Chinese APT VerdantBamboo used BRICKSTORM malware to hide on firewalls and storage appliances


A China-linked hacking group tracked as VerdantBamboo used BRICKSTORM malware to maintain long-term access inside corporate networks by targeting systems that often sit outside normal endpoint security coverage.

The intrusion, detailed by Volexity, began as an investigation into unusual network traffic from a Linux-based virtual appliance. Analysts later found a wider campaign involving a compromised storage sync system, a managed services provider, a firewall, and a NAS device.

Volexity says VerdantBamboo, also known as WARP PANDA and UNC5221, had access to parts of the environment for at least 18 months. The case shows how attackers can use firewalls, storage systems, and other appliances as stealthy footholds when those devices lack EDR coverage.

How the VerdantBamboo intrusion was discovered

The first suspicious signal came from an Egnyte Storage Sync appliance. Storage Sync is designed to sync on-premises files with Egnyte’s cloud service, but the appliance was reaching out to a domain controlled by the attackers instead of expected Egnyte infrastructure.

The malware also contacted Google’s public DNS server at 8.8.8.8, apparently using DNS over HTTPS to resolve attacker-controlled infrastructure. That tactic helped the traffic blend into normal encrypted outbound network activity.

Further analysis showed that VerdantBamboo used BRICKSTORM to proxy traffic and access the victim’s Microsoft 365 environment with compromised credentials. The attackers used that access path to appear as if they were coming from trusted parts of the victim’s own network.

The MSP compromise made the attack harder to remove

The incident did not stop with the victim’s appliance. Volexity later found that the victim’s managed services provider had also been compromised. The MSP’s pfSense firewall contained a FreeBSD-compatible BRICKSTORM variant, which helped explain how VerdantBamboo may have reached the victim environment.

Modified cron file (Source – Volexity)

After the initial cleanup, the attackers returned. They used stolen administrative credentials to access the victim’s exposed firewall, configured a web-based SSL VPN, and used that new tunnel to move back into the network.

The attackers then deployed PLENET, a previously undocumented backdoor, to a Synology NAS device. This second entry path showed that removing one compromised appliance did not fully remove the threat when credentials and exposed management interfaces remained available.

Why BRICKSTORM is useful for appliance attacks

BRICKSTORM is built for quiet, long-term access. The malware has appeared in Golang and Rust variants, and its modular design lets operators tailor each sample for the target system.

The Volexity report says BRICKSTORM uses a task-based architecture with functions for command execution, SOCKS proxying, and file browsing. Those capabilities let attackers use a compromised appliance as a hidden bridge into the rest of the network.

The case matches earlier reporting from the Google Threat Intelligence Group, which warned that BRICKSTORM operators focus on appliances that do not support traditional endpoint detection tools. Google’s Mandiant team said similar intrusions had an average dwell time of 393 days.

Malware      Role in the campaign                              Notable details
BRICKSTORM   Main backdoor for persistence and proxy access    Used on the Egnyte appliance and the MSP’s pfSense firewall
PLENET       Backdoor deployed after the attackers returned    Found on a Synology NAS and built with .NET Native AOT
AGENTPSD     Fallback reverse shell                            Python-based utility packaged as a native Linux binary

Appliances remain a weak point for many defenders

Firewalls, VPN systems, storage sync platforms, NAS devices, and virtualization appliances often hold privileged network positions. They also tend to receive less monitoring than workstations and servers.

That gap gives attackers a useful hiding place. A compromised appliance can route traffic, collect credentials, and provide remote access while creating little forensic evidence for security teams that rely mainly on endpoint agents.

Mandiant recommends that organizations build a complete inventory of appliances, including devices that teams forgot to decommission. It also recommends hunting for outbound traffic from appliance management interfaces to domains or IP addresses that do not belong to the vendor.

Egnyte users should update and review appliance exposure

Egnyte’s public download page now lists Storage Sync 13.13 for VMware and Hyper-V. Organizations using older Storage Sync systems should review their deployment status and confirm that appliances run supported versions.

Egnyte guidance also recommends keeping Storage Sync devices updated, limiting software additions, restricting exposed services, and controlling outbound traffic to required domains and ports.

Admins should pay special attention to SSH access, sudo permissions, cron entries, and firewall rules. Volexity found that VerdantBamboo used a misconfigured sudo rule on the Egnyte appliance to gain elevated privileges and place BRICKSTORM in a protected system directory.

What organizations should check now

Security teams should treat appliance monitoring as a priority, especially for systems connected to identity services, cloud storage, VPN access, and internal file shares.

  • Review exposed firewall, VPN, NAS, storage sync, and virtualization management interfaces.
  • Require MFA for administrative access to all edge and appliance consoles.
  • Audit local and domain credentials used by MSPs and third-party administrators.
  • Inspect unusual outbound HTTPS and DNS over HTTPS traffic from appliances.
  • Review cron jobs, startup scripts, unknown binaries, and unexpected SSH access.
  • Compare appliance traffic against vendor-owned domains and normal update behavior.
  • Apply Egnyte’s security recommendations for Storage Sync systems.

The VerdantBamboo campaign shows that attackers do not need to compromise every workstation to stay inside a network. One overlooked appliance, one exposed admin interface, or one stolen MSP credential can provide enough access for a long-running espionage operation.

For defenders, the lesson is clear. Edge devices and storage appliances need the same level of inventory, access control, patching, and traffic monitoring as traditional endpoints.

FAQ

What is VerdantBamboo?

VerdantBamboo is a China-linked threat group tracked by Volexity. It is also associated with the names WARP PANDA and UNC5221 in public reporting.

What is BRICKSTORM malware?

BRICKSTORM is a backdoor used for long-term access, command execution, proxying, and file browsing on compromised systems. It is often used on appliances that lack traditional endpoint monitoring.

Why are firewalls and storage appliances attractive targets?

They often sit in privileged network locations, handle trusted traffic, and may not support EDR tools. This makes them useful places for attackers to hide and route traffic.

What should Egnyte Storage Sync users do?

They should check that Storage Sync runs a supported version, review SSH and sudo access, restrict outbound traffic, audit cron entries, and follow Egnyte’s hardening guidance.

How can organizations hunt for BRICKSTORM activity?

Teams should review appliance inventories, inspect outbound traffic from management interfaces, look for unknown binaries and persistence mechanisms, and monitor unusual DNS over HTTPS activity from appliances.
