Chinese APT VerdantBamboo Uses BRICKSTORM Malware to Compromise
A Chinese state-linked hacking group has maintained an undetected presence within corporate networks for more than a year. The attackers deployed a custom malware toolkit to compromise firewalls, storage systems, and other network appliances without ever triggering an alarm.
The group, tracked as VerdantBamboo, has shown a level of patience and technical precision that sets it apart from most threat actors operating today.
The campaign came to light after suspicious network traffic was spotted coming from a Linux-based virtual machine on a customer’s network.
The device was an Egnyte Storage Sync appliance, designed to sync local files to the cloud.
Instead of connecting to Egnyte’s own infrastructure, it was quietly beaconing out to a domain controlled by the attackers, hiding behind Cloudflare IP addresses and using Google’s public DNS server at 8.8.8.8 to resolve queries over HTTPS, a technique that neatly disguised the malicious traffic.
Analysts at Volexity, a threat intelligence and incident response firm, identified the malware implant responsible for the activity as BRICKSTORM, a remote access trojan the group has been actively evolving.
Volexity said in a report shared with Cyber Security News (CSN) that VerdantBamboo, also tracked as WARP PANDA and UNC5221, had maintained access to the victim network for at least 18 months before being discovered.
The attack turned out to be far more layered than it first appeared. VerdantBamboo had not only compromised the victim’s own systems but had also breached the organization’s Managed Services Provider.
From there, it gained access to credentials and internal infrastructure details that gave it a foothold into the victim environment through a path that bypassed standard security controls entirely.
What makes this intrusion especially notable is how VerdantBamboo re-entered the network even after being evicted.
Once the compromised appliances were taken offline, the attackers used stolen admin credentials to log into the victim’s exposed firewall, set up their own VPN tunnel, and pushed a new backdoor onto a Synology NAS device. The attack chain showed a resilience and adaptability that made recovery a significant challenge.
Chinese APT VerdantBamboo Uses BRICKSTORM Malware
BRICKSTORM is VerdantBamboo’s primary tool for maintaining control over compromised systems, and it has been deliberately crafted to thrive in environments where traditional security monitoring tools are absent.
The malware is written in Go with a modular architecture: its functionality is split into separate packages, which lets its developers tailor each build to the specific target device.
On the Egnyte appliance, BRICKSTORM was placed in the /usr/sbin/ directory and launched manually by the threat actor each time it was needed, exploiting a misconfigured sudo rule to gain elevated privileges.

The same malware was found on the MSP’s pfSense firewall in a FreeBSD-compatible variant, obfuscated with a tool called gobfuscate and set to run automatically through a modified cron startup file.
Alongside BRICKSTORM, Volexity also identified two previously undocumented malware families: PLENET, a cross-platform backdoor compiled from .NET Core using Native AOT to make analysis harder, and AGENTPSD, a lightweight Python reverse shell designed as a fallback if BRICKSTORM stopped working.
Infrastructure Takedown and Detection Guidance
Volexity tracked VerdantBamboo’s command-and-control servers using a fingerprinting query on the Censys platform, identifying hosts running minimal services on port 443 with Cloudflare certificates and OpenBSD-based SSH clients.
Within days of that fingerprint being developed in September 2025, all the matching servers went dark, suggesting the threat actor had become aware of the investigation and shifted tactics to avoid detection.
The local privilege escalation flaw in the Egnyte Storage Sync system was reported to Egnyte and patched in Storage Sync v13.13.
Organizations running edge appliances, including firewalls, NAS devices, and storage sync systems, should ensure these systems are never directly accessible from the internet without MFA protections in place.
Accounts with sudo privileges should be audited for unintended permission chains. Systems that cannot run EDR agents need compensating controls such as network traffic monitoring, file integrity checking, and strict access policies to detect the quiet, long-term compromise that VerdantBamboo specializes in.
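The network-monitoring control recommended above can be illustrated with the behaviour described earlier in the article: an appliance that should only talk to its vendor was instead resolving names over DNS-over-HTTPS (TCP/443) to 8.8.8.8. The script below is an added example, not code from the article or from Volexity, and runs over a small constructed set of NetFlow-style connection records (not real incident data). It assumes an internal resolver at 10.20.5.1 and a watch list of well-known public resolvers; both are assumptions for the example. It separates three signals of different severity: DoH to a public resolver (the queried names are hidden inside TLS, so DNS monitoring never sees them), plain UDP/53 to an external resolver (a policy violation but still inspectable), and the timing between successive connections, which helps spot regular beaconing.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of connection records in a simple NetFlow-like text layout:
# timestamp src_ip dst_ip dst_port proto bytes. Not real logs from the incident.
SAMPLE_FLOWS = """\
2025-09-02T10:00:01Z 10.20.5.17 10.20.5.1 53 udp 88
2025-09-02T10:00:03Z 10.20.5.44 8.8.8.8 443 tcp 1432
2025-09-02T10:00:05Z 10.20.5.44 8.8.8.8 443 tcp 1410
2025-09-02T10:00:09Z 10.20.5.44 104.16.123.96 443 tcp 2210
2025-09-02T10:00:12Z 10.20.5.9 8.8.8.8 53 udp 76
2025-09-02T10:00:15Z 10.20.5.44 8.8.8.8 443 tcp 1419
2025-09-02T10:00:20Z 10.20.5.9 142.250.74.206 443 tcp 5100
"""

# Assumption for this example: appliances must resolve only via the internal resolver,
# and these well-known public resolvers (all of which also offer DoH) are on a watch list.
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}
INTERNAL_RESOLVER = "10.20.5.1"

FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<port>\d+)\s+(?P<proto>\w+)\s+(?P<bytes>\d+)$"
)


def parse_flows(text):
    """Parse the text layout above into a list of dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FLOW_RE.match(line)
        if not m:
            raise ValueError(f"unparseable flow record: {line!r}")
        rec = m.groupdict()
        rec["port"] = int(rec["port"])
        rec["bytes"] = int(rec["bytes"])
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        flows.append(rec)
    return flows


def find_doh_to_public_resolvers(flows, resolvers=PUBLIC_RESOLVERS):
    """Return {src: {dst: count}} for TCP/443 connections to public resolvers.

    Plain UDP/53 queries to the same resolvers are deliberately not counted here:
    those are visible to DNS monitoring, whereas DoH hides the names inside TLS.
    """
    hits = defaultdict(Counter)
    for f in flows:
        if f["proto"] == "tcp" and f["port"] == 443 and f["dst"] in resolvers:
            hits[f["src"]][f["dst"]] += 1
    return {src: dict(c) for src, c in hits.items()}


def find_external_plain_dns(flows, internal=INTERNAL_RESOLVER):
    """Hosts sending port-53 traffic to anything other than the internal resolver."""
    return sorted({f["src"] for f in flows if f["port"] == 53 and f["dst"] != internal})


def beacon_intervals(flows, src, dst):
    """Seconds between successive TCP/443 connections from src to dst; a near-constant
    series (or one that jitters around a constant) is the classic beaconing shape."""
    times = sorted(
        f["ts"] for f in flows
        if f["src"] == src and f["dst"] == dst and f["proto"] == "tcp" and f["port"] == 443
    )
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for src, dsts in find_doh_to_public_resolvers(flows).items():
        for dst, n in dsts.items():
            print(f"HIGH  {src} -> {dst}:443 DoH x{n}, intervals {beacon_intervals(flows, src, dst)}")
    for src in find_external_plain_dns(flows):
        print(f"LOW   {src} uses an external resolver over plain DNS")
```

On a real deployment the parser would be swapped for whatever the flow collector or firewall exports; the point is that the appliance-to-resolver TLS session is the alert, not the destination's reputation, since 8.8.8.8 will never appear on a blocklist.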
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| File Name | egnyte_host_monitor_client | AGENTPSD malware binary (ELF Executable, 6.4MB) |
| MD5 | 98ee964edeb5a988c3bba8ea1e57fe0e | AGENTPSD sample hash |
| SHA1 | e952c18272efa1c3d73d0a5381bcf443c02743fe | AGENTPSD sample hash |
| SHA256 | ee41e06ed96182ce80cd4544a6abd5d7719c4a5c0e5ddb266a83842d39b99b0a | AGENTPSD sample hash |
| File Name | luserput (sbin) | BRICKSTORM malware binary on Egnyte Storage Sync (ELF Executable, 5.6MB) |
| MD5 | 58d4eccc982c9e9b1b98aa62c514e53a | BRICKSTORM (Egnyte) sample hash |
| SHA1 | f4d77958a12a0778283d3e679b24b18f82e332c4 | BRICKSTORM (Egnyte) sample hash |
| SHA256 | 40d264cf9c73923932c3dfd52d20f46ff602be3fea8dc6ecc71aca46e6067bf5 | BRICKSTORM (Egnyte) sample hash |
| File Name | blacklist | BRICKSTORM FreeBSD variant on MSP pfSense firewall (ELF Executable, 5.6MB) |
| MD5 | 84ad78b2bab946c3677fdc28ebd8a774 | BRICKSTORM (pfSense) sample hash |
| SHA1 | 681075027553546c119ec447eb8df84633dcffce | BRICKSTORM (pfSense) sample hash |
| SHA256 | f70abe93112637d3ec2f6c5e058ccac0307ebf63e496f38588cbfc17a8f8a264 | BRICKSTORM (pfSense) sample hash |
| File Name | ovs-dbctl | PLENET malware binary on Synology NAS (ELF Executable, 2.5MB) |
| MD5 | 95dc2289427ed29b8b996d0e3d1b78cb | PLENET sample hash |
| SHA1 | f8d93c1769e877aae7e7d5c289a467b5ae371c7a | PLENET sample hash |
| SHA256 | eb141a43958802727a6c813452450c10b92704bea4474ee5fd87c0a1be326e2e | PLENET sample hash |
| IP Address | 8.8.8.8 | Google public DNS server used by BRICKSTORM for DNS-over-HTTPS C2 resolution |
| File Path | /usr/sbin/ | Directory where BRICKSTORM was written on the Egnyte Storage Sync system |
| File Path | /usr/local/libexec/ipsec/blacklist | Full path of BRICKSTORM implant on MSP pfSense firewall |
| File Path | /usr/local/bin/egnyte/egnyte_host_monitor_client | Full path of AGENTPSD fallback binary on Egnyte system |
| File Path | /etc/cron.d/ssync | Cron entry created by VerdantBamboo to execute BRICKSTORM |
| File Path | /etc/crontab | Modified by VerdantBamboo to schedule AGENTPSD execution |
| File Path | /etc/rc.d/cron | Modified by VerdantBamboo on pfSense to persist BRICKSTORM |
| Censys Fingerprint | banner_hash_sha256: e28a96f983b8605decd2ac1db16ebad5fa741a6aa4e585a38ade0e5ad7d6cec0 | Censys query hash used to fingerprint BRICKSTORM C2 servers |
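The file-integrity check recommended in the guidance section can be driven directly from the table above. The script below is an added example, not code from the article or from Volexity: it walks a filesystem root (a mounted appliance image, or `/` on a live system) and reports three kinds of findings, a file sitting at one of the listed implant paths, a file whose SHA256 matches one of the listed samples, and a listed cron file that references one of the implant paths. The path `/usr/sbin/luserput` is assembled from the table's file name `luserput (sbin)` and its `/usr/sbin/` directory entry, so treat that one as an inference. The `demo()` function builds a constructed miniature tree in a temporary directory, with an invented file and hash labelled as such, so the script runs offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA256 values from the article's IoC table, keyed to the family they identify.
IOC_SHA256 = {
    "ee41e06ed96182ce80cd4544a6abd5d7719c4a5c0e5ddb266a83842d39b99b0a": "AGENTPSD",
    "40d264cf9c73923932c3dfd52d20f46ff602be3fea8dc6ecc71aca46e6067bf5": "BRICKSTORM (Egnyte)",
    "f70abe93112637d3ec2f6c5e058ccac0307ebf63e496f38588cbfc17a8f8a264": "BRICKSTORM (pfSense)",
    "eb141a43958802727a6c813452450c10b92704bea4474ee5fd87c0a1be326e2e": "PLENET",
}

# Implant locations from the IoC table, relative to the scanned root.
# usr/sbin/luserput is inferred from the table's "luserput (sbin)" entry plus /usr/sbin/.
IOC_PATHS = {
    "usr/local/libexec/ipsec/blacklist": "BRICKSTORM (pfSense) implant",
    "usr/local/bin/egnyte/egnyte_host_monitor_client": "AGENTPSD fallback binary",
    "usr/sbin/luserput": "BRICKSTORM (Egnyte) binary (inferred path)",
    "etc/cron.d/ssync": "BRICKSTORM cron persistence",
}

# Scheduler files the table lists as created or modified for persistence.
CRON_FILES = ["etc/crontab", "etc/rc.d/cron", "etc/cron.d/ssync"]


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, hashes=IOC_SHA256, paths=IOC_PATHS, cron_files=CRON_FILES, max_size=64 << 20):
    """Return sorted findings {"path", "reason", "label"} for everything under root.
    reason is 'path' (known implant location occupied), 'hash' (content matches a
    sample) or 'cron' (scheduler file references an implant path)."""
    root = Path(root)
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            rel = p.relative_to(root).as_posix()
            if rel in paths:
                findings.append({"path": rel, "reason": "path", "label": paths[rel]})
            if rel in cron_files:
                text = p.read_text(errors="replace")
                for ioc_path in paths:
                    if "/" + ioc_path in text:
                        findings.append({"path": rel, "reason": "cron", "label": f"references /{ioc_path}"})
            if p.stat().st_size <= max_size:  # skip huge files (VM images, backups)
                digest = sha256_file(p)
                if digest in hashes:
                    findings.append({"path": rel, "reason": "hash", "label": hashes[digest]})
    return sorted(findings, key=lambda f: (f["path"], f["reason"]))


def demo():
    """Build a constructed miniature filesystem and scan it. The extra hash entry is an
    invented sample so the hash path is exercised without a real malware file."""
    root = Path(tempfile.mkdtemp(prefix="ioc-demo-"))
    (root / "etc/cron.d").mkdir(parents=True)
    (root / "etc/cron.d/ssync").write_text("@reboot root /usr/sbin/luserput\n")  # constructed
    (root / "etc/crontab").write_text("# constructed, benign\n")
    (root / "opt").mkdir()
    sample = b"constructed test sample, not malware"
    (root / "opt/constructed.bin").write_bytes(sample)
    hashes = dict(IOC_SHA256)
    hashes[hashlib.sha256(sample).hexdigest()] = "CONSTRUCTED-TEST-SAMPLE"
    return scan_tree(root, hashes=hashes)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['reason']:5} {f['path']}: {f['label']}")
```

Hash matches are the weakest signal here: the article notes the pfSense sample was obfuscated with gobfuscate, so every rebuild carries a new hash, whereas an occupied implant path or an unexpected cron entry survives recompilation and is what a periodic integrity baseline on an appliance should track.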
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.