
VerdantBamboo's 18-Month Cyber Campaign Targets Managed Service Providers

Severity: High (Score: 75.5)

Sources: www.volexity.com, Thecyberexpress

Published: 2026-06-05 · Updated: 2026-06-05

Keywords: verdantbamboo, network, china, incident, response, suspicious, just

Severity indicators: ot

Summary

A Chinese threat actor tracked as VerdantBamboo spent roughly 18 months inside a company's network after entering through its managed service provider (MSP). The first foothold identified was a Linux-based Egnyte Storage Sync appliance: the attacker logged in with credentials stolen from the MSP, then abused a misconfigured sudo rule on the appliance to gain root. Persistence relied on the BRICKSTORM backdoor and a secondary Python reverse shell, AGENTPSD. After the initial detection VerdantBamboo re-entered the network several times, each time through a different infrastructure weakness. Volexity's investigation also found that the MSP's own firewall had been compromised earlier, making this a supply chain intrusion rather than an isolated breach. Because the implants ran on a storage appliance and a firewall, devices that rarely carry an EDR agent, the campaign exposed a gap in endpoint detection coverage. VerdantBamboo remains active.

Key Points:
  • VerdantBamboo used stolen MSP credentials and a misconfigured Egnyte Storage Sync appliance to gain root-level access.
  • The intrusion was multi-stage, with BRICKSTORM as the primary implant and AGENTPSD as a fallback.
  • The threat actor re-entered the network multiple times after the initial detection.

Detailed Analysis

**Impact** The campaign targeted a managed service provider (MSP) and at least one of its client organizations, affecting their network infrastructure and cloud synchronization systems. The intrusion persisted for at least 18 months and gave the actor access to Microsoft 365 environments and internal systems, including firewalls and NAS appliances. The affected sectors are IT service providers and their customers; the geographic focus is implied to be primarily the United States. Data at risk includes archived email, cloud-synced files, and administrative credentials.

**Technical Details** Initial access used credentials stolen from the MSP. On the Egnyte Storage Sync Linux appliance, a misconfigured sudo rule let the actor escalate to root and install the BRICKSTORM backdoor. Command-and-control ran over TLS to actor-controlled domains fronted by Cloudflare, and name resolution went over DNS over HTTPS to Google's 8.8.8.8 rather than the local resolver, so neither the C2 hostnames nor the lookups appear in conventional DNS logs. Additional malware included AGENTPSD, a Python reverse shell, and PLENET, both previously undocumented. The MSP's pfSense firewall ran a BSD variant of BRICKSTORM that persisted through modified cron jobs and files disguised as legitimate components. The actor re-entered multiple times after detection and abused VPN configurations for lateral movement.

**Recommended Response** Apply Egnyte Storage Sync v13.13, which corrects the sudo misconfiguration. Harden VPN and firewall configurations, especially pfSense deployments. Treat HTTPS (tcp/443) connections from appliances to public resolvers such as 8.8.8.8 as DoH and alert on them, and baseline which servers legitimately speak TLS to Cloudflare-fronted addresses so that outliers stand out. Deploy detections for BRICKSTORM and related families: review cron entries for unexpected commands and look for binaries such as "blacklist" in IPsec directories. Enforce credential hygiene and conditional access policies so that stolen credentials alone cannot be reused for lateral movement.
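The two network tells described above (DoH to a public resolver, and TLS from a server-class appliance to Cloudflare-fronted infrastructure) can be triaged from flow logs. The script below is an added example, not Volexity's tooling or code from the page. It reads constructed Zeek-style conn.log records; the appliance inventory, the resolver watchlist, the Cloudflare range subset and the session threshold are all assumptions.

```python
"""Triage Zeek-style conn.log records for two VerdantBamboo C2 tells:
  1. DNS over HTTPS: a public resolver contacted on tcp/443 instead of port 53.
  2. TLS from a server-class appliance to a Cloudflare-fronted address.
Added example; the inventory, resolver list and range subset are assumptions."""
import ipaddress
from collections import Counter

# Public resolvers that also answer DoH on tcp/443 (assumed watchlist).
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}

# Subset of Cloudflare's published IPv4 ranges; refresh from cloudflare.com/ips.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13", "173.245.48.0/20",
    "141.101.64.0/18", "108.162.192.0/18", "162.158.0.0/15", "198.41.128.0/17",
)]

# Server-class hosts with no reason to browse the web (assumed inventory).
APPLIANCES = {"10.0.5.20": "egnyte-storage-sync", "10.0.5.1": "pfsense-edge"}

# Column order of the constructed log; adjust to the #fields header of a real conn.log.
FIELDS = ("ts", "orig_h", "orig_p", "resp_h", "resp_p", "proto", "service", "duration")

# Constructed conn.log excerpt (tab-separated, columns as in FIELDS).
SAMPLE_CONN_LOG = """\
#fields ts orig_h orig_p resp_h resp_p proto service duration
1757462400.1\t10.0.5.20\t51234\t8.8.8.8\t53\tudp\tdns\t0.02
1757462401.3\t10.0.5.20\t51235\t8.8.8.8\t443\ttcp\tssl\t0.41
1757462402.0\t10.0.5.20\t51240\t104.16.132.229\t443\ttcp\tssl\t1800.0
1757462402.5\t10.0.5.20\t51241\t104.16.132.229\t443\ttcp\tssl\t1794.2
1757462403.0\t10.0.5.20\t51242\t104.16.132.229\t443\ttcp\tssl\t1801.5
1757462404.7\t10.0.8.41\t50011\t104.16.132.229\t443\ttcp\tssl\t12.3
1757462405.2\t10.0.5.20\t51250\t10.0.5.1\t443\ttcp\tssl\t2.0
"""


def parse_conn(line):
    """Split one conn.log record into a dict; ports become ints."""
    rec = dict(zip(FIELDS, line.rstrip("\n").split("\t")))
    rec["orig_p"] = int(rec["orig_p"])
    rec["resp_p"] = int(rec["resp_p"])
    return rec


def is_cloudflare(ip):
    """True if ip falls inside one of the Cloudflare ranges listed above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def triage(lines, min_cloudflare_sessions=3):
    """Return a list of findings; each is a dict with src, dst and rule."""
    findings = []
    cf_sessions = Counter()
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue                                  # Zeek header/comment lines
        r = parse_conn(line)
        src, dst, dport, proto = r["orig_h"], r["resp_h"], r["resp_p"], r["proto"]
        # Tell 1: a resolver reached on 443 is DoH; a stub resolver only uses 53.
        if dst in PUBLIC_RESOLVERS and dport == 443:
            findings.append({"src": src, "dst": dst, "rule": "doh-to-public-resolver"})
        # Tell 2: count TLS sessions from inventoried appliances to Cloudflare space.
        if src in APPLIANCES and proto == "tcp" and dport == 443 and is_cloudflare(dst):
            cf_sessions[(src, dst)] += 1
    for (src, dst), n in cf_sessions.items():
        if n >= min_cloudflare_sessions:
            findings.append({"src": src, "dst": dst, "sessions": n,
                             "rule": "appliance-tls-to-cloudflare"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_CONN_LOG.splitlines()):
        print(f)
```

Against a real conn.log, pass the open file to `triage()` after setting `FIELDS` to match its `#fields` header. The DoH rule fires for any source, so on a user VLAN it also catches browsers with built-in DoH; scoping it to server and appliance subnets, or pairing it with an inventory as the second rule does, is what keeps it actionable.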
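For the pfSense side of the Recommended Response (cron review, and the disguised "blacklist" binary in IPsec directories), the following hunt script is an added example, not code from the page or from Volexity. The crontab locations, the scratch-directory list and the "ELF inside a config directory" heuristic are assumptions; it builds a constructed sample tree so it runs offline, and takes a real root such as `/` as its first argument.

```python
"""Hunt a pfSense/FreeBSD file tree for the persistence artifacts the report
names for the BSD BRICKSTORM variant: modified cron entries and a disguised
binary such as "blacklist" under an IPsec directory.
Added example; the paths and heuristics below are assumptions."""
import os
import re
import sys
import tempfile

ELF_MAGIC = b"\x7fELF"
# Cron locations relative to the inspected root: pfSense manages /etc/crontab,
# FreeBSD keeps per-user tabs under /var/cron/tabs (assumed).
SYSTEM_CRONTAB = "etc/crontab"
USER_TAB_DIR = "var/cron/tabs"
# Directories a firewall cron job has no business executing from (assumed list).
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/var/etc/", "/dev/shm/")
ABS_PATH = re.compile(r"/[\w./-]+")


def parse_cron(text, system=True):
    """Yield (schedule, command) pairs; system crontabs carry a user column."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue                      # comment or VAR=value assignment
        n_sched = 1 if line.startswith("@") else 5
        n_skip = n_sched + (1 if system else 0)
        parts = line.split(None, n_skip)
        if len(parts) > n_skip:
            yield " ".join(parts[:n_sched]), parts[n_skip]


def suspicious_command(cmd):
    """Return a reason if a cron command looks like an implant launcher, else None."""
    for path in ABS_PATH.findall(cmd):
        if os.path.basename(path) == "blacklist":
            return f"runs a 'blacklist' binary: {path}"
        if path.startswith(SCRATCH_DIRS):
            return f"executes from a scratch/config directory: {path}"
    return None


def hunt(root="/"):
    """Return findings for suspicious cron entries and disguised files under root."""
    findings = []
    tabs = [(os.path.join(root, SYSTEM_CRONTAB), True)]
    tab_dir = os.path.join(root, USER_TAB_DIR)
    if os.path.isdir(tab_dir):
        tabs += [(os.path.join(tab_dir, f), False) for f in sorted(os.listdir(tab_dir))]
    for path, system in tabs:
        if not os.path.isfile(path):
            continue
        with open(path, errors="replace") as fh:
            for schedule, cmd in parse_cron(fh.read(), system):
                reason = suspicious_command(cmd)
                if reason:
                    findings.append({"type": "cron", "file": path,
                                     "entry": f"{schedule} {cmd}", "reason": reason})
    # Disguised binaries: anything named "blacklist", or any ELF at all, inside a
    # directory whose path mentions ipsec (config directories hold text, not code).
    for dirpath, _, files in os.walk(root):
        if "ipsec" not in os.path.relpath(dirpath, root).lower():
            continue
        for name in files:
            fpath = os.path.join(dirpath, name)
            if os.path.islink(fpath) or not os.path.isfile(fpath):
                continue
            try:
                with open(fpath, "rb") as fh:
                    head = fh.read(4)
            except OSError:
                continue
            if head == ELF_MAGIC:
                findings.append({"type": "file", "file": fpath, "reason": "ELF binary in IPsec directory"})
            elif name == "blacklist":
                findings.append({"type": "file", "file": fpath, "reason": "file named 'blacklist' in IPsec directory"})
    return findings


def build_sample_tree():
    """Create a constructed mini pfSense tree: one benign and one planted cron
    entry plus a fake ELF named blacklist. Returns its root for hunt()."""
    root = tempfile.mkdtemp(prefix="pfhunt-")
    os.makedirs(os.path.join(root, "etc"))
    os.makedirs(os.path.join(root, "var", "etc", "ipsec"))
    with open(os.path.join(root, "etc", "crontab"), "w") as fh:
        fh.write("SHELL=/bin/sh\n"
                 "1 3 1 * * root /etc/rc.update_bogons.sh\n"
                 "*/5 * * * * root /var/etc/ipsec/blacklist -d\n")
    with open(os.path.join(root, "var", "etc", "ipsec", "blacklist"), "wb") as fh:
        fh.write(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 57)
    with open(os.path.join(root, "var", "etc", "ipsec", "ipsec.conf"), "w") as fh:
        fh.write("config setup\n")
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for f in hunt(target):
        print(f"[{f['type']}] {f['file']}: {f['reason']}")
```

The ELF check is the part worth keeping even if the implant is renamed: strongSwan configuration directories on pfSense contain text files, so any native executable there is worth a look regardless of name.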

Source articles (2)

  • China’s VerdantBamboo Experimented With Three Re — Thecyberexpress · 2026-06-05
    China's VerdantBamboo spent 18 months inside a company's network. The entry point was the managed service provider door. The incident response started with a suspicious connection from a Linux applian…
  • Verdantbamboo Just Another Brickstorm In The Firewall — www.volexity.com · 2026-06-05
    In September 2025, Volexity conducted an incident response engagement that began after suspicious network traffic was observed from a Linux-based virtual machine appliance on a customer’s network. The…

Timeline

  • 2025-09-01 — Initial compromise detected: Volexity responded to suspicious traffic from an Egnyte Storage Sync appliance, revealing unauthorized connections.
  • 2025-09-01 — Malware implants identified: Forensic analysis revealed BRICKSTORM and AGENTPSD were installed on the compromised appliance.
  • 2025-09-01 — MSP compromise confirmed: Investigation showed that VerdantBamboo had previously compromised the victim's managed service provider.
  • 2026-06-04 — Incident response published: Volexity released findings on the 18-month campaign, detailing the attack vectors and persistence methods used by VerdantBamboo.
  • 2026-06-04 — Security measures recommended: Volexity advised organizations to enhance endpoint detection and response capabilities to prevent similar attacks.

Related entities

  • Unc5221 (Apt Group)
  • VerdantBamboo (Apt Group)
  • Warp Panda (Apt Group)
  • Malware (Attack Type)
  • Supply Chain Attack (Attack Type)
  • China (Country)
  • CWE-269 - Improper Privilege Management (Cwe)
  • CWE-798 - Use of Hard-coded Credentials (Cwe)
  • agentpsd.it (Domain)
  • Agentpsd (Malware)
  • Brickstorm (Malware)
  • Grimbolt (Malware)
  • Plenet (Malware)
  • T1021 - Remote Services (Mitre Attack)
  • T1053 - Scheduled Task/Job (Mitre Attack)
  • T1059.006 - Python (Mitre Attack)
  • T1068 - Exploitation for Privilege Escalation (Mitre Attack)
  • T1071 - Application Layer Protocol (Mitre Attack)
  • T1078 - Valid Accounts (Mitre Attack)
  • T1133 - External Remote Services (Mitre Attack)
  • T1505.003 - Web Shell (Mitre Attack)
  • Egnyte Storage Sync (Platform)
  • ESXi (Platform)
  • FreeBSD (Platform)
  • GroupWise (Platform)
  • Linux (Platform)
  • Microsoft 365 (Platform)
  • PfSense (Platform)
  • Synology NAS (Platform)
  • VMware ESXi (Platform)
  • VMware vCenter (Platform)
  • e28a96f983b8605decd2ac1db16ebad5fa741a6aa4e585a38ade0e5ad7d6cec0 (Sha256)
  • PyInstaller (Tool)
  • SSH (Tool)