VerdantBamboo Has Been Living in Your Firewalls for 18 Months
A PRC-linked threat actor has been sitting inside network appliances, firewalls, and storage systems across government and IT sector organizations since at least April 2024 [3]. VerdantBamboo, tracked by multiple vendors as UNC5221 (Google), Clay Typhoon (Microsoft), and Warp Panda (CrowdStrike) [2], deployed FreeBSD-compatible variants of their BRICKSTORM backdoor on devices that most security teams never put an agent on. CISA confirmed analysis of 12 BRICKSTORM samples recovered from victim environments, with the malware updated at least three times between December 2025 and February 2026 [3].
Volexity discovered the campaign during incident response in September 2025 [1]. The findings are worse than a single compromised host. VerdantBamboo compromised a managed service provider (MSP) and used that access to reach downstream victims, maintaining persistent access for approximately 18 months before anyone noticed [1]. The actor deployed purpose-built malware variants for each target platform, including two entirely new malware families: PLENET (a .NET Core backdoor compiled with Native AOT) and AGENTPSD (a Python-based reverse shell fallback) [1].
The Actor: VerdantBamboo's Track Record
VerdantBamboo has been involved in zero-day exploitation since at least 2023 [5]. The group targets legal services, SaaS providers, business process outsourcers, and technology companies, with CISA specifically noting Government Services and Information Technology as primary target sectors [3]. Their operational pattern centers on compromising edge infrastructure, the devices sitting between networks that rarely get the same security scrutiny as endpoints.
Google Cloud's threat intelligence team has separately tracked a cluster they call UNC6201, which exploited CVE-2026-22769, a zero-day in Dell RecoverPoint for Virtual Machines, since mid-2024 [4]. That cluster deployed GRIMBOLT, the same malware Volexity tracks as PLENET [1][4]. The convergence of reporting across Volexity, Google, and CISA paints a picture of a well-resourced actor running parallel campaigns against different appliance types, all with the same strategic goal: long-term, stealthy access to network infrastructure.
BRICKSTORM: From Go to Rust, From Linux to BSD
BRICKSTORM started as a Go-based ELF backdoor targeting VMware vSphere and Linux environments [3]. The actor has since rewritten portions in Rust [5], and Volexity's latest findings confirm a BSD-compatible variant running on pfSense firewalls [1]. CISA describes BRICKSTORM as providing interactive shell access, file manipulation, and SOCKS proxy capabilities [3].
The BSD variant was found at /usr/local/libexec/ipsec/blacklist on a compromised pfSense firewall belonging to the victim's MSP [1]. On Linux-based Egnyte Storage Sync appliances, BRICKSTORM was placed in /usr/sbin/ [1]. CISA also identified hard-coded file paths under /etc/sysconfig/ in analyzed samples [3].
Communications use TLS-secured WebSocket connections with session multiplexing via smux and Yamux libraries [1]. The BSD variants were obfuscated with gobfuscate, and each victim received a unique sample with no crossover between environments [1].
Initial Access: MSP Compromise and Sudo Misconfiguration
The initial foothold came through the victim's MSP. VerdantBamboo compromised the MSP's pfSense firewall and used it to access downstream client environments [1]. On the Egnyte Storage Sync appliance, the actor escalated to root through a sudo misconfiguration: an unprivileged account was permitted to run tee as root [1]. A root-level tee is an arbitrary file write, which is enough to overwrite any file on the system (sudoers, cron entries, binaries) and so amounts to full root. Egnyte addressed this vulnerability in Storage Sync version 13.13, released in March 2026 [2].
The actor accessed compromised appliances through IP addresses assigned via the victim organization's web SSL VPN [2]. Volexity assessed with high confidence that this was done to blend in with legitimate network traffic and evade Conditional Access policies [1][5].
PLENET / GRIMBOLT
PLENET represents a significant tradecraft shift. Written in C# and compiled using .NET Native AOT compilation, it produces a standalone binary with no dependency on the .NET runtime [4]. Google tracks the same malware as GRIMBOLT [1][4]. Capabilities include interactive shell, remote command execution, file manipulation, and the ability to switch C2 servers on the fly [2].
The choice of Native AOT compilation is tactically significant. The compiler emits native machine code and drops the IL and most of the runtime metadata, so the usual .NET decompilers (ILSpy, dnSpy) have nothing to recover; the binary has to be treated like any other stripped native executable, and signatures or heuristics built around managed .NET assemblies do not apply.
AGENTPSD
AGENTPSD is a Python-based reverse shell that functions as a fallback mechanism [1][2]. It was configured to connect to a different domain than BRICKSTORM, providing the actor with redundant access through separate infrastructure [5].
SLAYSTYLE
In the Dell RecoverPoint campaign, UNC6201 deployed SLAYSTYLE, a web shell delivered via a malicious WAR file through Tomcat Manager [4]. This gave the actor web-based access independent of the compiled backdoors.
Ghost NICs and Single Packet Authorization
Google's analysis of the Dell RecoverPoint exploitation revealed novel network evasion techniques. UNC6201 created "Ghost NICs," virtual network interfaces used for stealthy network pivoting that don't appear in standard network inventories [4]. The actor also used iptables rules to implement Single Packet Authorization (SPA), a technique where a specially crafted packet must be sent to the compromised host before it will accept connections on the backdoor port [4]. This means port scans and standard network reconnaissance won't reveal the implant.
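To make the SPA point concrete, here is an added example (not code from Google, Volexity or the actor) of the knock-then-open pattern in stock iptables, together with a parser that flags it in `iptables-save` output. The ruleset is an assumed reconstruction using the xt_recent module, which is the simplest way to express "open this port only after a specific packet" without a userspace daemon; the ports 31337 and 4444 and the list name KNOCK are made up.

```python
"""Find iptables single-packet-authorization (port-knock) gates in a ruleset.

Added example, not code from Google, Volexity or CISA. The Google report says
UNC6201 used iptables rules so the backdoor port only opened after a specific
packet arrived. The stock way to express that in iptables is the xt_recent
module, so the dump below is an ASSUMED reconstruction of the pattern, not the
actor's observed rules, and the ports are made up.
"""
import re
import sys
from collections import defaultdict

# Constructed `iptables-save` output. A UDP datagram to 31337 records the
# sender in the "KNOCK" list; only listed senders may reach TCP/4444, and only
# for 30 seconds. Everyone else (including a port scanner) sees 4444 closed.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 31337 -m recent --set --name KNOCK --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 4444 -m recent --rcheck --seconds 30 --name KNOCK --rsource -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4444 -j DROP
COMMIT
"""

_RULE = re.compile(r"^-A (?P<chain>\S+) (?P<body>.*)$")


def _opt(body: str, flag: str):
    """Value following an iptables option such as --dport, or None."""
    m = re.search(r"(?:^|\s)" + re.escape(flag) + r"\s+(\S+)", body)
    return m.group(1) if m else None


def find_spa_gates(dump: str):
    """Pair every xt_recent list that is populated by one rule (--set) with the
    rules that ACCEPT traffic only for members of that list (--rcheck/--update).
    Each pair is a knock-then-open gate worth a look on an appliance."""
    setters, gates = defaultdict(list), defaultdict(list)
    for line in dump.splitlines():
        m = _RULE.match(line.strip())
        if not m or "-m recent" not in m.group("body"):
            continue
        body = m.group("body")
        tokens = body.split()
        entry = {
            "chain": m.group("chain"),
            "proto": _opt(body, "-p"),
            "dport": _opt(body, "--dport"),
            "target": _opt(body, "-j"),
            "seconds": _opt(body, "--seconds"),
        }
        name = _opt(body, "--name") or "DEFAULT"  # xt_recent's default list name
        if "--set" in tokens:
            setters[name].append(entry)
        elif ("--rcheck" in tokens or "--update" in tokens) and entry["target"] == "ACCEPT":
            gates[name].append(entry)

    findings = []
    for name in sorted(setters.keys() & gates.keys()):
        for gate in gates[name]:
            for knock in setters[name]:
                findings.append({
                    "list": name,
                    "knock": f"{knock['proto']}/{knock['dport']}",
                    "gated_port": f"{gate['proto']}/{gate['dport']}",
                    "window_s": int(gate["seconds"]) if gate["seconds"] else None,
                })
    return findings


if __name__ == "__main__":
    # On a live box:  iptables-save | python3 find_spa_gates.py
    dump = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    for f in find_spa_gates(dump):
        print(f"[!] list {f['list']}: knock on {f['knock']} opens "
              f"{f['gated_port']} for {f['window_s']}s")
```

Two caveats for use. A userspace SPA daemon (fwknop-style) sniffs the knock itself and inserts a short-lived ACCEPT rule, so it shows up as transient rules rather than a static `-m recent` pair; snapshot `iptables-save` (and `nft list ruleset`) repeatedly and diff. And the gate above only hides the port from the network; on the host the listener is still visible in `ss -lntp`, which is why host-side collection matters on appliances that cannot run an agent.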
Persistence on Dell RecoverPoint was achieved by modifying convert_hosts.sh, a legitimate shell script, ensuring the backdoor survived reboots without creating obviously anomalous files [4].
IOC Table
| Type | Value | Context | Source |
|---|---|---|---|
| filename | /usr/local/libexec/ipsec/blacklist | BRICKSTORM placement on pfSense | [1] |
| filename | /usr/sbin/ | BRICKSTORM placement directory on Linux (Egnyte Storage Sync) | [1] |
| filename | convert_hosts.sh | Legitimate Dell RecoverPoint script modified for persistence | [1][4] |
| filename | /etc/sysconfig/ | Hard-coded file path found in analyzed BRICKSTORM samples | [3] |
| malware | BRICKSTORM | Go/Rust-based multi-platform backdoor | [3][5] |
| malware | PLENET | .NET Core Native AOT backdoor | [1][2] |
| malware | GRIMBOLT | Google's name for PLENET | [4] |
| malware | AGENTPSD | Python-based reverse shell fallback | [1][5] |
| malware | SLAYSTYLE | Web shell via malicious WAR file | [4] |
MITRE ATT&CK Techniques
| ID | Technique | Context |
|---|---|---|
| T1037 | Boot or Logon Initialization Scripts | Modified convert_hosts.sh for persistence on Dell RecoverPoint [4] |
| T1059.006 | Command and Scripting Interpreter: Python | AGENTPSD Python-based reverse shell [1] |
| T1078 | Valid Accounts | Access via victim's SSL VPN with legitimate credentials [2] |
| T1090 | Proxy | SOCKS proxy functionality for lateral movement [3] |
| T1199 | Trusted Relationship | MSP compromise to access downstream victims [1] |
| T1548.003 | Abuse Elevation Control Mechanism: Sudo and Sudo Caching | Sudo misconfiguration exploited for privilege escalation [1] |
| T1071.001 | Application Layer Protocol: Web Protocols | WebSocket-based C2 communications [1] |
| T1505.003 | Server Software Component: Web Shell | SLAYSTYLE deployed via Tomcat Manager [4] |
| T1190 | Exploit Public-Facing Application | CVE-2026-22769 zero-day in Dell RecoverPoint [4] |
| T1027 | Obfuscated Files or Information | gobfuscate applied to BSD variants (symbol and string obfuscation, not packing) [1] |
Detection and Hunting
BRICKSTORM's deployment on appliances without EDR coverage makes detection dependent on network telemetry and host-based forensics during incident response.
Network-level indicators:
- Monitor for WebSocket upgrade requests from appliances (firewalls, NAS, storage sync systems) to external hosts. BRICKSTORM wraps the WebSocket in TLS, so the Upgrade header is only visible where traffic is decrypted (forward proxy, TLS inspection); elsewhere, fall back to long-lived TLS sessions from these devices to external IPs. Appliances rarely initiate persistent outbound WebSocket connections on their own.
- Look for SOCKS proxy traffic patterns originating from infrastructure devices. Unusual internal-to-internal connections from a firewall or NAS warrant investigation.
- Hunt for SPA-style behavior: hosts that show no listening services on a port until a specific packet is sent, then briefly open connections.
Host-level indicators (during IR or scheduled forensics):
- Check pfSense systems for unexpected binaries in `/usr/local/libexec/ipsec/`, particularly files named `blacklist` [1].
- On Linux appliances, look for unauthorized binaries in `/usr/sbin/` and unexpected entries in `/etc/sysconfig/` [1][3].
- Audit `convert_hosts.sh` and similar legitimate maintenance scripts for modifications. Compare against known-good baselines or vendor-provided checksums [4].
- Review cron entries on all appliance types for persistence mechanisms.
- On Egnyte appliances, check sudo configurations for overly permissive rules, particularly any rule that lets an unprivileged account run `tee` (or any other file-writing utility) as root [1].
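The baseline comparison called for above is straightforward to script. What follows is an added example, not vendor or Volexity tooling: it hashes the directories the reports name, diffs the result against a saved baseline and classifies the drift. It assumes the directories are copied off the appliance (scp, or a mounted forensic image) so the hashing runs on an analyst machine; the demo file tree, its contents and the placement of `convert_hosts.sh` are constructed for the example.

```python
"""Hash-baseline integrity check for appliance directories no agent covers.

Added example, not tooling from Volexity, CISA or any appliance vendor. It
assumes you can pull the directories off the device (scp, or a mounted
forensic image) so the hashing runs on an analyst box; the three watched
paths are the ones the reports name, the demo file tree is constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Directories the reports associate with BRICKSTORM placement [1][3].
WATCH_DIRS = ("/usr/sbin", "/etc/sysconfig", "/usr/local/libexec")


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path, subdirs=WATCH_DIRS) -> dict:
    """Map absolute-style path -> sha256 for every regular file under
    root/<subdir>. `root` is "/" on the box itself or the image mount point."""
    out = {}
    for sub in subdirs:
        base = root / sub.lstrip("/")
        if not base.is_dir():
            continue
        for p in sorted(base.rglob("*")):
            if p.is_file() and not p.is_symlink():
                out["/" + p.relative_to(root).as_posix()] = sha256_file(p)
    return out


def diff_baseline(baseline: dict, current: dict) -> dict:
    """Classify drift. 'added' catches a dropped implant such as
    libexec/ipsec/blacklist; 'modified' catches a trojaned maintenance script."""
    return {
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
        "modified": sorted(k for k in current if k in baseline and current[k] != baseline[k]),
    }


def demo() -> dict:
    """Constructed scenario in a temp dir: baseline a clean tree, then plant a
    'blacklist' binary and append a line to a maintenance script, and re-scan.
    File names echo the reports; their placement here is illustrative only."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "usr/sbin").mkdir(parents=True)
        (root / "usr/local/libexec/ipsec").mkdir(parents=True)
        (root / "usr/sbin/convert_hosts.sh").write_text("#!/bin/sh\necho ok\n")
        (root / "usr/sbin/ifconfig").write_bytes(b"\x7fELF-original-bytes")
        baseline = snapshot(root)
        # simulated tampering
        (root / "usr/local/libexec/ipsec/blacklist").write_bytes(b"\x7fELF-implant-bytes")
        with (root / "usr/sbin/convert_hosts.sh").open("a") as fh:
            fh.write("/var/tmp/.cache/update &\n")
        return diff_baseline(baseline, snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Store the baseline JSON off the appliance and signed; a baseline that lives on the device is just another file the implant can rewrite. Take the first baseline from a freshly imaged or vendor-supplied firmware, not from a device that has been on the network for 18 months.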
Infrastructure hunting:
- Audit Tomcat Manager access logs on any Dell RecoverPoint systems for WAR file deployments [4].
- Review VPN authentication logs for access patterns from internal IP addresses that shouldn't be using VPN, a sign the actor is routing through compromised internal devices [2].
Analysis
VerdantBamboo is not simply porting Windows malware to other platforms. Each variant is purpose-built for its target environment, with platform-specific persistence mechanisms, unique samples per victim, and careful attention to blending with legitimate traffic [1][5]. The 18-month dwell time is not an outlier: CISA confirmed access beginning in April 2024 with persistence through at least September 2025 [3].
The tooling evolution tells its own story. BRICKSTORM is being rewritten from Go into Rust [5]. PLENET/GRIMBOLT shifted from managed .NET to Native AOT compilation. Each change makes detection and analysis harder. The deployment of AGENTPSD as a separate fallback on different infrastructure [5] shows planning for the scenario where defenders find and remove the primary implant.
The MSP compromise vector is particularly concerning. A single compromised MSP gave VerdantBamboo access to multiple downstream organizations [1]. This is a force multiplier that PRC-linked groups have used repeatedly, and defenders at organizations using MSPs should treat MSP network connections as a potential threat vector, not a trusted relationship.
Red Sheep Assessment
Confidence: High
The convergence of Volexity, Google, and CISA reporting on overlapping tooling, infrastructure, and TTPs points to a single, well-resourced PRC-sponsored program systematically targeting the gaps in enterprise security architecture. The consistent focus on appliances without EDR, the use of SPA to hide backdoor ports, the creation of Ghost NICs for network pivoting: these are not opportunistic choices. This is a deliberate strategy to exploit the fundamental assumption most organizations make, that network infrastructure devices are trusted and don't need the same monitoring as endpoints.
What the sources collectively suggest but don't state directly: VerdantBamboo likely has additional tooling and compromised appliance types that haven't been discovered yet. The actor deployed unique samples per victim [1], which means each new incident response engagement could reveal previously unknown variants. The three BRICKSTORM updates between December 2025 and February 2026 [3] indicate active, ongoing development. This campaign is not over.
A contrarian read: some might argue that the discovery and public reporting of these campaigns will force VerdantBamboo to abandon this infrastructure and retool. History suggests otherwise. This group has been burning zero-days and rebuilding toolchains since 2023 [5]. Public exposure creates a temporary operational pause, not a strategic shift. The infrastructure was briefly taken offline between September 18-23, 2025, after Volexity's initial discovery, then operations resumed [5].
Organizations running pfSense, Dell RecoverPoint, Egnyte Storage Sync, Synology NAS, or VMware vCenter/ESXi should treat this as a call to action, not a news story about someone else's problem.
Defender's Checklist
- [ ] Audit all appliance firmware and software versions. Specifically: update Egnyte Storage Sync to version 13.13 or later [2]. Check Dell RecoverPoint systems for CVE-2026-22769 patches. Review pfSense instances for unauthorized files in `/usr/local/libexec/ipsec/` [1].
- [ ] Implement integrity monitoring on network appliances. Compare critical directories (`/usr/sbin/`, `/etc/sysconfig/`, `/usr/local/libexec/`) against known-good baselines. Use scheduled hash comparisons or AIDE-style tools on Linux/BSD appliances where agents can't run.
- [ ] Hunt for WebSocket C2 in network logs. Where TLS is terminated or inspected, query proxy and firewall logs for outbound WebSocket upgrade requests originating from infrastructure devices: `http.request.headers.upgrade="websocket" AND src_zone="infrastructure"`. Firewalls and NAS devices have no business initiating long-lived outbound WebSocket sessions, so treat every hit as an incident until explained. Where traffic is not decrypted, fall back to TLS metadata: self-signed or untrusted server certificates, missing SNI, long-lived sessions to external IPs.
- [ ] Review MSP access controls. Audit all network connections from MSP-managed infrastructure. Implement network segmentation between MSP management interfaces and production networks. Monitor VPN logs for MSP credential usage from unexpected source IPs [1][2].
- [ ] Audit sudo configurations on all Linux appliances. Search for rules that let a non-root account run `tee`, `cp`, `dd` or any other file-writing utility as root without a password. Note that `sudo -l` lists only the invoking user's rules; audit the files themselves, `grep -rE 'NOPASSWD' /etc/sudoers /etc/sudoers.d/`, across all managed Linux and BSD systems [1].
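The Egnyte sudo/tee path described under Initial Access and the sudoers audit item above are both served by this added example (not Egnyte's or Volexity's code): it parses sudoers syntax and lists every rule that lets a non-root principal run a file-writing utility as root without a password. The sample sudoers text is constructed; the abuse shown in the docstring is the generic, well-known primitive, not a claim about the command the actor ran.

```python
"""Audit sudoers for file-writing commands an unprivileged account can run as root.

Added example, not Volexity's or Egnyte's code. The reports say the Egnyte
appliance let the actor run `tee` as root via sudo. Any sudo rule that hands a
non-root principal a tool that writes arbitrary files as root is the same
primitive: the generic abuse is `echo 'x ALL=(ALL) NOPASSWD:ALL' | sudo tee -a
/etc/sudoers` (a well-known pattern, not a claim about the actor's exact
command). The sudoers text below is constructed.
"""
import re
import shlex

# Binaries that write or overwrite arbitrary files, or just hand out a shell.
WRITE_PRIMITIVES = {
    "tee", "cp", "dd", "mv", "install", "rsync", "vi", "vim", "nano", "sed",
    "python", "python3", "perl", "sh", "bash", "ALL",
}

SAMPLE_SUDOERS = """\
# constructed sample, not a real appliance file
Defaults    env_reset
root     ALL=(ALL:ALL) ALL
%admin   ALL=(ALL) ALL
svcuser  ALL=(root) NOPASSWD: /usr/bin/tee
backup   ALL=(root) NOPASSWD: /usr/bin/rsync, /bin/cp
monitor  ALL=(root) NOPASSWD: /usr/bin/systemctl status *
www      ALL=(www-data) NOPASSWD: /usr/bin/tee
%wheel   ALL=(ALL) NOPASSWD: ALL
"""

# who  host=(runas) [TAG:]* commands   (aliases, Defaults and includes are skipped)
_RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$"
)


def parse_sudoers(text: str):
    """Yield (who, runas_users, nopasswd, [commands]) per user/group rule."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "@include")):
            continue
        m = _RULE.match(line)
        if not m:
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        runas_users = m.group("runas").split(":")[0]  # drop the group part
        cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
        yield m.group("who"), runas_users, "NOPASSWD" in tags, cmds


def _basename(cmd: str) -> str:
    """Program name of a sudoers command spec, e.g. '/usr/bin/tee -a' -> 'tee'."""
    if cmd == "ALL":
        return "ALL"
    return shlex.split(cmd)[0].rsplit("/", 1)[-1]


def _runs_as_root(runas_users: str) -> bool:
    users = [u.strip() for u in runas_users.split(",")]
    return runas_users.strip() == "" or any(u in ("ALL", "root") for u in users)


def risky_rules(text: str, require_nopasswd: bool = True):
    """Rules letting a non-root principal run a write primitive as root."""
    out = []
    for who, runas, nopasswd, cmds in parse_sudoers(text):
        if who == "root" or (require_nopasswd and not nopasswd):
            continue
        hits = [c for c in cmds if _basename(c) in WRITE_PRIMITIVES]
        if hits and _runs_as_root(runas):
            out.append({"who": who, "nopasswd": nopasswd, "commands": hits})
    return out


if __name__ == "__main__":
    # On a box:  cat /etc/sudoers /etc/sudoers.d/* | python3 audit_sudoers.py
    for r in risky_rules(SAMPLE_SUDOERS):
        print(f"[!] {r['who']} may run as root without a password: "
              f"{', '.join(r['commands'])}")
```

The parser deliberately ignores Cmnd_Alias and User_Alias expansion, so on a real appliance resolve aliases by hand or run `sudo -l -U <user>` per service account after the grep narrows the list. Also remember that the `www` rule is not flagged because the target user is not root; a write primitive as a non-root service account is still worth a second look if that account owns anything root later executes.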
References
[1] https://www.volexity.com/blog/2026/06/04/verdantbamboo-just-another-brickstorm-in-the-firewall/
[2] https://thehackernews.com/2026/06/verdantbamboo-deploys-bsd-variant-of.html
[3] https://www.cisa.gov/news-events/analysis-reports/ar25-338a
[4] https://cloud.google.com/blog/topics/threat-intelligence/unc6201-exploiting-dell-recoverpoint-zero-day
[5] https://www.bleepingcomputer.com/news/security/chinese-apt-deploys-new-malware-to-keep-access-to-hacked-networks/
---
Hunt Guide: Hunt Report: VerdantBamboo BRICKSTORM Infrastructure Targeting Campaign
Hypothesis: If VerdantBamboo APT is active in our environment, we expect to observe BRICKSTORM backdoor variants on BSD/Linux network appliances, WebSocket C2 communications with self-signed certificates, and persistence via cron modifications in pfSense, Egnyte, Synology, and VMware infrastructure.
Intelligence Summary: VerdantBamboo APT has deployed cross-platform BRICKSTORM backdoor variants specifically targeting network infrastructure including pfSense firewalls, Egnyte Storage Sync, Synology NAS, and VMware vCenter/ESXi systems. The campaign leverages MSP compromise for initial access, with a dwell time of roughly 18 months in the reported intrusion, using Go-based malware with TLS WebSocket C2 and SOCKS proxy capabilities.
Confidence: High | Priority: Critical
Scope
- Networks: All network infrastructure devices including pfSense firewalls, Egnyte appliances, Synology NAS, VMware vCenter/ESXi, and any BSD/Linux-based network appliances
- Timeframe: Initial sweep: 24 months historical (the reported intrusion ran about 18 months), Ongoing: Real-time monitoring
- Priority Systems: Perimeter firewalls (pfSense), virtualization infrastructure (VMware), storage appliances with external access (Egnyte, Synology), MSP management interfaces
MITRE ATT&CK Techniques
T1053.003 — Scheduled Task/Job - Cron (Persistence) [P1]
BRICKSTORM-associated persistence on network appliances via cron entries customized for each platform. This is cron persistence, T1053.003, not a web shell; T1505.003 applies to SLAYSTYLE on Dell RecoverPoint.
Splunk SPL:
index=* (sourcetype=linux_secure OR sourcetype=syslog) ("crontab" OR "cron" OR "/etc/cron*") ("REPLACE" OR "LIST" OR "EDIT") | stats count min(_time) as first_seen max(_time) as last_seen by host user
Elastic KQL:
event.module:auditd AND (process.name:crontab OR process.args:*cron*) AND (event.action:"opened-file" OR event.action:"changed-file-attributes-of")
Sigma Rule:
```yaml
title: BRICKSTORM Cron Persistence Detection
id: a7c3f0d2-8e4b-4c5d-9f1a-2b3c4d5e6f70
status: experimental
author: RedSheep Security/Stone
description: Detects cron file modifications on network appliances, a persistence path associated with BRICKSTORM
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'SYSCALL'
        syscall:
            - 'open'
            - 'openat'
        comm:
            - 'crontab'
            - 'vi'
            - 'nano'
        path|contains:
            - '/etc/cron'
            - '/var/spool/cron'
    condition: selection
falsepositives:
    - Legitimate administrative cron modifications
level: high
tags:
    - attack.persistence
    - attack.t1053.003
```
Monitor for cron modifications on network appliances that typically have static configurations. Baseline normal cron activity per appliance type.
T1090.001 — Proxy - Internal Proxy (Command and Control) [P2]
BRICKSTORM implements SOCKS proxy functionality for lateral movement and tunneling with minimal telemetry
Splunk SPL:
index=* (sourcetype=stream:tcp OR sourcetype=bro:conn:json) (dest_port=1080 OR dest_port=8080 OR dest_port=3128) bytes_out>10000 | stats sum(bytes_out) as total_bytes values(dest_ip) as proxy_servers by src_ip | where total_bytes > 1000000
Elastic KQL:
network.transport:tcp AND (destination.port:1080 OR destination.port:8080 OR destination.port:3128) AND network.bytes > 10000
Sigma Rule:
```yaml
title: SOCKS Proxy Activity from Network Appliance
id: b8d4f1c3-9a5e-4d6f-8a1b-3c4d5e7f8a9b
status: experimental
author: Volexity
description: Detects connections to SOCKS/HTTP proxy ports initiated from internal address space; scope the source list to firewall, storage and virtualization appliances, which should never originate proxy traffic
logsource:
    category: network_connection
    product: linux
detection:
    selection:
        initiated: true
        src_ip|cidr:
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
        dst_port:
            - 1080
            - 8080
            - 3128
    condition: selection
falsepositives:
    - Legitimate internal proxy servers and clients configured to use them
level: high
```
Focus on SOCKS proxy connections from firewall, storage, and virtualization appliances which should not typically proxy traffic
T1071.001 — Application Layer Protocol - Web Protocols (Command and Control) [P1]
BRICKSTORM uses TLS-secured WebSocket communications with multiplexing using smux and Yamux libraries
Splunk SPL:
index=* (sourcetype=suricata OR sourcetype=zeek:ssl) (tls.subject="CN=*" OR tls.issuer="CN=*") tls.version="TLS 1.2" | regex tls.subject="^CN=[0-9a-f]{8,}" | stats count by src_ip dest_ip tls.subject
Elastic KQL:
event.dataset:zeek.ssl AND tls.server.subject:CN\=* AND tls.version:"1.2" AND NOT tls.server.issuer:*O\=*
Look for self-signed certificates (issuer equal to subject, no organization in the issuer) presented to appliances, and for WebSocket upgrade headers where traffic is decrypted. The 2048-bit RSA key size is not in ssl.log; join on the certificate fingerprint against Zeek's x509.log (certificate.key_length) if you want that filter.
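Both the network-level indicators in Detection and Hunting and this T1071.001 hunt come down to the same question: what TLS does an appliance initiate to the outside, and what certificate does it get back. This added example (not Volexity's, Google's or CISA's code) runs that check over a Zeek ssl.log. The appliance IP list and the log lines are constructed, and the column subset assumes certificate validation is enabled in Zeek.

```python
"""Hunt a Zeek ssl.log for appliance-originated TLS that fits the C2 profile.

Added example, not from Volexity, Google or CISA. The reports say the implant
speaks TLS-wrapped WebSocket to external infrastructure, and the hunt guide
expects self-signed server certificates. Without TLS interception the Upgrade
header is invisible, so this works from what Zeek logs anyway: which internal
host connected to which external host, the SNI, and the certificate subject,
issuer and validation result. The appliance IP list and log lines are
constructed; the column subset assumes ssl.log with certificate validation
enabled (the key size the hunt guide mentions lives in x509.log, not here).
"""
import ipaddress

# Assumption: your firewall / NAS / vCenter management addresses, from the CMDB.
APPLIANCE_IPS = {"10.0.0.1", "10.0.5.20"}

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed Zeek ssl.log excerpt (tab-separated, reduced column set).
SAMPLE_SSL_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\tserver_name\tsubject\tissuer\tvalidation_status",
    "1720000001.1\t10.0.0.1\t203.0.113.10\t443\t-\tCN=3f9a2c1b7e\tCN=3f9a2c1b7e\tself signed certificate",
    "1720000002.2\t10.0.0.1\t10.0.0.50\t443\tvpn.corp.internal\tCN=vpn.corp.internal\tCN=Corp Issuing CA\tok",
    "1720000003.3\t10.0.9.9\t198.51.100.7\t443\tupdates.example\tCN=updates.example\tCN=Example CA\tok",
    "1720000004.4\t10.0.5.20\t198.51.100.20\t8443\tsync.example\tCN=sync.example\tCN=sync.example\tself signed certificate",
    "1720000005.5\t10.0.5.20\t93.184.216.34\t443\tcdn.example\tCN=cdn.example\tCN=Example CA\tok",
])


def parse_zeek_tsv(text: str):
    """Yield one dict per record, keyed by the names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def suspicious_tls(text: str, appliances=APPLIANCE_IPS):
    """Rows where an appliance opened TLS to an external host and the server
    presented a self-signed or unverifiable certificate, or no SNI was sent
    (the client connected straight to an IP). Each signal alone is weak;
    an appliance hitting several is a lead, not a verdict."""
    hits = []
    for row in parse_zeek_tsv(text):
        if row["id.orig_h"] not in appliances or not is_external(row["id.resp_h"]):
            continue
        reasons = []
        if row["issuer"] == row["subject"]:
            reasons.append("self-signed")
        if row.get("validation_status", "ok") != "ok":
            reasons.append("untrusted-chain")
        if row["server_name"] in ("-", ""):
            reasons.append("no-sni")
        if reasons:
            hits.append({"src": row["id.orig_h"],
                         "dst": f"{row['id.resp_h']}:{row['id.resp_p']}",
                         "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in suspicious_tls(SAMPLE_SSL_LOG):
        print(f"[!] {h['src']} -> {h['dst']}: {', '.join(h['reasons'])}")
```

Join the hits against conn.log on `uid` to add session duration and byte counts: a multiplexed C2 channel stays up for hours and carries traffic in both directions, which separates it from a short certificate-validation failure against a misconfigured vendor update server.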
T1053.003 — Scheduled Task/Job - Cron (Execution) [P2]
BRICKSTORM uses cron jobs for execution and persistence on BSD and Linux systems
Splunk SPL:
index=* ((sourcetype=linux_audit type=EXECVE a0="/usr/bin/crontab") OR (sourcetype=syslog facility=cron)) | rex field=_raw "CMD\s*\((?<cron_cmd>[^\)]+)" | search cron_cmd=*websocket* OR cron_cmd=*proxy* OR cron_cmd=*/tmp/* OR cron_cmd=*/dev/shm/*
Elastic KQL:
(process.name:crontab AND process.args:("-e" OR "-r")) OR (event.module:system AND process.name:cron AND message:*CMD*)
Alert on new cron entries containing suspicious paths (/tmp, /dev/shm) or network-related commands
T1583.006 — Acquire Infrastructure - Web Services (Resource Development) [P2]
VerdantBamboo leverages Cloudflare Workers and dynamic DNS services for C2 infrastructure
Splunk SPL:
index=* (sourcetype=bro:dns:json OR sourcetype=stream:dns) query_type=A (query=*.workers.dev OR query=*.duckdns.org OR query=*.no-ip.* OR query=*.dynv6.*) | stats count by query src_ip | where count > 10
Elastic KQL:
dns.question.name:*.workers.dev OR dns.question.name:*.duckdns.org OR dns.question.name:*.no-ip.* OR dns.question.name:*.dynv6.*
Monitor for resolution of dynamic DNS and Cloudflare Workers domains from infrastructure devices
T1573.002 — Encrypted Channel - Asymmetric Cryptography (Command and Control) [P1]
BRICKSTORM wraps its WebSocket channel in TLS, and the hunt guide expects self-signed server certificates. TLS with an X.509 certificate is asymmetric key exchange, so the technique is T1573.002, not T1573.001.
Splunk SPL:
index=* sourcetype=suricata event_type=tls NOT tls.sni=* | regex dest_ip!="^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)" | stats count values(tls.subject) as subjects values(tls.issuerdn) as issuers by src_ip dest_ip
Elastic KQL:
event.dataset:suricata.eve AND event.category:network AND tls.version:* AND NOT tls.client.server_name:* AND NOT destination.ip:(10.0.0.0/8 OR 172.16.0.0/12 OR 192.168.0.0/16)
Focus on TLS sessions from appliances to external IP addresses with no SNI: a client that connects to a hard-coded IP sends none, and SNI cannot carry an IP literal. 8.8.8.8 is Google's public resolver, not attacker infrastructure. TLS to it from an appliance means the device is doing DNS-over-HTTPS or DoT, which is worth asking about because the hunt guide associates DoH resolution with BRICKSTORM, but it is not an indicator on its own.
Indicators of Compromise
| Type | Value | Context |
|---|---|---|
| ip | 8.8.8.8 | Google Public DNS resolver. The hunt guide attributes DNS-over-HTTPS resolution of C2 domains to BRICKSTORM; hunt on which appliances open TLS to it, but do not block it or treat the IP itself as malicious |
IOC Sweep Queries (Splunk):
index=* dest_ip=8.8.8.8 (dest_port=443 OR dest_port=853) src_category!=dns_server | stats count by src_ip app protocol
YARA Rules
BRICKSTORM_Go_Variant — Detects BRICKSTORM Go-based backdoor with WebSocket and SOCKS proxy capabilities
```yara
rule BRICKSTORM_Go_Variant {
    meta:
        description = "Detects BRICKSTORM backdoor Go variant with WebSocket multiplexing (triage rule; expect hits on legitimate Go network tools)"
        author = "RedSheep Security/Stone"
        date = "2024-12-20"
        reference = "VerdantBamboo Campaign Analysis"
    strings:
        // Go import paths survive in the binary unless the build was obfuscated
        $go1 = "github.com/xtaci/smux" ascii
        $go2 = "github.com/hashicorp/yamux" ascii
        $go3 = "websocket.Dial" ascii
        $go4 = "SOCKS" ascii wide              // generic, never sufficient alone
        $go5 = {67 6F 62 66 75 73 63 61 74 65} // "gobfuscate"; an obfuscated build usually strips this
        // function names below are not documented in the cited reports; treat as weak hints
        $func1 = "StartSocksProxy" ascii
        $func2 = "WebSocketConnect" ascii
        $func3 = "TLSConfig" ascii
        $hex1 = {48 54 54 50 2F 31 2E 31 20 31 30 31 20 53 77 69 74 63 68 69 6E 67 20 50 72 6F 74 6F 63 6F 6C 73} // "HTTP/1.1 101 Switching Protocols"
    condition:
        // ELF only: the samples CISA and Volexity describe are Linux/FreeBSD ELF, not PE
        uint32(0) == 0x464C457F and
        filesize < 10MB and
        (
            2 of ($go*) or
            2 of ($func*) or
            ($go3 and $hex1) or
            ($go1 and $go4)
        )
}
```
BRICKSTORM_Rust_Variant — Detects Rust-compiled BRICKSTORM variant from CISA December 2025 update
```yara
rule BRICKSTORM_Rust_Variant {
    meta:
        description = "CISA BRICKSTORM Rust variant signatures (broad: matches most Rust network binaries carrying a WebSocket URL scheme; triage only)"
        author = "CISA"
        date = "2025-12-01"
        reference = "CISA December 2025 BRICKSTORM Update"
    strings:
        $rust1 = "cargo" ascii                    // toolchain artefacts present in nearly every Rust binary
        $rust2 = "rustc" ascii
        $rust3 = {72 75 73 74 5F 70 61 6E 69 63}  // "rust_panic"
        $ws1 = "ws://" ascii
        $ws2 = "wss://" ascii
        $socks = {53 4F 43 4B 53}                 // "SOCKS"
        $cert = "-----BEGIN CERTIFICATE-----" ascii // embedded certificate or CA bundle
    condition:
        uint32(0) == 0x464C457F and // ELF magic 7F 45 4C 46 read little-endian
        filesize < 20MB and
        (
            2 of ($rust*) and
            (1 of ($ws*) or $socks or $cert)
        )
}
```
Suricata Rules
SID 1000001 — Possible BRICKSTORM WebSocket C2 Upgrade (cleartext or decrypted traffic only)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL MALWARE Possible BRICKSTORM WebSocket C2 Upgrade from internal host"; flow:established,to_server; http.method; content:"GET"; http.header; content:"Upgrade|3a 20|websocket"; nocase; http.header; content:"Connection|3a 20|Upgrade"; nocase; http.header; content:"Sec-WebSocket-Version|3a 20|13"; threshold:type limit, track by_src, count 1, seconds 3600; reference:url,www.volexity.com/blog/2026/06/04/verdantbamboo-just-another-brickstorm-in-the-firewall/; classtype:trojan-activity; sid:1000001; rev:2;)
BRICKSTORM's WebSocket rides inside TLS, so Suricata only sees the Upgrade request where TLS is terminated upstream or decrypted traffic is fed to the sensor. Set $HOME_NET to the appliance management subnets, otherwise every browser WebSocket in the estate will fire this. The SID is in the local range; this is not an Emerging Threats rule.
SID 1000002 — DNS-over-HTTPS to dns.google from an internal host (BRICKSTORM hunt)
alert tls $HOME_NET any -> 8.8.8.8 443 (msg:"LOCAL POLICY DNS-over-HTTPS to dns.google from internal host (BRICKSTORM hunt)"; flow:established,to_server; tls.sni; content:"dns.google"; threshold:type threshold, track by_src, count 5, seconds 60; reference:url,www.volexity.com/blog/2026/06/04/verdantbamboo-just-another-brickstorm-in-the-firewall/; classtype:policy-violation; sid:1000002; rev:2;)
This is a policy signal, not a malware signature: it fires on any host using Google's DoH resolver. It earns its place only when $HOME_NET is restricted to appliances that have no business resolving names over HTTPS.
Data Source Requirements
| Source | Required For | Notes |
|---|---|---|
| Linux Auditd | T1053.003 | Required on all Linux-based network appliances including Egnyte and Synology |
| BSD System Logs | T1053.003 | Critical for pfSense and other BSD-based firewall monitoring |
| Network Traffic Flow | T1090.001, T1071.001, T1583.006 | NetFlow/IPFIX collection from infrastructure devices |
| SSL/TLS Inspection | T1071.001, T1573.002 | TLS visibility (at minimum certificate and SNI metadata; decryption for WebSocket upgrade headers) |
| DNS Query Logs | T1071.001, T1583.006 | DNS logging including DoH traffic analysis |
| VMware vCenter Logs | T1505.003 | vCenter and ESXi logs for detecting compromise of virtualization infrastructure |