A Chinese espionage group tracked as UNC5221 has been linked to attacks on Microsoft 365 environments using the Brickstorm backdoor and two previously undocumented malware tools named Plenet and AgentPSD.
An investigation found that the attackers had access to the victim’s network for at least 18 months before they were detected. The same threat actor also compromised the victim organization’s managed services provider, raising concerns that the hackers may have used the MSP as a path into the customer’s systems.
UNC5221, also known as VerdantBamboo, has been active in attacks exploiting zero-day vulnerabilities in edge devices since at least 2023. The group used Brickstorm inside several targets in the United States for more than a year before the intrusions were discovered around March 2025.
Security researchers describe Brickstorm as an advanced malware implant. Early versions were written in Golang, while newer versions have appeared in Rust. Google previously documented UNC5221’s use of the backdoor in April 2024 and again in September 2025, when the group was seen targeting legal services, software-as-a-service providers, business process outsourcing firms, and technology companies.
CISA has also warned that Chinese hackers were deploying Brickstorm against VMware vSphere servers. More recently, Google reported that the malware had been used by UNC6201 against Dell RecoverPoint for Virtual Machines.
Volexity researchers investigating one of the incidents found that VerdantBamboo had compromised an Egnyte Storage Sync system and accessed it through the victim’s web SSL VPN. From there, the attackers used Brickstorm’s proxying features and stolen credentials to reach the organization’s Microsoft 365 environment.
According to Volexity, the hackers likely used this route so that their Microsoft 365 sign-ins appeared to originate from inside the victim's own network, blending in with normal traffic and bypassing Conditional Access policies that would otherwise have blocked their access.
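One check a defender can run for the pattern described above is to look for Microsoft 365 sign-ins that arrived from the organisation's own VPN egress (a trusted named location) without Conditional Access being applied and from a device the tenant does not manage. The script below is an added illustration, not Volexity's, Google's or the victim's tooling. The field names follow the Microsoft Entra sign-in log schema (userPrincipalName, ipAddress, conditionalAccessStatus, deviceDetail.isManaged, deviceDetail.isCompliant); the VPN egress range, the assumption that it is configured as a trusted location, and the sign-in records themselves are constructed sample data.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed: the SSL VPN egress block that this example assumes the tenant
# treats as a trusted named location in Conditional Access.
TRUSTED_VPN_EGRESS = [ipaddress.ip_network("203.0.113.0/28")]

# Constructed sample sign-in events, one JSON object per line, in the shape of
# Microsoft Entra sign-in log records. None of these come from a real tenant.
SAMPLE_SIGNINS_JSONL = """
{"createdDateTime": "2025-09-10T02:14:00Z", "userPrincipalName": "j.doe@example.org", "ipAddress": "203.0.113.5", "appDisplayName": "Office 365 Exchange Online", "conditionalAccessStatus": "notApplied", "deviceDetail": {"isManaged": false, "isCompliant": false}}
{"createdDateTime": "2025-09-10T09:02:00Z", "userPrincipalName": "a.smith@example.org", "ipAddress": "203.0.113.6", "appDisplayName": "Microsoft Teams", "conditionalAccessStatus": "notApplied", "deviceDetail": {"isManaged": true, "isCompliant": true}}
{"createdDateTime": "2025-09-10T11:40:00Z", "userPrincipalName": "j.doe@example.org", "ipAddress": "198.51.100.77", "appDisplayName": "Office 365 SharePoint Online", "conditionalAccessStatus": "success", "deviceDetail": {"isManaged": false, "isCompliant": false}}
{"createdDateTime": "2025-09-11T03:05:00Z", "userPrincipalName": "j.doe@example.org", "ipAddress": "203.0.113.5", "appDisplayName": "Office 365 SharePoint Online", "conditionalAccessStatus": "notApplied", "deviceDetail": {"isManaged": false, "isCompliant": false}}
{"createdDateTime": "2025-09-11T08:30:00Z", "userPrincipalName": "b.lee@example.org", "ipAddress": "203.0.113.9", "appDisplayName": "Microsoft Teams", "conditionalAccessStatus": "failure", "deviceDetail": {"isManaged": false, "isCompliant": false}}
"""


def load_signins(jsonl: str) -> list[dict]:
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in jsonl.strip().splitlines() if line.strip()]


def from_trusted_egress(ip: str, trusted_nets=TRUSTED_VPN_EGRESS) -> bool:
    """True if the source address sits inside the trusted VPN egress range(s)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted_nets)


def flag_ca_bypass(records: list[dict], trusted_nets=TRUSTED_VPN_EGRESS) -> list[dict]:
    """Return sign-ins that match all three conditions:
    - source IP is inside the trusted VPN egress range,
    - Conditional Access reports notApplied (no policy evaluated the sign-in),
    - the device is neither managed nor compliant.
    A managed device arriving via the VPN is expected; an unmanaged one that
    skipped Conditional Access is what a proxied attacker session looks like."""
    findings = []
    for r in records:
        if not from_trusted_egress(r["ipAddress"], trusted_nets):
            continue
        if r.get("conditionalAccessStatus") != "notApplied":
            continue
        dev = r.get("deviceDetail") or {}
        if dev.get("isManaged") or dev.get("isCompliant"):
            continue
        findings.append(r)
    return findings


def summarize_by_user(findings: list[dict]) -> dict[str, dict]:
    """Collapse flagged sign-ins per user: count, apps touched, first/last seen."""
    summary = defaultdict(lambda: {"count": 0, "apps": set(), "first_seen": None, "last_seen": None})
    for r in sorted(findings, key=lambda x: x["createdDateTime"]):
        s = summary[r["userPrincipalName"]]
        s["count"] += 1
        s["apps"].add(r["appDisplayName"])
        s["first_seen"] = s["first_seen"] or r["createdDateTime"]
        s["last_seen"] = r["createdDateTime"]
    return dict(summary)


if __name__ == "__main__":
    hits = flag_ca_bypass(load_signins(SAMPLE_SIGNINS_JSONL))
    for user, s in summarize_by_user(hits).items():
        print(f"{user}: {s['count']} sign-ins from trusted VPN egress without Conditional Access, "
              f"apps={sorted(s['apps'])}, {s['first_seen']} .. {s['last_seen']}")
```

On the sample data only j.doe's two early-morning sign-ins from the VPN egress are flagged; the managed device on the same range, the external sign-in that Conditional Access evaluated, and the failed sign-in are all dropped. In a real tenant the trusted range and the exact conditionalAccessStatus value that your policies produce for trusted locations must be taken from the tenant's own configuration, and the rule should be joined with VPN authentication logs to confirm which account actually established the VPN session.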
The researchers later discovered that the attackers had been inside the network for at least 18 months before being detected. Even after remediation work was completed, VerdantBamboo breached the organization again.
In the second intrusion, the attackers used stolen credentials to enable and configure SSL VPN access on the victim’s firewall. They then connected to internal systems and deployed additional custom malware to a Synology NAS device.
That discovery led investigators to examine the customer’s managed services provider, where Volexity found a BSD version of Brickstorm planted on a pfSense firewall. The researchers concluded that this firewall had also been compromised at least 18 months earlier.
Volexity said it has medium confidence that the attackers used the MSP to pivot into the victim organization’s environment. Brickstorm was later deployed to the victim’s Egnyte Storage Sync appliance and to a retired Linux GroupWise email archive server.
After the attackers returned and re-established access to the victim’s infrastructure, they deployed Plenet on a Synology NAS appliance. Plenet, also tracked by Google as Grimbolt, is a cross-platform .NET-based backdoor that provides interactive shell access, remote command execution, file manipulation, and the ability to switch command-and-control servers.
Researchers said Plenet is similar in design to Brickstorm because it uses the WebSocket protocol for command-and-control communication and a multiplexing library to handle multiple data streams at the same time.
The attackers also deployed AgentPSD, a simple Python-based reverse shell utility. Volexity believes VerdantBamboo used it as a fallback persistence tool in case other malware was removed or became unavailable.
AgentPSD was configured to connect to a different domain than Brickstorm. However, researchers said it was never actually used because Brickstorm remained active, supporting the view that AgentPSD was only a backup access method.
During the investigation, Volexity attempted to map the infrastructure used by VerdantBamboo. Researchers created a fingerprint to identify IP addresses and domains used by Brickstorm for command-and-control communication.
Several machines were identified, but the threat actor took the infrastructure offline before researchers could identify more of it. Between September 18 and September 23, all servers matching the pattern stopped offering services on port 443.
Around the same time, Google also published a new report on Brickstorm activity. Volexity said this may suggest the attackers knew their operations were being investigated.
Volexity described VerdantBamboo (UNC5221) as a highly sophisticated threat actor that combines living-off-the-land techniques with custom malware. The group often targets appliances and other systems that cannot run endpoint detection and response (EDR) agents, which makes detection and investigation more difficult.
The researchers have published indicators of compromise linked to the UNC5221 campaign to help defenders identify possible signs of compromise in their own environments.