A China-nexus espionage group used a BSD variant of BRICKSTORM, along with the PLENET and AGENTPSD backdoors, against Linux and BSD-based systems in an intrusion first uncovered during a September 2025 incident response engagement, according to a technical analysis from Volexity.
KEY FACTS
- Group: The activity is linked to VerdantBamboo, which overlaps with clusters tracked as Clay Typhoon, UNC5221 and Warp Panda.
- Initial access: The attackers compromised an Egnyte Storage Sync system by exploiting a local privilege escalation flaw.
- Targets: The operation affected a victim organization, its managed services provider (MSP) and a Synology NAS appliance.
- Malware: The toolkit included a BSD BRICKSTORM variant, PLENET and AGENTPSD.
The report says the Storage Sync system was periodically accessed from IP addresses assigned by the victim organization's web SSL VPN, meaning the attackers were connecting as ordinary VPN clients. They then used the malware's proxying functions, together with compromised credentials, to reach the victim's Microsoft 365 environment.
After remediation, the group returned using stolen administrative credentials to log in to a firewall, enabled web SSL VPN access and moved on to other systems. Further investigation found that the same cluster had also infected the MSP's pfSense firewall, a FreeBSD-based platform, suggesting the victim may originally have been compromised through that provider.
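The access pattern described above (appliance logins arriving from the VPN client pool, and remote access being switched back on at the firewall) is something a defender can hunt for in existing VPN, appliance and firewall logs. The following script is an added example and is not code from Volexity or from the report. The log format, its field names, the VPN client pool 10.8.0.0/24 and the `sslvpn.enabled` configuration key are all assumptions made for the example; the sample log lines are constructed, not taken from the incident.

```python
"""Detection logic for the VPN-pool-to-appliance access pattern.

Added example, not from the Volexity report. Rule 1 flags successful management
logins to appliances that come from the address pool the web SSL VPN hands to
clients and attributes them to the VPN account that held the address. Rule 2
flags firewall configuration changes that enable SSL VPN remote access.
"""
import ipaddress

# Assumption: the web SSL VPN assigns client addresses from this pool.
VPN_CLIENT_POOL = ipaddress.ip_network("10.8.0.0/24")

# Constructed sample log lines (format and field names are assumptions).
SAMPLE_LOG = """\
2025-09-01T02:14:05Z vpn assign user=jsmith client_ip=10.8.0.23
2025-09-01T02:15:40Z appliance login host=storage-sync-01 user=admin src=10.8.0.23 result=success
2025-09-01T02:16:02Z appliance login host=nas-01 user=backup src=192.168.1.50 result=success
2025-09-03T11:02:11Z firewall config user=fwadmin src=203.0.113.7 key=sslvpn.enabled old=false new=true
2025-09-03T11:05:00Z vpn assign user=fwadmin client_ip=10.8.0.41
2025-09-03T11:06:30Z appliance login host=fw-edge-01 user=fwadmin src=10.8.0.41 result=success
2025-09-03T11:07:10Z appliance login host=fw-edge-01 user=fwadmin src=10.8.0.41 result=failure
""".splitlines()


def parse_line(line):
    """Parse '<timestamp> <source> <action> key=value ...' into a dict."""
    ts, source, action, *pairs = line.split()
    event = {"ts": ts, "source": source, "action": action}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def analyze(lines, pool=VPN_CLIENT_POOL):
    """Return a list of alert dicts, in log order."""
    lease = {}   # client_ip -> VPN user currently holding that address
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev["source"] == "vpn" and ev["action"] == "assign":
            lease[ev["client_ip"]] = ev["user"]
        elif ev["source"] == "appliance" and ev["action"] == "login":
            if ev.get("result") != "success":
                continue
            if ipaddress.ip_address(ev["src"]) in pool:
                vpn_user = lease.get(ev["src"])
                alerts.append({
                    "rule": "appliance-access-from-vpn-pool",
                    "ts": ev["ts"],
                    "host": ev["host"],
                    "login_user": ev["user"],
                    "vpn_user": vpn_user,
                    # One account's VPN session driving a management login as a
                    # different account is the strongest signal in this rule.
                    "user_mismatch": vpn_user is not None and vpn_user != ev["user"],
                })
        elif ev["source"] == "firewall" and ev["action"] == "config":
            if ev.get("key", "").startswith("sslvpn") and ev.get("new") == "true":
                alerts.append({
                    "rule": "remote-access-enabled",
                    "ts": ev["ts"],
                    "user": ev["user"],
                    "src": ev["src"],
                    "key": ev["key"],
                })
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the constructed input this yields three alerts: the admin login to `storage-sync-01` from an address the VPN had just leased to `jsmith` (a user mismatch), the firewall change that turned `sslvpn.enabled` on, and the subsequent firewall login from the VPN pool. The login from 192.168.1.50 is ignored because it is outside the pool, and the failed login is skipped. In a real deployment the pool, log sources and configuration key would be taken from the actual VPN and firewall products in use.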
PLENET is described as a .NET Core backdoor that supports interactive shell access, remote command execution, file manipulation and switching between command-and-control (C2) servers. AGENTPSD is a Python-based reverse shell that likely served as a fallback implant in case the primary backdoors were removed.
Volexity said the flaw in Egnyte Storage Sync was fixed in version 13.13, released in March 2026, and that the initial compromise likely began at least 18 months before the incident response engagement.
WHY IT MATTERS
The case shows how intruders combine living-off-the-land techniques (VPN logins with valid credentials, firewall reconfiguration) with custom malware on appliances such as file-sync servers, NAS devices and firewalls, which often cannot run endpoint security tools and so receive little monitoring. It also highlights how a managed service provider compromise can extend an attacker's access into downstream customer networks, and how remediation that leaves stolen administrative credentials in place invites a return visit.

