China’s VerdantBamboo Exploits Third-Party Vulnerabilities in 18-Month Network Breach, Deploys Multiple Malware Variants
In a notable cybersecurity incident, the Chinese state-sponsored group VerdantBamboo infiltrated a corporate network for an extensive period of 18 months. The breach originated from a managed service provider (MSP) adjacent to the targeted organization, highlighting significant vulnerabilities in third-party service relationships and the urgent need for enhanced cybersecurity protocols.
Discovery of the Intrusion
The intrusion was uncovered following the detection of unusual outbound connections from a Linux appliance. Researchers from Volexity documented a multi-stage attack campaign attributed to VerdantBamboo, which other cybersecurity entities track as WARP PANDA and UNC5221. The campaign began with a compromised file synchronization appliance and expanded through the breached MSP, leading to three separate re-entry attempts that exploited various infrastructure components lacking sufficient endpoint detection coverage.
A File Sync Box No One Was Watching
In September 2025, Volexity was engaged after a customer reported suspicious outbound traffic from a Linux virtual machine running Egnyte Storage Sync, a product designed to synchronize on-premises files with cloud storage. Instead of connecting to legitimate Egnyte servers, the appliance established encrypted TLS connections to a domain controlled by the threat actor, masked behind Cloudflare IP addresses. Additionally, it queried Google’s public DNS server using DNS over HTTPS, a method that disguises DNS lookups as standard HTTPS traffic and so evades DNS-based network monitoring.
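The two network signals described above, DNS-over-HTTPS from a box that should be using the internal resolver and TLS to a destination that is not the vendor's, are exactly what a network-side check can catch on a device that cannot run an EDR agent. The script below is an added example written for this article, not code from Volexity or from the original report: it reads a constructed connection log (field names are assumptions loosely modelled on a Zeek-style export), flags monitored appliances that open TLS sessions to well-known public DoH resolvers or to hostnames outside their expected vendor domains, and additionally looks for the fixed-interval pattern that characterises beaconing. The inventory, hostnames and addresses are constructed placeholders; the resolver IPs and DoH hostnames are the public ones operated by Google, Cloudflare and Quad9.

```python
import fnmatch
import json
from collections import defaultdict
from datetime import datetime

# Well-known public DNS-over-HTTPS endpoints (Google, Cloudflare, Quad9). An
# internal file sync appliance should be using the organisation's own resolver,
# so TLS to any of these on 443 is worth a look on its own.
DOH_RESOLVER_IPS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}
DOH_HOSTNAMES = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

# Assumed inventory of agentless appliances and the SNI patterns each one is
# expected to reach. Hostnames are constructed placeholders, not vendor endpoints.
APPLIANCE_ALLOWLIST = {
    "10.20.0.15": ["*.sync-vendor.invalid"],   # file sync appliance
    "10.20.0.30": ["*.nas-vendor.invalid"],    # NAS
}

# Constructed sample: one JSON record per outbound flow, loosely modelled on a
# Zeek conn/ssl export. Field names are assumptions. 198.51.100.77 stands in for
# a CDN-fronted command-and-control address.
SAMPLE_LOG = """\
{"ts":"2025-09-01T10:00:00Z","src":"10.20.0.15","dst":"203.0.113.10","dport":443,"sni":"eu1.sync-vendor.invalid"}
{"ts":"2025-09-01T10:00:05Z","src":"10.20.0.15","dst":"8.8.8.8","dport":443,"sni":"dns.google"}
{"ts":"2025-09-01T10:00:10Z","src":"10.20.0.15","dst":"198.51.100.77","dport":443,"sni":"cdn-updates.example.invalid"}
{"ts":"2025-09-01T10:05:00Z","src":"10.20.0.15","dst":"8.8.8.8","dport":53,"sni":""}
{"ts":"2025-09-01T10:06:00Z","src":"10.20.0.99","dst":"192.0.2.25","dport":443,"sni":"mail.example.invalid"}
{"ts":"2025-09-01T10:10:10Z","src":"10.20.0.15","dst":"198.51.100.77","dport":443,"sni":"cdn-updates.example.invalid"}
{"ts":"2025-09-01T10:20:11Z","src":"10.20.0.15","dst":"198.51.100.77","dport":443,"sni":"cdn-updates.example.invalid"}
{"ts":"2025-09-01T10:30:10Z","src":"10.20.0.15","dst":"198.51.100.77","dport":443,"sni":"cdn-updates.example.invalid"}
"""


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_records(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(rec):
    """Return a finding label for one TLS flow from a monitored appliance, else None."""
    src = rec["src"]
    if src not in APPLIANCE_ALLOWLIST or rec["dport"] != 443:
        return None
    if rec["dst"] in DOH_RESOLVER_IPS or rec["sni"] in DOH_HOSTNAMES:
        return "doh_resolver"
    if not any(fnmatch.fnmatch(rec["sni"], pat) for pat in APPLIANCE_ALLOWLIST[src]):
        return "unexpected_destination"
    return None


def find_anomalies(text):
    findings = []
    for rec in parse_records(text):
        label = classify(rec)
        if label:
            findings.append({"ts": rec["ts"], "src": rec["src"], "dst": rec["dst"],
                             "sni": rec["sni"], "reason": label})
    return findings


def periodic_pairs(records, min_count=4, tolerance=0.1):
    """(src, sni, interval_s) for appliance flows that recur at a near-constant interval."""
    by_pair = defaultdict(list)
    for r in records:
        if r["src"] in APPLIANCE_ALLOWLIST and r["dport"] == 443:
            by_pair[(r["src"], r["sni"])].append(parse_ts(r["ts"]))
    beacons = []
    for (src, sni), times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        # Every gap within tolerance of the mean: a scheduler, not a person.
        if mean > 0 and all(abs(g - mean) <= tolerance * mean for g in gaps):
            beacons.append((src, sni, round(mean)))
    return beacons


if __name__ == "__main__":
    for f in find_anomalies(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} -> {f['sni'] or f['dst']}: {f['reason']}")
    for src, sni, interval in periodic_pairs(parse_records(SAMPLE_LOG)):
        print(f"possible beacon: {src} -> {sni} every ~{interval}s")
```

Plain port-53 queries to 8.8.8.8 are deliberately left alone here; the point is encrypted lookups that the resolver logs will never see. The allowlist-per-appliance approach is what makes this workable without an agent: a file sync box has a very short list of legitimate destinations, so anything else is reviewable, and the same check covers the recommendation at the end of the article to monitor every device capable of outbound connections regardless of EDR support.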
Forensic analysis revealed two backdoors within the appliance. The primary implant, identified as BRICKSTORM, is a Golang-based remote access trojan previously documented by CISA, Google Cloud, and NVISO in relation to Ivanti zero-day exploitation campaigns. The secondary implant, an undocumented Python reverse shell dubbed AGENTPSD, was packaged as a native binary using PyInstaller and configured for monthly execution as a fallback should BRICKSTORM become unavailable. Both backdoors had been present on the system for at least 18 months prior to their discovery.
VerdantBamboo’s initial access was achieved through the appliance’s default service account, accessed via SSH using credentials obtained from the organization’s MSP. A misconfigured sudo rule inadvertently allowed the attacker to escalate privileges, enabling the installation of BRICKSTORM and the creation of a cron job for persistent execution. This misconfiguration was subsequently reported to Egnyte, which addressed it in Storage Sync version 13.13.
The MSP Was Already Compromised
As researchers traced the breach further up its supply chain, their focus shifted to the MSP that managed the victim organization’s systems. The MSP’s pfSense firewall, an open-source firewall running on FreeBSD, had been compromised by multiple threat actors: investigators found web shells, cryptocurrency miners, and a BRICKSTORM implant disguised as a file named “blacklist” in the IPsec directory, which had also been operational for at least 18 months.
Volexity assessed with medium confidence that the victim organization was initially compromised through VerdantBamboo’s prior breach of the MSP. The attacker leveraged MSP-held administrative credentials and infrastructure access as the initial foothold into the primary target’s environment.
Three Evictions, Three Re-entries
The operational persistence demonstrated by VerdantBamboo post-discovery is particularly significant. Within days of the Storage Sync appliance and SSL VPN being taken offline, the organization’s Synology NAS device began beaconing to the same command-and-control (C2) domain associated with the Storage Sync server.
The re-entry occurred when the MSP retired the SSL VPN device during remediation, inadvertently exposing the organization’s firewall directly to the internet. VerdantBamboo exploited this vulnerability by connecting to the administrative interface using stolen credentials that lacked multi-factor authentication. The attacker configured a new SSL VPN network on the firewall, allowing them to pivot back into the internal network.
From this position, the attacker accessed the Synology NAS via SSH and deployed a third previously undocumented malware family, tracked by Volexity as PLENET. This .NET Core backdoor, which Google Cloud independently tracks under the name GRIMBOLT, was compiled to native code using the Native AOT toolchain introduced in .NET 7.
Researchers also found that VerdantBamboo had validated administrative credentials for the organization’s VMware vCenter infrastructure through web-based logins. However, they did not deploy malware on ESXi or vCenter systems during this incident, despite public reports indicating that ESXi persistence is a typical behavior for this group.
The Technique That Made All of This Work
Throughout the operation, VerdantBamboo consistently utilized compromised devices to proxy connections into the victim organization’s Microsoft 365 environment. By routing M365 access through the organization’s own SSL VPN IP address space, the attacker’s logins appeared to originate from trusted internal infrastructure, circumventing Conditional Access policies designed to block external access. These policies in Microsoft Entra ID allow organizations to restrict cloud access by device, location, or network; however, VerdantBamboo rendered these controls ineffective by making its traffic appear internal.
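The control that was sidestepped here is a named-location rule: Conditional Access treats anything arriving from the VPN's egress addresses as inside. The script below, added as an example for this article and not code from Volexity or Microsoft, makes that trust assumption explicit and tests it: every Entra sign-in sourced from the VPN egress block is matched against the firewall's VPN session records for the same user at the same time, and sign-ins with no corresponding session are flagged. The address block, field names and records are constructed; 203.0.113.0/28 is a documentation range standing in for the real egress addresses.

```python
import ipaddress
from datetime import datetime

# Assumed: the public block the organisation's SSL VPN egresses from, which the
# Conditional Access named-location policy treats as a trusted network.
VPN_EGRESS = ipaddress.ip_network("203.0.113.0/28")

# Constructed Entra sign-in events (simplified; field names are assumptions).
SIGN_INS = [
    {"user": "alice@example.invalid", "ts": "2025-09-02T10:00:00Z", "ip": "203.0.113.5"},
    {"user": "bob@example.invalid",   "ts": "2025-09-02T10:15:00Z", "ip": "203.0.113.5"},
    {"user": "carol@example.invalid", "ts": "2025-09-02T10:20:00Z", "ip": "198.51.100.9"},
    {"user": "alice@example.invalid", "ts": "2025-09-02T12:30:00Z", "ip": "203.0.113.6"},
]

# Constructed SSL VPN session records exported from the firewall. end=None means
# the session was still up when the export was taken.
VPN_SESSIONS = [
    {"user": "alice@example.invalid", "start": "2025-09-02T09:50:00Z", "end": "2025-09-02T11:00:00Z"},
    {"user": "dave@example.invalid",  "start": "2025-09-02T10:00:00Z", "end": None},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def has_vpn_session(user, when, sessions):
    """True if the user had an SSL VPN session covering the instant `when`."""
    for s in sessions:
        if s["user"] != user:
            continue
        start = parse_ts(s["start"])
        end = parse_ts(s["end"]) if s["end"] else None
        if start <= when and (end is None or when <= end):
            return True
    return False


def unexplained_internal_sign_ins(sign_ins, sessions):
    """Sign-ins that carried the trusted VPN source address without a VPN session behind them."""
    flagged = []
    for e in sign_ins:
        if ipaddress.ip_address(e["ip"]) not in VPN_EGRESS:
            continue  # external source: the policy already evaluates these normally
        if not has_vpn_session(e["user"], parse_ts(e["ts"]), sessions):
            flagged.append((e["user"], e["ts"], e["ip"]))
    return flagged


if __name__ == "__main__":
    for user, ts, ip in unexplained_internal_sign_ins(SIGN_INS, VPN_SESSIONS):
        print(f"{ts} {user} from {ip}: trusted address, no VPN session for this user")
```

A login proxied through a compromised appliance carries the trusted source address but leaves no VPN session for that user, which is precisely the gap this join exposes; a rogue VPN network configured on the firewall, as in the re-entry described earlier, shows up instead as sessions for accounts that should not have them, so the session export is worth reviewing on its own as well. The structural fix is to stop letting a source address stand in for identity: a policy that additionally requires a compliant or hybrid-joined device and phishing-resistant MFA means the egress IP is no longer sufficient on its own.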
The attack surface exploited by VerdantBamboo included the Egnyte appliance, the pfSense firewall, and the Synology NAS, all of which shared a critical characteristic: none supported endpoint detection and response (EDR) software. BRICKSTORM, PLENET, and AGENTPSD were deployed on infrastructure that remained outside the EDR visibility layer, which is typically considered the primary detection surface by most security teams.
VerdantBamboo did not breach this organization through a zero-day exploit on a managed Windows endpoint. Instead, it exploited blind spots—devices administered via web interface and SSH, lacking agents, behavioral monitoring, and multi-factor authentication on their administrative accounts.
Researchers recommend enforcing multi-factor authentication on all administrative accounts without exception, including those managing firewalls and network appliances. They also advise auditing sudo configurations on Linux appliances for inadvertent privilege escalation paths, ensuring that network appliances are never directly exposed to the internet following remediation, and extending network monitoring coverage to all devices capable of making outbound connections, regardless of EDR agent support.
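The sudo audit recommended above can be started with a few mechanical checks before anyone reads the rules by hand. The script below is an added example for this article, not code from Volexity or from Egnyte, and it applies heuristics rather than a full sudoers grammar: it flags a principal other than root granted ALL, any rule whose command is an editor, pager or interpreter that can run further commands as root, and any command line containing a wildcard, since a wildcard lets extra arguments be supplied. The sample sudoers content is constructed and is not Egnyte's real configuration; Cmnd_Alias and similar alias lines are skipped rather than expanded.

```python
import os
import re

# Commands that hand whoever runs them as root a way to execute further commands
# or edit arbitrary files. In a service account's rule they are effectively ALL.
SHELL_CAPABLE = {"vi", "vim", "nano", "less", "more", "man", "bash", "sh",
                 "python", "python3", "perl", "find", "awk", "env"}

# Constructed sample sudoers content; it is not Egnyte's real configuration.
SAMPLE_SUDOERS = """\
Defaults    env_reset
root    ALL=(ALL:ALL) ALL
%wheel  ALL=(ALL) ALL
syncsvc ALL=(root) NOPASSWD: /usr/bin/systemctl restart syncd
syncsvc ALL=(root) NOPASSWD: /usr/bin/vim /etc/syncd/*
backup  ALL=(root) NOPASSWD: /usr/bin/rsync *
monitor ALL=(root) NOPASSWD: /usr/bin/tail -n 100 /var/log/syncd.log
ops     ALL=(ALL) NOPASSWD: ALL
"""

# user_or_group  hosts = (runas) [TAG:] command [, command ...]
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.*)$")
TAG_RE = re.compile(r"^([A-Z_]+):\s*")


def split_tags(cmd):
    """Peel leading tags such as NOPASSWD: off a command entry."""
    tags = set()
    while True:
        m = TAG_RE.match(cmd)
        if not m:
            return tags, cmd.strip()
        tags.add(m.group(1))
        cmd = cmd[m.end():]


def command_issues(cmd):
    """Heuristic issues for one command entry of a sudoers rule."""
    if not cmd:
        return []
    if cmd == "ALL":
        return ["unrestricted_command"]
    issues = []
    if os.path.basename(cmd.split()[0]) in SHELL_CAPABLE:
        issues.append("shell_escape")
    if "*" in cmd:
        issues.append("wildcard_arguments")
    return issues


def audit_sudoers(text):
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults") or line.split()[0].endswith("_Alias"):
            continue
        m = RULE_RE.match(line)
        if not m or m.group("who") == "root":
            continue
        tags = set()
        for cmd in m.group("rest").split(","):
            new_tags, cmd = split_tags(cmd.strip())
            tags |= new_tags  # a tag applies to every later command in the same rule
            for issue in command_issues(cmd):
                findings.append({"principal": m.group("who"), "command": cmd,
                                 "issue": issue, "nopasswd": "NOPASSWD" in tags})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        flag = " (NOPASSWD)" if f["nopasswd"] else ""
        print(f"{f['principal']}: {f['issue']}{flag}: {f['command']}")
```

In the sample, the rule letting the sync service account run an editor as root on a wildcarded path is the kind of entry that looks like a narrow operational convenience and is not; a rule restricted to a single fixed command line, such as the tail entry, passes. Run the check against the output of visudo -c or the concatenation of /etc/sudoers and /etc/sudoers.d on each appliance that allows SSH, and treat every NOPASSWD finding on a service account as a change request rather than an accepted risk.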
Published on 2026-06-06 09:36:00 • By the Editorial Desk

