China’s VerdantBamboo spent 18 months inside a company’s network. The entry point was the managed service provider next door.
The incident response started with a suspicious connection from a Linux appliance. It ended with the discovery of a Chinese state-sponsored threat actor that had been silently present in two interconnected networks for at least a year and a half — and that came back through a different door within days of being evicted through the first one.
Researchers at Volexity documented a multi-stage intrusion campaign by the threat actor the firm tracks as VerdantBamboo (known to other vendors as WARP PANDA and UNC5221). The campaign began with a compromised file sync appliance, expanded through a breached managed service provider, and persisted through three separate re-entry attempts, each exploiting a different piece of infrastructure that lacked endpoint detection coverage.
A File Sync Box No One Was Watching
In September 2025, Volexity was called in after a customer noticed suspicious outbound traffic from a Linux virtual machine running Egnyte Storage Sync, software designed to synchronize on-premise files with cloud storage.
Instead of connecting to Egnyte infrastructure, the appliance was making encrypted TLS connections to a threat-actor-controlled domain hidden behind Cloudflare IP addresses. It was also querying Google’s public DNS server at 8.8.8.8 via DNS over HTTPS, a technique that allows DNS lookups to masquerade as ordinary HTTPS traffic, bypassing DNS-based network monitoring.
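The two signals described above, an appliance speaking DNS over HTTPS to a public resolver and TLS to a destination outside its vendor's domains, can be checked from flow records that carry the TLS server name. The following is an added example, not code from Volexity or from the report; the flow records, IP addresses and domain names are constructed placeholders, and the resolver list beyond 8.8.8.8 is an assumed starting set.

```python
# Added example (not from the Volexity report): flag an appliance's outbound
# TLS flows that look like DNS-over-HTTPS to a public resolver, or that go to
# a destination outside the vendor endpoints the appliance is expected to use.
from dataclasses import dataclass

# Public resolvers that serve DoH on TCP/443. 8.8.8.8 is the one the article
# names; the others are well-known public resolvers added as a starting list.
DOH_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}
DOH_SNI = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

@dataclass
class Flow:
    src: str        # appliance IP
    dst: str        # destination IP
    dport: int
    sni: str = ""   # TLS server name, empty if not observed

def classify(flow, expected_suffixes):
    """Return a reason string if the flow is suspicious, else None.
    expected_suffixes: domain suffixes the appliance legitimately talks to."""
    if flow.dport != 443:
        return None
    if flow.dst in DOH_RESOLVERS or flow.sni in DOH_SNI:
        return "doh-to-public-resolver"
    if not flow.sni:
        return "tls-without-sni"   # nothing to allowlist against; worth a look
    if not any(flow.sni == s or flow.sni.endswith("." + s) for s in expected_suffixes):
        return "tls-to-unexpected-destination"
    return None

def flag_flows(flows, expected_suffixes):
    """Return (src, dst, sni, reason) for every flow that classify() flags."""
    hits = []
    for f in flows:
        reason = classify(f, expected_suffixes)
        if reason:
            hits.append((f.src, f.dst, f.sni, reason))
    return hits

# Constructed sample flows from one appliance; addresses and names are
# documentation placeholders, not indicators from the incident.
SAMPLE = [
    Flow("10.0.5.20", "203.0.113.10", 443, "sync.example-vendor.invalid"),
    Flow("10.0.5.20", "8.8.8.8", 443, "dns.google"),
    Flow("10.0.5.20", "198.51.100.7", 443, "cdn-front.example.invalid"),
    Flow("10.0.5.20", "203.0.113.11", 22),
]

if __name__ == "__main__":
    for hit in flag_flows(SAMPLE, {"example-vendor.invalid"}):
        print(hit)
```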
Forensic analysis of the appliance revealed two backdoors. The primary implant was BRICKSTORM, a Golang-based remote access trojan previously documented by CISA, Google Cloud, and NVISO in the context of Ivanti zero-day exploitation campaigns. The secondary was a previously undocumented Python reverse shell that the researchers named AGENTPSD, packaged as a native binary using PyInstaller and configured to execute once a month on the 15th as a fallback should BRICKSTORM become unavailable. Both had been on the system for at least 18 months before discovery.
VerdantBamboo’s initial foothold came through the appliance’s default service account, egnyteservice, accessed via SSH using credentials the attacker had obtained from the organization’s managed service provider. A misconfigured sudo rule on the appliance, which allowed the egnyteservice account to run the Linux tee command as root, gave the attacker an inadvertent local privilege escalation path. Using tee, they could write files anywhere on the filesystem as root, which they used to install BRICKSTORM in /usr/sbin/ and create a cron-based execution mechanism. Volexity reported the sudo misconfiguration to Egnyte, which fixed it in Storage Sync v13.13.
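The sudo misconfiguration above is the kind of rule an audit of appliance sudoers files should catch. The following is an added example, not code from Volexity or Egnyte: it parses the common form of a sudoers user specification and flags non-root accounts allowed to run a file-writing utility as root. The sudoers content is constructed to mirror the described rule, and the list of utilities beyond tee is an assumed starting set.

```python
# Added example (not from the Volexity report or from Egnyte): audit sudoers
# rules that let a non-root account run a file-writing utility as root.
import re
from posixpath import basename

# Utilities that write arbitrary files when run as root. tee is the one the
# article names; the others are a starting list to extend for your environment.
FILE_WRITERS = {"tee", "dd", "cp", "mv", "install", "sed"}
# user host=(runas[:group]) [TAG: ...] cmd[, cmd...]   (the common sudoers form)
RULE = re.compile(r"^(\S+)\s+([^=\s]+)\s*=\s*(?:\(([^)]*)\))?\s*(.+)$")
TAGS = re.compile(r"^(?:(?:NO)?(?:PASSWD|EXEC|SETENV|LOG_INPUT|LOG_OUTPUT|MAIL|FOLLOW):\s*)+")
SKIP = ("#", "Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias", "@include")

def parse_sudoers(text):
    """Return (user, runas_user, command) per command in each user spec; aliases are not expanded."""
    rules = []
    for raw in text.replace("\\\n", " ").splitlines():   # join continuation lines
        line = raw.split(" #", 1)[0].strip()             # drop trailing comments
        m = RULE.match(line) if line and not line.startswith(SKIP) else None
        if not m:
            continue
        user, _host, runas, cmds = m.groups()
        runas = (runas or "root").split(":")[0].strip() or "root"   # "(ALL:ALL)" -> "ALL"
        for cmd in cmds.split(","):
            cmd = TAGS.sub("", cmd.strip())
            if cmd and not cmd.startswith("!"):          # "!cmd" is a denial, grants nothing
                rules.append((user, runas, cmd))
    return rules

def audit(rules):
    """Return (user, command, reason) for rules that give a non-root user root file-write."""
    findings = []
    for user, runas, cmd in rules:
        if user == "root" or runas not in ("root", "ALL"):
            continue
        prog = basename(cmd.split()[0])
        if prog == "ALL":
            findings.append((user, cmd, "unrestricted root command"))
        elif prog in FILE_WRITERS:
            findings.append((user, cmd, f"{prog} as root can write any file"))
    return findings

# Constructed sudoers content modelled on the misconfiguration the article describes.
SAMPLE = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
egnyteservice ALL=(root) NOPASSWD: /usr/bin/tee, /usr/bin/systemctl restart sync.service
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, !/usr/bin/tee
"""
```

Running `audit(parse_sudoers(SAMPLE))` reports the group-wide `ALL` grant and the `tee` rule, while the `systemctl` and `rsync` entries pass.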
The MSP Was Already Compromised
As Volexity examined the supply chain of the compromise, it turned its attention to the managed service provider — the third-party firm that administered the victim organization’s systems. The MSP’s pfSense firewall, a popular open-source firewall running on FreeBSD, had been compromised by multiple threat actors simultaneously: web shells, cryptocurrency miners, alternate VPN configurations, and a FreeBSD-compatible BRICKSTORM implant deployed by VerdantBamboo, disguised as a file named “blacklist” in the IPsec directory and persisted via a modified cron file. That implant beaconed to a different C2 domain than those found on the victim organization’s systems. It, too, had been present for at least 18 months.
Volexity assesses with medium confidence that the victim organization was first compromised via VerdantBamboo’s prior breach of the MSP — with the attacker using MSP-held administrative credentials and infrastructure access as the initial foothold into the primary target’s environment.
Three Evictions, Three Re-entries
The operational persistence VerdantBamboo demonstrated after initial discovery is the most important finding. Within days of the Storage Sync appliance and SSL VPN being taken offline, the organization’s Synology NAS device began beaconing to the same C2 domain found on the Storage Sync server.
The re-entry path opened when the MSP retired the SSL VPN device during remediation: the organization’s firewall became directly accessible from the internet. VerdantBamboo connected to its administrative interface using stolen credentials that were not protected by multi-factor authentication, configured a new SSL VPN network on the firewall itself, and used that access to pivot back into the internal network.
From there, the attacker connected via SSH to the Synology NAS and deployed a third previously undocumented malware family, tracked by Volexity as PLENET — a .NET Core backdoor compiled to native code using the Native AOT framework introduced in .NET 7, which Google Cloud independently tracked under the name GRIMBOLT.
Researchers also found that VerdantBamboo had validated administrative credentials for the organization’s VMware vCenter infrastructure via web-based logins but did not proceed to deploy malware on ESXi or vCenter systems in this incident, despite public reporting that ESXi persistence is a standard behavior for this group.
The Technique That Made All of This Work
Across the entire operation, VerdantBamboo consistently used compromised devices to proxy connections into the victim organization’s Microsoft 365 environment. By routing M365 access through the organization’s own SSL VPN IP address space, the attacker’s logins appeared to originate from trusted internal infrastructure — bypassing Conditional Access policies specifically designed to block external access. Conditional Access policies in Microsoft Entra ID allow organizations to restrict cloud access by device, location, or network; VerdantBamboo rendered those controls useless by making its traffic look like it came from inside.
The entire attack surface VerdantBamboo operated against — the Egnyte appliance, the pfSense firewall, the Synology NAS — shared one characteristic: none of these devices supports endpoint detection and response software. BRICKSTORM, PLENET, and AGENTPSD were all deployed on infrastructure that sits permanently outside the EDR visibility layer that most security teams treat as their primary detection surface.
VerdantBamboo did not breach this organization through a zero-day exploit on a managed Windows endpoint. It entered through the blind spots — the devices that sit on the network and are administered via web interface and SSH, with no agent, no behavioral monitoring, and no MFA on their administrative accounts.
Researchers recommended enforcing MFA on all administrative accounts without exception, including those managing firewalls and network appliances; auditing sudo configurations on Linux appliances for inadvertent privilege escalation paths; ensuring that network appliances are never left directly exposed to the internet following remediation work; and extending network monitoring coverage to all devices capable of making outbound connections, regardless of whether they support EDR agents.