Chinese APT deploys new malware to keep access to hacked networks
Chinese APT UNC5221 (VerdantBamboo) quietly maintained access to multiple networks for at least 18 months, compromising MSPs and then infiltrating Microsoft 365 using the Brickstorm backdoor. The group introduced new malware—Plenet (Grimbolt) for Synology NAS and AgentPSD as a fallback reverse shell—after breaching and pivoting from the MSP into the victim environment, also deploying a BSD Brickstorm variant on pfSense. The operation, spanning 2023–2025 and evolving from Golang to Rust, demonstrates a highly sophisticated, cross‑platform campaign that evades detections; researchers published IOCs to aid defenders.

Unseen Access: VerdantBamboo's Persistent Campaign Involving Brickstorm, Plenet, and AgentPSD
Overview
In a sustained espionage operation attributed to a Chinese threat group tracked as UNC5221 (also known as VerdantBamboo), attackers gained long-term footholds inside multiple networks, including Microsoft 365 environments. The operation leveraged the Brickstorm backdoor together with previously undocumented malware families Plenet and AgentPSD to maintain access, move laterally, and harvest data over an extended period. Investigations show the intruders were active for more than a year before breaches were detected, and they also compromised the victim organization’s managed services provider (MSP), complicating containment efforts.
Threat Actors and Malware Families
- Primary actor: UNC5221 (VerdantBamboo), a Chinese espionage group with a history of exploiting edge devices and zero-day flaws since 2023.
- Core toolset:
- Brickstorm: an advanced backdoor deployed across multiple targets in the United States for more than a year. Early variants were written in Golang, later evolving into Rust implementations. Brickstorm communicates via WebSocket for command-and-control (C2) and uses a multiplexing library to handle multiple data streams.
- Plenet: a cross-platform .NET-based backdoor that provides interactive shell access, remote command execution, file manipulation, and C2 server switching. It is designed to resemble Brickstorm in its operational model and uses WebSocket-based C2 with multiplexing support.
- AgentPSD: a Python-based reverse shell utility used as a fallback persistence mechanism if other malware is inaccessible. It connects to a different domain than Brickstorm, suggesting it served as an alternate route into the network when primary access was blocked.
Key capabilities and design notes
- Brickstorm is described by researchers as a sophisticated implant capable of blending with legitimate network traffic to evade detection, including attempts to defeat conditional access policies.
- Plenet’s architecture supports interactive sessions and rapid command execution, enabling attackers to pivot and manipulate compromised hosts and services.
- AgentPSD appears to function as a secondary, hidden access layer, ensuring continued reach even if Brickstorm instances are taken offline.
Initial Access, Persistence, and Lateral Movement
- Initial foothold: VerdantBamboo secured a presence through compromised storage and file-sharing services, enabling repeated access without triggering standard defenses.
- Target environment access: Attackers used a combination of stolen credentials, proxying features in Brickstorm, and compromised services to reach Microsoft 365 environments, followed by stealthy exploitation of SSL VPNs and internal systems.
- Persistence across layers: After establishing a foothold, the actors deployed Brickstorm to Egnyte storage appliances and to a retired Linux GroupWise archive server. They returned days later to re-establish access and introduced Plenet onto networked NAS devices, broadening their reach within the victim’s infrastructure.
- Evading defenses: The operators blended traffic with legitimate activity to bypass some detection mechanisms and attempted to disable security controls at various points, including attempts to turn off exposed services on port 443.
New Backdoors and Secondary Access Mechanisms
- Plenet (Grimbolt): A cross-platform .NET backdoor enabling an interactive shell, remote commands, and C2 switching. Its WebSocket-based communications and data multiplexing allow coordinated control over multiple infected hosts.
- AgentPSD: A Python-based reverse shell tool intended as a contingency path into the network if other malware becomes unavailable. Configured to a distinct domain from Brickstorm, it served as a parallel, persistent access channel.
- Infiltration sequence: After re-entering the environment, attackers deployed Plenet to a Synology NAS and used its capabilities to further command and control internal assets. A BSD variant of Brickstorm was also planted on a pfSense firewall, extending the attacker foothold to firewall devices and storage systems.
Victims, Impact, and Observed Tactics
- Environment targets: The operation affected several organizations across sectors, including legal services, SaaS providers, business process outsourcers, and technology firms. VMware vSphere servers were specifically flagged by defense authorities as a notable attack surface for Brickstorm deployment.
- Data access goals: The campaign focused on stealthy data exfiltration and persistence, with the attackers aiming to blend into normal traffic flows and avoid triggering Conditional Access policies that would have hindered access to critical services.
- Post-compromise activity: The threat actors continued to operate within compromised MSP and client environments, indicating a pivot from MSPs to downstream customer networks.
Timeline and Notable Milestones
- 2023 and 2024: VerdantBamboo engaged in exploiting edge devices and zero-day vulnerabilities as part of broader campaigns.
- April 2024: Google documented UNC5221 activity involving Brickstorm, marking early public acknowledgment of the backdoor’s deployment.
- March 2025: Breaches within US targets were detected after more than a year of undetected activity, with investigators noting long dwell times and repeated intrusions.
- September 2025: Subsequent public reporting highlighted continued Brickstorm activity against multiple organizations, reinforcing the perceived persistence of the threat.
- September 2023–September 2025: Brickstorm-related activity observed in various networks, including attempts to access VMware servers and other critical infrastructure components.
Indicators of Compromise (IOCs) and Artifacts
- Brickstorm indicators: WebSocket-based C2 communications, persistence mechanisms across multiple devices, and activity on port 443 that at times went offline when researchers attempted to map the infrastructure.
- Plenet artifacts: Cross-platform .NET backdoor with explicit capabilities for interactive shells and C2 switching; often deployed on NAS devices and other network-attached storage appliances.
- AgentPSD markers: Python-based reverse shell with domain configurations different from Brickstorm; used as a fallback persistence path in case primary malware instances were removed.
- Infected components: Egnyte Storage Sync appliances, pfSense firewall, Synology NAS devices, and older Linux GroupWise archives—all implicated in initial access, pivoting, or data exfiltration stages.
- Network behavior: Attempts to blend in with legitimate traffic to bypass access controls, as well as the use of stolen credentials to enable SSL VPN access for internal connectivity.
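The indicators above (WebSocket C2 over port 443 from storage, firewall and archive appliances, with a fallback channel on a separate domain) can be turned into a simple egress-log check. The following is an added example, not code from the researchers or the article; the key=value log format, the host inventory and the example domains are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed inventory of appliance-class hosts; a real deployment would pull this from a CMDB.
APPLIANCE_ROLES = {
    "nas-01": "synology_nas",
    "fw-edge": "pfsense_firewall",
    "egnyte-sync": "storage_sync",
    "gw-archive": "groupwise_archive",
    "ws-alice": "workstation",
}

# Constructed egress-proxy log lines in a key=value format assumed for this example.
SAMPLE_LOGS = """\
ts=2025-03-01T02:11:05Z src=nas-01 dst=updates.example-vendor.com dport=443 upgrade=websocket bytes=48213 dur=7230
ts=2025-03-01T02:12:40Z src=ws-alice dst=chat.example.com dport=443 upgrade=websocket bytes=910 dur=30
ts=2025-03-01T03:05:12Z src=fw-edge dst=cdn.example-assets.net dport=443 upgrade=- bytes=1200 dur=2
ts=2025-03-01T03:40:00Z src=fw-edge dst=relay.example-other.org dport=443 upgrade=websocket bytes=33100 dur=5400
ts=2025-03-01T04:00:00Z src=gw-archive dst=10.0.5.20 dport=443 upgrade=websocket bytes=200 dur=10
"""
LINE_RE = re.compile(r"ts=(\S+) src=(\S+) dst=(\S+) dport=(\d+) upgrade=(\S+) bytes=(\d+) dur=(\d+)")
INTERNAL_RE = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")  # RFC 1918 destinations

def parse(logs):
    for line in logs.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, dst, dport, upg, nbytes, dur = m.groups()
            yield {"ts": ts, "src": src, "dst": dst, "dport": int(dport),
                   "upgrade": upg, "bytes": int(nbytes), "dur": int(dur)}

def find_appliance_websocket_c2(logs, min_duration=300):
    """Return (host, role, destination) for long-lived outbound WebSocket sessions from appliances."""
    alerts = []
    for ev in parse(logs):
        role = APPLIANCE_ROLES.get(ev["src"], "unknown")
        if role == "workstation" or ev["upgrade"] != "websocket":
            continue  # browsers use WebSockets legitimately; a NAS or firewall rarely should
        if INTERNAL_RE.match(ev["dst"]) or ev["dur"] < min_duration:
            continue  # internal peers and short sessions are out of scope for this rule
        alerts.append((ev["src"], role, ev["dst"]))
    return alerts

def distinct_c2_domains(alerts):
    """Appliances each holding a session to a different external endpoint hint at parallel channels."""
    by_domain = defaultdict(set)
    for src, _role, dst in alerts:
        by_domain[dst].add(src)
    return dict(by_domain)
```

Tune `min_duration` and the internal-range pattern to the environment; the value of the rule is the host-role filter, since appliance hosts should have a small, known set of outbound destinations that can be allow-listed.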
Observations and Broader Implications
- Living-off-the-land techniques: VerdantBamboo blends malware with legitimate network operations to avoid triggering security analytics, illustrating an evolving blend of traditional malware with stealthy, policy-abiding behaviors inside organizations.
- Extended dwell times: Dwell times exceeding a year in some cases demonstrate the attackers’ emphasis on long-term access and information gathering rather than rapid disruption.
- MSP compromise as a launchpad: Gaining footholds through MSPs underscores the risk of trusted third parties in the modern attack surface and the importance of monitoring inter-organization access patterns.
- Multi-stage persistence: The combination of Brickstorm, Plenet, and AgentPSD across diverse devices indicates a multi-layered strategy to maintain access even if one component is discovered and removed.
Concluding Observations
- VerdantBamboo’s campaign showcases a sophisticated, multi-tool approach to cyber-espionage, with a focus on stealth, persistence, and cross-platform capabilities.
- The use of both a primary backdoor (Brickstorm) and complementary backdoors (Plenet and AgentPSD) provided redundancy, enabling attackers to sustain access across different network segments and devices.
- The integration of compromised MSP pathways with internal networks demonstrates a broader shift where supply chain and service-provider relationships become pivotal to intruder success.
- As defenses evolve, understanding the lifecycle of such campaigns—spanning initial access, persistence, lateral movement, and multi-device deployment—remains essential to detecting and mitigating similarly staged attacks in the future.