
Chinese APT Deploys New Malware to Keep Access to Hacked Networks
Why It Matters
The prolonged, multi‑vector intrusion demonstrates how sophisticated Chinese APTs can bypass traditional defenses and exploit MSP relationships, raising the urgency for stronger zero‑trust and supply‑chain security measures across enterprises.
Key Takeaways
- UNC5221 used Brickstorm to stay hidden in Microsoft 365 for 18 months
- Attackers compromised MSP, then pivoted into victim network via SSL VPN
- Plenet backdoor provides interactive shell and WebSocket C2 on cross‑platform devices
- Rust‑based Brickstorm variants evade traditional endpoint detection solutions
- Volexity released IOCs on GitHub to aid detection and response
Pulse Analysis
The resurgence of UNC5221, dubbed VerdantBamboo, underscores a shift in Chinese cyber‑espionage tactics toward long‑term persistence within cloud‑based services. By leveraging the Brickstorm backdoor—initially written in Golang and later rewritten in Rust—the group sidestepped conventional endpoint detection, blending malicious traffic with legitimate network flows. Their ability to maintain access for over a year before discovery highlights gaps in continuous monitoring and the challenges of detecting sophisticated, low‑noise implants in Microsoft 365 and related SaaS environments.
Technical analysis reveals a layered malware suite designed for resilience. Brickstorm’s proxy capabilities enabled credential theft and lateral movement into an organization’s SSL VPN, while the newly uncovered Plenet backdoor offered interactive shell access across Windows, Linux and macOS via a WebSocket C2 channel. A secondary Python tool, AgentPSD, served as a fallback reverse‑shell, ensuring continuity if primary implants were disrupted. The attackers also targeted peripheral devices—such as Synology NAS appliances and pfSense firewalls—demonstrating a broader attack surface that includes often‑overlooked infrastructure components.
For enterprises, the campaign signals an urgent need to reinforce zero‑trust architectures and scrutinize third‑party service providers. Continuous authentication monitoring, strict Conditional Access policies, and robust EDR solutions on both endpoints and network devices can mitigate the risk of stealthy backdoors. Sharing IOCs, as Volexity has done on GitHub, is critical for collective defense, enabling security teams to detect Brickstorm signatures, Plenet traffic patterns, and related domain infrastructure before attackers can exfiltrate data or establish new footholds.