China-Linked Hackers Target Linux Appliances with New BSD Backdoor Variant

A Chinese cyber espionage group deployed a BSD variant of the BRICKSTORM backdoor on Linux appliances, infiltrating a victim's network through an Egnyte Storage Sync flaw and later compromising a managed services provider's firewall.

CSBadmin

Advanced Persistent Threat Activity

A cyber espionage group with ties to China has been linked to a campaign targeting Linux-based appliances, deploying a BSD variant of the known BRICKSTORM backdoor alongside two other malware families. The threat cluster, tracked by Volexity as VerdantBamboo and also known as Clay Typhoon and Warp Panda, was uncovered during an incident response engagement in September 2025. The attackers compromised an organization’s Egnyte Storage Sync system by exploiting a local privilege escalation flaw, which was later patched in version 13.13 released in March 2026.

The initial compromise is believed to have occurred at least 18 months before discovery. The threat actor used the malware’s proxying capabilities on the compromised appliance, combined with stolen credentials, to access the victim’s Microsoft 365 environment. This approach allowed the attackers to blend their activity with legitimate network traffic and bypass Conditional Access policies.

Broader Infrastructure Compromise

Following initial remediation efforts, the attackers regained access to the same organization by using stolen administrative credentials to connect to the firewall. They then configured web SSL VPN access to move laterally within the network, connecting to other systems and deploying additional malware on a Synology Network Attached Storage appliance. The investigation revealed that the threat actor had also compromised the victim’s Managed Services Provider by infecting its pfSense firewall with the BSD variant of BRICKSTORM around the same time frame. This multi-vector approach demonstrates the group’s persistence and its ability to maintain access across interdependent systems.

Source: The Hacker News
