Chinese APT VerdantBamboo Deploys BRICKSTORM Malware Against Network Appliances
Severity: High (Score: 75.5)
Sources: Cybersecuritynews, Gbhackers
Keywords: chinese, brickstorm, malware, verdantbamboo, uses, compromise, firewalls
Severity indicators: apt, chinese apt, malware
Summary
The Chinese state-linked hacking group VerdantBamboo has been infiltrating corporate networks for over a year using a custom malware toolkit named BRICKSTORM. This modular remote access trojan (RAT) has been observed targeting firewalls, storage systems, and network appliances, allowing the attackers to operate undetected. The malware is written in Golang and Rust and incorporates a wssoft library with pluggable tasks for executing shell commands and establishing a Socks5 proxy. The attack was discovered following the detection of suspicious network traffic from a Linux-based virtual machine. The full scope of the impact remains unclear, but the stealthy nature of the malware indicates a significant threat to affected organizations. Incident response efforts are ongoing to mitigate the risks associated with this campaign.

Key Points:
- VerdantBamboo has been active for over a year, compromising corporate networks.
- BRICKSTORM malware targets firewalls and network appliances, operating stealthily.
- Suspicious network traffic led to the discovery of the attack, indicating a serious breach.
Detailed Analysis
**Impact**

Corporate networks across multiple sectors have been compromised by VerdantBamboo over a period exceeding one year. The group targeted firewalls, storage systems, and network appliances, enabling persistent unauthorized access without triggering alarms. The affected geographies and the number of victims were not disclosed. The breach risks operational disruption and potential data exfiltration from critical network infrastructure.

**Technical Details**

The attack employs BRICKSTORM, a modular remote access trojan (RAT) initially developed in Golang and later rewritten in Rust. BRICKSTORM uses a wssoft library with pluggable modules for shell command execution, Socks5 proxy functionality, and a lightweight web server for file listing. The intrusion was detected following anomalous network traffic from a Linux-based virtual machine. No CVEs or specific infrastructure details were provided.

**Recommended Response**

Monitor network traffic for unusual connections originating from Linux-based virtual machines, especially those exhibiting Socks5 proxy or web server behaviors. Deploy detections for BRICKSTORM's known modules and command patterns. Harden firewall and appliance configurations to restrict unauthorized remote access. No patch information is available; focus on network monitoring and incident response readiness.
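As an added illustration of the monitoring guidance above (not code from the source articles), the check below flags hosts that complete a SOCKS5 method negotiation or answer HTTP without being a known web server. The flow records and the web-server allow-list are constructed for the example.

```python
"""Flag hosts behaving as a SOCKS5 proxy or as an unexpected web server."""
from collections import defaultdict

# RFC 1928 method negotiation: client sends VER=0x05, NMETHODS, METHODS...;
# server answers VER=0x05 plus the chosen METHOD (0x00 = no auth, 0xFF = none accepted).
SOCKS5_VER = 0x05

# Constructed flow records: (client, server, server_port, first client bytes, first server bytes)
SAMPLE_FLOWS = [
    ("10.0.5.23", "10.0.9.40", 443, b"\x05\x01\x00", b"\x05\x00"),  # SOCKS5 hidden on 443
    ("10.0.5.23", "10.0.9.40", 443, b"\x05\x02\x00\x02", b"\x05\x00"),
    ("10.0.5.23", "10.0.9.41", 8080, b"GET /files/ HTTP/1.1\r\n", b"HTTP/1.1 200 OK\r\n"),
    ("10.0.5.99", "10.0.9.42", 443, b"\x16\x03\x01\x00\xa5", b"\x16\x03\x03\x00\x4a"),  # real TLS
    ("10.0.5.99", "10.0.9.43", 22, b"SSH-2.0-OpenSSH", b"SSH-2.0-OpenSSH"),
]

# Hosts permitted to serve HTTP (constructed allow-list, not from the page).
EXPECTED_WEB_SERVERS = {"10.0.9.50"}


def is_socks5_handshake(client_bytes: bytes, server_bytes: bytes) -> bool:
    """True when both directions match a complete SOCKS5 method negotiation."""
    if len(client_bytes) < 3 or len(server_bytes) != 2:
        return False
    nmethods = client_bytes[1]
    return (client_bytes[0] == SOCKS5_VER
            and len(client_bytes) == 2 + nmethods
            and server_bytes[0] == SOCKS5_VER
            and (server_bytes[1] in client_bytes[2:] or server_bytes[1] == 0xFF))


def is_http_response(server_bytes: bytes) -> bool:
    """True when the server side opens with an HTTP/1.x status line."""
    return server_bytes.startswith(b"HTTP/1.")


def find_suspicious_servers(flows):
    """Map server IP -> sorted reasons for hosts acting as SOCKS5 proxies
    or serving HTTP while absent from the allow-list."""
    findings = defaultdict(set)
    for _client, server, port, cbytes, sbytes in flows:
        if is_socks5_handshake(cbytes, sbytes):
            findings[server].add(f"socks5-on-{port}")
        elif is_http_response(sbytes) and server not in EXPECTED_WEB_SERVERS:
            findings[server].add(f"http-server-on-{port}")
    return {host: sorted(reasons) for host, reasons in findings.items()}


if __name__ == "__main__":
    for host, reasons in find_suspicious_servers(SAMPLE_FLOWS).items():
        print(host, ", ".join(reasons))
```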
Source articles (2)
- Chinese APT VerdantBamboo Targets Appliances with BRICKSTORM Malware — Gbhackers · 2026-06-05
  BRICKSTORM is a modular remote access trojan (RAT) originally seen in Golang and later in Rust. It uses a wssoft library with pluggable “tasks” for shell commands, a Socks5 proxy, and a simple web ser…
- Chinese APT VerdantBamboo Uses BRICKSTORM Malware to Compromise Firewalls and Appliances — Cybersecuritynews · 2026-06-05
  A Chinese state-linked hacking group has been quietly living inside corporate networks for well over a year, using a custom malware toolkit to compromise firewalls, storage systems, and network applia…
Timeline
- 2025-05-01 — VerdantBamboo begins infiltration: The group started compromising corporate networks, utilizing BRICKSTORM malware for stealthy operations.
- 2025-06-15 — BRICKSTORM malware identified: Security researchers identified the BRICKSTORM RAT, revealing its modular capabilities and stealth features.
- 2026-06-05 — Incident response initiated: Organizations began incident response engagements after detecting suspicious network traffic linked to VerdantBamboo.
Related entities
- VerdantBamboo (APT Group)
- Malware (Attack Type)
- Brickstorm (Malware)
- T1059 - Command and Scripting Interpreter (MITRE ATT&CK)
- Linux (Platform)
- Wssoft (Tool)