
Chinese APT VerdantBamboo Uses BRICKSTORM Malware to Compromise Firewalls and Appliances


A Chinese state-linked hacking group has been quietly living inside corporate networks for well over a year, using a custom malware toolkit to compromise firewalls, storage systems, and network appliances without ever tripping an alarm.

The group, tracked as VerdantBamboo, has shown a level of patience and technical precision that sets it apart from most threat actors operating today.

The campaign came to light after suspicious network traffic was spotted coming from a Linux-based virtual machine on a customer’s network.

The device was an Egnyte Storage Sync appliance, designed to sync local files to the cloud.

Instead of connecting to Egnyte’s own infrastructure, it was quietly beaconing out to a domain controlled by the attackers, hiding behind Cloudflare IP addresses and using Google’s public DNS server at 8.8.8.8 to resolve queries over HTTPS, a technique that neatly disguised the malicious traffic.
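As an added illustration (not code from the article or from Volexity), the following Python flags the two network behaviours just described from a constructed connection log: an appliance resolving names over DNS-over-HTTPS to 8.8.8.8 on TCP/443 (where ordinary DNS would be UDP/53) and then beaconing at a fixed interval to a destination that is not its vendor's infrastructure. The log format, internal host addresses and destination IPs are all constructed; 8.8.4.4 is Google's secondary resolver and is an assumption beyond what the report names.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Public DoH-capable resolvers: 8.8.8.8 is the one named in the report, 8.8.4.4 is
# Google's secondary (assumed). An appliance should be using the internal resolver.
DOH_RESOLVERS = {"8.8.8.8", "8.8.4.4"}

# Constructed sample log: "ts src dst proto dport". 10.0.5.20 stands in for the
# storage appliance, 10.0.9.4 for an ordinary workstation doing plain DNS.
SAMPLE_LOG = """\
1000 10.0.5.20 8.8.8.8 tcp 443
1001 10.0.5.20 198.51.100.7 tcp 443
1601 10.0.5.20 198.51.100.7 tcp 443
2200 10.0.5.20 198.51.100.7 tcp 443
2801 10.0.5.20 198.51.100.7 tcp 443
1005 10.0.9.4 8.8.8.8 udp 53
1010 10.0.9.4 203.0.113.10 tcp 443
1900 10.0.9.4 203.0.113.10 tcp 443
2000 10.0.9.4 203.0.113.10 tcp 443
"""

def parse_log(text):
    """Turn the whitespace-separated log into (ts, src, dst, proto, dport) tuples."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, proto, dport = line.split()
            rows.append((int(ts), src, dst, proto.lower(), int(dport)))
    return rows

def analyze(text, min_sessions=4, max_cv=0.2):
    """Return {src: {"doh": bool, "beacons": [(dst, mean_gap, cv)]}} for hosts that
    use DoH to a public resolver or show timer-like TLS sessions to one destination."""
    doh_hosts, sessions = set(), defaultdict(list)
    for ts, src, dst, proto, dport in parse_log(text):
        if proto == "tcp" and dport == 443 and dst in DOH_RESOLVERS:
            doh_hosts.add(src)            # TCP/443 to a resolver is DoH, not plain DNS
        elif proto == "tcp" and dport == 443:
            sessions[(src, dst)].append(ts)
    findings = defaultdict(lambda: {"doh": False, "beacons": []})
    for src in doh_hosts:
        findings[src]["doh"] = True
    for (src, dst), stamps in sessions.items():
        if len(stamps) < min_sessions:
            continue
        gaps = [b - a for a, b in zip(sorted(stamps), sorted(stamps)[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0   # low variation = scheduled beacon
        if cv <= max_cv:
            findings[src]["beacons"].append((dst, round(avg), round(cv, 3)))
    return dict(findings)

if __name__ == "__main__":
    for host, result in analyze(SAMPLE_LOG).items():
        print(host, result)
```

On the sample log only the appliance is reported: it used DoH to 8.8.8.8 and then opened a TLS session to the same host roughly every 600 seconds, while the workstation's UDP/53 lookups and irregular browsing are ignored.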

Analysts at Volexity, a threat intelligence and incident response firm, identified the malware implant responsible for the activity as BRICKSTORM, a remote access trojan the group has been actively evolving.

Volexity said in a report shared with Cyber Security News (CSN) that VerdantBamboo, also tracked as WARP PANDA and UNC5221, had maintained access to the victim network for at least 18 months before being discovered.

The attack turned out to be far more layered than it first appeared. VerdantBamboo had not only compromised the victim’s own systems but had also breached the organization’s managed services provider (MSP).

From there, it gained access to credentials and internal infrastructure details that gave it a foothold into the victim environment through a path that bypassed standard security controls entirely.

What makes this intrusion especially notable is how VerdantBamboo re-entered the network even after being evicted.

Once the compromised appliances were taken offline, the attackers used stolen admin credentials to log into the victim’s exposed firewall, set up their own VPN tunnel, and pushed a new backdoor onto a Synology NAS device. The attack chain showed a resilience and adaptability that made recovery a significant challenge.

Chinese APT VerdantBamboo Uses BRICKSTORM Malware

BRICKSTORM is VerdantBamboo’s primary tool for maintaining control over compromised systems, and it has been deliberately crafted to thrive in environments where traditional security monitoring tools are absent.

The malware is written in Go with a modular architecture; its functionality is split into separate packages so that each deployment can be tailored to the specific target device.

On the Egnyte appliance, BRICKSTORM was placed in the /usr/sbin/ directory and launched manually by the threat actor each time it was needed, exploiting a misconfigured sudo rule to gain elevated privileges.

[Figure: Modified cron file (Source: Volexity)]

The same malware was found on the MSP’s pfSense firewall in a FreeBSD-compatible variant, obfuscated with a tool called gobfuscate and set to run automatically through a modified cron startup file.

Alongside BRICKSTORM, Volexity also identified two previously undocumented malware families: PLENET, a cross-platform backdoor compiled from .NET Core using Native AOT to make analysis harder, and AGENTPSD, a lightweight Python reverse shell designed as a fallback if BRICKSTORM stopped working.

Infrastructure Takedown and Detection Guidance

Volexity tracked VerdantBamboo’s command-and-control servers using a fingerprinting query on the Censys platform, identifying hosts running minimal services on port 443 with Cloudflare certificates and OpenBSD-based SSH clients.

Within days of that fingerprint being developed in September 2025, all the matching servers went dark, suggesting the threat actor had become aware of the investigation and shifted tactics to avoid detection.

The local privilege escalation flaw in the Egnyte Storage Sync system was reported to Egnyte and patched in Storage Sync v13.13.

Organizations running edge appliances, including firewalls, NAS devices, and storage sync systems, should ensure these systems are never directly accessible from the internet without MFA protections in place.

Accounts with sudo privileges should be audited for unintended permission chains. Systems that cannot run EDR agents need compensating controls such as network traffic monitoring, file integrity checking, and strict access policies to detect the quiet, long-term compromise that VerdantBamboo specializes in.
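One form the "file integrity checking" above can take, as an added example that is not Volexity's or the article's code: baseline the cron and startup locations the report names as persistence points (/etc/crontab, /etc/cron.d/, /etc/rc.d/cron) and report anything added or modified. Paths are taken relative to a root so the demo runs against a constructed temporary tree; the implant file names in the demo are placeholders.

```python
import hashlib
import os
import tempfile

# Persistence locations named in the report, relative to the checked root so the
# demo can run against a constructed temp tree instead of the live /etc.
WATCHED = ["etc/crontab", "etc/cron.d", "etc/rc.d/cron"]

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Map each watched file (recursing into watched directories) to its SHA-256."""
    snap = {}
    for rel in WATCHED:
        path = os.path.join(root, rel)
        if os.path.isfile(path):
            snap[rel] = sha256_file(path)
        elif os.path.isdir(path):
            for dirpath, _, names in os.walk(path):
                for name in names:
                    full = os.path.join(dirpath, name)
                    snap[os.path.relpath(full, root)] = sha256_file(full)
    return snap

def diff(baseline, current):
    """Return (added, modified, removed) relative paths between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, modified, removed

def write(root, rel, text, mode="w"):
    with open(os.path.join(root, rel), mode) as f:
        f.write(text)

def demo():
    """Constructed tree: baseline it, apply the two changes the report describes
    (a new /etc/cron.d entry and an edited /etc/crontab), then diff against the baseline."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "etc/cron.d"))
    os.makedirs(os.path.join(root, "etc/rc.d"))
    write(root, "etc/crontab", "0 3 * * * root /usr/sbin/logrotate\n")
    write(root, "etc/rc.d/cron", "#!/bin/sh\n/usr/sbin/cron\n")
    baseline = snapshot(root)
    write(root, "etc/cron.d/ssync", "* * * * * root /usr/sbin/IMPLANT_PLACEHOLDER\n")
    write(root, "etc/crontab", "@reboot root /usr/local/bin/FALLBACK_PLACEHOLDER\n", mode="a")
    return diff(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

In production the baseline would be stored off the appliance and the comparison run on a schedule, since an attacker with root on the box can rewrite a local baseline as easily as the cron file.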

Indicators of Compromise (IoCs):



The post Chinese APT VerdantBamboo Uses BRICKSTORM Malware to Compromise Firewalls and Appliances appeared first on Cyber Security News.

Source: cybersecuritynews.com
