VerdantBamboo uses BSD BRICKSTORM to breach MSPs, NAS

A China-linked group used a BSD BRICKSTORM implant to infect an MSP’s pfSense firewall, exploit an Egnyte Storage Sync flaw to reach Microsoft 365, and install PLENET and AGENTPSD on a Synology NAS.

Volexity discovered the intrusion during an incident response engagement in September 2025 and traced the initial breach to an Egnyte Storage Sync appliance that attackers exploited using a local privilege escalation flaw. Egnyte fixed the flaw in Storage Sync version 13.13, released in March 2026. Volexity assessed that the initial compromise began at least 18 months earlier.

Attackers used the appliance’s proxying feature along with stolen credentials to route activity into the victim’s Microsoft 365 environment. Volexity found the proxying and stolen credentials were combined to blend malicious activity with legitimate traffic and bypass Conditional Access controls.

After the organization carried out remediation, the actor returned by using administrative credentials to log into the customer’s firewall. The actor configured web SSL VPN access on the device, moved laterally to other systems and maintained access.

Further investigation showed the group’s access extended to a Managed Services Provider. The MSP’s pfSense firewall was infected with a BSD-compiled variant of the BRICKSTORM backdoor around the same time the Storage Sync system was breached. Volexity traced access paths that linked the compromised MSP to the downstream victim.

The actor pushed additional malware to a Synology NAS over SSH. One implant, PLENET (also called GRIMBOLT), is a cross-platform backdoor written in .NET Core and observed as a native ahead-of-time (AOT) compiled binary. PLENET provides an interactive shell, remote command execution, file manipulation, and the ability to switch command-and-control servers. The other implant, AGENTPSD, is a Python-based reverse shell likely used as a fallback.

Volexity attributed the campaign to a cluster it tracks as VerdantBamboo and noted overlaps with groups tracked as Clay Typhoon, UNC5221 and Warp Panda. The report links PLENET activity to earlier attacks this year in which another cluster exploited a high-severity Dell RecoverPoint for Virtual Machines vulnerability, CVE-2026-22769.

Researchers observed disciplined operational behavior, including use of a small set of domains and IP addresses per victim and customized implant names and persistence methods on a per-device basis.

In its report Volexity wrote: “VerdantBamboo is a highly sophisticated threat actor that seeks to leverage a combination of living-off-the-land techniques and malware deployment on systems that traditionally do not or cannot run EDR software.” The researchers added that the group demonstrated detailed knowledge of proprietary appliances and deployed customized persistence mechanisms.

Volexity noted the campaign highlights risks tied to appliance and MSP compromises, where attackers can use device features and stolen credentials to maintain access and move between client environments.