Key point: VerdantBamboo strategically exploits Linux appliances in under-protected network positions as an access bridge to compromise high-value targets and bypass network security mechanisms.
The Chinese cyber-espionage group VerdantBamboo has strategically compromised Linux-based storage and network devices to penetrate Microsoft 365 environments. The attackers reached their victims through a Managed Services Provider and disguised their activity as legitimate network traffic.
The attacks by VerdantBamboo (also known as Clay Typhoon, UNC5221, and Warp Panda), documented by Volexity, target Linux-based network devices. Initial access was gained via a Managed Services Provider whose pfSense firewall was infected with a FreeBSD-compatible variant of BRICKSTORM malware. From there, the attackers infiltrated the victim network. The initial infection of the target company was discovered in September 2025 during incident response; however, the original access dated back at least 18 months.
The operational chain leveraged a privilege escalation vulnerability on an Egnyte Storage Sync system to install the BRICKSTORM backdoor. This flaw was closed by the vendor only in March 2026 with version 13.13. After remediation efforts, VerdantBamboo re-infiltrated using stolen administrative credentials, this time via the firewall. The attackers configured persistent web SSL-VPN access and deployed additional malware to a Synology NAS system.
For CISOs, the key point is the operational approach: VerdantBamboo abused the VPN proxy functions of the storage system, in combination with compromised credentials, to reach the Microsoft 365 environment while bypassing conditional access rules, because the resulting traffic appeared to originate from legitimate internal infrastructure.
The malware landscape employed includes PLENET (also called GRIMBOLT) — a .NET Core-based backdoor with AOT compilation supporting interactive shells and command execution — as well as AGENTPSD, a Python-based reverse shell as a fallback mechanism. PLENET was already documented by Google in February 2026 in association with the group UNC6201, which has exploited a critical Dell RecoverPoint vulnerability since mid-2024.
VerdantBamboo operates with high discipline: the group uses custom persistence mechanisms on endpoints without EDR coverage, actively limits the number of domains and IP addresses used per victim, and strategically selects targets from the supply chain. The attack underscores the criticality of vulnerability management for Linux appliances and monitoring of Managed Service Provider access.
Source: www.it-daily.net · Published June 11, 2026
Lumi AI News — AI-assisted curation in accordance with Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.6.5.