VYPR Research · Published Jun 5, 2026 · 1 source

Chinese APT UNC5221 Deploys New Malware to Maintain Persistent Access in Microsoft 365 Environments

Chinese espionage group UNC5221, also known as VerdantBamboo, is leveraging the Brickstorm backdoor alongside new malware like Plenet and AgentPSD to achieve long-term access to compromised Microsoft 365 environments.

A sophisticated Chinese espionage group, identified as UNC5221 and also tracked as VerdantBamboo, has been discovered maintaining persistent access within compromised Microsoft 365 environments. The threat actor employs a multi-stage approach, utilizing the advanced Brickstorm backdoor and two previously undocumented malware strains, Plenet and AgentPSD, to achieve its espionage objectives. This discovery highlights the ongoing and evolving threat posed by state-sponsored actors targeting cloud infrastructure.

Investigations revealed that UNC5221 had infiltrated the victim network at least 18 months prior to detection, and that the victim's managed services provider (MSP) had been compromised over a similar timeline. This prolonged presence allowed the group to embed itself deeply within the target's infrastructure. UNC5221 has been active since at least 2023, is known for exploiting zero-day vulnerabilities in edge devices, and has previously been linked to attacks on sectors including legal services, SaaS providers, and technology companies.

The Brickstorm backdoor, described as an "advanced malware implant," has been a key tool for UNC5221. Initial variants were developed in Golang, with later versions emerging in Rust. Google has documented UNC5221's use of this backdoor on multiple occasions, noting its deployment against VMware vSphere servers and Dell RecoverPoint for Virtual Machines. CISA has also issued warnings regarding its use by Chinese hackers.

In one notable incident, researchers from Volexity observed VerdantBamboo compromising an Egnyte Storage Sync system and accessing it via the victim's web SSL VPN. Using Brickstorm's proxying capabilities and stolen credentials, the attackers gained access to the organization's Microsoft 365 environment. Volexity assessed that this method was likely chosen to blend in with legitimate network traffic and bypass security controls like Conditional Access policies.

Compounding the breach, VerdantBamboo managed to re-compromise the victim's network even after remediation efforts were completed. In this second intrusion, the attackers used stolen credentials to re-establish SSL VPN access through the victim's firewall, then deployed the custom malware Plenet to a Synology NAS appliance. This second compromise also extended to the victim's MSP, where a BSD variant of Brickstorm was found on a pfSense firewall, indicating that the attackers had compromised the MSP's infrastructure at least 18 months earlier.

Plenet, also known as "Grimbolt," is a cross-platform .NET-based backdoor offering extensive capabilities, including interactive shell access, remote command execution, file manipulation, and dynamic command-and-control (C2) server switching. Researchers noted its design similarities to Brickstorm, particularly its use of the WebSocket protocol for C2 communications and a multiplexing library for efficient data transfer.

AgentPSD, a simpler Python-based reverse shell, was likely deployed as a fallback persistence mechanism. While configured to communicate with a different C2 domain than Brickstorm, it was never actively used, suggesting it was a secondary option should the primary malware become inaccessible. The threat actor's infrastructure, identified through C2 communication patterns, was quickly taken offline by the attackers, possibly in response to increased scrutiny following Google's concurrent report on Brickstorm activity.

Volexity characterizes VerdantBamboo/UNC5221 as a highly sophisticated threat actor adept at blending living-off-the-land techniques with custom malware. Their targets often include systems lacking robust endpoint detection and response (EDR) solutions, allowing for stealthier operations. The group's persistent focus on espionage and their ability to maintain long-term access underscore the critical need for continuous monitoring and advanced threat detection capabilities within cloud environments.

Synthesized by Vypr AI