A Breach That Kept Restarting

When Volexity responded to an incident in 2024, the immediate problem turned out to be considerably older than anyone had anticipated. The Chinese espionage group UNC5221 — also tracked under the name VerdantBamboo — had been inside the victim’s network for at least 18 months before anyone noticed. By the time detection happened, the attackers had already spread across multiple systems, stolen credentials, accessed Microsoft 365, and quietly compromised the organization’s managed services provider as well.

What followed remediation was arguably more alarming than the initial breach: VerdantBamboo came back.

The second intrusion used stolen credentials to configure SSL VPN access directly on the victim’s firewall, reconnect to internal systems, and drop additional custom malware onto a Synology NAS device — all within days of the environment supposedly being cleaned. That second entry triggered a parallel investigation at the customer’s MSP, where Volexity found a BSD variant of the Brickstorm backdoor planted on a pfSense firewall, with evidence that this device had also been compromised at least 18 months earlier.

How UNC5221 Moved Through the Environment

The initial foothold came through a compromised Egnyte Storage Sync system, which the attackers accessed periodically through the victim’s web SSL VPN. From there, UNC5221 used Brickstorm’s proxying capabilities alongside stolen credentials to reach the organization’s Microsoft 365 environment. Volexity assessed with high confidence that the group deliberately routed access this way to blend with legitimate network traffic and sidestep Conditional Access policies that would have otherwise blocked the login attempts.

Brickstorm is not a new tool, but it has evolved considerably. Early variants were written in Golang; more recent ones have been rewritten in Rust. CISA previously warned about Brickstorm being used by Chinese-linked actors against VMware vSphere servers. Google documented UNC5221 deploying the backdoor in April 2024 and then again in September 2025, targeting legal services firms, software-as-a-service providers, business process outsourcers, and technology companies. A separate group, UNC6201, deployed Brickstorm against Dell RecoverPoint for Virtual Machines. The backdoor’s adaptability — moving between operating systems, switching languages, targeting different device categories — reflects sustained development effort behind it.

Within the victim environment, Brickstorm was deployed to the Egnyte Storage Sync appliance and to a retired Linux GroupWise email archive server. The retired server is worth noting: decommissioned systems that still have network connectivity are exactly the kind of overlooked asset that persistent threat actors seek out. A machine no one is actively monitoring is a machine that won’t trigger alerts.

Three Backdoors, Each with a Different Purpose

Once VerdantBamboo re-established access after the first round of remediation, the group introduced two additional pieces of malware: Plenet and AgentPSD.

Plenet — also tracked by Google under the name Grimbolt — is a cross-platform .NET-based backdoor. It provides interactive shell access, remote command execution, file manipulation, and the ability to switch C2 servers on the fly. Volexity noted that Plenet’s architecture closely mirrors Brickstorm’s: both use the WebSocket protocol for command-and-control communications, and both employ a multiplexing library to manage simultaneous data streams back to their servers. The design similarity suggests either shared development resources or deliberate standardization across the group’s toolset — possibly both. Plenet was deployed to the victim’s Synology NAS appliance.

AgentPSD is considerably simpler: a Python-based reverse shell utility that Volexity believes VerdantBamboo positioned as a fallback persistence mechanism. It was configured to connect to a different domain than the one Brickstorm used, which indicates intentional separation — if defenders discovered and blocked one C2 infrastructure, the other would still be reachable. As it happened, AgentPSD was never actually activated during the incident because Brickstorm remained operational throughout. Its presence alone, however, confirms that the group was planning for the possibility of partial detection and building in redundancy from the start.
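One way a defender could hunt for the pattern described above (WebSocket C2 shared by Brickstorm and Plenet, with a second domain held in reserve), as an added example that is not part of Volexity's report or of this article: it parses constructed proxy log lines, keeps WebSocket upgrades from appliance-class hosts to destinations outside a vendor allowlist, and then groups destinations reached by more than one appliance. The asset inventory, allowlist, log format, addresses and hostnames are all constructed assumptions, not indicators from the incident.

```python
from collections import defaultdict

# Constructed inventory: appliance hosts (file sync, NAS, retired archive server)
# with no business need for long-lived outbound WebSocket sessions. Hypothetical.
APPLIANCE_HOSTS = {
    "10.10.5.20": "egnyte-sync-01",
    "10.10.5.44": "synology-nas-01",
    "10.10.9.7": "groupwise-archive-retired",
}
# Constructed allowlist of vendor update/telemetry endpoints (hypothetical).
ALLOWED_DESTS = {"updates.vendor.example"}

# Constructed proxy log, one record per line: src_ip dst_host upgrade_header bytes_out
SAMPLE_PROXY_LOG = """\
10.10.5.20 updates.vendor.example websocket 2048
10.10.5.20 c2-a.example.invalid websocket 918400
10.10.1.15 chat.saas.example websocket 51200
10.10.5.44 c2-a.example.invalid websocket 40960
10.10.5.44 c2-b.example.invalid websocket 1200
10.10.9.7 c2-a.example.invalid websocket 730000
10.10.9.7 c2-a.example.invalid none 512
"""

def parse_proxy_log(text):
    """Yield (src_ip, dst_host, upgrade, bytes_out); malformed lines are skipped."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not fields[3].isdigit():
            continue
        yield fields[0], fields[1], fields[2].lower(), int(fields[3])

def websocket_from_appliances(text):
    """Return (asset, dst_host, bytes_out) for every WebSocket upgrade that an
    appliance host made to a destination not on the vendor allowlist."""
    findings = []
    for src, dst, upgrade, nbytes in parse_proxy_log(text):
        if src not in APPLIANCE_HOSTS or upgrade != "websocket":
            continue
        if dst in ALLOWED_DESTS:
            continue
        findings.append((APPLIANCE_HOSTS[src], dst, nbytes))
    return findings

def shared_destinations(findings):
    """Map each flagged destination to the appliances that reached it, keeping only
    destinations seen from more than one appliance (shared C2 infrastructure)."""
    by_dst = defaultdict(set)
    for asset, dst, _ in findings:
        by_dst[dst].add(asset)
    return {dst: sorted(assets) for dst, assets in by_dst.items() if len(assets) > 1}
```

A destination reached by only one appliance (c2-b in the sample) still appears in the findings list; the secondary domain of a dormant fallback like AgentPSD would only show up once it actually connects, which is why the per-appliance list matters as much as the shared set.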

The combination of three tools serving three distinct roles — primary persistent access, interactive capability with server-switching, and dormant fallback — illustrates the operational depth UNC5221 brings to long-term intrusions. These are not opportunistic smash-and-grab attacks.

The MSP Problem

The compromise of the managed services provider adds a dimension that goes beyond a single victim. Volexity found that VerdantBamboo had planted the BSD variant of Brickstorm on the MSP’s pfSense firewall, and assessed with medium confidence that the attacker pivoted from the MSP into the victim organization’s environment rather than the reverse. If that pivot direction is correct, the victim network was not the entry point — it was a downstream consequence of someone else’s breach.

MSPs present a particular challenge in this type of investigation because their infrastructure sits between the attacker and multiple client environments. A compromise at the MSP level can give a persistent threat actor reach into every organization that MSP serves, often with the elevated trust and network access that managed service relationships require. Defenders responding to a breach at one organization need to ask whether their MSP has also been reviewed — and whether the MSP has the visibility to even know.

UNC5221 has been exploiting zero-day vulnerabilities in edge devices since at least 2023. The group’s focus on network perimeter hardware — VPN appliances, firewalls, NAS devices, storage sync systems — is consistent with a broader pattern of targeting infrastructure that is frequently under-monitored compared to endpoints, rarely runs endpoint detection tools, and often retains access credentials for legitimate remote management. These are not accidents of opportunity. They are architectural choices.

What 18 Months of Dwell Time Actually Means

Eighteen months of undetected access is long enough to observe an organization through multiple budget cycles, personnel changes, product launches, legal proceedings, and strategic planning discussions. For an espionage-focused group, that window is not just about data exfiltration — it is about understanding the organization well enough to know what data matters, when to collect it, and how to avoid triggering suspicion while doing so.

VerdantBamboo’s operational security during the initial intrusion held for a year and a half. The group used legitimate network traffic patterns to mask M365 access. It chose to periodically revisit the Egnyte system rather than maintain a constant connection that might stand out in logs. It planted Brickstorm on a retired server that had presumably fallen out of regular review.

None of this was accidental tradecraft. The return after remediation — using the compromised MSP infrastructure as a second route back in — suggests the group had mapped multiple entry paths before the first one was closed. AgentPSD sitting dormant on a separate C2 domain while Brickstorm ran uninterrupted is the same logic applied at the tooling level: redundancy built in ahead of time, not assembled in response to discovery.

The Brickstorm variants targeting BSD and Linux environments are not widely covered by standard enterprise detection stacks, which typically prioritize Windows endpoint coverage. A BSD backdoor on a pfSense firewall sits in exactly the gap that most security programs leave unexamined.

No Clean Ending Here

UNC5221’s activity was first formally documented in 2023. Brickstorm received public attention from Google in April 2024. CISA issued warnings about it targeting VMware environments. By March 2025, when the breaches in this case were discovered, the group had been running Brickstorm undetected across multiple U.S. targets for over a year. The gap between public disclosure of a threat actor’s tools and actual detection of those tools in victim environments remained, in this case, at least twelve months.

AgentPSD was never triggered. It was waiting on a separate domain, configured and ready, for a Brickstorm takedown that never came.