VerdantBamboo Deploys BSD Variant of BRICKSTORM
2026-06-08 10:27
Executive Summary (AI-generated)
A China-nexus cyber espionage group has been observed deploying a BSD variant of the known backdoor BRICKSTORM, together with two other malware families codenamed PLENET and AGENTPSD, against Linux-based appliances. Volexity attributes the activity to VerdantBamboo, a threat cluster that overlaps with groups tracked as Clay Typhoon, UNC5221, and Warp Panda. The tooling provides an interactive shell, remote command execution, file manipulation, and command-and-control server switching, and was placed on systems (a storage sync gateway, a pfSense firewall, a NAS) that typically cannot run EDR software, which makes the cluster a significant threat to organizations worldwide.
Technical Mitigations (AI-generated)
• Patch Egnyte Storage Sync to version 13.13 or later, which fixes the local privilege escalation flaw used to deploy BRICKSTORM, and keep other Linux- and BSD-based appliances (NAS devices, firewalls, sync gateways) on a current release.
• Do not exempt on-premises appliance egress addresses from MFA or device checks in Microsoft 365 Conditional Access: the actor proxied through the Storage Sync system with compromised credentials precisely to blend in with legitimate traffic and evade those policies.
• After remediation, rotate administrative credentials for firewalls and appliances, and alert on web SSL VPN configuration changes and on SSH logins to appliances from VPN-assigned addresses; the actor returned using stolen firewall credentials and reached the NAS through the VPN client pool.
• Include the Managed Services Provider's infrastructure (here, a pfSense firewall) in incident scope, and audit appliances that cannot run EDR for living-off-the-land activity and unexpected binaries.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
BRICKSTORM
CVE-2026-22769
Target & Sectors
Global Scope
Incident Timeline
mid-2024
Earliest activity. The initial compromise of the victim is assessed to have occurred at least 18 months before the September 2025 incident response engagement. Separately, PLENET was reported by Google in UNC6201 attacks that exploited CVE-2026-22769 in Dell RecoverPoint for Virtual Machines as a zero-day since mid-2024.
Entities: source_region China; vulnerability CVE-2026-22769; tactic T1059.006 - Python (AGENTPSD)
The PLENET backdoor supports interactive shell, remote command execution, file manipulation, and command-and-control (C2) server switching.
AGENTPSD is a Python-based reverse shell that likely functions as a fallback in case the primary implant ceases to function.
It's worth noting that the use of PLENET in the wild was reported by Google earlier this February in connection with attacks mounted by a suspected China-nexus threat cluster dubbed UNC6201 that exploited a vulnerability in Dell RecoverPoint for Virtual Machines (CVE-2026-22769, CVSS score: 10.0) as a zero-day since mid-2024.
September 2025
The adversary compromised the victim's Egnyte Storage Sync system by exploiting a local privilege escalation flaw and deployed BRICKSTORM on it.
Entities: malware BRICKSTORM; tactic Privilege Escalation; product Egnyte Storage Sync
The cybersecurity company said it discovered the intrusion during an incident response engagement in September 2025, when it emerged that the adversary had compromised an unnamed victim's Egnyte Storage Sync system by exploiting a local privilege escalation flaw to deploy BRICKSTORM.
March 2026
Egnyte fixed the local privilege escalation flaw in Storage Sync version 13.13. Around the time of the Storage Sync breach the actor had also infected the victim's MSP pfSense firewall with the BSD variant of BRICKSTORM; after remediation VerdantBamboo returned through the firewall and deployed PLENET and AGENTPSD to a Synology NAS appliance over SSH.
Entities: software version Storage Sync 13.13; organisation Managed Services Provider (MSP); product pfSense; product Synology Network Attached Storage (NAS); product Microsoft 365; product Conditional Access; organisation Volexity
The issue was addressed in Storage Sync version 13.13, released in March 2026.
Further investigation has since uncovered that the threat actor had in fact compromised the victim organization's Managed Services Provider (MSP), specifically infecting its MSP's pfSense firewall with a BSD variant of BRICKSTORM around the same time the victim's Storage Sync system was also breached.
"The threat actor used the malware's proxying capabilities deployed on the Storage Sync system, along with compromised credentials, to access the victim's Microsoft 365 (M365) environment."
It's assessed that these steps were undertaken to blend in with legitimate network traffic and evade Conditional Access policies, with the initial compromise occurring at least 18 months before.
Following the initial remediation, VerdantBamboo is said to have staged a return, breaching the same organization by using stolen administrative credentials to connect to the firewall, and then abusing that access to configure web SSL VPN access to the device, connect to other systems, and deploy additional malware to a Synology Network Attached Storage (NAS) appliance.
The two malware families deployed to the NAS appliance over SSH are as follows: PLENET (aka GRIMBOLT), a cross-platform backdoor developed in .NET Core and a new version of BRICKSTORM compiled using native ahead-of-time (AOT) compilation, and AGENTPSD.
"VerdantBamboo is a highly sophisticated threat actor that seeks to leverage a combination of living-off-the-land techniques and malware deployment on systems that traditionally do not or cannot run EDR software," Volexity said.
2026/06/01
Volexity's technical report (published the week before the June 8 article) notes that the NAS appliance had periodically been accessed by VerdantBamboo from IP addresses assigned through the victim organization's web SSL VPN.
Entities: infrastructure IP addresses; infrastructure web SSL VPN
"The appliance had periodically been accessed by VerdantBamboo via IP addresses assigned through the victim organization's web SSL VPN," researchers Damien Cash, Paul Rascagneres, Steven Adair, and Tom Lancaster said in a technical report published last week.
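Both the Microsoft 365 access proxied through the Storage Sync system and the periodic SSH access to the NAS from VPN-pool addresses share one detection angle: the source address is one the victim's own network vouches for, so IP-based trust (a Conditional Access named location, an "internal only" SSH rule) is exactly what the actor is exploiting. The script below, an added example that is not Volexity's or The Hacker News' code, flags successful SSH logins to an appliance whose source falls in the web SSL VPN client pool, and cloud sign-ins that arrive from the appliance's egress address under an account not expected to use it. The log excerpt and sign-in records are constructed; the pool CIDR, egress address, and expected-account list are assumptions to be replaced with the environment's real values.

```python
"""Provenance checks for appliance SSH logins and cloud sign-ins.

Added example; sample data is constructed. The VPN pool, the appliance
egress address and the expected-account set are assumptions, not values
from the report.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed auth.log excerpt in the format OpenSSH sshd emits via syslog.
SAMPLE_AUTH_LOG = """\
Mar 14 02:11:05 nas01 sshd[2213]: Accepted publickey for backup from 10.20.0.17 port 50122 ssh2: RSA SHA256:Qm9ndXNGaW5nZXJwcmludA
Mar 14 02:14:41 nas01 sshd[2290]: Accepted password for admin from 172.16.200.9 port 50987 ssh2
Mar 14 02:15:02 nas01 sshd[2301]: Failed password for admin from 172.16.200.9 port 50990 ssh2
Mar 21 03:02:17 nas01 sshd[4107]: Accepted password for admin from 172.16.200.23 port 41220 ssh2
Mar 28 02:58:40 nas01 sshd[5522]: Accepted password for admin from 172.16.200.9 port 44712 ssh2
Mar 29 09:30:11 nas01 sshd[5610]: Accepted publickey for backup from 10.20.0.17 port 50300 ssh2: RSA SHA256:Qm9ndXNGaW5nZXJwcmludA
"""

# Assumption: the firewall hands web SSL VPN clients addresses from this pool.
VPN_CLIENT_POOL = [ipaddress.ip_network("172.16.200.0/24")]

# Only successful logins matter here; "Failed password" lines do not match.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>[0-9a-fA-F:.]+) port \d+"
)


def parse_accepted_logins(text):
    """Return one dict (ts, host, method, user, ip) per accepted sshd login."""
    events = []
    for line in text.splitlines():
        m = ACCEPTED_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def in_any(ip, networks):
    """True if the address belongs to any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def vpn_sourced_ssh_logins(text, vpn_pools=VPN_CLIENT_POOL):
    """Accepted SSH logins whose source is a VPN-pool address, grouped by account.

    An interactive appliance login from the VPN pool is worth a ticket on its
    own; repeated logins by the same account over several weeks is the
    "periodic access" pattern described in the report.
    """
    by_user = defaultdict(list)
    for ev in parse_accepted_logins(text):
        if in_any(ev["ip"], vpn_pools):
            by_user[ev["user"]].append((ev["ts"], ev["ip"], ev["method"]))
    return dict(by_user)


# Constructed sign-in records. Field names are an assumption, not a product schema.
SAMPLE_SIGNINS = [
    {"user": "j.doe@example.com", "ip": "203.0.113.10", "app": "Exchange Online", "status": "Success"},
    {"user": "svc-sync@example.com", "ip": "203.0.113.10", "app": "SharePoint Online", "status": "Success"},
    {"user": "a.smith@example.com", "ip": "198.51.100.77", "app": "Exchange Online", "status": "Success"},
    {"user": "j.doe@example.com", "ip": "203.0.113.10", "app": "Azure Portal", "status": "Success"},
    {"user": "j.doe@example.com", "ip": "203.0.113.10", "app": "Exchange Online", "status": "Failure"},
]

# Assumption: this is the Storage Sync appliance's internet egress, configured as a
# trusted named location, so sign-ins from it face weaker Conditional Access policy.
APPLIANCE_EGRESS = [ipaddress.ip_network("203.0.113.10/32")]
# Assumption: only the sync service account should ever authenticate from that egress.
EXPECTED_FROM_EGRESS = {"svc-sync@example.com"}


def signins_via_appliance_egress(events, egress=APPLIANCE_EGRESS, expected=EXPECTED_FROM_EGRESS):
    """Successful sign-ins from the appliance egress by accounts that should not be there."""
    return [
        (e["user"], e["app"])
        for e in events
        if e["status"] == "Success" and in_any(e["ip"], egress) and e["user"] not in expected
    ]


if __name__ == "__main__":
    for user, hits in vpn_sourced_ssh_logins(SAMPLE_AUTH_LOG).items():
        print(f"VPN-pool SSH logins for {user}: {len(hits)}")
        for ts, ip, method in hits:
            print(f"  {ts}  {ip}  ({method})")
    for user, app in signins_via_appliance_egress(SAMPLE_SIGNINS):
        print(f"Unexpected sign-in via appliance egress: {user} -> {app}")
```

Feed the first function the appliance's real auth log (Synology DSM and pfSense both log sshd in this syslog shape) and the second a sign-in export; the point is to stop treating "came from inside" as a clean signal once a sync gateway or firewall is assumed compromised.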
Jun 08, 2026
The Hacker News reports that the China-nexus cyber espionage group deployed a BSD variant of BRICKSTORM, PLENET and AGENTPSD to target Linux systems.
Entities: infrastructure Linux; malware BRICKSTORM (BSD variant), PLENET (aka GRIMBOLT), AGENTPSD; threat actor VerdantBamboo; organisations Volexity, Microsoft, Google, CrowdStrike
Cyber Espionage / Malware
A China-nexus cyber espionage group has been observed deploying a BSD variant of a known backdoor called BRICKSTORM, as well as two other malware families codenamed PLENET (aka GRIMBOLT) and AGENTPSD to target Linux systems.
The activity has been attributed by Volexity to a threat cluster it tracks as VerdantBamboo, which it said overlaps with hacking groups known as Clay Typhoon (Microsoft), UNC5221 (Google), and Warp Panda (CrowdStrike).
2026/06/08
Linux appliances were compromised with a BSD variant of BRICKSTORM.
Entities: infrastructure Linux
VerdantBamboo Deploys BSD Variant of BRICKSTORM on Linux Appliances.
Tactical Metrics
Affected Product (infrastructure): Linux. Context: "A China-nexus cyber espionage group has been observed deploying a BSD variant of a known backdoor called BRICKSTORM, as well as two other malware families codenamed PLENET (aka GRIMBOLT) and AGENTPSD to target Linux systems."
Software Version (infrastructure): Storage Sync 13.13. Context: "The issue was addressed in Storage Sync version 13.13, released in March 2026."
Affected Product (infrastructure): Microsoft 365. Context: "The threat actor used the malware's proxying capabilities deployed on the Storage Sync system, along with compromised credentials, to access the victim's Microsoft 365 (M365) environment."
Intelligence Sources
The Hacker News, 2026-06-08
Incident Version History
CURRENT VERSION
Last Updated: 2026-06-29T10:30
Comprehensive Tactical Telemetry
Highly Correlated Entities
Cyber Espionage / (organisation, identified entity): 25x
mid-2024 (timeline, temporal reference): 7x
Espionage (tactic, cyber operation type): 2x
Linux (infrastructure, affected product): 2x
T1588.001 - Malware (tactic, MITRE ATT&CK technique): 2x
Contextual Telemetry (7 metrics)
Origin Country (source region): China
Malware Payload (malware): BRICKSTORM
Exploited CVE (vulnerability): CVE-2026-22769
Software Version (infrastructure): 13.13
Sync Version (general metric): 13
Microsoft 365 (general metric)
Jun 8 (general metric)