VerdantBamboo's BRICKSTORM Campaign: BSD Variants Target Network Infrastructure
VerdantBamboo, the APT group behind multiple campaigns, has deployed FreeBSD-compatible variants of their BRICKSTORM backdoor specifically targeting network appliances. This campaign, discovered by Volexity during incident response in September 2025, reveals how advanced persistent threat actors are adapting their tools for infrastructure penetration with extended dwell times averaging 18 months.
The discovery reveals BRICKSTORM running on BSD-based systems like pfSense firewalls, as well as Linux appliances including Egnyte Storage Sync systems. This multi-platform approach suggests VerdantBamboo is engineering purpose-built variants for specific environments.
What Makes This BRICKSTORM Campaign Significant
The campaign demonstrates sophisticated operational security with customized malware variants for each target environment. According to multiple security vendors, BRICKSTORM is a Go-based backdoor with SOCKS proxy functionality that enables lateral movement with minimal telemetry generation.
Key technical capabilities confirmed by security researchers include:
- TLS-secured WebSocket communications with multiplexing using smux and Yamux libraries
- Cron-based persistence mechanisms customized for each target appliance
- SOCKS proxy functionality enabling tunneling and lateral movement
- Cross-platform variants for Linux, Windows, and BSD-based systems
The malware has been observed on pfSense firewalls, Egnyte Storage Sync appliances, Synology NAS devices, and VMware vCenter/ESXi systems. This focus on infrastructure components rather than desktop systems shows tactical thinking about establishing persistent access.
VerdantBamboo's Strategic Infrastructure Play
This deployment pattern reveals the threat actor's strategy: establish footholds in network infrastructure for long-term persistence. The group compromised a managed service provider (MSP) to gain access to downstream victims, maintaining access for at least 18 months before discovery.
Confirmed targets include:
- pfSense firewalls at compromised MSPs
- Egnyte Storage Sync appliances exploited via sudo misconfiguration
- Synology NAS devices accessed with stolen credentials
- VMware vCenter and ESXi systems targeted for lateral movement
Detection Challenges and Operational Security
BRICKSTORM presents unique detection challenges. The malware is specifically designed for systems that lack traditional endpoint security tools and exploits the limited logging capabilities of network appliances.
The threat actor demonstrated sophisticated operational security by:
- Using obfuscation tools like gobfuscate on BSD variants
- Deploying unique malware samples per victim with no crossover
- Leveraging legitimate infrastructure including Cloudflare Workers and dynamic DNS services
- Exploiting appliances excluded from EDR coverage as noted by Volexity
Attribution and Campaign Context
Volexity tracks this activity as VerdantBamboo, which overlaps with threat clusters known as Clay Typhoon (Microsoft), UNC5221 (Google), and Warp Panda (CrowdStrike). The group has targeted legal services, software-as-a-service providers, business process outsourcers, and technology companies in espionage operations.
The campaign characteristics include:
- Average dwell time of 393 days according to Mandiant
- Custom tool development including PLENET/GRIMBOLT and AGENTPSD backdoors
- MSP compromise as initial access vector
- Focus on intelligence collection from Microsoft 365 environments
Red Sheep Assessment
We assess with high confidence that VerdantBamboo's BRICKSTORM deployment represents a mature infrastructure targeting strategy. Rather than simply porting Windows malware to Linux, they have developed platform-specific variants exploiting unique characteristics of network appliances. The 18-month dwell time and MSP compromise vector indicate substantial resources and operational discipline. We assess that other China-nexus APT groups will likely adopt similar multi-platform strategies targeting infrastructure over endpoints. The group's ability to maintain persistence after initial remediation attempts demonstrates advanced operational security practices.
Defensive Recommendations
Organizations should implement specific detection and mitigation measures:
- Deploy YARA rules from CISA's December 2025 BRICKSTORM update including Rust variant signatures
- Run Volexity's BRICKSTORM scanner script on all Linux and BSD-based appliances
- Monitor for anomalous DNS over HTTPS connections to 8.8.8.8 from appliances
- Hunt for WebSocket connections with self-signed 2048-bit RSA certificates
- Audit appliance management interfaces for unexpected outbound connections
- Review MSP access logs and implement strict access controls for third-party management
- Enable MFA on all administrative interfaces particularly firewall and VMware management
The BRICKSTORM campaign forces organizations to expand security monitoring beyond traditional endpoints to include network appliances and infrastructure components that have historically operated as trusted systems.
Visual Intelligence
[Figures: Entity Graph (9 entities, 10 relationships); Diamond Model]
---
Hunt Guide: VerdantBamboo BRICKSTORM Infrastructure Targeting Campaign
Hypothesis: If VerdantBamboo APT is active in our environment, we expect to observe BRICKSTORM backdoor variants on BSD/Linux network appliances, WebSocket C2 communications with self-signed certificates, and persistence via cron modifications in pfSense, Egnyte, Synology, and VMware infrastructure.
Intelligence Summary: VerdantBamboo APT has deployed cross-platform BRICKSTORM backdoor variants specifically targeting network infrastructure including pfSense firewalls, Egnyte Storage Sync, Synology NAS, and VMware vCenter/ESXi systems. The campaign leverages MSP compromise for initial access with average dwell times of 18 months, using Go-based malware with TLS WebSocket C2 and SOCKS proxy capabilities.
Confidence: High | Priority: Critical
Scope
- Networks: All network infrastructure devices including pfSense firewalls, Egnyte appliances, Synology NAS, VMware vCenter/ESXi, and any BSD/Linux-based network appliances
- Timeframe: Initial sweep of 24 months of historical data (based on the 18-month average dwell time); ongoing real-time monitoring thereafter
- Priority Systems: Perimeter firewalls (pfSense), virtualization infrastructure (VMware), storage appliances with external access (Egnyte, Synology), MSP management interfaces
MITRE ATT&CK Techniques
T1505.003 — Server Software Component - Web Shell (Persistence) [P1]
BRICKSTORM establishes persistence on network appliances using cron-based mechanisms customized for each platform
Splunk SPL:
index=* (sourcetype=linux_secure OR sourcetype=syslog) ("crontab" OR "cron" OR "/etc/cron*") ("REPLACE" OR "LIST" OR "EDIT") | bin _time span=1h | stats count by host user _time | where count > 5
Elastic KQL:
event.module:auditd AND (process.name:crontab OR process.args:*cron*) AND (event.action:"opened-file" OR event.action:"changed-file-attributes-of")
Sigma Rule:
```yaml
title: BRICKSTORM Cron Persistence Detection
id: a7c3f0d2-8e4b-4c5d-9f1a-2b3c4d5e6f7g
status: experimental
author: RedSheep Security/Stone
description: Detects suspicious cron modifications associated with BRICKSTORM backdoor persistence
logsource:
  product: linux
  service: auditd
detection:
  selection:
    type: 'SYSCALL'
    syscall:
      - 'open'
      - 'openat'
    comm:
      - 'crontab'
      - 'vi'
      - 'nano'
    path|contains:
      - '/etc/cron'
      - '/var/spool/cron'
  condition: selection
falsepositives:
  - Legitimate administrative cron modifications
level: high
tags:
  - attack.persistence
  - attack.t1505.003
```
Monitor for cron modifications on network appliances that typically have static configurations. Baseline normal cron activity per appliance type.
T1090.001 — Proxy - Internal Proxy (Command and Control) [P2]
BRICKSTORM implements SOCKS proxy functionality for lateral movement and tunneling with minimal telemetry
Splunk SPL:
index=* (sourcetype=stream:tcp OR sourcetype=bro:conn:json) (dest_port=1080 OR dest_port=8080 OR dest_port=3128) bytes_out>10000 | stats sum(bytes_out) as total_bytes values(dest_ip) as proxy_servers by src_ip | where total_bytes > 1000000
Elastic KQL:
network.transport:tcp AND (destination.port:1080 OR destination.port:8080 OR destination.port:3128) AND network.bytes > 10000
Sigma Rule:
```yaml
title: SOCKS Proxy Activity from Network Appliance
id: b8d4f1c3-9a5e-4d6f-0a1b-3c4d5e7f8h9i
status: stable
author: Volexity
description: Detects SOCKS proxy connections from systems that should not be proxying traffic
logsource:
  category: network_connection
  product: linux
detection:
  selection:
    dst_port:
      - 1080
      - 8080
      - 3128
    initiated: true
  # Single map, so both conditions must hold: only internal-to-internal
  # connections are filtered out. As two list items the conditions would be
  # ORed and every connection with a private source would be suppressed.
  filter:
    src_ip|startswith:
      - '10.'
      - '172.16.'
      - '192.168.'
    dst_ip|startswith:
      - '10.'
      - '172.16.'
      - '192.168.'
  condition: selection and not filter
falsepositives:
  - Legitimate proxy servers
level: high
```
Focus on SOCKS proxy connections from firewall, storage, and virtualization appliances, which should not typically proxy traffic.
T1071.001 — Application Layer Protocol - Web Protocols (Command and Control) [P1]
BRICKSTORM uses TLS-secured WebSocket communications with multiplexing using smux and Yamux libraries
Splunk SPL:
index=* (sourcetype=suricata OR sourcetype=zeek:ssl) (tls.subject="CN=*" OR tls.issuer="CN=*") tls.version="TLS 1.2" cert_key_length=2048 | where 'tls.subject'='tls.issuer' | regex tls.subject="^CN=[0-9a-f]{8,}" | stats count by src_ip dest_ip tls.subject
Elastic KQL:
event.dataset:zeek.ssl AND tls.server.subject:CN\=* AND tls.version:"1.2" AND tls.server.x509.public_key_size:2048 AND NOT tls.server.issuer:*O\=*
Look for self-signed certificates with 2048-bit RSA keys and WebSocket upgrade headers from appliances
T1053.003 — Scheduled Task/Job - Cron (Execution) [P2]
BRICKSTORM uses cron jobs for execution and persistence on BSD and Linux systems
Splunk SPL:
index=* ((sourcetype=linux_audit type=EXECVE a0="/usr/bin/crontab") OR (sourcetype=syslog facility=cron)) | rex field=_raw "CMD\s*\((?<cron_cmd>[^\)]+)" | search cron_cmd=*websocket* OR cron_cmd=*proxy* OR cron_cmd=*/tmp/* OR cron_cmd=*/dev/shm/*
Elastic KQL:
(process.name:crontab AND process.args:("-e" OR "-l" OR "-r")) OR (event.module:system AND process.name:cron AND message:*CMD*)
Alert on new cron entries containing suspicious paths (/tmp, /dev/shm) or network-related commands
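The cron hunting logic of this section and of T1505.003 above, as an added example that is not part of the original report: it parses syslog-style cron lines (the crontab utility's REPLACE/EDIT/DELETE events and cron's CMD execution lines, as produced by Linux cron and the BSD cron on pfSense) and flags table modifications on appliances and jobs that run from world-writable or hidden paths or reference proxy/WebSocket tooling. The log lines are constructed samples, not data from a real incident.

```python
import re
from collections import Counter

# Syslog cron lines: "<ts> <host> crontab[pid]: (user) REPLACE (user)" for a rewritten
# table, "<ts> <host> /usr/sbin/cron[pid]: (user) CMD (command)" for an executed job.
CRON_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s[\d:]{8})\s(?P<host>\S+)\s"
    r"(?P<proc>[\w./-]+)\[\d+\]:\s\((?P<user>[^)]+)\)\s(?P<action>[A-Z]+)\s\((?P<arg>.*)\)$"
)
MODIFY_ACTIONS = {"REPLACE", "EDIT", "DELETE"}          # crontab(1) changing a table
SUSPICIOUS_PATHS = ("/tmp/", "/var/tmp/", "/dev/shm/")   # world-writable staging dirs
SUSPICIOUS_WORDS = ("socks", "proxy", "websocket", "ws://", "wss://")
HIDDEN_DIR_RE = re.compile(r"/\.[^/\s]+")                 # e.g. /tmp/.cache/svc

def hunt_cron(lines):
    """Return a list of findings (dicts) for cron modifications and suspicious jobs."""
    findings = []
    for line in lines:
        m = CRON_RE.match(line.strip())
        if not m:
            continue  # not a cron event; other syslog lines are ignored
        ev = m.groupdict()
        reasons = []
        if ev["action"] in MODIFY_ACTIONS:
            reasons.append("crontab modified on appliance")  # rare on static appliances
        elif ev["action"] == "CMD":
            cmd = ev["arg"].lower()
            if any(p in cmd for p in SUSPICIOUS_PATHS):
                reasons.append("job runs from world-writable path")
            if any(w in cmd for w in SUSPICIOUS_WORDS):
                reasons.append("job references proxy/WebSocket tooling")
            if HIDDEN_DIR_RE.search(ev["arg"]):
                reasons.append("job path contains hidden directory")
        for reason in reasons:
            findings.append({"host": ev["host"], "user": ev["user"],
                             "reason": reason, "line": line.strip()})
    return findings

def hosts_by_finding_count(findings):
    """Hosts ranked by number of findings, for triage ordering."""
    return Counter(f["host"] for f in findings).most_common()

# Constructed sample log lines (hostnames and commands are made up for the example)
SAMPLE_LOG = """\
Nov 14 02:17:03 fw01 crontab[8123]: (root) REPLACE (root)
Nov 14 02:20:01 fw01 /usr/sbin/cron[8201]: (root) CMD (/tmp/.cache/svc -q)
Nov 14 02:25:01 fw01 /usr/sbin/cron[8244]: (root) CMD (/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshguard)
Nov 14 02:30:01 egnyte01 CRON[412]: (root) CMD (/dev/shm/.x/agent --socks 127.0.0.1:1080)
Nov 14 02:35:01 nas01 crontab[913]: (admin) LIST (admin)
""".splitlines()
```

The legitimate pfSense housekeeping job (expiretable) produces no finding, while the two jobs staged under /tmp and /dev/shm each produce several; baseline each appliance type's normal CMD lines before enabling alerts.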
T1583.006 — Acquire Infrastructure - Web Services (Resource Development) [P2]
VerdantBamboo leverages Cloudflare Workers and dynamic DNS services for C2 infrastructure
Splunk SPL:
index=* (sourcetype=bro:dns:json OR sourcetype=stream:dns) query_type=A (query=*.workers.dev OR query=*.duckdns.org OR query=*.no-ip.* OR query=*.dynv6.*) | stats count by query src_ip | where count > 10
Elastic KQL:
dns.question.name:*.workers.dev OR dns.question.name:*.duckdns.org OR dns.question.name:*.no-ip.* OR dns.question.name:*.dynv6.*
Monitor for resolution of dynamic DNS and Cloudflare Workers domains from infrastructure devices
T1573.001 — Encrypted Channel - Symmetric Cryptography (Command and Control) [P1]
BRICKSTORM implements encrypted WebSocket channels using TLS with self-signed certificates
Splunk SPL:
index=* sourcetype=suricata event_type=tls tls.sni=* NOT tls.sni=*.com NOT tls.sni=*.org NOT tls.sni=*.net | regex tls.sni="^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$" | stats count by src_ip tls.sni tls.subject
Elastic KQL:
event.kind:event AND event.category:network AND tls.server.not_after:* AND tls.server.subject:CN\=* AND destination.ip:8.8.8.8
Focus on TLS connections to IP addresses rather than domains, especially to 8.8.8.8 from appliances
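The TLS hunting described under T1071.001 and in this section, as an added example that is not from the original report: it evaluates Zeek ssl.log records (JSON log format, so field names such as id.orig_h and validation_status are Zeek's) for sessions originated by infrastructure appliances and flags self-signed server certificates, sessions with no hostname SNI (absent or an IP literal), and TLS to the 8.8.8.8 DoH destination listed in the indicators. The appliance inventory and the log records are constructed for the example.

```python
import ipaddress
import json

# Assumed inventory of appliances that should never originate self-signed TLS or DoH sessions
APPLIANCES = {"10.0.0.1": "pfsense-fw01", "10.0.5.20": "egnyte-sync01", "10.0.6.9": "synology-nas01"}
DOH_RESOLVERS = {"8.8.8.8"}   # DoH destination listed in the report's indicators

def is_ip_literal(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def parse_zeek_json(lines):
    """Parse Zeek JSON-format log lines into dicts, skipping blank lines."""
    return [json.loads(l) for l in lines if l.strip()]

def hunt_ssl_records(records):
    """Return findings for appliance-originated TLS sessions with C2-like traits."""
    findings = []
    for r in records:
        src, dst = r.get("id.orig_h"), r.get("id.resp_h")
        if src not in APPLIANCES:
            continue  # only sessions originated by infrastructure appliances are hunted
        reasons = []
        subject, issuer, sni = r.get("subject"), r.get("issuer"), r.get("server_name")
        if subject and subject == issuer:
            reasons.append("self-signed server certificate (subject == issuer)")
        if "self signed" in (r.get("validation_status") or "").lower():
            reasons.append("Zeek validation: self-signed chain")
        if dst in DOH_RESOLVERS and r.get("id.resp_p") == 443:
            reasons.append("TLS to DoH resolver %s" % dst)
        if not sni or is_ip_literal(sni):
            reasons.append("no hostname SNI (absent or IP literal)")
        for reason in reasons:
            findings.append({"src": APPLIANCES[src], "dst": dst, "reason": reason})
    return findings

# Constructed Zeek ssl.log records (JSON format); addresses are documentation ranges
SAMPLE_SSL_LOG = """\
{"ts":1731553200.1,"uid":"C1","id.orig_h":"10.0.0.1","id.orig_p":51234,"id.resp_h":"203.0.113.10","id.resp_p":443,"version":"TLSv12","server_name":"203.0.113.10","subject":"CN=3f9a1c2e7b","issuer":"CN=3f9a1c2e7b","validation_status":"self signed certificate"}
{"ts":1731553260.4,"uid":"C2","id.orig_h":"10.0.0.1","id.orig_p":51240,"id.resp_h":"8.8.8.8","id.resp_p":443,"version":"TLSv12","server_name":"dns.google","subject":"CN=dns.google","issuer":"CN=GTS CA 1C3,O=Google Trust Services LLC,C=US","validation_status":"ok"}
{"ts":1731553300.9,"uid":"C3","id.orig_h":"10.0.9.50","id.orig_p":40001,"id.resp_h":"198.51.100.7","id.resp_p":443,"version":"TLSv13","server_name":"updates.example.com","subject":"CN=updates.example.com","issuer":"CN=R3,O=Let's Encrypt,C=US","validation_status":"ok"}
{"ts":1731553360.0,"uid":"C4","id.orig_h":"10.0.5.20","id.orig_p":33002,"id.resp_h":"192.0.2.44","id.resp_p":443,"version":"TLSv12","subject":"CN=api","issuer":"CN=api","validation_status":"self signed certificate"}
""".splitlines()
```

The workstation session (C3) is skipped entirely; the firewall's session to an IP literal with a self-signed certificate and its TLS session to 8.8.8.8 both surface, as does the Egnyte appliance's SNI-less self-signed session.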
Indicators of Compromise
| Type | Value | Context |
|---|---|---|
| ip | 8.8.8.8 | DNS over HTTPS C2 destination observed in BRICKSTORM infections |
IOC Sweep Queries (Splunk):
index=* dest_ip=8.8.8.8 (dest_port=443 OR dest_port=853) src_category!=dns_server | stats count by src_ip app protocol
YARA Rules
BRICKSTORM_Go_Variant — Detects BRICKSTORM Go-based backdoor with WebSocket and SOCKS proxy capabilities
```yara
rule BRICKSTORM_Go_Variant {
    meta:
        description = "Detects BRICKSTORM backdoor Go variant with WebSocket multiplexing"
        author = "RedSheep Security/Stone"
        date = "2024-12-20"
        reference = "VerdantBamboo Campaign Analysis"
    strings:
        $go1 = "github.com/xtaci/smux" ascii
        $go2 = "github.com/hashicorp/yamux" ascii
        $go3 = "websocket.Dial" ascii
        $go4 = "SOCKS" ascii wide
        $go5 = {67 6F 62 66 75 73 63 61 74 65} // "gobfuscate"
        $func1 = "StartSocksProxy" ascii
        $func2 = "WebSocketConnect" ascii
        $func3 = "TLSConfig" ascii
        $hex1 = {48 54 54 50 2F 31 2E 31 20 31 30 31 20 53 77 69 74 63 68 69 6E 67 20 50 72 6F 74 6F 63 6F 6C 73} // "HTTP/1.1 101 Switching Protocols"
    condition:
        // PE (MZ) or ELF header: the Linux and BSD appliance variants are ELF binaries,
        // so matching only on MZ would miss the samples this campaign is about
        (uint16(0) == 0x5A4D or uint32(0) == 0x464C457F) and
        filesize < 10MB and
        (
            2 of ($go*) or
            2 of ($func*) or
            ($go3 and $hex1) or
            ($go1 and $go4)
        )
}
```
BRICKSTORM_Rust_Variant — Detects Rust-compiled BRICKSTORM variant from CISA December 2025 update
```yara
rule BRICKSTORM_Rust_Variant {
    meta:
        description = "CISA BRICKSTORM Rust variant signatures"
        author = "CISA"
        date = "2025-12-01"
        reference = "CISA December 2025 BRICKSTORM Update"
    strings:
        $rust1 = "cargo" ascii
        $rust2 = "rustc" ascii
        $rust3 = {72 75 73 74 5F 70 61 6E 69 63} // "rust_panic"
        $ws1 = "ws://" ascii
        $ws2 = "wss://" ascii
        $socks = {53 4F 43 4B 53} // "SOCKS"
        $cert = "-----BEGIN CERTIFICATE-----" ascii
    condition:
        uint32(0) == 0x464C457F and // ELF header
        filesize < 20MB and
        (
            2 of ($rust*) and
            (1 of ($ws*) or $socks or $cert)
        )
}
```
Suricata Rules
SID 2051234 — BRICKSTORM WebSocket C2 Connection Attempt
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE BRICKSTORM WebSocket C2 Connection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"Upgrade|3a 20|websocket"; http_header; content:"Connection|3a 20|Upgrade"; http_header; content:"Sec-WebSocket-Version|3a 20|13"; http_header; threshold:type limit, track by_src, count 1, seconds 3600; reference:url,volexity.com/brickstorm; classtype:trojan-activity; sid:2051234; rev:1;)
SID 2051235 — BRICKSTORM DNS over HTTPS to 8.8.8.8
alert tcp $HOME_NET any -> 8.8.8.8 443 (msg:"ET MALWARE BRICKSTORM Suspicious DoH to 8.8.8.8"; flow:established,to_server; content:"|16 03|"; depth:2; content:"dns.google"; fast_pattern; threshold:type threshold, track by_src, count 5, seconds 60; reference:url,volexity.com/brickstorm; classtype:trojan-activity; sid:2051235; rev:1;)
Data Source Requirements
| Source | Required For | Notes |
|---|---|---|
| Linux Auditd | T1505.003, T1053.003 | Required on all Linux-based network appliances including Egnyte and Synology |
| BSD System Logs | T1505.003, T1053.003 | Critical for pfSense and other BSD-based firewall monitoring |
| Network Traffic Flow | T1090.001, T1071.001, T1583.006 | NetFlow/IPFIX collection from infrastructure devices |
| SSL/TLS Inspection | T1071.001, T1573.001 | SSL visibility required to detect self-signed certificates and WebSocket upgrades |
| DNS Query Logs | T1071.001, T1583.006 | DNS logging including DoH traffic analysis |
| VMware vCenter Logs | T1505.003 | vCenter and ESXi logs for detecting compromise of virtualization infrastructure |