VerdantBamboo Deploys BSD Variant of BRICKSTORM on Linux Appliances

Ravie Lakshmanan | June 08, 2026 | Cyber Espionage / Malware

A China-nexus cyber espionage group has been observed using a BSD variant of a backdoor known as BRICKSTORM, along with two other malware families called PLENET (aka GRIMBOLT) and AGENTPSD to target Linux systems.

The activity has been attributed by Volexity to a threat cluster it tracks as VerdantBamboo, which overlaps with hacking groups known as Clay Typhoon (Microsoft), UNC5221 (Google), and Warp Panda (CrowdStrike).

The cybersecurity firm said it uncovered the intrusion while responding to an incident in September 2025, during which it found that an adversary had compromised an unnamed victim's Egnyte Storage Sync system by exploiting improper permissions to execute BRICKSTORM. The issue was addressed in Storage Sync version 13.13, released in March 2026.

“The machine was being accessed by VerdantBamboo through IP addresses provided through the victim organization’s SSL VPN,” researchers Damien Cash, Paul Rascagneres, Steven Adair, and Tom Lancaster said in a technical report published last week.

“A threat actor used the capabilities of a malware proxy installed in the Storage Sync program, as well as compromised credentials, to access the victim’s Microsoft 365 (M365) environment.”

These steps are believed to have been taken to blend in with legitimate network traffic and evade Conditional Access policies, with the initial compromise having occurred at least 18 months earlier.

After the initial remediation, VerdantBamboo is said to have returned and breached the same organization again, this time using stolen administrative credentials to log in to the firewall, then abusing that access to configure SSL VPN web access on the device, connect to other systems, and deploy additional malware on a Synology Network Attached Storage (NAS) device.

Further investigation found that the threat actor had also compromised the victim organization's Managed Services Provider (MSP), infecting the MSP's pfSense firewall with the BSD variant of BRICKSTORM around the same time that the victim's Storage Sync system was compromised.

The victim is believed to have been compromised as a result of the threat actor's breach of the MSP. The two malware families delivered to the NAS device over SSH are as follows –

  • PLENET (also known as GRIMBOLT), a cross-platform backdoor built on .NET Core and a new version of BRICKSTORM compiled using native ahead-of-time (AOT) compilation. It supports an interactive shell, remote command execution, file manipulation, and switching between command-and-control (C2) servers.
  • AGENTPSD, a Python-based shell that can serve as a fallback in case the main implant stops working.

It is worth noting that the use of PLENET in the wild was reported by Google in early February of this year in connection with an attack by a suspected China-nexus group tracked as UNC6201 that exploited a vulnerability in Dell RecoverPoint for Virtual Machines (CVE-2026-22769, CVSS score: 10.0).

“VerdantBamboo is a high-risk actor that seeks to develop a combination of off-premise techniques and malware distribution on systems that traditionally do not or cannot use EDR software,” Voexity said.

“This threat actor appears to have a good knowledge of proprietary machines, allowing them to run the malware through customized persistence processes. They also seem to have a security discipline in place that aims to use a limited number of domains and IP addresses per victim and to stop custom naming and persistence on each device.”
