PLENET
PLENET is a cross-platform backdoor written in .NET Core and compiled to native code using .NET Native AOT, including observed Linux-targeted samples. It has also been tracked by Google as GRIMBOLT/Grimbolt. Reported capabilities include interactive shell access, remote command execution, file manipulation, WebSocket-based command-and-control, and the ability to switch C2 servers without redeployment. Volexity identified PLENET as a previously undocumented malware family used by the China-nexus espionage actor VerdantBamboo, which overlaps with UNC5221, Clay Typhoon, and Warp Panda. In the reported intrusion, the malware was deployed over SSH to a Synology NAS after the actor regained access using stolen administrative credentials and re-enabled SSL VPN access on the victim firewall. The broader campaign targeted edge and appliance systems that typically lack EDR coverage, including Egnyte Storage Sync appliances, pfSense firewalls, and Synology NAS devices, and persisted for at least 18 months. Reported PLENET C2 IPs include 107.175.235.196, 170.187.181.243, 104.253.1.46, and 149.248.11.71.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Google earlier this February in connection with attacks mounted by a suspected China-nexus threat cluster dubbed UNC6201 that exploited a vulnerability in Dell RecoverPoint for Virtual Machines (CVE-2026-22769, CVSS score: 10.0) as a zero-day since mid-2024. | The two malware families deployed to the NAS appliance over SSH are as follows - PLENET (aka GRIMBOLT), a cross-platform backdoor developed in .NET Core... It supports interactive shell, remote command execution, file manipulation, and command-and-control (C2) server switching.
Groups observed using it
4 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Specifically, developers engineered this tool, tracked under the name PLENET, using the modern .NET Core framework. Furthermore, the authors compiled the binary into native machine code using advanced ahead-of-time technologies.
The two malware families deployed to the NAS appliance over SSH are as follows - PLENET (aka GRIMBOLT), a cross-platform backdoor developed in .NET Core... It supports interactive shell, remote command execution, file manipulation, and command-and-control (C2) server switching.
Using credentials they’d harvested and held in reserve, they re-enabled the SSL VPN on the external firewall, got back in, and deployed a new backdoor family – PLENET on a Synology NAS, along with a backup reverse shell called AGENTPSD.
Techniques & procedures
11 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 1 technique
Execution: 1 technique
Defense Impairment: 1 technique
Lateral Movement: 3 techniques
Command and Control: 5 techniques
PLENET demonstrates similar design patterns to BRICKSTORM. Like BRICKSTORM, PLENET C2 traffic uses the WebSocket protocol.
Communicates with its C2 infrastructure over WebSockets, with some variants using DNS-over-HTTPS (DoH) to obscure C2 lookups from standard DNS monitoring
deploy additional malware to a Synology Network Attached Storage (NAS) appliance
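Given the WebSocket and DNS-over-HTTPS C2 behaviour described above, one way to triage appliance egress logs for it, as an added example that is not the page's or Mallory's own code: it parses a constructed, invented log format (real proxy logs need their own parser) and flags the C2 addresses listed in the description, WebSocket upgrades to bare IP literals, and DoH requests that bypass the resolver a DNS sensor watches.

```python
import re
from dataclasses import dataclass

# C2 addresses reported for PLENET (from the description above): high-confidence hits.
PLENET_C2_IPS = {"107.175.235.196", "170.187.181.243", "104.253.1.46", "149.248.11.71"}

# Constructed log format (invented for this example):
# "<ts> <src> -> <dst_host>:<port> <method> <path> upgrade=<v> ctype=<v>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[^:\s]+):(?P<port>\d+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) upgrade=(?P<upgrade>\S+) ctype=(?P<ctype>\S+)$"
)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

@dataclass
class Finding:
    src: str
    dst: str
    reason: str
    severity: str

def triage_line(line: str) -> list[Finding]:
    """Return findings for one log line; empty list when nothing is suspicious."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []  # unparseable line: skip rather than guess at fields
    f = m.groupdict()
    out = []
    if f["dst"] in PLENET_C2_IPS:
        out.append(Finding(f["src"], f["dst"], "known PLENET C2 address", "high"))
    # WebSocket upgrade straight to an IP literal: the BRICKSTORM/PLENET-style transport
    if f["upgrade"].lower() == "websocket" and IPV4_RE.match(f["dst"]):
        out.append(Finding(f["src"], f["dst"], "WebSocket upgrade to bare IP", "medium"))
    # DoH from an appliance hides C2 lookups from standard DNS monitoring
    if f["path"].startswith("/dns-query") or f["ctype"] == "application/dns-message":
        out.append(Finding(f["src"], f["dst"], "DoH resolution from host", "medium"))
    return out

def triage(lines) -> list[Finding]:
    return [fnd for line in lines for fnd in triage_line(line)]

# Constructed sample: a NAS (10.0.5.20) using WebSocket to a listed C2 IP, then DoH
SAMPLE_LOG = """\
2025-05-01T10:00:01Z 10.0.5.20 -> 107.175.235.196:443 GET /ws upgrade=websocket ctype=-
2025-05-01T10:00:02Z 10.0.5.20 -> dns.example:443 POST /dns-query upgrade=- ctype=application/dns-message
2025-05-01T10:00:03Z 10.0.5.21 -> updates.example:443 GET /index.html upgrade=- ctype=-
"""

if __name__ == "__main__":
    for fnd in triage(SAMPLE_LOG.splitlines()):
        print(f"[{fnd.severity}] {fnd.src} -> {fnd.dst}: {fnd.reason}")
```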
IOCs tracked for this family
9 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A sophisticated secondary implant for internal storage systems. It is a .NET Core-based backdoor compiled ahead-of-time into native machine code with embedded runtime libraries to hinder analysis and evade inspection.
A cross-platform .NET Core backdoor deployed to NAS/Linux environments. It supports interactive shell access, remote command execution, file manipulation, and C2 server switching.
A .NET Native AOT backdoor described as VerdantBamboo’s next-generation implant. It uses WebSockets for C2, supports multiplexed concurrent sessions, interactive shell execution, file management, and can switch C2 servers dynamically without redeployment.
A previously undocumented cross-platform backdoor compiled from .NET Core using Native AOT, deployed on a Synology NAS device as part of VerdantBamboo intrusions.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.