VerdantBamboo campaign abuses pfSense, NAS and Egnyte devices

CyberSecureFox Editorial Team

Researchers at Volexity have published a report on a cyber-espionage campaign in which a group believed to be linked to China and tracked as VerdantBamboo compromised an organization’s infrastructure via its managed service provider (MSP). The attackers deployed a BSD variant of the BRICKSTORM backdoor on the provider’s pfSense firewall and then installed two additional malware families — PLENET (GRIMBOLT) and AGENTPSD — on the victim’s Synology NAS network storage. The campaign targets organizations that use edge devices without EDR support: firewalls, NAS systems, and file synchronization servers.

Timeline and initial access vector

According to Volexity, the incident was discovered during an investigation in September 2025, but the initial compromise is estimated to have occurred at least 18 months earlier. The attack chain comprised several stages:

  • MSP compromise: the attackers infected the managed service provider’s pfSense firewall with the BSD variant of BRICKSTORM, using it to gain access to the client’s infrastructure.
  • Egnyte Storage Sync exploitation: a local privilege escalation vulnerability was exploited on the victim’s storage synchronization system to deploy BRICKSTORM. A fix is included in Storage Sync version 13.13, released in March 2026.
  • Access to Microsoft 365: using BRICKSTORM’s proxy capabilities on the compromised synchronization system and stolen credentials, the attackers gained access to the Microsoft 365 cloud environment, disguising their traffic as legitimate and bypassing conditional access policies.
  • Re-compromise: after the initial remediation of the incident, VerdantBamboo returned by using stolen administrative credentials to connect to the firewall, configure SSL VPN, and deploy malware on the Synology NAS.

Notably, access to the compromised device was carried out via IP addresses assigned by the organization’s own SSL VPN, which made it significantly harder to detect anomalies in network traffic.

Malware arsenal

Two malware families were delivered to the Synology NAS network storage over SSH:

  • PLENET (GRIMBOLT) — a cross-platform backdoor written in .NET Core using native ahead-of-time (AOT) compilation. It is a new version of BRICKSTORM. It supports an interactive shell, remote command execution, file manipulation, and switching between command and control (C2) servers.
  • AGENTPSD — a Python-based reverse shell, presumably serving as a backup access channel in case the primary implant fails.

The use of AOT compilation for PLENET merits separate attention: this technique makes it possible to create self-contained executables that do not depend on the .NET runtime, which simplifies deployment on devices with constrained software environments and complicates analysis.

Threat context and links

Volexity describes VerdantBamboo as a highly sophisticated actor that deliberately targets devices on which EDR software is traditionally not installed or cannot be installed. The group demonstrates deep knowledge of proprietary devices, developing custom persistence mechanisms for each compromised device.

Characteristic aspects of VerdantBamboo’s operational discipline include using a limited number of domains and IP addresses per victim, as well as tailoring implant naming conventions individually.

It is worth noting that PLENET has previously appeared in reports in connection with the exploitation of the critical vulnerability CVE-2026-22769 (CVSS 10.0) in Dell RecoverPoint for Virtual Machines, which, according to available data, had been used as a zero-day vulnerability since mid-2024.

Impact assessment

The VerdantBamboo campaign poses a high risk to organizations for several reasons:

  • Supply chain attack: compromising an MSP gives attackers potential access to all of the provider’s clients, not just a single victim.
  • Monitoring blind spots: firewalls, NAS devices, and file synchronization servers are generally not covered by EDR solutions, making them ideal persistence points.
  • Long-term presence: the 18-month period of covert access before discovery indicates the group’s ability to maintain a stable presence in the infrastructure.
  • Resilience to response efforts: after the initial remediation, the attackers restored access via alternative channels, indicating the existence of multiple persistence points.

Organizations that rely on managed services from external providers, as well as companies with large fleets of network devices lacking centralized security monitoring, are at the greatest risk.

Security recommendations

  1. Update Egnyte Storage Sync to version 13.13 or later, which addresses the privilege escalation vulnerability.
  2. Audit pfSense firewalls for unusual processes, unknown executables, and suspicious SSL VPN configurations, especially if the devices are managed by an external MSP.
  3. Inspect Synology NAS devices for atypical SSH connections, unknown binary files, and non-standard autostart mechanisms.
  4. Rotate all administrative credentials for network devices, VPN gateways, and cloud services, including Microsoft 365, particularly if MSP compromise is suspected.
  5. Implement network traffic monitoring on edge devices: track anomalous outbound connections from firewalls and NAS systems, as well as unusual SSL VPN usage.
  6. Assess MSP security: request that your managed service provider confirm integrity checks of its infrastructure and share the results of recent security audits.
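Recommendations 3 and 5 can be combined into one correlation check: SSH logins on the NAS whose source address comes from the SSL VPN pool are joined against the VPN's own session log, so that a VPN session for one user being used to log in as a different (or unexpected) NAS account stands out, which is exactly the traffic pattern the article says blended in. This Python example is added here and is not code from Volexity or CyberSecureFox; the VPN pool, account names and both log excerpts are constructed.

```python
import re
from ipaddress import ip_address, ip_network

# All values below are constructed for illustration; the report gives no addresses or logs.
VPN_POOL = ip_network("10.200.0.0/24")      # assumed address pool handed out by the SSL VPN
NAS_SSH_ALLOWLIST = {"nas-backup"}          # assumed: the only account expected to SSH to the NAS

# Constructed SSL VPN session records: which account received which pool address
VPN_LOG = """\
2025-09-02T01:12:03 vpn: user=jdoe assigned=10.200.0.17
2025-09-02T09:30:11 vpn: user=nas-backup assigned=10.200.0.42
"""
# Constructed sshd lines from the NAS
SSH_LOG = """\
Sep  2 01:13:40 nas sshd[811]: Accepted password for admin from 10.200.0.17 port 51022 ssh2
Sep  2 09:31:02 nas sshd[902]: Accepted publickey for nas-backup from 10.200.0.42 port 51100 ssh2
Sep  2 14:05:19 nas sshd[950]: Accepted publickey for nas-backup from 192.168.1.20 port 50211 ssh2
"""

VPN_RE = re.compile(r"user=(\S+) assigned=(\S+)")
SSH_RE = re.compile(r"Accepted (\S+) for (\S+) from (\S+) port")

def vpn_assignments(vpn_log):
    """Map each VPN-assigned IP to the VPN account that received it."""
    return {ip: user for user, ip in VPN_RE.findall(vpn_log)}

def suspicious_nas_logins(ssh_log, vpn_log):
    """Return SSH logins to the NAS that arrive from the VPN pool but do not match an
    expected pairing (VPN user == SSH account, account allow-listed, key-based auth)."""
    assigned = vpn_assignments(vpn_log)
    findings = []
    for method, ssh_user, src in SSH_RE.findall(ssh_log):
        if ip_address(src) not in VPN_POOL:
            continue                      # not VPN-sourced; outside the scope of this check
        vpn_user = assigned.get(src)
        reasons = []
        if vpn_user is None:
            reasons.append("no VPN session recorded for source address")
        elif vpn_user != ssh_user:
            reasons.append(f"VPN user {vpn_user} logged in as {ssh_user}")
        if ssh_user not in NAS_SSH_ALLOWLIST:
            reasons.append(f"account {ssh_user} not expected to use SSH on the NAS")
        if method == "password":
            reasons.append("password authentication instead of key")
        if reasons:
            findings.append({"src": src, "ssh_user": ssh_user, "vpn_user": vpn_user, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in suspicious_nas_logins(SSH_LOG, VPN_LOG):
        print(f["src"], f["ssh_user"], "<-", f["vpn_user"], ";", "; ".join(f["reasons"]))
```

On a real deployment the two inputs would be the pfSense VPN log and the NAS's sshd log, and any hit should be checked against the credential rotation in recommendation 4.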

The VerdantBamboo campaign illustrates a systemic shift in the tactics of advanced groups — from endpoint attacks to compromising network devices that lie outside EDR visibility. Organizations should first inventory all edge devices — firewalls, NAS systems, synchronization servers — and ensure at least basic monitoring of file system integrity and network connections for them, as well as immediately update Egnyte Storage Sync and rotate credentials on devices managed through an MSP.


CyberSecureFox Editorial Team

The CyberSecureFox Editorial Team covers cybersecurity news, vulnerabilities, malware campaigns, ransomware activity, AI security, cloud security, and vendor security advisories. Articles are prepared using official advisories, CVE/NVD data, CISA alerts, vendor publications, and public research reports. Content is reviewed before publication and updated when new information becomes available.
