China’s VerdantBamboo Executes Three Re-Entries and Deploys Multiple Malware in Extended Network Intrusion


In a significant cybersecurity breach, the Chinese state-sponsored threat actor known as VerdantBamboo infiltrated a corporate network for an astonishing 18 months. The entry point for this prolonged intrusion was a managed service provider (MSP) located adjacent to the victim organization. This incident underscores the vulnerabilities inherent in third-party service relationships and highlights the need for robust cybersecurity measures.

Discovery of the Intrusion

The incident response was triggered by unusual outbound connections from a Linux appliance. Researchers from Volexity documented a multi-stage intrusion campaign attributed to VerdantBamboo, also recognized as WARP PANDA and UNC5221 by other cybersecurity vendors. The campaign commenced with a compromised file synchronization appliance and expanded through the breached MSP, culminating in three separate re-entry attempts. Each attempt exploited different infrastructure components that lacked adequate endpoint detection coverage.

A File Sync Box No One Was Watching

In September 2025, Volexity was brought in after a customer detected suspicious outbound traffic from a Linux virtual machine running Egnyte Storage Sync. This software is designed to synchronize on-premise files with cloud storage. Instead of connecting to the legitimate Egnyte infrastructure, the appliance established encrypted TLS connections to a domain controlled by the threat actor, obscured behind Cloudflare IP addresses. Additionally, it was querying Google’s public DNS server via DNS over HTTPS, a technique that disguises DNS lookups as regular HTTPS traffic, effectively bypassing DNS-based network monitoring.
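The two indicators described above (DNS over HTTPS to a public resolver, and TLS to a domain that is not the vendor's own) are both visible at the network layer even when the appliance itself cannot run an agent. The following is an added detection example, not code from Volexity or the article; it runs over a few constructed connection-log lines, and the vendor allowlist suffix and the log format are assumptions.

```python
"""Added detection example (not from Volexity or the article): flag the two
outbound patterns described above from a file-sync appliance that should
only talk to its vendor's cloud and the internal resolver.

Log lines are constructed, tab-separated: ts, src_ip, dst_ip, dst_port,
proto, tls_sni ('-' when no SNI). The allowlist suffix is an assumption
standing in for the vendor's real endpoints.
"""
from dataclasses import dataclass

# Public resolvers that also serve DNS over HTTPS on TCP/443 (real addresses).
DOH_RESOLVER_IPS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1"}
DOH_SNI = {"dns.google", "cloudflare-dns.com"}
# Assumed: destinations the appliance is expected to reach over TLS.
EXPECTED_SNI_SUFFIXES = (".egnyte.com",)


@dataclass
class Conn:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str
    sni: str


def parse_line(line: str) -> Conn:
    """Parse one tab-separated connection record."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields, got {len(fields)}: {line!r}")
    ts, src, dst, dport, proto, sni = fields
    return Conn(ts, src, dst, int(dport), proto, "" if sni == "-" else sni)


def classify(conn: Conn) -> list[str]:
    """Return the detection labels that apply to a single connection."""
    findings: list[str] = []
    if conn.dport != 443:
        return findings  # plain DNS to the internal resolver etc. is out of scope here
    if conn.dst in DOH_RESOLVER_IPS or conn.sni in DOH_SNI:
        # DoH hides lookups from DNS-layer monitoring; an appliance with an
        # internal resolver configured has no reason to do this.
        findings.append("doh-to-public-resolver")
    elif conn.sni and not conn.sni.endswith(EXPECTED_SNI_SUFFIXES):
        # TLS to a name outside the vendor allowlist, e.g. a C2 domain fronted by a CDN.
        findings.append("tls-to-unexpected-sni")
    return findings


def scan(lines) -> list[tuple[str, str, str, list[str]]]:
    """Run classify() over a log and keep only the flagged records."""
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        conn = parse_line(line)
        labels = classify(conn)
        if labels:
            hits.append((conn.ts, conn.dst, conn.sni, labels))
    return hits


# Constructed sample: one benign sync session (hostname made up for the
# example), one DoH query, one TLS session to a CDN-fronted domain that is
# not on the allowlist, and one ordinary query to the internal resolver.
SAMPLE_LOG = """\
2025-09-02T08:14:03Z\t10.20.5.17\t203.0.113.45\t443\ttcp\tappliance-api.egnyte.com
2025-09-02T08:14:09Z\t10.20.5.17\t8.8.8.8\t443\ttcp\tdns.google
2025-09-02T08:15:11Z\t10.20.5.17\t198.51.100.7\t443\ttcp\tsync-update.example
2025-09-02T08:15:30Z\t10.20.5.17\t10.20.1.5\t53\tudp\t-
"""

if __name__ == "__main__":
    for ts, dst, sni, labels in scan(SAMPLE_LOG.splitlines()):
        print(ts, dst, sni or "(no SNI)", ",".join(labels))
```

The DoH rule deliberately keys on both destination address and SNI, because a client that pins the resolver's IP can omit or spoof the server name; the allowlist rule is only as good as the list of vendor endpoints, which should come from the vendor's documentation rather than from observed traffic on a box that may already be compromised.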

Forensic analysis revealed two backdoors within the appliance. The primary implant was identified as BRICKSTORM, a Golang-based remote access trojan previously documented by CISA, Google Cloud, and NVISO in relation to Ivanti zero-day exploitation campaigns. The secondary implant was a previously undocumented Python reverse shell, dubbed AGENTPSD, which was packaged as a native binary using PyInstaller and configured to execute monthly as a fallback should BRICKSTORM become unavailable. Both backdoors had been present on the system for at least 18 months before their discovery.

VerdantBamboo’s initial foothold was achieved through the appliance’s default service account, accessed via SSH using credentials obtained from the organization’s MSP. A misconfigured sudo rule inadvertently allowed the attacker to escalate privileges, enabling them to install BRICKSTORM and create a cron job for persistent execution. This misconfiguration was later reported to Egnyte, which addressed it in Storage Sync version 13.13.

The MSP Was Already Compromised

As researchers delved deeper into the supply chain of the compromise, they turned their focus to the MSP responsible for managing the victim organization’s systems. The MSP’s pfSense firewall, an open-source firewall running on FreeBSD, had been compromised by multiple threat actors. This included web shells, cryptocurrency miners, and a BRICKSTORM implant disguised as a file named “blacklist” in the IPsec directory. This implant had also been operational for at least 18 months.

Volexity assessed with medium confidence that the victim organization was initially compromised through VerdantBamboo’s prior breach of the MSP. The attacker leveraged MSP-held administrative credentials and infrastructure access as the initial foothold into the primary target’s environment.

Three Evictions, Three Re-entries

The operational persistence demonstrated by VerdantBamboo after initial discovery is particularly noteworthy. Within days of the Storage Sync appliance and SSL VPN being taken offline, the organization’s Synology NAS device began beaconing to the same command-and-control (C2) domain associated with the Storage Sync server.

The re-entry occurred when the MSP retired the SSL VPN device during remediation, inadvertently exposing the organization’s firewall directly to the internet. VerdantBamboo exploited this exposure by connecting to the administrative interface using stolen credentials that were not protected by multi-factor authentication. The attacker configured a new SSL VPN network on the firewall, enabling them to pivot back into the internal network.

From this position, the attacker accessed the Synology NAS via SSH and deployed a third previously undocumented malware family, tracked by Volexity as PLENET. This .NET Core backdoor was compiled to native code using the Native AOT framework introduced in .NET 7; Google Cloud independently tracks the same family under the name GRIMBOLT.

Researchers also discovered that VerdantBamboo had validated administrative credentials for the organization’s VMware vCenter infrastructure through web-based logins. However, they did not deploy malware on ESXi or vCenter systems during this incident, despite public reports indicating that ESXi persistence is a typical behavior for this group.

The Technique That Made All of This Work

Throughout the operation, VerdantBamboo consistently utilized compromised devices to proxy connections into the victim organization’s Microsoft 365 environment. By routing M365 access through the organization’s own SSL VPN IP address space, the attacker’s logins appeared to originate from trusted internal infrastructure, circumventing Conditional Access policies designed to block external access. These policies in Microsoft Entra ID allow organizations to restrict cloud access by device, location, or network; however, VerdantBamboo rendered these controls ineffective by making its traffic appear internal.
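A sign-in that arrives from the organization's own VPN egress address is, to Conditional Access, just a trusted-location sign-in; what distinguishes a proxied login is that nothing else corroborates it. The following is an added detection example, not the article's or Volexity's code, that correlates constructed Entra ID sign-in records with constructed VPN session records and flags sign-ins from the trusted VPN address that have no matching VPN session for that user, or that came from an unmanaged device. The record layouts and field names are assumptions.

```python
"""Added detection example (not the article's or Volexity's code): find
Microsoft 365 sign-ins that arrived from the organization's own VPN egress
address, and were therefore treated as a trusted location, but do not line
up with a VPN session for that user or came from an unmanaged device.

Both record sets are constructed and simplified; real Entra ID sign-in logs
and firewall VPN session logs have more fields, and the field names here
are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp ending in 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


@dataclass
class SignIn:
    ts: datetime
    user: str
    ip: str
    managed_device: bool  # assumed field: device is Entra-joined/compliant


@dataclass
class VpnSession:
    user: str
    start: datetime
    end: datetime


def has_vpn_session(user: str, at: datetime, sessions: list[VpnSession]) -> bool:
    """True if the user held a VPN session covering the sign-in time."""
    return any(s.user == user and s.start <= at <= s.end for s in sessions)


def find_suspicious(signins, sessions, vpn_egress_ips):
    """Return (user, ts, reasons) for sign-ins from trusted VPN IPs that look proxied."""
    flagged = []
    for s in signins:
        if s.ip not in vpn_egress_ips:
            continue  # external sign-ins still get MFA from Conditional Access
        reasons = []
        if not has_vpn_session(s.user, s.ts, sessions):
            # Traffic carried the trusted IP without the user ever authenticating
            # to the VPN: consistent with a compromised internal device proxying
            # the login, as described in the article.
            reasons.append("no-vpn-session")
        if not s.managed_device:
            reasons.append("unmanaged-device")
        if reasons:
            flagged.append((s.user, s.ts.isoformat(), reasons))
    return flagged


# Constructed data (addresses from documentation ranges).
VPN_EGRESS_IPS = {"198.51.100.20"}
VPN_SESSIONS = [
    VpnSession("alice", parse_ts("2025-09-02T07:55:00Z"), parse_ts("2025-09-02T12:00:00Z")),
]
SIGNINS = [
    SignIn(parse_ts("2025-09-02T08:10:00Z"), "alice", "198.51.100.20", True),   # legitimate
    SignIn(parse_ts("2025-09-02T08:12:00Z"), "bob", "198.51.100.20", False),    # no VPN logon, unmanaged
    SignIn(parse_ts("2025-09-02T13:30:00Z"), "alice", "198.51.100.20", True),   # after VPN session ended
    SignIn(parse_ts("2025-09-02T09:00:00Z"), "carol", "203.0.113.9", False),    # external: MFA applies
]

if __name__ == "__main__":
    for user, ts, reasons in find_suspicious(SIGNINS, VPN_SESSIONS, VPN_EGRESS_IPS):
        print(user, ts, ",".join(reasons))
```

The correlation only works if the VPN concentrator's session log is collected alongside the sign-in log, and it will not catch an attacker who first authenticates to the VPN with the same stolen account. The more durable fix is the one the shape of the check implies: make Conditional Access require a compliant or registered device, so that location trust is never the only control standing between a credential and the tenant.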

The attack surface exploited by VerdantBamboo included the Egnyte appliance, the pfSense firewall, and the Synology NAS, all of which shared a critical characteristic: none supported endpoint detection and response (EDR) software. BRICKSTORM, PLENET, and AGENTPSD were deployed on infrastructure that remained outside the EDR visibility layer, which is typically considered the primary detection surface by most security teams.

VerdantBamboo did not breach this organization through a zero-day exploit on a managed Windows endpoint. Instead, it exploited blind spots—devices administered via web interface and SSH, lacking agents, behavioral monitoring, and multi-factor authentication on their administrative accounts.

Researchers recommend enforcing multi-factor authentication on all administrative accounts without exception, including those managing firewalls and network appliances. They also advise auditing sudo configurations on Linux appliances for inadvertent privilege escalation paths, ensuring that network appliances are never directly exposed to the internet following remediation, and extending network monitoring coverage to all devices capable of making outbound connections, regardless of EDR agent support.
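The sudo recommendation above, and the misconfigured rule on the Storage Sync appliance described earlier, both come down to reading sudoers for rules that quietly hand out root. The following is an added audit example, not Egnyte's or Volexity's code and not a reconstruction of the specific Storage Sync rule, which the article does not detail. It parses a constructed sudoers sample and flags the usual culprits: unrestricted root, NOPASSWD, wildcards in command specs, and interpreters run as root. Alias handling and include directives are skipped, which is a stated simplification.

```python
"""Added audit example (not Egnyte's or Volexity's code): scan sudoers-style
rules for the kind of inadvertent privilege-escalation path the article
describes. The sample file is constructed; the specific rule that affected
Storage Sync is not published here, so this checks the usual culprits:
unrestricted root, NOPASSWD, wildcards, and interpreters run as root.

Simplifications (assumptions): aliases and include directives are skipped,
and a tag such as NOPASSWD: is applied to every command in the rule.
"""
import os
import re

RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+?)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$"
)
TAG_RE = re.compile(r"^([A-Z_]+):\s*")  # NOPASSWD:, SETENV:, NOEXEC: ...
SKIP_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias", "@include")
# Illustrative list: programs that give a shell or arbitrary code execution when run as root.
INTERPRETERS = {"sh", "bash", "dash", "zsh", "python", "python2", "python3", "perl", "ruby"}


def parse_rule(line: str):
    """Return (who, runas_user, tags, commands) for one user-spec line, or None."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    # "(user:group)" -> user; sudoers defaults the run-as user to root when omitted.
    runas = (m.group("runas") or "root").split(":")[0].strip() or "root"
    tags, cmds = set(), []
    for part in m.group("rest").split(","):
        part = part.strip()
        while (t := TAG_RE.match(part)):
            tags.add(t.group(1))
            part = part[t.end():]
        if part:
            cmds.append(part)
    return m.group("who"), runas, tags, cmds


def audit_sudoers(lines) -> list[tuple[str, str, str]]:
    """Return (who, command, issue) triples for risky rules; root's own rule is exempt."""
    issues = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith(SKIP_PREFIXES):
            continue
        parsed = parse_rule(line)
        if parsed is None:
            continue
        who, runas, tags, cmds = parsed
        if who == "root":
            continue
        for cmd in cmds:
            if cmd == "ALL" and runas in ("root", "ALL"):
                issues.append((who, cmd, "full-root"))
            if "NOPASSWD" in tags:
                issues.append((who, cmd, "nopasswd"))
            if "*" in cmd:
                # sudo glob matching lets extra arguments through the pattern.
                issues.append((who, cmd, "wildcard"))
            if os.path.basename(cmd.split()[0]) in INTERPRETERS and runas in ("root", "ALL"):
                issues.append((who, cmd, "interpreter"))
    return issues


# Constructed sample, not a real appliance configuration.
SAMPLE_SUDOERS = """\
# constructed sample sudoers
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
syncsvc ALL=(root) NOPASSWD: /usr/bin/systemctl restart syncd
syncsvc ALL=(root) NOPASSWD: /usr/bin/python3 /opt/sync/diag.py *
backup ALL=(root) NOPASSWD: ALL
"""

if __name__ == "__main__":
    for who, cmd, issue in audit_sudoers(SAMPLE_SUDOERS.splitlines()):
        print(f"{issue:12} {who:10} {cmd}")
```

Run it against `/etc/sudoers` and `/etc/sudoers.d/*` (read via `visudo -c` or `sudo -l` output, since the files themselves are root-only) and treat every "interpreter" and "wildcard" hit on a service account as a finding to justify, not a line to explain away: a service account that only needs to restart one daemon should be able to do exactly that and nothing else.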

Source: thecyberexpress.com
