VerdantBamboo / UNC5221 / WARP PANDA — 18-month undetected China-nexus intrusion through MSP pfSense [SINGLE-SOURCE]
From CTI Weekly Summary — 2026-W23 (1–7 June 2026) · published 2026-06-08
First disclosed this week in Volexity's incident-response write-up (Volexity, 2026-06-04; daily 2026-06-05). VerdantBamboo, assessed with high confidence as UNC5221 (WARP PANDA), entered a European organisation through its MSP's pfSense firewall using a BSD build of the BRICKSTORM Golang backdoor, then persisted across three appliances (the pfSense firewall, a Synology NAS and an Egnyte Storage Sync VM), none of which can host an EDR agent, so the foothold sat outside the victim's endpoint telemetry. The novel operational technique is the M365 Conditional Access bypass: authentication was routed out through the Egnyte appliance's egress IP, which Conditional Access treated as trusted, so those sign-ins were exempt from the controls applied to other locations. Two previously undocumented implants were recovered: AGENTPSD (a PyInstaller-packaged Python HTTPS reverse shell) and PLENET/GRIMBOLT (a .NET Native AOT implant on the Linux NAS). Outstanding questions: Volexity found access dating back at least 18 months, so what the actor collected during that window, and whether the MSP's other European clients were reached by the same route, remain unknown. The disclosure rests on Volexity's primary IR alone; no second corroborating source is available. [SINGLE-SOURCE]
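The Conditional Access bypass above works because a trusted named location exempts sign-ins from the policy that would otherwise demand MFA and a managed device, so anything that can proxy an HTTPS request out of the appliance's egress range inherits that exemption. The hunt that follows is an added example for this brief, not Volexity's tooling or data: it takes simplified sign-in records in the shape of the Microsoft Graph signIn resource (ipAddress, authenticationRequirement, conditionalAccessStatus, clientAppUsed, deviceDetail), the trusted ranges, the baseline client and OS sets and every record are constructed, and it escalates only sign-ins from a trusted range whose client or device also breaks the appliance baseline, since a single-factor sign-in from a trusted IP is by itself exactly what the exemption permits.

```python
"""Hunt for M365 sign-ins that rode a trusted egress IP past Conditional Access.

Added example for this brief. All records, ranges and baselines below are
constructed; field names follow the Microsoft Graph signIn resource.
"""
import ipaddress

# Assumed: the tenant's Conditional Access trusted named locations, i.e. the
# egress IPs of on-prem appliances such as a file-sync VM (RFC 5737 range).
TRUSTED_LOCATIONS = [ipaddress.ip_network("203.0.113.0/28")]

# Assumed baseline for what legitimately authenticates from that range:
# a sync client on managed Windows hosts, not interactive browser logons.
BASELINE_CLIENTS = {"Mobile Apps and Desktop clients"}
BASELINE_OS = {"Windows 10", "Windows 11"}

# Constructed sign-in records, reduced to the fields the hunt uses.
SAMPLE_SIGNINS = [
    {"id": "s1", "userPrincipalName": "sync-svc@example.org", "ipAddress": "203.0.113.4",
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "conditionalAccessStatus": "notApplied",
     "authenticationRequirement": "singleFactorAuthentication",
     "deviceDetail": {"operatingSystem": "Windows 10", "isManaged": True, "isCompliant": True}},
    {"id": "s2", "userPrincipalName": "cfo@example.org", "ipAddress": "203.0.113.4",
     "clientAppUsed": "Browser",
     "conditionalAccessStatus": "notApplied",
     "authenticationRequirement": "singleFactorAuthentication",
     "deviceDetail": {"operatingSystem": "Linux", "isManaged": False, "isCompliant": False}},
    {"id": "s3", "userPrincipalName": "cfo@example.org", "ipAddress": "198.51.100.7",
     "clientAppUsed": "Browser",
     "conditionalAccessStatus": "success",
     "authenticationRequirement": "multiFactorAuthentication",
     "deviceDetail": {"operatingSystem": "Windows 11", "isManaged": True, "isCompliant": True}},
]


def is_trusted(ip: str) -> bool:
    """True when the source IP falls inside a trusted named location."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_LOCATIONS)


def review_signin(rec: dict) -> list[str]:
    """Return the reasons a trusted-location sign-in looks like a proxied bypass.

    An empty list means the IP is not trusted (normal CA evaluation applies)
    or the sign-in matches the appliance baseline and needs no escalation.
    """
    if not is_trusted(rec["ipAddress"]):
        return []
    dev = rec.get("deviceDetail", {})
    reasons = []
    if rec.get("authenticationRequirement") == "singleFactorAuthentication":
        reasons.append("single-factor from trusted location")
    if rec.get("conditionalAccessStatus") == "notApplied":
        reasons.append("no CA policy evaluated")
    if rec.get("clientAppUsed") not in BASELINE_CLIENTS:
        reasons.append(f"unexpected client {rec.get('clientAppUsed')!r}")
    if dev.get("operatingSystem") not in BASELINE_OS:
        reasons.append(f"unexpected OS {dev.get('operatingSystem')!r}")
    if not (dev.get("isManaged") and dev.get("isCompliant")):
        reasons.append("device neither managed nor compliant")
    # Single-factor from a trusted IP is what the exemption is for; escalate
    # only when the client or device also breaks the appliance baseline.
    baseline_break = any(r.startswith(("unexpected", "device")) for r in reasons)
    return reasons if baseline_break else []


def hunt(signins: list[dict]) -> dict[str, list[str]]:
    """Map sign-in id to its escalation reasons, omitting clean records."""
    return {r["id"]: reasons for r in signins if (reasons := review_signin(r))}


if __name__ == "__main__":
    for sid, why in hunt(SAMPLE_SIGNINS).items():
        print(sid, "->", "; ".join(why))
```

On the constructed records only s2 is escalated: a browser logon from an unmanaged Linux host, single-factor and with no CA policy evaluated, coming out of the appliance range. The service account's own sign-in from the same IP and the executive's MFA-backed sign-in from an untrusted address both pass. Against real Entra sign-in logs the baselines would be derived from a quiet period rather than hard-coded, and the longer-term fix is to stop exempting appliance egress IPs from MFA and device-compliance requirements altogether.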