A cyber espionage group originating from China, identified as UNC5221, has been infiltrating Microsoft 365 environments utilizing the Brickstorm backdoor along with newly discovered malware named Plenet and AgentPSD.
An extensive probe into the breach disclosed that the malicious actor had infiltrated the victim’s network at least 18 months prior to detection and had also compromised the victim organization’s managed services provider (MSP).
UNC5221, also known as VerdantBamboo, has a history of exploiting zero-day vulnerabilities in edge devices since 2023.
The threat actor utilized the Brickstorm backdoor without detection in various targets across the United States for over a year until the breaches were identified around March 2025.
Researchers have described Brickstorm as a sophisticated malware implant, initially coded in Golang with subsequent variants written in Rust.
In April 2024, Google reported UNC5221 utilizing the backdoor, followed by another report in September 2025 detailing attacks on legal services, software-as-a-service providers, business process outsourcers, and technology firms.
CISA issued a warning regarding Chinese hackers deploying Brickstorm against VMware vSphere servers, and more recently, Google confirmed its use by UNC6201 against Dell RecoverPoint for Virtual Machines.
Double Intrusion on Victims
During an incident last year, Volexity researchers uncovered that VerdantBamboo compromised an Egnyte Storage Sync system and accessed it periodically through the victim’s web SSL VPN.
Using this access point, along with Brickstorm proxying capabilities and stolen credentials, the threat actor infiltrated the organization’s Microsoft 365 environment.
Volexity concluded that the attackers spent a minimum of 18 months within the network before detection. Furthermore, VerdantBamboo breached the organization again after the remediation efforts conducted by the researchers.
In the subsequent intrusion, the hackers leveraged stolen credentials to activate and configure SSL VPN access on the victim’s firewall, enabling them to connect to internal systems and deploy additional custom malware on a Synology NAS device.
Further investigation at the customer’s MSP revealed that VerdantBamboo had implanted a BSD variant of Brickstorm on a pfSense firewall.
Volexity determined that this firewall, like the victim organization’s Storage Sync system, had also been compromised at least 18 months prior.
The researchers have moderate confidence that the attacker transitioned from the MSP to the victim organization’s environment.
Brickstorm was subsequently deployed on the victim’s Egnyte Storage Sync appliance and a retired Linux GroupWise email archive server.
Newly Employed Backdoors
Upon their return a few days later, the attackers regained access to the victim’s infrastructure and introduced the custom malware Plenet to a Synology NAS appliance.
Plenet, also identified as “Grimbolt” by Google, is a cross-platform .NET-based backdoor offering interactive shell access, remote command execution, file manipulation, and command-and-control (C2) server switching.
Plenet shares similarities with Brickstorm in design, utilizing the WebSocket protocol for C2 communications and a multiplexing library for simultaneous data streams to the server.
AgentPSD, a straightforward Python-based reverse shell utility, was believed by Volexity to be a fallback persistence mechanism used by VerdantBamboo if other malware was inaccessible.
Although AgentPSD was configured to connect to a different domain from the one Brickstorm used, it was never put to use because Brickstorm remained active, which indicates it served as a secondary access point.
Throughout the investigation, Volexity sought to identify the infrastructure linked to VerdantBamboo, creating a fingerprint to recognize IP addresses and domains used by Brickstorm for C2 communication.
However, the threat actor took down the infrastructure before further systems could be uncovered.
During the same period, Google released a report on Brickstorm’s activities, suggesting the attacker’s awareness of being under scrutiny.
Volexity characterizes VerdantBamboo/UNC5221 as a highly sophisticated threat actor employing living-off-the-land techniques and malware, targeting systems lacking endpoint detection and response (EDR) solutions.
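As an added example (not the researchers' code), the following detection logic runs over proxy logs to surface the WebSocket C2 pattern shared by Brickstorm and Plenet, described above, on appliance hosts that carry no EDR agent; the log layout, host inventory and addresses are constructed for illustration.

```python
"""Flag WebSocket sessions from EDR-less appliances in proxy logs.
Added example, not Volexity's or Google's code: Brickstorm and Plenet use
WebSocket for C2 and were planted on appliances without EDR, so the proxy
is where they show up. Log layout, hosts and addresses are constructed."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed inventory: internal hosts known to carry no EDR agent.
APPLIANCE_HOSTS = {"10.0.5.20": "synology-nas", "10.0.5.30": "egnyte-sync",
                   "10.0.0.1": "pfsense-fw"}
# Constructed: ranges treated as internal, i.e. not candidate C2 endpoints.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
# Constructed proxy log layout: ts src dst:port method path status bytes upgrade
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (\S+) (\S+) (\d{3}) (\d+) (\S+)$")

SAMPLE_LOG = """\
2025-03-02T01:12:07Z 10.0.5.20 203.0.113.45:443 GET /api/v2/stream 101 0 websocket
2025-03-02T01:12:09Z 10.0.5.20 203.0.113.45:443 GET /api/v2/stream 101 0 websocket
2025-03-02T01:13:00Z 10.0.7.11 10.0.9.5:8080 GET /ws/chat 101 0 websocket
2025-03-02T01:14:22Z 10.0.5.30 198.51.100.7:443 GET /update 200 5120 -
2025-03-02T01:15:40Z 10.0.0.1 198.51.100.7:443 GET /socket 101 0 websocket
2025-03-02T01:16:01Z 10.0.5.20 10.0.9.5:443 GET /sync 101 0 websocket
"""

def is_internal(addr: str) -> bool:
    """True when addr falls inside one of the constructed internal ranges."""
    return any(ip_address(addr) in net for net in INTERNAL_NETS)

def parse_line(line: str):
    """Return (src, dst, status, upgrade) for one record, or None on no match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    _ts, src, dst, _port, _method, _path, status, _nbytes, upgrade = m.groups()
    return src, dst, int(status), upgrade.lower()

def find_suspect_sessions(log_text: str):
    """Count completed WebSocket upgrades (HTTP 101) from EDR-less appliances
    to non-internal destinations. Returns sorted [((host, dst), count)]."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, status, upgrade = rec
        if src in APPLIANCE_HOSTS and status == 101 and upgrade == "websocket" \
                and not is_internal(dst):
            hits[(APPLIANCE_HOSTS[src], dst)] += 1
    return sorted(hits.items())
```

On the sample log the NAS and the firewall are reported, while the workstation's internal WebSocket session and the storage sync appliance's plain HTTPS download are not; the remaining step for an analyst is to check the reported destinations against the published IOC list.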
The researchers compiled a list of indicators of compromise (IOCs) associated with the UNC5221 campaign, which they made publicly available.