A sophisticated China-linked cyber espionage group has been caught using multiple malware families to infiltrate Linux-based systems, highlighting an evolving threat landscape targeting enterprise infrastructure and network appliances.
Security researchers at Volexity have identified the threat actor, tracked as VerdantBamboo, deploying a BSD variant of the well-known BRICKSTORM backdoor alongside two additional malware strains named PLENET (GRIMBOLT) and AGENTPSD.
The threat group is believed to overlap with several well-known Chinese state-sponsored clusters, including Clay Typhoon (Microsoft), UNC5221 (Google), and Warp Panda (CrowdStrike).
Initial Breach Through Egnyte Storage Sync
The activity came to light during an incident response investigation conducted by Volexity in September 2025. Researchers discovered that attackers had compromised an organization’s Egnyte Storage Sync appliance by exploiting a local privilege escalation vulnerability to deploy the BRICKSTORM backdoor.
The vulnerability was later fixed in Storage Sync version 13.13, released in March 2026.
According to Volexity, the attackers periodically accessed the compromised appliance using IP addresses routed through the victim organization’s SSL VPN infrastructure. This tactic allowed them to blend malicious traffic with legitimate network activity and avoid triggering security controls such as Conditional Access policies.
Investigators believe the initial compromise may have remained undetected for at least 18 months.
Microsoft 365 Environment Targeted
Once access was established, VerdantBamboo leveraged BRICKSTORM’s proxying capabilities and stolen credentials to move into the victim’s Microsoft 365 environment.
By routing activity through trusted infrastructure, the threat actor was able to maintain persistence while reducing the likelihood of detection.
Attackers Return After Remediation
Even after the organization conducted remediation efforts, the attackers successfully regained access.
Researchers found that VerdantBamboo used previously stolen administrative credentials to connect to the organization’s firewall. The group then configured web SSL VPN access, expanded lateral movement across systems, and deployed additional malware onto a Synology NAS device.
This persistence demonstrates the group’s ability to maintain long-term access and rapidly re-establish footholds after security teams remove their initial implants.
MSP Compromise Served as Entry Point
Further investigation revealed that the attackers had also compromised the victim organization’s Managed Services Provider (MSP).
The MSP’s pfSense firewall was infected with a BSD version of the BRICKSTORM malware around the same period that the victim’s Egnyte appliance was breached.
Researchers believe the compromise of the MSP likely served as the initial access vector, enabling attackers to gain entry into the downstream customer environment.
New Malware Families Identified
The campaign involved the deployment of two additional malware families on the Synology NAS appliance via SSH:
PLENET (GRIMBOLT)
PLENET is a cross-platform backdoor written in .NET Core and compiled with native Ahead-of-Time (AOT) compilation; researchers assess it to be a newer evolution of BRICKSTORM.
The malware provides attackers with several capabilities, including:
- Interactive shell access
- Remote command execution
- File management operations
- Command-and-control (C2) server switching
AGENTPSD
AGENTPSD is a Python-based reverse shell designed to function as a backup access mechanism.
Researchers believe the malware serves as a fallback implant, ensuring continued access if primary payloads are detected or removed.
Connection to Earlier China-Linked Campaigns
The discovery of PLENET is particularly noteworthy because Google previously reported the malware in February 2026 during investigations into attacks conducted by a suspected China-linked threat group known as UNC6201.
In those incidents, attackers exploited a critical vulnerability in Dell RecoverPoint for Virtual Machines (CVE-2026-22769, CVSS 10.0) as a zero-day, with exploitation dating back to mid-2024.
The overlap in tooling suggests increasing malware reuse and operational coordination among Chinese cyber espionage groups.
Sophisticated Tradecraft Focused on Network Appliances
Volexity describes VerdantBamboo as a highly capable threat actor that specializes in targeting systems where traditional Endpoint Detection and Response (EDR) tools are often unavailable.
Instead of relying solely on conventional endpoints, the group focuses on proprietary appliances, firewalls, storage systems, and network infrastructure devices. This strategy allows attackers to maintain stealthy access while avoiding many security monitoring solutions.
Researchers also noted the group’s disciplined operational security practices, including:
- Extensive use of living-off-the-land techniques
- Customized persistence mechanisms for individual devices
- Limited use of domains and IP addresses per victim
- Tailored implant naming conventions to evade detection
Key Takeaways
The VerdantBamboo campaign highlights a growing trend among advanced threat actors: targeting overlooked infrastructure devices rather than traditional endpoints.
By compromising storage appliances, firewalls, NAS systems, and managed service providers, attackers can establish resilient footholds that are difficult to detect and remove.
Organizations should ensure network appliances are regularly patched, closely monitor administrative access, secure MSP relationships, and extend visibility beyond traditional endpoint security controls to defend against increasingly sophisticated espionage campaigns.
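One way to act on the "monitor administrative access" takeaway against the tactic described earlier (appliance administration sourced from the victim's own SSL VPN pool), as an added example that is not from the Volexity report: correlate VPN session records with appliance admin-login records and flag admin logins attributable to a VPN user who is not an expected appliance administrator. The pipe-delimited log formats, the VPN pool, the sample records and the expected-admin set are all constructed assumptions.

```python
import ipaddress
from datetime import datetime

# Constructed assumptions (not from the report): the SSL VPN client pool and
# two small log sets in a made-up "field|field|field" format.
VPN_POOL = ipaddress.ip_network("10.200.0.0/24")

# VPN concentrator session log: timestamp | VPN user | assigned client IP
VPN_SESSIONS = """\
2025-09-02T07:58:10|jdoe|10.200.0.17
2025-09-02T22:31:44|svc-backup|10.200.0.42
2025-09-03T09:12:05|mlee|10.200.0.17
"""

# Appliance admin-login log: timestamp | appliance | admin account | source IP
APPLIANCE_LOGINS = """\
2025-09-02T08:03:21|egnyte-sync|admin|192.168.10.5
2025-09-02T08:10:00|egnyte-sync|admin|10.200.0.17
2025-09-02T22:40:02|egnyte-sync|admin|10.200.0.42
2025-09-03T09:20:40|synology-nas|root|10.200.0.17
"""

EXPECTED_ADMINS = {"jdoe"}  # VPN users allowed to administer appliances (assumed)

def parse(block, fields):
    """Split pipe-delimited lines into dicts, parsing the timestamp field."""
    rows = []
    for line in block.strip().splitlines():
        row = dict(zip(fields, line.split("|")))
        row["ts"] = datetime.fromisoformat(row["ts"])
        rows.append(row)
    return rows

def vpn_user_for(sessions, ip, ts):
    """Return the VPN user most recently assigned `ip` at or before `ts`, else None."""
    best = None
    for s in sessions:
        if s["ip"] == ip and s["ts"] <= ts and (best is None or s["ts"] > best["ts"]):
            best = s
    return best["user"] if best else None

def flag_vpn_sourced_admin_logins(vpn_log, login_log):
    """Alert on appliance admin logins from the VPN pool not tied to an expected admin."""
    sessions = parse(vpn_log, ["ts", "user", "ip"])
    alerts = []
    for login in parse(login_log, ["ts", "appliance", "account", "src"]):
        if ipaddress.ip_address(login["src"]) not in VPN_POOL:
            continue  # not sourced from the VPN pool; outside this check's scope
        user = vpn_user_for(sessions, login["src"], login["ts"])
        if user not in EXPECTED_ADMINS:
            alerts.append((login["appliance"], login["account"], login["src"], user))
    return alerts
```

An unknown VPN user (None) is reported as well, since a pool address with no matching session is itself worth a look.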
