ctipilot.ch


VerdantBamboo (UNC5221 / WARP PANDA) — BSD-compiled BRICKSTORM confirmed on pfSense, plus a new PLENET backdoor

notable synthesis discovered 2026-06-14 23:57 UTC

Part of run 2026-W24-bd5a7519 (weekly · Claude Opus 4.8)

key: actor:VerdantBamboo. The W23 weekly first carried Volexity's IR disclosure of this China-nexus operator; follow-up reporting this week fills in the technical chain. Volexity's case describes a BSD-compiled variant of the BRICKSTORM Golang backdoor on an MSP customer's pfSense firewall, reached after compromising an Egnyte Storage Sync appliance (local privilege escalation via default egnyteservice sudo permissions, fixed in Storage Sync v13.13), plus a previously undocumented .NET Native AOT backdoor named PLENET on a Synology NAS and an AGENTPSD dropper (Volexity; The Hacker News). The BSD variant is the status-changing detail: it confirms VerdantBamboo can operate on FreeBSD-based appliances, beyond the Linux-only model, where enterprise EDR was already blind. The intrusion ran ~18 months undetected and was used to proxy through the MSP into customer Microsoft 365 tenants via Conditional Access bypass. Outstanding question for defenders: edge appliances (firewalls, NAS, sync gateways) remain the EDR dead zone — the hunt has to move to network-flow anomalies and appliance-integrity baselining, not endpoint telemetry.
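The "appliance-integrity baselining" the brief points to is simple in principle: snapshot the content hash, mode and owner of every file on the appliance while it is known-good, store that snapshot off-box, and diff a fresh snapshot against it on a schedule. The script below is an added illustration written for this brief, not code from Volexity or from any appliance vendor. It assumes you can read the appliance filesystem from a trusted host (a mounted disk image, a config-backup export, or a tree copied out over SSH) and it deliberately ignores mtimes, which an intruder can reset, in favour of SHA-256 content hashes. The `demo()` function builds a constructed, miniature "appliance" tree in a temporary directory, baselines it, simulates tampering (a replaced binary, an unexpected new file, a deleted config) and returns the resulting diff; the directory names are invented for the example.

```python
"""Appliance-integrity baselining: snapshot a file tree, diff it later.

Added example for the VerdantBamboo brief; not vendor or Volexity code.
Assumes the appliance filesystem is readable from a trusted host and that
baselines are stored off the appliance (an on-box baseline can be edited
by the same intruder who edited the binaries).
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

# Pseudo-filesystems and scratch space that change constantly and carry no
# persistent code; skip them so the diff is not drowned in noise.
DEFAULT_SKIP = ("proc", "sys", "dev", "tmp", "var/run")


def _sha256(path: Path, chunk: int = 1 << 16) -> str:
    """Stream-hash a file so large firmware blobs do not need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root, skip_dirs=DEFAULT_SKIP) -> dict:
    """Record hash, mode, size and owner for every regular file and symlink.

    mtime is intentionally left out: content hash plus mode/uid is what an
    attacker cannot trivially make look unchanged after swapping a binary.
    """
    root = Path(root)
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        # Prune skipped subtrees in place so os.walk never descends into them.
        dirnames[:] = [d for d in dirnames if str(rel_dir / d) not in skip_dirs]
        for name in filenames:
            p = Path(dirpath) / name
            st = p.lstat()  # lstat: describe the link itself, do not follow it
            rel = str(p.relative_to(root))
            if stat.S_ISLNK(st.st_mode):
                baseline[rel] = {"type": "symlink", "target": os.readlink(p),
                                 "mode": oct(st.st_mode & 0o7777)}
            elif stat.S_ISREG(st.st_mode):
                baseline[rel] = {"type": "file", "sha256": _sha256(p),
                                 "mode": oct(st.st_mode & 0o7777),
                                 "size": st.st_size, "uid": st.st_uid}
    return baseline


def diff_baselines(old: dict, new: dict) -> dict:
    """Classify every path as added, removed or modified between two snapshots."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(baseline: dict, path) -> None:
    """Persist a snapshot as sorted JSON (stable output diffs cleanly in git)."""
    Path(path).write_text(json.dumps(baseline, sort_keys=True, indent=1))


def load_baseline(path) -> dict:
    return json.loads(Path(path).read_text())


def demo() -> dict:
    """Constructed scenario: baseline a fake appliance tree, tamper, re-diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "usr/local/sbin").mkdir(parents=True)
        (root / "etc").mkdir()
        (root / "usr/local/sbin/pfctl").write_bytes(b"original binary")
        (root / "etc/rc.conf").write_text("hostname=fw\n")
        before = build_baseline(root)

        # Simulated tampering (constructed, not a real IoC): a swapped binary,
        # a file that was never in the baseline, and a removed config.
        (root / "usr/local/sbin/pfctl").write_bytes(b"replaced binary")
        (root / "usr/local/sbin/unexpected-file").write_bytes(b"new content")
        (root / "etc/rc.conf").unlink()
        after = build_baseline(root)
        return diff_baselines(before, after)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In practice the first baseline is taken from a freshly installed or vendor-verified image, never from a box that has already been in service for months, since a baseline captured after compromise would simply enshrine the implant. Anything that shows up under `added` or `modified` in directories that only a firmware upgrade should touch is the signal worth escalating.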

nation-state espionage china-nexus global