ctipilot.ch


VerdantBamboo (UNC5221 / WARP PANDA) — BSD-compiled BRICKSTORM confirmed on pfSense, plus a new PLENET backdoor

From CTI Weekly Summary — 2026-W24 (Jun 08 – Jun 14, 2026) · published 2026-06-14

key: actor:VerdantBamboo

The W23 weekly first carried Volexity's IR disclosure of this China-nexus operator; follow-up reporting this week fills in the technical chain. Volexity's case describes a BSD-compiled variant of the BRICKSTORM Golang backdoor on an MSP customer's pfSense firewall, reached after compromising an Egnyte Storage Sync appliance (local privilege escalation via default egnyteservice sudo permissions, fixed in Storage Sync v13.13), plus a previously undocumented .NET Native AOT backdoor named PLENET on a Synology NAS and an AGENTPSD dropper (Volexity; The Hacker News). The BSD variant is the status-changing detail: it confirms VerdantBamboo can operate on FreeBSD-based appliances, not only in the Linux-only model, and on hosts where enterprise EDR is already blind. The intrusion ran ~18 months undetected and was used to proxy through the MSP into customer Microsoft 365 tenants via Conditional Access bypass. Outstanding question for defenders: edge appliances (firewalls, NAS, sync gateways) remain the EDR dead zone — the hunt has to move to network-flow anomalies and appliance-integrity baselining, not endpoint telemetry.
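As an added illustration of the appliance-integrity baselining the brief recommends (example code, not from Volexity or the weekly), the script below snapshots SHA-256 hashes of every regular file under a chosen root on a FreeBSD-based appliance such as pfSense (or a Linux NAS) and diffs a fresh snapshot against a stored baseline, reporting added, removed and modified files. It assumes POSIX sh with find and either sha256sum (Linux) or sha256 -r (FreeBSD); the root and baseline paths are placeholders.

```shell
#!/bin/sh
# Appliance file-integrity baseline (added example, not the vendor's tooling).
# Assumes POSIX sh, find with -print0, and sha256sum or FreeBSD's sha256 -r.

# snapshot ROOT: print "hash  path" for every regular file under ROOT,
# normalised to exactly two spaces after the 64-hex-char digest, sorted.
snapshot() {
    root=$1
    if command -v sha256sum >/dev/null 2>&1; then
        hasher="sha256sum"          # GNU coreutils: "hash  path"
    else
        hasher="sha256 -r"          # FreeBSD/pfSense: "hash path"
    fi
    find "$root" -type f -print0 2>/dev/null \
        | xargs -0 $hasher \
        | sed 's/^\([0-9a-f]\{64\}\) */\1  /' \
        | LC_ALL=C sort -k2
}

# compare BASELINE CURRENT: one finding per line, "ADDED|REMOVED|MODIFIED path".
# Paths are read from column 67 onward so spaces in file names survive.
compare() {
    awk 'NR==FNR { base[substr($0,67)] = substr($0,1,64); next }
               { cur[substr($0,67)]  = substr($0,1,64) }
         END {
           for (p in cur)  if (!(p in base)) print "ADDED " p
           for (p in base) if (!(p in cur))  print "REMOVED " p
           for (p in cur)  if ((p in base) && base[p] != cur[p]) print "MODIFIED " p
         }' "$1" "$2" | LC_ALL=C sort
}

# audit ROOT BASELINE: create the baseline on first run, otherwise report drift.
# Exit status 1 when drift is found so it can feed a cron/alerting job.
audit() {
    root=$1; baseline=$2
    if [ ! -f "$baseline" ]; then
        snapshot "$root" > "$baseline"
        echo "baseline written: $baseline"
        return 0
    fi
    tmp=$(mktemp)
    snapshot "$root" > "$tmp"
    findings=$(compare "$baseline" "$tmp")
    rm -f "$tmp"
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Store the baseline off-appliance (the attacker in the brief had 18 months to tamper with anything local), and re-baseline only after an authorised upgrade.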