China-Nexus Group VerdantBamboo Deploys New Malware Arsenal Against Linux and Appliances
A sophisticated China-nexus cyber espionage group, tracked as **VerdantBamboo**, has been observed deploying a new variant of the **BRICKSTORM** backdoor, alongside two novel malware families, **PLENET** (aka **GRIMBOLT**) and **AGENTPSD**, against Linux systems and network appliances. This campaign highlights the group's advanced tactics, including exploiting local privilege escalation flaws and compromising Managed Services Providers (MSPs) for initial access and lateral movement.

Cybersecurity firm **Volexity** has attributed recent cyber espionage activities to a China-nexus threat cluster it tracks as **VerdantBamboo**. This group has been observed deploying a BSD variant of the known backdoor **BRICKSTORM**, alongside two previously undocumented malware families, **PLENET** (also known as **GRIMBOLT**) and **AGENTPSD**, primarily targeting Linux systems.
**VerdantBamboo**'s operations show overlap with other prominent hacking groups, including **Clay Typhoon** (tracked by **Microsoft**), **UNC5221** (**Google**), and **Warp Panda** (**CrowdStrike**).
### Initial Breach via Egnyte Storage Sync
**Volexity** first uncovered the intrusion during an incident response engagement in September 2025. The adversary had compromised an unnamed victim's **Egnyte Storage Sync** system by exploiting a local privilege escalation flaw to deploy **BRICKSTORM**. This vulnerability was subsequently addressed in Storage Sync [version 13.13](https://helpdesk.egnyte.com/hc/en-us/articles/43855328739469-Storage-Sync-V-13-13-Miscellaneous-Improvements), released in March 2026.
Researchers Damien Cash, Paul Rascagneres, Steven Adair, and Tom Lancaster stated in their technical report:
> "The appliance had periodically been accessed by VerdantBamboo via IP addresses assigned through the victim organization's web SSL VPN. The threat actor used the malware's proxying capabilities deployed on the Storage Sync system, along with compromised credentials, to access the victim's Microsoft 365 (M365) environment."
These steps were likely taken to blend in with legitimate network traffic and evade Conditional Access policies. The initial compromise is estimated to have occurred at least 18 months prior to discovery.
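The tactic described above, reaching M365 from addresses handed out by the victim's own SSL VPN, is hard to catch with IP-based Conditional Access alone, but it can be checked by correlating VPN address assignments against cloud sign-ins. The following is an added detection example, not code from Volexity or the report, using constructed logs and a hypothetical VPN address pool; it flags any M365 sign-in from a pool address that the VPN had not assigned to that same user at that time.

```python
from ipaddress import ip_address, ip_network
from datetime import datetime

# Hypothetical SSL VPN client address pool (assumption, not from the report).
VPN_POOL = ip_network("10.200.0.0/24")

# Constructed VPN session log: which user held which pool address, and when.
vpn_sessions = [
    {"user": "alice", "ip": "10.200.0.15", "start": "2025-09-01T08:00:00", "end": "2025-09-01T17:00:00"},
    {"user": "bob",   "ip": "10.200.0.22", "start": "2025-09-01T09:00:00", "end": "2025-09-01T12:00:00"},
]

# Constructed M365 sign-in log: account, source IP, timestamp.
m365_signins = [
    {"user": "alice", "ip": "10.200.0.15", "time": "2025-09-01T10:30:00"},  # matches VPN holder
    {"user": "carol", "ip": "10.200.0.22", "time": "2025-09-01T10:45:00"},  # pool IP held by bob
    {"user": "bob",   "ip": "10.200.0.22", "time": "2025-09-01T14:00:00"},  # bob's session had ended
    {"user": "dave",  "ip": "203.0.113.9", "time": "2025-09-01T11:00:00"},  # not a pool IP, ignored
]

def _t(s):
    return datetime.fromisoformat(s)

def holder_of(ip, when, sessions):
    """Return the user whose VPN session held `ip` at `when`, or None if nobody did."""
    for s in sessions:
        if s["ip"] == ip and _t(s["start"]) <= when <= _t(s["end"]):
            return s["user"]
    return None

def find_inconsistent_signins(signins, sessions, pool=VPN_POOL):
    """Sign-ins sourced from the VPN pool whose address was not assigned to that user at that time.

    Returns (signin_user, ip, time, vpn_holder_or_None) tuples in log order.
    """
    findings = []
    for e in signins:
        if ip_address(e["ip"]) not in pool:
            continue  # only VPN-pool sources are of interest here
        holder = holder_of(e["ip"], _t(e["time"]), sessions)
        if holder != e["user"]:
            findings.append((e["user"], e["ip"], e["time"], holder))
    return findings

if __name__ == "__main__":
    for f in find_inconsistent_signins(m365_signins, vpn_sessions):
        print("VPN-pool sign-in without matching VPN session:", f)
```

A mismatch is not proof of compromise (NAT, shared accounts or clock skew cause false positives), but it is exactly the gap a malware proxy on an internal appliance exploits, so these events deserve triage against the appliance's own logs.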
### Return and MSP Compromise
Following initial remediation efforts, **VerdantBamboo** staged a return, breaching the same organization again. This time, they utilized stolen administrative credentials to connect to the firewall, abusing this access to configure web SSL VPN access, connect to other systems, and deploy additional malware to a **Synology Network Attached Storage (NAS)** appliance.
Further investigation revealed that the threat actor had also compromised the victim organization's Managed Services Provider (**MSP**). Specifically, the **MSP**'s **pfSense** firewall was infected with a BSD variant of **BRICKSTORM** around the same time the victim's **Storage Sync** system was breached. It is believed that the victim's compromise was a direct result of the **MSP** breach.
### VerdantBamboo's Malware Arsenal
The two malware families deployed to the **NAS** appliance over SSH include:
* **PLENET** (aka **GRIMBOLT**): A cross-platform backdoor developed in .NET Core; it is a new version of **BRICKSTORM** compiled using native ahead-of-time (AOT) compilation. It offers interactive shell capabilities, remote command execution, file manipulation, and command-and-control (C2) server switching.
* **AGENTPSD**: A Python-based reverse shell that likely serves as a fallback mechanism if the primary implant fails.
Notably, the use of **PLENET** in the wild was reported by **Google** earlier this February. It was linked to attacks by another suspected China-nexus threat cluster, **UNC6201**, which exploited a zero-day vulnerability in **Dell RecoverPoint for Virtual Machines** (**CVE-2026-22769**, CVSS score: 10.0) since mid-2024.
### Sophisticated Tactics and Operational Security
**Volexity** describes **VerdantBamboo** as a highly sophisticated threat actor:
> "VerdantBamboo is a highly sophisticated threat actor that seeks to leverage a combination of living-off-the-land techniques and malware deployment on systems that traditionally do not or cannot run EDR software. This threat actor appears to have good knowledge of proprietary appliances, allowing them to deploy malware with customized persistence mechanisms. They also appear to have operational security discipline aimed at leveraging a limited number of domains and IP addresses per victim and setting up customized implant naming and persistence on a per-device basis."
This campaign underscores the persistent threat posed by state-sponsored groups and their evolving methods to compromise critical infrastructure and supply chains through **MSP**s and specialized appliances.