The initial compromise occurred at least 18 months before investigators discovered it — a delay that let the intruder move from an Egnyte appliance into the victim's Microsoft 365 environment and return after an initial cleanup.
How Volexity tracked VerdantBamboo into Linux and BSD appliances
Volexity attributed the activity to a threat cluster it tracks as VerdantBamboo, saying the cluster overlaps with groups Microsoft calls Clay Typhoon, Google calls UNC5221, and CrowdStrike calls Warp Panda. The company discovered the intrusion during an incident response engagement in September 2025, when it found the adversary had compromised an unnamed victim's Egnyte Storage Sync system by exploiting a local privilege escalation flaw and deploying a BSD variant of a known backdoor called BRICKSTORM.
Researchers Damien Cash, Paul Rascagneres, Steven Adair, and Tom Lancaster wrote that, "The appliance had periodically been accessed by VerdantBamboo via IP addresses assigned through the victim organization's web SSL VPN," and that the actor "used the malware's proxying capabilities deployed on the Storage Sync system, along with compromised credentials, to access the victim's Microsoft 365 (M365) environment." Volexity assessed those steps were intended to blend with legitimate traffic and evade Conditional Access policies.
Malware families found: BRICKSTORM, PLENET (aka GRIMBOLT), and AGENTPSD
Volexity documented three distinct malware families used in the operation. A BSD variant of BRICKSTORM — identified on both the Egnyte appliance and on an MSP's pfSense firewall — was a core implant. The actor also deployed PLENET (aka GRIMBOLT), described as a cross-platform backdoor developed in .NET Core, and a new BRICKSTORM build compiled using native ahead-of-time (AOT) compilation. PLENET supports interactive shell, remote command execution, file manipulation, and C2 server switching.
The third tool, AGENTPSD, is a Python-based reverse shell that Volexity says likely functions as a fallback if the primary implant stops working.
Volexity further noted that PLENET had been reported in the wild earlier: Google reported PLENET in February 2026 in connection with activity by a suspected China‑nexus cluster dubbed UNC6201 that exploited Dell RecoverPoint for Virtual Machines (CVE-2026-22769, CVSS score: 10.0) as a zero-day since mid-2024.
Initial vector, remediation, and the appliance patch
The initial Egnyte compromise stemmed from a local privilege escalation vulnerability in the Storage Sync appliance; Egnyte addressed the issue in Storage Sync version 13.13, released in March 2026. Volexity's timeline places the intrusion discovery in September 2025, and the company reports the adversary had used the malware's proxying capabilities on the Storage Sync system, combined with stolen credentials, to reach cloud resources.
MSP compromise, firewall infection, and Synology follow-on activity
Further investigation found VerdantBamboo had also compromised the victim organization's Managed Services Provider. Volexity says the actor infected the MSP's pfSense firewall with the BSD BRICKSTORM variant around the same time the victim's Storage Sync system was breached, and that the victim was likely compromised through that MSP breach.
After initial remediation, the actor staged a return: using stolen administrative credentials to connect to the firewall, configuring web SSL VPN access to the device, moving to other systems, and deploying additional malware to a Synology Network Attached Storage appliance over SSH.
What this means for MSPs, enterprise defenders, and appliance vendors
- MSPs: the incident shows how compromise of provider infrastructure — here, a pfSense firewall — can be leveraged to reach multiple customers; the timeline in Volexity's report ties the MSP infection to victim compromise.
- Enterprise defenders: the actor's use of appliance proxying and stolen credentials to access Microsoft 365 and evade Conditional Access highlights the need to monitor web SSL VPN access and unexpected proxy chains tied to cloud logins.
- Appliance vendors (Egnyte, Synology and similar): Volexity notes VerdantBamboo targets systems that "traditionally do not or cannot run EDR software," and that the actor "appears to have good knowledge of proprietary appliances, allowing them to deploy malware with customized persistence mechanisms." Timely patching — Egnyte's Storage Sync v13.13 in March 2026 — is central to remediation.
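The monitoring point above (VPN-assigned addresses reaching an appliance, and cloud sign-ins that originate from the appliance rather than from a user endpoint) can be turned into a small correlation check. The following is an added example, not code from Volexity's report or from Egnyte; the log record layouts, the VPN pool `10.200.0.0/24`, the appliance egress address `198.51.100.20`, and the sample records are all constructed assumptions, and it assumes the appliance leaves the network through a public address distinct from the one normal user traffic uses.

```python
"""
Correlate web SSL VPN sessions, appliance connection records and Microsoft 365
sign-in records to surface the pattern described in Volexity's report:
an appliance reached from VPN-assigned addresses and then used as a proxy for
cloud sign-ins. Added example; formats and values are assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed: the address pool handed out by the web SSL VPN, the public address the
# Storage Sync appliance egresses from, and the appliance's administrative ports.
VPN_POOL = ip_network("10.200.0.0/24")
APPLIANCE_EGRESS = "198.51.100.20"
APPLIANCE_ADMIN_PORTS = {22, 443}

# Constructed sample records (not real logs).
VPN_SESSIONS = [
    {"user": "jdoe", "assigned_ip": "10.200.0.15"},
    {"user": "svc-backup", "assigned_ip": "10.200.0.77"},
]
APPLIANCE_CONNECTIONS = [
    {"src_ip": "10.10.5.2", "dst_port": 443},    # internal admin host: expected
    {"src_ip": "10.200.0.77", "dst_port": 22},   # VPN-assigned address to SSH: flag
    {"src_ip": "10.200.0.15", "dst_port": 8443}, # VPN user to a non-admin port: ignored
]
M365_SIGNINS = [
    {"user": "jdoe", "ip": "203.0.113.8", "result": "success"},     # normal user egress
    {"user": "cfo", "ip": "198.51.100.20", "result": "success"},    # from the appliance
    {"user": "cfo", "ip": "198.51.100.20", "result": "success"},
    {"user": "cfo", "ip": "198.51.100.20", "result": "failure"},    # failures not counted
]


def vpn_to_appliance_admin(vpn_sessions, connections,
                           pool=VPN_POOL, ports=APPLIANCE_ADMIN_PORTS):
    """Return (vpn_user, src_ip, dst_port) for every connection to an appliance
    admin port that came from an address inside the VPN pool."""
    owner = {s["assigned_ip"]: s["user"] for s in vpn_sessions}
    hits = []
    for c in connections:
        if ip_address(c["src_ip"]) in pool and c["dst_port"] in ports:
            hits.append((owner.get(c["src_ip"], "unknown"), c["src_ip"], c["dst_port"]))
    return hits


def cloud_signins_via_appliance(signins, appliance_ip=APPLIANCE_EGRESS):
    """Return {user: count} of successful M365 sign-ins whose source address is
    the appliance's egress IP. An appliance should not be where interactive
    cloud sign-ins originate, so any non-zero count merits review."""
    counts = defaultdict(int)
    for s in signins:
        if s["ip"] == appliance_ip and s["result"] == "success":
            counts[s["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for user, ip, port in vpn_to_appliance_admin(VPN_SESSIONS, APPLIANCE_CONNECTIONS):
        print(f"VPN session for {user} ({ip}) reached appliance admin port {port}")
    for user, n in cloud_signins_via_appliance(M365_SIGNINS).items():
        print(f"{n} M365 sign-in(s) for {user} originated from the appliance egress IP")
```

In practice the first function would read the VPN concentrator's session table and the appliance's connection or firewall logs, and the second would read the Entra ID sign-in log exported to a SIEM; the appliance egress address can also be registered as a named location in Conditional Access so that sign-ins from it are blocked outright rather than only flagged.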
Volexity concluded that "VerdantBamboo is a highly sophisticated threat actor that seeks to leverage a combination of living‑off‑the‑land techniques and malware deployment on systems that traditionally do not or cannot run EDR software," and that the group demonstrates operational discipline by using a limited number of domains and IP addresses per victim and by setting up customized implant naming and persistence per device. The intrusion timeline — an initial compromise discovered in September 2025, a patch in March 2026, and a successful return using stolen credentials — underscores that appliance and MSP compromises can produce long-lived access and that remediation does not always end an operation.
Read Volexity's findings as reported by The Hacker News: https://thehackernews.com/2026/06/verdantbamboo-deploys-bsd-variant-of.html