A China-nexus cyber espionage group has been observed deploying a BSD variant of a known backdoor called BRICKSTORM, as well as two other malware families codenamed PLENET (aka GRIMBOLT) and AGENTPSD to target Linux systems.
The activity has been attributed by Volexity to a threat cluster it tracks as VerdantBamboo, which it said overlaps with hacking groups known as Clay Typhoon (Microsoft), UNC5221 (Google), and Warp Panda (CrowdStrike).
The cybersecurity company said it discovered the intrusion during an incident response engagement in September 2025, when it emerged that the adversary had compromised an unnamed victim’s Egnyte Storage Sync system by exploiting a local privilege escalation flaw to deploy BRICKSTORM. The issue was addressed in Storage Sync version 13.13, released in March 2026.
“The appliance had periodically been accessed by VerdantBamboo via IP addresses assigned through the victim organization’s web SSL VPN,” researchers Damien Cash, Paul Rascagneres, Steven Adair, and Tom Lancaster said in a technical report published last week.
“The threat actor used the malware’s proxying capabilities deployed on the Storage Sync system, along with compromised credentials, to access the victim’s Microsoft 365 (M365) environment.”
It’s assessed that these steps were undertaken to blend in with legitimate network traffic and evade Conditional Access policies, with the initial compromise occurring at least 18 months before.
Following the initial remediation, VerdantBamboo is said to have staged a return, breaching the same organization by using stolen administrative credentials to connect to the firewall, and then abusing that access to configure web SSL VPN access to the device, connect to other systems, and deploy additional malware to a Synology Network Attached Storage (NAS) appliance.
Further investigation has since uncovered that the threat actor had in fact compromised the victim organization’s Managed Services Provider (MSP), specifically infecting its MSP’s pfSense firewall with a BSD variant of BRICKSTORM around the same time the victim’s Storage Sync system was also breached.
It’s believed that the victim was compromised through the threat actor’s breach of the MSP. The two malware families deployed to the NAS appliance over SSH are as follows –
- PLENET (aka GRIMBOLT), a cross-platform backdoor developed in .NET Core and a new version of BRICKSTORM compiled using native ahead-of-time (AOT) compilation. It supports interactive shell, remote command execution, file manipulation, and command-and-control (C2) server switching.
- AGENTPSD, a Python-based reverse shell that likely functions as a fallback in case the primary implant ceases to function
It’s worth noting that the use of PLENET in the wild was reported by Google earlier this February in connection with attacks mounted by a suspected China-nexus threat cluster dubbed UNC6201 that exploited a…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
