A China-linked espionage group has been caught deploying a BSD-compiled version of the BRICKSTORM backdoor — along with two other malware families — against Linux systems in a campaign that lasted at least 18 months before anyone noticed.
Volexity, which published a detailed technical breakdown, tracks the threat actor as VerdantBamboo. The group overlaps with what Microsoft calls Clay Typhoon, Google calls UNC5221, and CrowdStrike calls Warp Panda. Whatever name you use, the group is sophisticated, patient, and targeting systems that most security tools can’t monitor: network appliances and storage devices.
The Initial Compromise
Volexity discovered the intrusion during an incident response engagement in September 2025. The attackers had compromised a victim’s Egnyte Storage Sync appliance by exploiting a local privilege escalation vulnerability. They used that access to deploy BRICKSTORM, a known backdoor designed to run on network appliances.
The vulnerability was patched in Egnyte Storage Sync version 13.13, released in March 2026. But the attackers had been in the network for at least 18 months before that. Once established, they used BRICKSTORM’s proxying capabilities — running on the Storage Sync system — combined with stolen credentials to pivot into the victim’s Microsoft 365 environment. They blended in with legitimate VPN traffic and bypassed Conditional Access policies.
After Volexity performed initial remediation, VerdantBamboo came right back. They used stolen admin credentials to connect to the firewall, reconfigured SSL VPN access, connected to other systems, and deployed additional malware to a Synology NAS appliance.
Three Malware Families, One Campaign
The investigation revealed the group also breached the victim’s Managed Service Provider, infecting its pfSense firewall with a BSD variant of BRICKSTORM around the same time the Storage Sync system was compromised. The victim appears to have entered the crosshairs through the compromised MSP — a classic supply chain pivot.
Two additional malware families were deployed to the Synology NAS over SSH:
PLENET (aka GRIMBOLT) — A cross-platform backdoor built in .NET Core, also found as a native ahead-of-time (AOT) compiled variant of BRICKSTORM. It supports interactive shell access, remote command execution, file manipulation, and the ability to switch between C2 servers. Google previously spotted PLENET in February 2026 being used by a group it calls UNC6201 to exploit a zero-day in Dell RecoverPoint for Virtual Machines (CVE-2026-22769, CVSS 10.0) as far back as mid-2024.
AGENTPSD — A Python-based reverse shell that appears to function as a backup if the primary implant gets detected and removed.
Why Appliances Are the New Battleground
Volexity’s key takeaway is uncomfortable: VerdantBamboo deliberately targets systems that can’t run endpoint detection and response software. Firewalls, storage sync appliances, VPN concentrators, NAS devices — these are the blind spots in most security architectures.
“This threat actor appears to have good knowledge of proprietary appliances, allowing them to deploy malware with customized persistence mechanisms,” Volexity said. They also demonstrate strong operational security, returning after remediation by re-establishing access through alternate channels.
This is a pattern that’s increasingly common among sophisticated APT groups. When every Windows endpoint has an agent and every server is monitored, attackers go sideways — literally targeting the infrastructure that connects and supports those systems.
What Defenders Should Watch
Organizations running Egnyte Storage Sync, pfSense firewalls, or Synology NAS devices should verify they’re on the latest firmware and check for unauthorized configurations, particularly around VPN access and SSH. MSP-facing connections deserve extra scrutiny — if your managed service provider gets compromised, you likely will too.
Network traffic from appliances to unexpected external IPs is another red flag. BRICKSTORM’s proxying capability means a compromised storage device could be tunneling attacker traffic directly into your M365 environment using legitimate outbound connections. Look for appliances making unusual volumes of traffic or connecting to IPs outside normal patterns.
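A small egress-baselining check in the spirit of this advice, added here as an example and not code from Volexity or the report; the appliance names, addresses, byte counts and baseline are constructed, and the thresholds are assumptions:

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (appliance, destination IP, bytes sent). Hostnames,
# addresses and sizes are made up for this example, not indicators from the report.
FLOWS = [
    ("egnyte-sync-01", "203.0.113.10", 4_000),   # routine sync traffic
    ("egnyte-sync-01", "203.0.113.10", 5_000),
    ("egnyte-sync-01", "192.0.2.77", 350_000),    # peer never seen before, heavy volume
    ("pfsense-fw", "198.51.100.5", 1_200),        # expected update server
    ("pfsense-fw", "10.20.0.4", 80_000),          # internal hop, out of scope here
    ("synology-nas", "203.0.113.10", 3_000),
    ("synology-nas", "203.0.113.10", 90_000),     # known peer, far above usual volume
]

# Per-appliance baseline: expected external peers and typical bytes sent over a
# comparable window, learned from a clean observation period (constructed).
BASELINE = {
    "egnyte-sync-01": {"203.0.113.10": 4_500},
    "pfsense-fw": {"198.51.100.5": 1_000},
    "synology-nas": {"203.0.113.10": 3_000},
}

PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_external(ip: str) -> bool:
    """True when the destination is outside the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in PRIVATE)

def find_anomalies(flows, baseline, volume_factor=5):
    """Flag appliance egress that goes to an unseen external peer, or that
    exceeds volume_factor times the baseline volume for a known peer.
    Returns a sorted list of (appliance, destination, reason) tuples."""
    totals = defaultdict(int)
    for src, dst, nbytes in flows:
        if is_external(dst):
            totals[(src, dst)] += nbytes
    findings = []
    for (src, dst), total in totals.items():
        known = baseline.get(src, {})
        if dst not in known:
            findings.append((src, dst, "new external destination"))
        elif total > volume_factor * known[dst]:
            findings.append((src, dst, f"volume {total}B exceeds {volume_factor}x baseline"))
    return sorted(findings)

if __name__ == "__main__":
    for appliance, dst, reason in find_anomalies(FLOWS, BASELINE):
        print(f"{appliance} -> {dst}: {reason}")
```

The same two-part test (unknown peer, or known peer at an unusual volume) applies to whatever flow or firewall export an environment already collects for its appliances.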
