VerdantBamboo kept Microsoft 365 access for 18 months

Brickstorm malware – A Chinese espionage group tracked as UNC5221 and VerdantBamboo used the Brickstorm backdoor to hold access inside Microsoft 365 environments for more than a year, then re-entered after remediation—adding new malware along the way.

For more than a year, the access looked ordinary—just enough to blend into everyday traffic, just stealthy enough to keep sitting inside Microsoft 365 environments without triggering the alarms that usually stop intruders in their tracks.

The operator behind that persistence is tracked as UNC5221, also known as VerdantBamboo. During an investigation into an incident that was discovered around March 2025, researchers found that the threat actor had gained access to the victim network at least 18 months before detection. The attackers had also compromised the victim organization’s managed services provider (MSP), giving them a path in that was hard to distinguish from legitimate business activity.

Brickstorm was at the center of it. Researchers describe it as “an advanced malware implant.” Initial variants were written in Golang, and later variants emerged written in Rust. The threat actor used Brickstorm undetected in the environments of various targets in the United States for more than a year, until the breaches were discovered around March 2025.

The long hold matters because it changes what “detection” even means. If a backdoor is present for 18 months, then the gap isn’t only about whether defenders eventually spotted something—it’s about how long attackers were able to operate while the environment looked normal.

UNC5221 is also tracked as VerdantBamboo, and has been involved in attacks exploiting zero-day vulnerabilities in edge devices since at least 2023.

Even the timeline is crowded. In April 2024, Google documented UNC5221 activity using the Brickstorm backdoor. In September 2025, Google documented additional activity, describing attacks that targeted legal services, software-as-a-service providers, business process outsourcers, and technology companies.

CISA also warned about Brickstorm being deployed by Chinese hackers against VMware vSphere servers. More recently, Google reported Brickstorm was deployed by UNC6201 against Dell RecoverPoint for Virtual Machines.

The MSP foothold—and why it worked

One of the most revealing details in the investigation came from Volexity, which responded to an incident last year. Volexity found that VerdantBamboo compromised an Egnyte Storage Sync system and accessed it periodically through the victim’s web SSL VPN.

From that foothold, using Brickstorm proxying features and stolen credentials, the threat actor accessed the organization’s Microsoft 365 environment.

Volexity assessed with high confidence that this approach was designed “to blend in with legitimate network traffic and evade Conditional Access policies that would have otherwise prevented access.”
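The evasion described above works because the proxied sign-ins originate from inside the network, so location-based Conditional Access rules are satisfied. The following is an added example, not code from Volexity or from the page, showing a simple check a defender can run over sign-in records: it flags interactive user sign-ins that come from subnets reserved for appliances (storage-sync boxes, NAS devices, firewall management), and appliance addresses that are used by more than one identity. The subnets, the record layout and the sample records are all constructed for the example and are not the real Entra sign-in schema.

```python
from ipaddress import ip_address, ip_network

# Hypothetical inventory: subnets that host storage-sync appliances, NAS
# devices and firewall management interfaces. An appliance normally signs in
# with one service identity and never performs interactive user sign-ins.
APPLIANCE_NETWORKS = [ip_network("10.20.30.0/24"), ip_network("192.168.250.0/24")]

# Constructed, simplified sign-in records (the real sign-in log is far richer).
SAMPLE_SIGNINS = [
    {"user": "alice@example.com", "ip": "203.0.113.7", "interactive": True},
    {"user": "alice@example.com", "ip": "10.20.30.15", "interactive": True},
    {"user": "svc-storagesync@example.com", "ip": "10.20.30.15", "interactive": False},
    {"user": "svc-nas@example.com", "ip": "192.168.250.4", "interactive": False},
    {"user": "bob@example.com", "ip": "192.168.250.4", "interactive": True},
]


def in_appliance_network(ip: str, networks=APPLIANCE_NETWORKS) -> bool:
    """True if the address falls inside any subnet reserved for appliances."""
    addr = ip_address(ip)
    return any(addr in net for net in networks)


def review_signins(records, networks=APPLIANCE_NETWORKS):
    """Return findings worth an analyst's attention.

    Rule 1: an interactive user sign-in sourced from an appliance subnet.
    Rule 2: one appliance address used by more than one distinct account,
            which is what a proxy on that appliance would look like.
    """
    findings = []
    accounts_per_ip = {}
    for rec in records:
        if not in_appliance_network(rec["ip"], networks):
            continue
        accounts_per_ip.setdefault(rec["ip"], set()).add(rec["user"])
        if rec["interactive"]:
            findings.append({"rule": "interactive_from_appliance",
                             "ip": rec["ip"], "user": rec["user"]})
    for ip, users in accounts_per_ip.items():
        if len(users) > 1:
            findings.append({"rule": "shared_appliance_source",
                             "ip": ip, "users": sorted(users)})
    return findings


if __name__ == "__main__":
    for finding in review_signins(SAMPLE_SIGNINS):
        print(finding)
```

Location-based rules alone do not distinguish a user at a desk from a backdoor proxying through an appliance; pairing them with source-identity expectations like these gives the policy something to fail on.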

Then, the attackers didn’t just disappear when defenders started cleaning up.

According to Volexity, the intruders had spent at least 18 months on the network before being detected, and VerdantBamboo breached the organization again after remediation efforts were completed.

Victim hacked twice

In the second intrusion, the attackers used stolen credentials to enable and configure SSL VPN access on the victim’s firewall. From there, they connected to internal systems and deployed additional custom malware to a Synology NAS device.

That set off a deeper investigation at the customer’s MSP. Volexity found that VerdantBamboo had planted a BSD variant of Brickstorm on a pfSense firewall.

“Volexity concluded that this firewall, like the victim organization’s Storage Sync system, had also been compromised at least 18 months earlier.”

Volexity also has medium confidence that the attacker pivoted from the MSP into the victim organization’s environment.

Brickstorm followed the attacker’s path. It was deployed to the victim’s Egnyte Storage Sync appliance and to a retired Linux GroupWise email archive server.

New backdoors used after re-entry

When the attackers returned a few days later and re-established access, they deployed a custom malware called Plenet to a Synology NAS appliance.

Plenet—tracked as “Grimbolt” by Google—is a cross-platform .NET-based backdoor. It provides interactive shell access, remote command execution, file manipulation, and command-and-control (C2) server switching.

Volexity notes that Plenet is similar in design to Brickstorm, using the WebSocket protocol for C2 communications and a multiplexing library for simultaneous data streams to the server.

AgentPSD added another layer. AgentPSD is a simple Python-based reverse shell utility that Volexity believes VerdantBamboo used as a fallback persistence mechanism if other malware was no longer accessible.

Volexity found that AgentPSD was configured to connect to a different domain than the one Brickstorm used. Even so, the malware was never used, as Brickstorm was still running, which supports Volexity’s assessment that AgentPSD functioned as a secondary access mechanism.

When investigators tried to map the infrastructure, the attackers adjusted again. Volexity created a fingerprint to identify IP addresses and domains Brickstorm used for C2 communication. Although multiple machines were identified, the threat actor took the infrastructure offline before researchers could reveal other systems.

Between September 18 and September 23, all of the servers previously matching this pattern turned off their services on port 443.

Around that time, Google published a new report on Brickstorm’s activity, and the timing may suggest the attacker was aware of attention being focused on their operations.

Living-off-the-land, built to survive detection gaps

Volexity describes VerdantBamboo/UNC5221 as “a highly sophisticated threat actor” that mixes living-off-the-land techniques and malware. The target set also matters: Volexity says it targets systems that do not support endpoint detection and response (EDR) solutions.

For defenders, the operational details come with a sharper edge when paired with the repeated intrusions. It wasn’t a single breach that ended with a removal task. It was access that endured, plus an exit-and-return cycle that continued even after remediation.

The researchers compiled a list of indicators of compromise (IOCs) linked to the investigated UNC5221 campaign and published them.

4 Comments

  1. I don’t get it. If it “looked ordinary”, then what exactly were the alarms even for? Sounds like security theater to me. Also, Chinese espionage group… so we’re just supposed to shrug?

  2. Wait, this says they got into the MSP first? So, like, it’s your IT company’s fault more than the actual business? But then it says they added new malware after remediation, which sounds like Microsoft fixed it and they just came back later like a boomerang. Idk.

  3. 18 months is insane. I saw something like this before where they said “Golang then Rust” and I’m like cool, so tech guys wrote it with different languages, that means it’s not a real hack?? Because people keep saying ‘just phishing’ but this is deeper. Also UNC5221 and VerdantBamboo names sound made up, like maybe it’s just Microsoft branding the culprit.
