Chinese APT VerdantBamboo Uses BRICKSTORM Malware to Compromise Firewalls and Appliances - CyberSecurityNews

CyberSecurityNews, archived Jun 08, 2026
By Tushar Subhra Dutta, June 5, 2026

A Chinese state-linked hacking group has been quietly living inside corporate networks for well over a year, using a custom malware toolkit to compromise firewalls, storage systems, and network appliances without ever tripping an alarm. The group, tracked as VerdantBamboo, has shown a level of patience and technical precision that sets it apart from most threat actors operating today.

The campaign came to light after suspicious network traffic was spotted coming from a Linux-based virtual machine on a customer’s network. The device was an Egnyte Storage Sync appliance, designed to sync local files to the cloud. Instead of connecting to Egnyte’s own infrastructure, it was quietly beaconing out to a domain controlled by the attackers, hiding behind Cloudflare IP addresses and using Google’s public DNS server at 8.8.8.8 to resolve queries over HTTPS, a technique that neatly disguised the malicious traffic.

Analysts at Volexity, a threat intelligence and incident response firm, identified the malware implant responsible for the activity as BRICKSTORM, a remote access trojan the group has been actively evolving. Volexity said in a report shared with Cyber Security News (CSN) that VerdantBamboo, also tracked as WARP PANDA and UNC5221, had maintained access to the victim network for at least 18 months before being discovered.

The attack turned out to be far more layered than it first appeared. VerdantBamboo had not only compromised the victim’s own systems but had also breached the organization’s Managed Services Provider (MSP). From there, it gained access to credentials and internal infrastructure details that gave it a foothold into the victim environment through a path that bypassed standard security controls entirely.
What makes this intrusion especially notable is how VerdantBamboo re-entered the network even after being evicted. Once the compromised appliances were taken offline, the attackers used stolen admin credentials to log into the victim’s exposed firewall, set up their own VPN tunnel, and pushed a new backdoor onto a Synology NAS device. The attack chain showed a resilience and adaptability that made recovery a significant challenge.

Chinese APT VerdantBamboo Uses BRICKSTORM Malware

BRICKSTORM is VerdantBamboo’s primary tool for maintaining control over compromised systems, and it has been deliberately crafted to thrive in environments where traditional security monitoring tools are absent. The malware is built in Golang with a modular architecture, and its functionality is divided into separate packages that allow developers to customize each deployment for the specific target device.

On the Egnyte appliance, BRICKSTORM was placed in the /usr/sbin/ directory and launched manually by the threat actor each time it was needed, exploiting a misconfigured sudo rule to gain elevated privileges.

[Figure: Modified cron file (Source – Volexity)]

The same malware was found on the MSP’s pfSense firewall in a FreeBSD-compatible variant, obfuscated with a tool called gobfuscate and set to run automatically through a modified cron startup file.

Alongside BRICKSTORM, Volexity also identified two previously undocumented malware families: PLENET, a cross-platform backdoor compiled from .NET Core using Native AOT to make analysis harder, and AGENTPSD, a lightweight Python reverse shell designed as a fallback if BRICKSTORM stopped working.

Infrastructure Takedown and Detection Guidance

Volexity tracked VerdantBamboo’s command-and-control servers using a fingerprinting query on the Censys platform, identifying hosts running minimal services on port 443 with Cloudflare certificates and OpenBSD-based SSH clients.
Within days of that fingerprint being developed in September 2025, all the matching servers went dark, suggesting the threat actor had become aware of the investigation and shifted tactics to avoid detection.

The local privilege escalation flaw in the Egnyte Storage Sync system was reported to Egnyte and patched in Storage Sync v13.13.

Organizations running edge appliances, including firewalls, NAS devices, and storage sync systems, should ensure these systems are never directly accessible from the internet without MFA protections in place. Accounts with sudo privileges should be audited for unintended permission chains. Systems that cannot run EDR agents need compensating controls such as network traffic monitoring, file integrity checking, and strict access policies to detect the quiet, long-term compromise that VerdantBamboo specializes in.

Indicators of Compromise (IoCs):

| Type | Indicator | Description |
| --- | --- | --- |
| File Name | egnyte_host_monitor_client | AGENTPSD malware binary (ELF Executable, 6.4MB) |
| MD5 | 98ee964edeb5a988c3bba8ea1e57fe0e | AGENTPSD sample hash |
| SHA1 | e952c18272efa1c3d73d0a5381bcf443c02743fe | AGENTPSD sample hash |
| SHA256 | ee41e06ed96182ce80cd4544a6abd5d7719c4a5c0e5ddb266a83842d39b99b0a | AGENTPSD sample hash |
| File Name | luserput (sbin) | BRICKSTORM malware binary on Egnyte Storage Sync (ELF Executable, 5.6MB) |
| MD5 | 58d4eccc982c9e9b1b98aa62c514e53a | BRICKSTORM (Egnyte) sample hash |
| SHA1 | f4d77958a12a0778283d3e679b24b18f82e332c4 | BRICKSTORM (Egnyte) sample hash |
| SHA256 | 40d264cf9c73923932c3dfd52d20f46ff602be3fea8dc6ecc71aca46e6067bf5 | BRICKSTORM (Egnyte) sample hash |
| File Name | blacklist | BRICKSTORM FreeBSD variant on MSP pfSense firewall (ELF Executable, 5.6MB) |
| MD5 | 84ad78b2bab946c3677fdc28ebd8a774 | BRICKSTORM (pfSense) sample hash |
| SHA1 | 681075027553546c119ec447eb8df84633dcffce | BRICKSTORM (pfSense) sample hash |
| SHA256 | f70abe93112637d3ec2f6c5e058ccac0307ebf63e496f38588cbfc17a8f8a264 | BRICKSTORM (pfSense) sample hash |
| File Name | ovs-dbctl | PLENET malware binary on Synology NAS (ELF Executable, 2.5MB) |
| MD5 | 95dc2289427ed29b8b996d0e3d1b78cb | PLENET sample hash |
| SHA1 | f8d93c1769e877aae7e7d5c289a467b5ae371c7a | PLENET sample hash |
| SHA256 | eb141a43958802727a6c813452450c10b92704bea4474ee5fd87c0a1be326e2e | PLENET sample hash |
| IP Address | 8.8.8.8 | Google public DNS server used by BRICKSTORM for DNS-over-HTTPS C2 resolution |
| File Path | /usr/sbin/ | Directory where BRICKSTORM was written on the Egnyte Storage Sync system |
| File Path | /usr/local/libexec/ipsec/blacklist | Full path of BRICKSTORM implant on MSP pfSense firewall |
| File Path | /usr/local/bin/egnyte/egnyte_host_monitor_client | Full path of AGENTPSD fallback binary on Egnyte system |
| File Path | /etc/cron.d/ssync | Cron entry created by VerdantBamboo to execute BRICKSTORM |
| File Path | /etc/crontab | Modified by VerdantBamboo to schedule AGENTPSD execution |
| File Path | /etc/rc.d/cron | Modified by VerdantBamboo on pfSense to persist BRICKSTORM |
| Censys Fingerprint | banner_hash_sha256: e28a96f983b8605decd2ac1db16ebad5fa741a6aa4e585a38ade0e5ad7d6cec0 | Censys query hash used to fingerprint BRICKSTORM C2 servers |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
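The detection guidance and IoC table above lend themselves to a small host-triage script for appliances that cannot run an EDR agent. The following is an added example, not Volexity's or CyberSecurityNews' tooling: it checks a root directory (a live appliance or a mounted forensic image) for the file paths and cron persistence listed in the table, and lists sudoers rules that let a non-root account run commands as root, which is the shape of "unintended permission chain" the guidance says to audit for (the exact misconfigured rule is not published, so that check is a general assumption). The `build_constructed_tree` helper fabricates a sample filesystem purely for demonstration.

```python
"""Host triage for the VerdantBamboo indicators above (added example, not Volexity's or
CyberSecurityNews' tooling). ROOT is "/" on a live appliance or a forensic image mount."""
import os, re, tempfile

# Paths and implant file names taken from the article's IoC table
IOC_PATHS = ["usr/local/libexec/ipsec/blacklist", "usr/sbin/luserput",
             "usr/local/bin/egnyte/egnyte_host_monitor_client", "etc/cron.d/ssync"]
IMPLANT_NAMES = ("luserput", "blacklist", "egnyte_host_monitor_client", "ovs-dbctl")
CRON_FILES = ["etc/crontab", "etc/rc.d/cron", "etc/cron.d/ssync"]
# user HOST=(runas) [TAG:] command; a simplified sudoers grammar (assumption)
SUDO_RULE = re.compile(r"^(\S+)\s+\S+\s*=\s*\(([^)]*)\)\s*((?:\w+:\s*)*)(.+)$")

def _lines(path):
    with open(path, errors="replace") as fh:
        return [ln.rstrip("\n") for ln in fh]
def ioc_files_present(root):
    """IoC paths from the table that exist under root."""
    return [p for p in IOC_PATHS if os.path.exists(os.path.join(root, p))]

def cron_references(root):
    """(cron file, line) pairs naming an implant; 'blacklist' is a common word, so review hits."""
    hits = []
    for rel in CRON_FILES:
        path = os.path.join(root, rel)
        if os.path.isfile(path):
            hits += [(rel, ln.strip()) for ln in _lines(path)
                     if any(name in ln for name in IMPLANT_NAMES)]
    return hits

def risky_sudo_rules(root):
    """Non-root accounts allowed to run as root with NOPASSWD, or to run ALL."""
    paths = [os.path.join(root, "etc/sudoers")]
    dropin = os.path.join(root, "etc/sudoers.d")
    if os.path.isdir(dropin):
        paths += [os.path.join(dropin, f) for f in sorted(os.listdir(dropin))]
    risky = []
    for ln in (l for p in paths if os.path.isfile(p) for l in _lines(p)):
        m = SUDO_RULE.match(ln.strip())
        if not m or ln.lstrip().startswith("#") or m.group(1) == "root":
            continue
        user, runas, tags, cmd = m.groups()
        if runas in ("ALL", "root") and ("NOPASSWD" in tags or cmd.strip() == "ALL"):
            risky.append((user, cmd.strip()))
    return risky

def build_constructed_tree():
    """Constructed sample appliance filesystem, used only to demonstrate the checks."""
    root = tempfile.mkdtemp()
    sample = {"usr/local/libexec/ipsec/blacklist": "\x7fELF",
              "etc/rc.d/cron": "#!/bin/sh\n/usr/local/libexec/ipsec/blacklist &\n",
              "etc/crontab": "*/5 * * * * root /usr/local/bin/egnyte/egnyte_host_monitor_client\n",
              "etc/sudoers": "root ALL=(ALL) ALL\nsvc ALL=(root) NOPASSWD: /usr/bin/find\n"}
    for rel, body in sample.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return root
```

Run the three check functions against `/` on the appliance (or the mount point of an image) and treat any non-empty result as a lead for manual review, not as proof of compromise.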