Published on June 5, 2026

Chinese APT VerdantBamboo Uses BRICKSTORM Malware to Compromise Firewalls and Appliances


Severity

Medium

Detail

Researchers have uncovered a long-running cyber espionage campaign conducted by the Chinese state-linked threat group VerdantBamboo (also known as WARP PANDA and UNC5221). The group maintained undetected access to a victim environment for at least 18 months, targeting network appliances, storage systems, and firewalls using custom malware designed to evade traditional security monitoring.

The operation highlights the growing focus on edge devices and infrastructure systems that often lack endpoint detection capabilities, making them attractive targets for persistent threat actors.

How?

The intrusion was discovered after an Egnyte Storage Sync appliance was observed communicating with attacker-controlled infrastructure disguised behind Cloudflare services and using DNS-over-HTTPS through Google’s public DNS servers to blend malicious traffic with legitimate activity.

Investigation revealed that VerdantBamboo had compromised both the victim organization and its Managed Services Provider (MSP), allowing the attackers to obtain credentials and infrastructure knowledge that enabled access through trusted pathways. This approach helped bypass standard security controls and maintain long-term persistence.

The group’s primary malware, BRICKSTORM, was deployed on compromised appliances and used to maintain remote access. Written in Go with a modular design, the malware can be tailored to different operating systems and network devices. On the Egnyte appliance, the attackers exploited a misconfigured sudo rule to gain elevated privileges, while a separate FreeBSD variant was deployed on a pfSense firewall and configured to start automatically so that it survived reboots.

Researchers also identified two additional malware families:

PLENET – A cross-platform .NET-based backdoor compiled using Native AOT to complicate analysis.

AGENTPSD – A lightweight Python reverse shell used as a backup access mechanism.

Even after defenders removed the initial compromises, the attackers regained access using stolen administrator credentials. They logged into an exposed firewall, established their own VPN connection, and deployed a new backdoor onto a Synology NAS device, demonstrating significant persistence and operational resilience.

Conclusion

The VerdantBamboo campaign demonstrates how advanced threat actors can leverage compromised service providers, stolen credentials, and unmanaged edge devices to maintain covert access for extended periods. The group’s ability to regain access after remediation efforts highlights the importance of addressing the full attack chain rather than focusing solely on infected systems.

Organizations should secure internet-facing appliances with MFA, audit privileged accounts and sudo configurations, monitor network traffic for unusual outbound connections, and implement compensating controls such as file integrity monitoring and network-based detection on systems where EDR solutions cannot be deployed. Regular reviews of MSP access and third-party trust relationships are also critical to reducing exposure to similar threats.
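The sudo misconfiguration abused on the Egnyte appliance and the recommendation above to audit sudo configurations both come down to the same check: which non-root accounts can run what as root, and without a password. The following is an added example (not from the original article or the researchers' tooling) that parses sudoers-style rules and flags the patterns that amount to a root shell. The sample sudoers text is constructed, the exact rule from the incident is not given in the article, and the list of shell-capable binaries is an illustrative assumption rather than an exhaustive one.

```python
import re

# Constructed sample sudoers content for this example; not from the incident.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults    env_reset
root        ALL=(ALL:ALL) ALL
%wheel      ALL=(ALL) ALL
backup      ALL=(root) NOPASSWD: /usr/bin/rsync
syncsvc     ALL=(ALL) NOPASSWD: ALL
webadmin    ALL=(root) NOPASSWD: /usr/bin/vim, /bin/systemctl restart nginx
monitor     ALL=(root) NOPASSWD: /usr/bin/find
"""

# Assumed, non-exhaustive set of binaries that can spawn a shell or write
# arbitrary files; allowing them under sudo is equivalent to granting root.
SHELL_CAPABLE = {"vim", "vi", "nano", "less", "more", "man", "find", "awk",
                 "perl", "python", "python3", "sh", "bash", "env", "tar",
                 "rsync", "cp", "tee", "dd"}

# user/group  host = (runas)  [TAG: ...]  command[, command...]
RULE_RE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*"
                     r"(\((?P<runas>[^)]*)\))?\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")

def audit_sudoers(text):
    """Return (line_no, principal, severity, reason) for risky rules."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # drop comments/blank lines
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m or m.group("who") == "root":       # root already has everything
            continue
        who = m.group("who")
        nopasswd = "NOPASSWD" in (m.group("tags") or "")
        cmds = [c.strip() for c in m.group("cmds").split(",")]
        if "ALL" in cmds:                           # unrestricted command set
            sev = "critical" if nopasswd else "medium"
            findings.append((lineno, who, sev, "unrestricted command set (ALL)"))
            continue
        for cmd in cmds:                            # per-command check
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if binary in SHELL_CAPABLE:
                sev = "high" if nopasswd else "medium"
                findings.append((lineno, who, sev, f"shell-capable binary {binary}"))
    return findings

if __name__ == "__main__":
    for lineno, who, sev, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {lineno}: {who}: {sev}: {reason}")
```

On a real host, feed it the output of `cat /etc/sudoers /etc/sudoers.d/*` and treat every critical or high finding as a privilege-escalation path to remove or scope down.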

Source

https://cybersecuritynews.com/chinese-apt-verdantbamboo-uses-brickstorm-malware/