VerdantBamboo Actor Leverages BRICKSTORM Malware in Long-Term Compromise of MSP and Customer
Volexity details how the VerdantBamboo (WARP PANDA) threat actor maintained a persistent presence for at least 18 months, compromising a customer's Egnyte Storage Sync appliance and the customer's MSP's pfSense firewall with BRICKSTORM malware.

Volexity has uncovered a sophisticated and long-term cyberespionage campaign orchestrated by the threat actor tracked as VerdantBamboo, also known as WARP PANDA or UNC5221. The campaign, which has been ongoing for at least 18 months, involved the compromise of a customer's Egnyte Storage Sync appliance and, critically, a pfSense firewall belonging to the customer's Managed Services Provider (MSP).
The initial discovery occurred in September 2025, when suspicious network traffic was observed originating from a Linux-based Egnyte Storage Sync virtual machine. Volexity's investigation revealed that the appliance was communicating with a threat-actor-controlled domain fronted by Cloudflare IP addresses, and that it resolved that domain over DNS over HTTPS (DoH) rather than through the organization's resolvers, keeping the lookups out of conventional DNS logs. Further analysis confirmed the presence of BRICKSTORM, a known backdoor, on the compromised system. VerdantBamboo used BRICKSTORM's proxying capability together with stolen credentials to reach the victim's Microsoft 365 environment from inside the network, so that the access blended in with legitimate traffic and bypassed controls tied to external source addresses.
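The detection opportunity in that paragraph is the appliance's use of DoH: a server that resolves names through a public DoH endpoint and never touches the internal resolver has no footprint in DNS logs, and its TLS peers are the next pivot. The following is an added example written for this page, not Volexity's tooling; it runs over a constructed set of connection records shaped like a simplified Zeek conn/ssl join, and the DoH endpoint list, the internal resolver address and the CDN range are hypothetical (replace them with your environment's values and the CDN's published ranges).

```python
"""Flag hosts that resolve names via DoH instead of the internal resolver.

Added example (not Volexity's code). Records are (src_ip, dst_ip, dst_port,
proto, tls_sni); the sample list is constructed for illustration.
"""
import ipaddress
from collections import defaultdict

# Hypothetical: well-known public DoH endpoints, matched by TLS SNI or by IP.
DOH_SNI = {"cloudflare-dns.com", "one.one.one.one", "dns.google", "dns.quad9.net"}
DOH_IPS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}
INTERNAL_RESOLVER = "10.0.0.53"          # hypothetical internal DNS server
# Illustrative CDN prefix only; use the provider's published list in practice.
CDN_RANGES = [ipaddress.ip_network("104.16.0.0/13")]

# Constructed sample records: (src, dst, dport, proto, sni)
SAMPLE = [
    ("10.0.5.20", "10.0.0.53", 53, "udp", ""),                      # workstation, normal DNS
    ("10.0.5.20", "142.250.80.46", 443, "tcp", "www.google.com"),
    ("10.0.9.7", "1.1.1.1", 443, "tcp", "cloudflare-dns.com"),       # appliance -> DoH
    ("10.0.9.7", "104.21.33.10", 443, "tcp", "cdn-assets.example"),  # appliance -> CDN-fronted peer
    ("10.0.9.7", "104.21.33.10", 443, "tcp", "cdn-assets.example"),
    ("10.0.7.3", "8.8.8.8", 443, "tcp", "dns.google"),               # host using DoH ...
    ("10.0.7.3", "10.0.0.53", 53, "udp", ""),                        # ... but also internal DNS
]


def is_doh(rec):
    """True when the record is an HTTPS connection to a known DoH endpoint."""
    src, dst, dport, proto, sni = rec
    return proto == "tcp" and dport == 443 and (sni in DOH_SNI or dst in DOH_IPS)


def find_doh_hosts(records):
    """Map each source that used DoH to the set of DoH endpoints it contacted."""
    hits = defaultdict(set)
    for rec in records:
        if is_doh(rec):
            hits[rec[0]].add(rec[4] or rec[1])
    return dict(hits)


def find_dns_blind_spots(records):
    """Hosts that use DoH and never query the internal resolver.

    Their name resolution is invisible to DNS logging, which is exactly the
    gap an appliance backdoor exploits; these deserve the first look.
    """
    doh_hosts = find_doh_hosts(records)
    uses_internal = {r[0] for r in records
                     if r[1] == INTERNAL_RESOLVER and r[2] == 53}
    return sorted(h for h in doh_hosts if h not in uses_internal)


def behind_cdn(ip):
    """True if the peer address falls inside one of the configured CDN ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CDN_RANGES)


def peers_of(records, src):
    """Non-DoH TLS destinations of a host, with SNI and a CDN-fronting flag,
    to pivot into once a DoH hit has singled the host out."""
    return sorted({(r[1], r[4], behind_cdn(r[1]))
                   for r in records if r[0] == src and r[2] == 443 and not is_doh(r)})


if __name__ == "__main__":
    for host in find_dns_blind_spots(SAMPLE):
        print(host, "DoH via", find_doh_hosts(SAMPLE)[host], "peers", peers_of(SAMPLE, host))
```

On the constructed data only the appliance at 10.0.9.7 is reported: it uses DoH, never talks to the internal resolver, and its remaining TLS peer sits in the CDN range with an innocuous-looking SNI, the same shape as the traffic Volexity describes. The host at 10.0.7.3 also uses DoH but still queries the internal resolver, so it is listed as a DoH user but not as a blind spot; whether that is acceptable depends on local policy for servers.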
The timeline of the compromise extended well beyond the initial discovery: Volexity found evidence that the initial breach had occurred at least 18 months before the engagement. Even after remediation, VerdantBamboo regained access by logging into the victim's firewall with stolen administrative credentials. That access was used to re-enable web SSL VPN access, which in turn provided a path back into the internal network and allowed additional custom malware to be deployed on a Synology NAS appliance.
A crucial element of VerdantBamboo's operation was the compromise of the victim organization's MSP. Working with the MSP, Volexity identified malicious traffic emanating from the MSP's network and found that the MSP's pfSense firewall had been compromised with a BSD variant of BRICKSTORM, likely serving as the initial entry point into the customer's environment. In effect this was an attack through a trusted service provider: the MSP's own infrastructure became the pivot point into the customer.
Forensic analysis of both the Egnyte Storage Sync system and the pfSense firewall yielded multiple samples of the BRICKSTORM backdoor. A BRICKSTORM sample was also found on a legacy Linux-based GroupWise server, showing the actor's persistence and broad reach within the victim's network, including systems no longer in active use but still reachable.
Beyond BRICKSTORM, VerdantBamboo deployed two previously undocumented malware families. PLENET, a .NET Core malware compiled to native code, was observed targeting Linux systems and is referred to as "GRIMBOLT" by Google Cloud. The second new family, AGENTPSD, is Python-based malware bundled into a single binary with PyInstaller and designed to act as a fallback if the primary backdoor failed.
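A PyInstaller-built binary such as the one described above can be recognized without running it: PyInstaller appends its archive to the bootloader executable and ends it with a fixed cookie whose magic is `MEI\014\013\012\013\016`, followed by the archive length, table-of-contents offset and length, an encoded Python version and the name of the Python shared library. The function below is an added triage example for this page, not Volexity's tooling and not AGENTPSD; the "binaries" it inspects are constructed byte strings, and the version-number decoding is an assumption about how recent PyInstaller releases encode it.

```python
"""Triage heuristic: is this file a PyInstaller-built executable, and which
Python did it bundle?  Added example; input samples are constructed bytes.
"""
import struct

PYINSTALLER_MAGIC = b"MEI\014\013\012\013\016"
# Cookie layout from PyInstaller's archive reader:
# magic[8], uint32 len, uint32 toc_offset, int32 toc_len, int32 pyvers, char pylib[64]
COOKIE_FMT = "!8sIIii64s"
COOKIE_LEN = struct.calcsize(COOKIE_FMT)   # 88 bytes


def pyinstaller_cookie(data: bytes):
    """Return the parsed cookie as a dict, or None if no PyInstaller archive is found."""
    pos = data.rfind(PYINSTALLER_MAGIC)     # cookie sits at the tail of the archive
    if pos < 0 or pos + COOKIE_LEN > len(data):
        return None
    magic, pkg_len, toc_off, toc_len, pyvers, pylib = struct.unpack(
        COOKIE_FMT, data[pos:pos + COOKIE_LEN])
    # Assumption: recent PyInstaller stores major*100+minor (e.g. 311 for 3.11);
    # older bootloaders stored two digits (e.g. 27, 36).
    version = f"{pyvers // 100}.{pyvers % 100}" if pyvers >= 100 else f"{pyvers // 10}.{pyvers % 10}"
    return {
        "archive_len": pkg_len,
        "toc_offset": toc_off,
        "toc_len": toc_len,
        "python": version,
        "pylib": pylib.rstrip(b"\0").decode("ascii", "replace"),
        "cookie_offset": pos,
    }


def build_sample(pyvers: int, pylib: bytes) -> bytes:
    """Construct a fake ELF-looking blob with a PyInstaller cookie appended (test data only)."""
    payload = b"\x7fELF" + b"\0" * 60 + b"PYZ-00.pyz fake payload"
    cookie = struct.pack(COOKIE_FMT, PYINSTALLER_MAGIC, len(payload) + COOKIE_LEN,
                         16, 200, pyvers, pylib)
    return payload + cookie


if __name__ == "__main__":
    print(pyinstaller_cookie(build_sample(311, b"libpython3.11.so.1.0")))
    print(pyinstaller_cookie(b"\x7fELF" + b"\0" * 100))   # plain binary: None
```

A positive hit tells the analyst which Python runtime to expect when unpacking the archive, and the table-of-contents offset and length give the next structure to parse; a miss does not rule out a Python payload packed another way.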
The attack chain began with SSH access to the appliance using a default Egnyte service account, with credentials likely obtained from the MSP. The actor then deployed AGENTPSD and BRICKSTORM. Routing the SSH connections through the victim's own SSL VPN further obscured the activity, since the sessions appeared to come from an internal source. The actor's ability to write to root-owned directories on the Egnyte system from that service account indicates that it abused a permissive sudo configuration rather than a software vulnerability.
This campaign highlights VerdantBamboo's capabilities: long-term persistence, compromise of a trusted service provider, and the development and deployment of custom malware. The actor's ability to retain access for more than 18 months and to pivot between systems and organizations underscores the persistent threat posed by well-resourced espionage actors.