
VerdantBamboo: Just Another BRICKSTORM in the Firewall

Published 05/06/2026 18:07 · Modified 08/06/2026 08:54


Essential information

Published
05/06/2026 18:07
Modified
08/06/2026 08:54
Tags
2026-06-05 brickstorm verdantbamboo
Related entities
32 observables, 1 intrusion sets (apt), 19 techniques (mitre), 3 malware, 12 others

Description

A Chinese threat actor compromised a victim organization and its Managed Services Provider (MSP) over an 18-month period, deploying malware on network edge devices that lacked EDR coverage. The initial breach involved an Egnyte Storage Sync system, where the attackers exploited a sudo misconfiguration for privilege escalation and installed backdoor and AGENTPSD fallback implant. The investigation revealed that the MSP's pfSense firewall was also compromised with a FreeBSD variant of . After remediation, regained access through stolen firewall credentials, enabling custom VPN access and deploying the PLENET backdoor on a Synology NAS. The threat actor used the compromised systems as proxies to access Microsoft 365 environments while evading security controls. demonstrated operational discipline by targeting appliances without EDR capabilities and by using sophisticated malware, including PLENET, which was compiled with .NET Native AOT to hinder analysis.

External references