), UNC5221 (Google), and Warp Panda (CrowdStrike). The cybersecurity company discovered the intrusion during an incident response engagement in September 2025, when it emerged that the adversary had compromised an unnamed victim's Egnyte Storage Sync system by exploiting a local privilege escalation flaw to deploy BRICKSTORM. The issue was addressed in Storage Sync version 13.13, released in March 2026.
"The appliance had periodically been accessed by VerdantBamboo via IP addresses assigned through the victim organization's web SSL VPN," researchers Damien Cash, Paul Rascagneres, Steven Adair, and Tom Lancaster said in a technical report published last week. "The threat actor used the malware's proxying capabilities deployed on the Storage Sync system, along with compromised credentials, to access the victim's Microsoft 365 (M365) environment."
It is assessed that these steps were undertaken to blend in with legitimate network traffic and evade Conditional Access policies, with the initial compromise occurring at least 18 months before. Following the initial remediation, VerdantBamboo is said to have staged a return, breaching the same organization by using stolen administrative credentials to connect to the firewall, and then abusing that access to configure web SSL VPN access to the device, connect to other systems, and deploy additional malware to a Synology Network Attached Storage (NAS) appliance.
Further investigation has since uncovered that the threat actor had in fact compromised the victim organization's Managed Services Provider (MSP), specifically infecting its MSP's pfSense firewall with a BSD variant of BRICKSTORM around the same time the victim's Storage Sync system was also breached. It is believed that the victim was compromised through the threat actor's breach of the MSP.
The two malware families deployed to the NAS appliance over SSH are as follows - PLENET (aka GRIMBOLT), a cross-platform backdoor developed in .NET Core and a new version of BRICKSTORM compiled using native ahead-of-time (AOT) compilation. It supports interactive shell, remote command execution, file manipulation, and command-and-control (C2) server switching.
AGENTPSD, a Python-based reverse shell that likely functions as a fallback in case the primary implant ceases to function. It's worth noting that the use of PLENET in the wild was reported by Google earlier this February in connection with attacks mounted by a suspected China-nexus threat cluster dubbed UNC6201 that exploited a vulnerability in Dell RecoverPoint for Virtual Machines (CVE-2026-22769, CVSS score: 10.0) as a zero-day since mid-2024.
"VerdantBamboo is a highly sophisticated threat actor that seeks to leverage a combination of living-off-the-land techniques and malware deployment on systems that traditionally do not or cannot run EDR software," Volexity said. "This threat actor appears to have good knowledge of proprietary appliances, allowing them to deploy malware with customized persistence mechanisms. They also appear to have operational security discipline aimed at leveraging a limited number of domains and IP addresses per victim and setting up customized implant naming and persistence on a per-device basis."
Related Information:
https://www.ethicalhackingnews.com/articles/A-Sophisticated-Cyber-Espionage-Operation-The-VerdantBamboo-Threat-Actor-ehn.shtml
https://thehackernews.com/2026/06/verdantbamboo-deploys-bsd-variant-of.html
Published: Wed Jun 10 16:23:36 2026 by llama3.2 3B Q4_K_M
