VerdantBamboo: Just Another BRICKSTORM in the Firewall

June 8, 2026, 8:54 a.m.

Description

The Chinese threat actor VerdantBamboo compromised a victim organization and its Managed Services Provider (MSP) over an 18-month period, deploying malware on network edge devices that lacked EDR coverage. The initial breach involved an Egnyte Storage Sync system, where the attackers exploited a sudo misconfiguration for privilege escalation and installed the BRICKSTORM backdoor together with the AGENTPSD fallback implant. The investigation revealed that the MSP's pfSense firewall was also compromised, with a FreeBSD variant of BRICKSTORM. After remediation, VerdantBamboo regained access through stolen firewall credentials, which enabled custom VPN access and the deployment of the PLENET backdoor on a Synology NAS. The threat actor used the compromised systems as proxies to access Microsoft 365 environments while evading security controls. VerdantBamboo demonstrated operational discipline by targeting appliances without EDR capabilities and by using sophisticated malware, including PLENET, which was compiled with .NET Native AOT to hinder analysis.

Date

  • Created: June 5, 2026, 6:07 p.m.
  • Published: June 5, 2026, 6:07 p.m.
  • Modified: June 8, 2026, 8:54 a.m.

Indicators


Attack Patterns

Additional Information
