VerdantBamboo
VerdantBamboo is a Chinese / China-nexus cyber espionage threat actor tracked by Volexity. Volexity states that the cluster overlaps with Clay Typhoon (Microsoft), UNC5221 (Google), and Warp Panda (CrowdStrike); the reporting also refers to it as WARP PANDA and UNC5221.

In the reported activity, VerdantBamboo targeted unguarded edge and proprietary appliances that typically lack EDR coverage, including Egnyte Storage Sync systems, pfSense firewalls, and Synology NAS devices, and maintained covert access in at least one victim environment for more than 18 months. Volexity also assessed with medium confidence that the compromise of a managed services provider enabled downstream access to victims.

Observed tradecraft included: use of stolen credentials over SSH; abuse of an insecure sudo configuration (a local privilege escalation condition) on Egnyte Storage Sync to obtain root privileges; living-off-the-land techniques; manual launching of implants to reduce static detection; cron and startup modifications for persistence; use of compromised appliances as proxies; and use of stolen credentials together with SSL VPN access to reach internal systems and the victim's Microsoft 365 environment while blending with legitimate traffic and evading Conditional Access controls. After remediation, the actor reportedly regained access using stolen firewall administrative credentials where the management interface was internet-exposed and lacked MFA, then established new VPN access and moved laterally.

Malware and tooling directly mentioned in the reporting: BRICKSTORM, described as the primary backdoor / remote access trojan used on appliance and edge systems, including a FreeBSD / BSD variant on pfSense; PLENET, a previously undocumented cross-platform backdoor written in .NET Core and compiled with Native AOT, also referred to as GRIMBOLT; and AGENTPSD, a Python-based reverse shell used as a fallback implant. PLENET capabilities mentioned include an interactive shell, remote command execution, file manipulation, and switching between command-and-control servers. The reporting also notes use of Cloudflare-fronted infrastructure and DNS-over-HTTPS via Google Public DNS in the campaign.
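As an added defensive illustration (not code from Volexity's reporting or from Mallory), the Python audit below checks two host artifacts that the tradecraft above touches: a sudoers file, for passwordless unrestricted sudo granted to a non-root account (the class of insecure sudo configuration that yields root on an appliance), and a system crontab, for entries that launch from scratch directories or hidden paths (the cron-based persistence). The sample sudoers and crontab contents are constructed for the example, the regex and heuristics are my own assumptions, and nothing here reflects the actual configuration of any product named in the reporting.

```python
import re
from typing import Dict, List

# Constructed sample sudoers content (not taken from the report). The
# "NOPASSWD: ALL" entry for the service account is the kind of insecure sudo
# rule that lets an SSH-authenticated low-privilege user become root.
SAMPLE_SUDOERS = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
syncsvc ALL=(ALL) NOPASSWD: ALL
backup ALL=(root) NOPASSWD: /usr/bin/rsync
"""

# Constructed sample system crontab (schedule, user, command). Two entries
# launch implant-like binaries from world-writable scratch directories.
SAMPLE_CRONTAB = """\
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
*/5 * * * * root /tmp/.cache/upd >/dev/null 2>&1
@reboot syncsvc /var/tmp/.x/agent -c https://example.invalid/cfg
0 2 * * * root /usr/sbin/logrotate /etc/logrotate.conf
"""

# Simplified sudoers grammar: user host=(runas) [TAG: ...] commands
SUDOERS_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$"
)

# Directories any local user can usually write to (assumed heuristic).
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def audit_sudoers(text: str) -> List[Dict[str, str]]:
    """Return sudoers entries that grant passwordless, unrestricted sudo to a
    principal other than root."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = SUDOERS_RE.match(line)
        if not m:
            continue
        passwordless = "NOPASSWD:" in m.group("tags").upper()
        unrestricted = m.group("cmds").strip() == "ALL"
        if passwordless and unrestricted and m.group("user") != "root":
            findings.append({"user": m.group("user"), "line": line,
                             "reason": "passwordless sudo to ALL commands"})
    return findings


def audit_crontab(text: str) -> List[Dict[str, str]]:
    """Flag system crontab entries whose command runs from a scratch directory
    or uses a dot-prefixed (hidden) path component."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):            # @reboot / @daily style schedule
            parts = line.split(None, 2)
            if len(parts) < 3:
                continue
            schedule, user, command = parts
        else:                               # five-field schedule
            parts = line.split(None, 6)
            if len(parts) < 7:
                continue
            schedule, user, command = " ".join(parts[:5]), parts[5], parts[6]
        reasons = []
        if any(command.startswith(d) or f" {d}" in command for d in SCRATCH_DIRS):
            reasons.append("runs from scratch directory")
        if re.search(r"/\.[^/\s]+", command):
            reasons.append("hidden path component")
        if reasons:
            findings.append({"schedule": schedule, "user": user,
                             "command": command, "reason": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print("SUDOERS", f)
    for f in audit_crontab(SAMPLE_CRONTAB):
        print("CRON   ", f)
```

On the constructed input the sudoers audit flags only the `syncsvc` rule (the `backup` rule is passwordless but limited to one command), and the crontab audit flags the two scratch-directory entries while leaving the `run-parts` and `logrotate` jobs alone. In practice the same checks would be run against `/etc/sudoers`, `/etc/sudoers.d/*`, `/etc/crontab`, `/etc/cron.d/*` and per-user crontabs, and a baseline of the appliance's shipped cron entries is needed to separate vendor jobs from additions.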
Targeting
Who, where, and (when attributed) which flag flies behind the operation, drawn from open-source reporting and Mallory's analyst review.

Sectors the actor has been observed targeting:
- Software & Services

Attributed origin per open-source reporting:
- CN

Tradecraft
35 distinct MITRE ATT&CK techniques observed across reporting, grouped by tactic.

Associated malware families
4 malware families attributed to this actor across reporting.

Observables
45 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.

Recent activity
5 sources tracked across advisories, community write-ups, and news.
Cyber espionage campaign targeting edge appliances such as file storage sync systems and pfSense firewalls to gain long-term covert access, pivot into cloud environments, compromise managed service providers, and evade detection on systems that typically lack EDR.
China-nexus cyber espionage activity targeting Linux and appliance-like systems, including Egnyte Storage Sync, pfSense firewalls, Synology NAS, and Microsoft 365 environments. The group used compromised MSP infrastructure, stealthy access via SSL VPN, stolen administrative credentials, and malware tailored for systems that often lack EDR coverage.
Long-term espionage-style intrusions into corporate networks by compromising edge appliances and MSP infrastructure, maintaining persistence for at least 18 months, re-entering environments after eviction, and using custom malware to control firewalls, storage systems, NAS devices, and network appliances.