China’s VerdantBamboo Experimented With Three Re-Entries and Three Malware in a Company Network


The Cyber Express, Jun 5, 2026

Why It Matters

The incident shows that even well‑protected enterprises remain vulnerable when unmanaged devices and weak administrative controls are overlooked, giving nation‑state actors persistent access. It forces CISOs to broaden detection beyond traditional endpoints and enforce MFA everywhere.

Key Takeaways

  • VerdantBamboo stayed 18 months inside the victim's network by living in its monitoring blind spots
  • A compromised Egnyte Storage Sync appliance hosted BRICKSTORM and a custom Python reverse shell
  • The MSP's pfSense firewall was also infected, yielding administrative credentials that were used for re‑entry
  • No MFA on privileged accounts and no EDR on appliances enabled three successful re‑entries

Pulse Analysis

Supply‑chain compromises have become a favorite vector for Chinese cyber‑espionage groups, and VerdantBamboo's latest campaign shows why. After compromising a third‑party managed service provider, the actors took control of an Egnyte Storage Sync appliance in the target's environment. The device went unnoticed for a year and a half while running the BRICKSTORM backdoor and a bespoke Python reverse shell; both persisted because the appliance never hosted an endpoint detection agent. The initial breach illustrates how attackers exploit the trust placed in vendor‑managed infrastructure to gain a foothold without triggering traditional alerts.

Once inside, VerdantBamboo moved laterally with care. A misconfigured sudo rule on the Linux appliance allowed file writes as root, which let the actors drop BRICKSTORM into a system directory and add a cron job to run it automatically. The MSP's pfSense firewall, itself infected with a BRICKSTORM variant, yielded administrative credentials; when the original VPN was taken offline, the actors used those credentials to stand up a new SSL VPN tunnel and walk back in. Later re‑entries ran through a Synology NAS and a .NET Core backdoor dubbed PLENET (also known as GRIMBOLT), while Microsoft 365 traffic was routed through the organization's own VPN address space so that sign‑ins appeared to come from a trusted corporate location and sidestepped Conditional Access policies. The absence of multi‑factor authentication on these privileged accounts was a critical enabler.
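The sudo-to-cron persistence path above is easy to audit for on any Linux appliance that exposes a shell. The script below is an added example, not code from the article, the victim, the MSP or any vendor; every user, host, path, sudoers rule and cron line in it is constructed for the demo. It flags sudo rules that let a non-root user write arbitrary files as root (a bare `tee`, `cp`, `install` and the like with caller-chosen arguments, or `ALL`), and lists `/etc/cron.d` entries whose command is not in a known-good baseline.

```python
"""Audit sudoers rules and cron entries for the persistence path described above:
a sudo rule that grants root-level file writes, used to drop a binary into a
system directory and run it from cron.

Added example, not code from the article, the victim, the MSP or any vendor.
All users, hosts, paths and rules below are constructed for the demo.
"""
import os
import re

# Commands that, runnable as root with caller-chosen arguments, amount to an
# arbitrary root file write (tee/cp/install/dd/mv/rsync) or a root shell.
WRITE_CAPABLE = {"tee", "cp", "mv", "dd", "install", "rsync", "sh", "bash",
                 "python3", "perl", "vi", "vim", "nano", "find", "sed", "chmod"}
ROOT_RUNAS = {"root", "ALL"}


def parse_rule(line):
    """Split 'user host = (runas) [TAG:] cmd, cmd' into (user, runas, [(cmd, nopasswd)])."""
    if "=" not in line:
        return None
    left, right = line.split("=", 1)
    left_parts = left.split()
    if len(left_parts) < 2:
        return None
    user, right = left_parts[0], right.strip()
    runas = "root"                                  # sudo's default when (runas) is absent
    m = re.match(r"\(([^)]*)\)\s*(.*)", right)
    if m:
        runas = m.group(1).split(":")[0].strip() or "root"
        right = m.group(2)
    cmds, nopasswd = [], False
    for cmd in right.split(","):
        cmd = cmd.strip()
        # Tags are sticky: NOPASSWD: covers every later command until a PASSWD: tag.
        while (t := re.match(r"([A-Z]+):\s*(.*)", cmd)):
            nopasswd = {"NOPASSWD": True, "PASSWD": False}.get(t.group(1), nopasswd)
            cmd = t.group(2)
        cmds.append((cmd, nopasswd))
    return user, runas, cmds


def audit_sudoers(text):
    """Return (user, command, reason) for rules that give root-level writes.
    Cmnd_Alias names are not expanded; review those by hand."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "Cmnd_Alias", "User_Alias",
                                        "Host_Alias", "Runas_Alias")):
            continue
        parsed = parse_rule(line)
        if parsed is None or parsed[1] not in ROOT_RUNAS:
            continue
        user, _runas, cmds = parsed
        for cmd, nopasswd in cmds:
            tag = " (NOPASSWD)" if nopasswd else ""
            if cmd == "ALL":
                findings.append((user, cmd, "full root" + tag))
                continue
            parts = cmd.split()
            prog = os.path.basename(parts[0])
            # A bare program, or wildcard arguments, lets the caller pick the target file.
            unrestricted = len(parts) == 1 or any("*" in p for p in parts[1:])
            if prog in WRITE_CAPABLE and unrestricted:
                findings.append((user, cmd, f"arbitrary root file write via {prog}{tag}"))
    return findings


def unbaselined_cron(text, baseline):
    """Return (user, command) for /etc/cron.d entries not in the known-good set.
    cron.d lines are '<schedule> <user> <command>'."""
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue                                # comments and VAR=value lines
        fields = line.split(None, 2) if line.startswith("@") else line.split(None, 6)
        if len(fields) != (3 if line.startswith("@") else 7):
            continue
        user, command = fields[-2], fields[-1]
        if command not in baseline:
            hits.append((user, command))
    return hits


# Constructed inputs: a "limited" sync rule that is in fact an arbitrary root write.
SUDOERS = """\
# constructed /etc/sudoers.d/sync (hypothetical)
Defaults env_reset
appsync ALL=(root) NOPASSWD: /usr/bin/tee, /usr/bin/systemctl restart sync
backup  ALL=(root) /usr/bin/rsync /data/ backup@10.0.9.5:/vault/
support ALL=(root) NOPASSWD: /usr/bin/tee /var/log/support.log
opsuser ALL=(ALL:ALL) ALL
"""
CRON_D = """\
SHELL=/bin/sh
*/5 * * * * root /usr/sbin/sync-healthcheck
@reboot root /usr/lib/systemd/.cache/svcd
"""
BASELINE = {"/usr/sbin/sync-healthcheck"}

if __name__ == "__main__":
    for f in audit_sudoers(SUDOERS):
        print("sudo:", f)
    for h in unbaselined_cron(CRON_D, BASELINE):
        print("cron:", h)
```

Note the difference between `appsync`'s bare `/usr/bin/tee` (any file, as root, no password) and `support`'s `/usr/bin/tee /var/log/support.log` (one fixed file): the first is enough to write a cron entry under `/etc/cron.d`, the second is not flagged. The baseline for cron is an assumption you would build from a clean install of the same appliance firmware.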

The broader lesson for enterprises is clear: security controls must extend to every network‑visible asset, not just workstations. Organizations should enforce MFA on all administrative accounts, audit sudo configurations on Linux appliances, keep the management interfaces of firewalls, NAS devices and other appliances off the internet, and rotate every credential those appliances held during remediation, since the re‑entry here used administrative credentials that were still valid after the original VPN had been taken offline. Network‑level monitoring that records outbound connections from devices that cannot run EDR can surface covert C2 traffic early. As nation‑state actors continue to weaponize supply‑chain and blind‑spot tactics, a holistic, zero‑trust approach becomes essential for defending against persistent, multi‑stage intrusions.
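The network-level monitoring the paragraph above recommends can be prototyped from flow records alone. The script below is an added example, not code from the article or from any vendor: it assumes a constructed inventory of internal hosts that cannot run an endpoint agent, a constructed allowlist of vendor endpoints those hosts legitimately reach, and constructed flow records in a simple `epoch src dst dport proto` format standing in for Zeek `conn.log` or NetFlow. It groups outbound connections from the non-EDR devices to external, non-allowlisted destinations and marks a channel as periodic when the gaps between connections are regular, which is how a beaconing implant looks in flow data.

```python
"""Surface covert outbound connections from appliances that carry no EDR agent,
using nothing but flow records.

Added example, not code from the article or from any vendor. The inventory,
the allowlist and the flow records are constructed for the demo; the record
format ('epoch src dst dport proto') stands in for Zeek conn.log or NetFlow.
"""
import ipaddress
import statistics
from collections import defaultdict

# Constructed inventory of internal hosts that cannot run an endpoint agent.
NON_EDR_ASSETS = {"10.0.5.20": "egnyte-sync", "10.0.0.1": "pfsense-fw",
                  "10.0.5.30": "synology-nas"}
# Constructed allowlist: destinations these devices legitimately reach
# (vendor sync/update endpoints). In practice, take this from the vendor docs.
ALLOWED_DST = [ipaddress.ip_network("203.0.113.0/24")]
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL)


def is_allowed(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_DST)


def parse_flows(lines):
    """Parse 'epoch src dst dport proto' records; '#' lines are comments."""
    flows = []
    for ln in lines:
        ln = ln.strip()
        if not ln or ln.startswith("#"):
            continue
        ts, src, dst, dport, proto = ln.split()
        flows.append((float(ts), src, dst, int(dport), proto))
    return flows


def find_suspect_channels(flows, min_hits=4, max_cv=0.2):
    """Group outbound flows from non-EDR assets to external, non-allowlisted
    destinations into channels. A channel is periodic when the gaps between
    its connections are regular (coefficient of variation below max_cv).
    Periodic channels sort first, then by connection count."""
    channels = defaultdict(list)
    for ts, src, dst, dport, proto in flows:
        if src in NON_EDR_ASSETS and is_external(dst) and not is_allowed(dst):
            channels[(src, dst, dport, proto)].append(ts)
    report = []
    for (src, dst, dport, proto), times in channels.items():
        times.sort()
        periodic = False
        if len(times) >= min_hits:
            gaps = [b - a for a, b in zip(times, times[1:])]
            mean = statistics.mean(gaps)
            periodic = mean == 0 or statistics.pstdev(gaps) / mean < max_cv
        report.append({"asset": NON_EDR_ASSETS[src], "src": src, "dst": dst,
                       "dport": dport, "proto": proto, "count": len(times),
                       "periodic": periodic})
    return sorted(report, key=lambda r: (not r["periodic"], -r["count"]))


# Constructed flow records: the sync appliance beacons to 198.51.100.77 about
# every ten minutes and also talks to its allowlisted vendor endpoint; the
# firewall makes one outbound SSH connection; 10.0.7.15 is an EDR-covered
# workstation and so is not in the inventory.
FLOWS = """\
1000  10.0.5.20  198.51.100.77  443  tcp
1000  10.0.5.20  203.0.113.10   443  tcp
1602  10.0.5.20  198.51.100.77  443  tcp
1900  10.0.7.15  198.51.100.77  443  tcp
2198  10.0.5.20  198.51.100.77  443  tcp
2300  10.0.5.30  10.0.5.20      445  tcp
2801  10.0.5.20  198.51.100.77  443  tcp
3100  10.0.0.1   192.0.2.9      22   tcp
3399  10.0.5.20  198.51.100.77  443  tcp
""".splitlines()

if __name__ == "__main__":
    for row in find_suspect_channels(parse_flows(FLOWS)):
        print(row)
```

The `min_hits` and `max_cv` thresholds are assumptions; implants that add heavy jitter to their sleep interval need a longer observation window or a different regularity test, and a single unexpected connection (the firewall's outbound SSH here) is still worth a ticket even though it is not periodic. Pair the output with the asset inventory so that any appliance talking to a destination its vendor never documented is reviewed.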

