Skip to content

Chinese Espionage Group Deploys New Malware to Maintain Access to Hacked Networks

A highly sophisticated threat actor, tracked as UNC5221 and also known as VerdantBamboo, has been deploying new malware to maintain access to hacked networks. The group has been using the Brickstorm backdoor and previously undocumented malware named Plenet and AgentPSD to gain persistent access to Microsoft 365 environments of various targets in the United States.

The threat actor gained access to the victim network at least 18 months before detection, and had also compromised the victim organization’s managed services provider (MSP). UNC5221 is also involved in attacks that exploited zero-day vulnerabilities in edge devices since at least 2023. The group used the Brickstorm backdoor undetected in the environments of various targets for more than a year until the breaches were discovered around March 2025.

Researchers describe Brickstorm as ‘an advanced malware implant.’ Initial variants were written in Golang, then new variants emerged, written in Rust. In April 2024, Google documented UNC5221 activity using the backdoor, and then again in September 2025, describing attacks against legal services, software-as-a-service providers, business process outsourcers, and technology companies.

CISA warned about Brickstorm being deployed by Chinese hackers against VMware vSphere servers, and, more recently, Google reported that it was deployed by UNC6201 against Dell RecoverPoint for Virtual Machines. Volexity researchers responding to an incident last year found that VerdantBamboo compromised an Egnyte Storage Sync system and accessed it periodically through the victim’s web SSL VPN.

### Malware Deployment

The threat actor used Brickstorm proxying features and stolen credentials to access the organization’s Microsoft 365 environment. ‘Volexity assesses with high confidence that this was done to blend in with legitimate network traffic and evade Conditional Access policies that would have otherwise prevented access,’ the researchers said.

Later, Volexity discovered that the hackers had spent at least 18 months on the network before being detected. Furthermore, VerdantBamboo breached the organization again after the researchers completed the remediation efforts. In the second intrusion, the attackers used stolen credentials to enable and configure SSL VPN access on the victim’s firewall, then connected to internal systems and deployed additional custom malware to a Synology NAS device.

This triggered an investigation at the customer’s MSP, where Volexity found that VerdantBamboo had planted a BSD variant of Brickstorm on a pfSense firewall. ‘Volexity concluded that this firewall, like the victim organization’s Storage Sync system, had also been compromised at least 18 months earlier.’ The researchers have medium confidence that the attacker pivoted from the MSP into the victim organization’s environment.

### New Malware: Plenet and AgentPSD

Brickstorm was then deployed to the victim’s Egnyte Storage Sync appliance and to a retired Linux GroupWise email archive server. Once the attackers returned a few days later and re-established access to the victim’s infrastructure, they deployed the custom malware Plenet to a Synology NAS appliance.

Plenet, also tracked as ‘Grimbolt’ by Google, is a cross-platform .NET-based backdoor that offers interactive shell access, remote command execution, file manipulation, and command-and-control (C2) server switching. The researchers note that Plenet is similar in design to Brickstorm, using the WebSocket protocol for C2 communications and a multiplexing library for simultaneous data streams to the server.

AgentPSD is a simple Python-based reverse shell utility that Volexity believes VerdantBamboo used as a fallback persistence mechanism if other malware was no longer accessible. The researchers discovered that AgentPSD was configured to connect to a different domain than the one Brickstorm used. However, the malware was never used as Brickstorm was still running, which supports the assessment that AgentPSD was a secondary access mechanism.

### Investigation and Infrastructure

During the investigation, Volexity tried to discover the infrastructure related to VerdantBamboo. The researchers created a fingerprint to identify IP addresses and domains Brickstorm used for C2 communication. Although multiple machines were identified, the threat actor took the infrastructure offline before the researchers could reveal other systems.

‘Between September 18 and September 23, all of the servers previously matching this pattern turned off their services on port 443.’ Around that time, Google also published a new report on Brickstorm’s activity, which may suggest that the attacker was aware of their operations being under investigation.

Volexity’s describes VerdantBamboo/UNC5221 as ‘a highly sophisticated threat actor’ that mixes living-off-the-land techniques and malware and targets systems that do not support endpoint detection and response (EDR) solutions. The researchers compiled a list of indicators of compromise (IOCs) linked to the investigated UNC5221 campaign and published them here.

### Conclusion

The incident highlights the importance of maintaining robust security measures, including regular monitoring and patching of systems, as well as implementing Conditional Access policies to prevent unauthorized access.

Source: Original article

Leave a Reply

Your email address will not be published. Required fields are marked *