
A Chinese espionage group tracked as UNC5221 has been accessing Microsoft 365 environments using the Brickstorm backdoor and previously undocumented malware named Plenet and AgentPSD.
An investigation into the incident revealed that the threat actor had gained access to the victim network at least 18 months before detection, and had also compromised the victim organization’s managed services provider (MSP).
UNC5221 is also tracked as VerdantBamboo and has been involved in attacks that exploited zero-day vulnerabilities in edge devices since at least 2023.
The threat actor used the Brickstorm backdoor undetected in the environments of various targets in the United States for more than a year until the breaches were discovered around March 2025.
Researchers describe Brickstorm as “an advanced malware implant.” Initial variants were written in Golang, then new variants emerged, written in Rust.
In April 2024, Google documented UNC5221 activity using the backdoor, and then again in September 2025, describing attacks against legal services, software-as-a-service providers, business process outsourcers, and technology companies.
CISA warned about Brickstorm being deployed by Chinese hackers against VMware vSphere servers, and, more recently, Google reported that it was deployed by UNC6201 against Dell RecoverPoint for Virtual Machines.
Victim hacked twice
Volexity researchers responding to an incident last year found that VerdantBamboo compromised an Egnyte Storage Sync system and accessed it periodically through the victim’s web SSL VPN.
From this foothold, and using Brickstorm's proxying features along with stolen credentials, the threat actor accessed the organization's Microsoft 365 environment.
“Volexity assesses with high confidence that this was done to blend in with legitimate network traffic and evade Conditional Access policies that would have otherwise prevented access,” the researchers said.
Later, Volexity discovered that the hackers had spent at least 18 months on the network before being detected. Furthermore, VerdantBamboo breached the organization again after the researchers completed the remediation efforts.
In the second intrusion, the attackers used stolen credentials to enable and configure SSL VPN access on the victim’s firewall, then connected to internal systems and deployed additional custom malware to a Synology NAS device.
This triggered an investigation at the customer’s MSP, where Volexity found that VerdantBamboo had planted a BSD variant of Brickstorm on a pfSense firewall.
“Volexity concluded that this firewall, like the victim organization’s Storage Sync system, had also been compromised at least 18 months earlier.”
The researchers have medium confidence that the attacker pivoted from the MSP into the victim organization’s environment.
Brickstorm was then deployed to the victim’s Egnyte Storage Sync appliance and to a retired Linux GroupWise email archive server.
New backdoors used
Once the attackers returned a few days later and re-established access to the victim’s infrastructure, they deployed the custom malware Plenet to a Synology NAS appliance.
Plenet, also tracked as “Grimbolt” by Google, is a cross-platform .NET-based backdoor that offers interactive shell access, remote command execution, file manipulation, and command-and-control (C2) server switching.
The researchers note that Plenet is similar in design to Brickstorm, using the WebSocket protocol for C2 communications and a multiplexing library to carry simultaneous data streams to the server.
AgentPSD is a simple Python-based reverse shell utility that Volexity believes VerdantBamboo used as a fallback persistence mechanism if other malware was no longer accessible.
The researchers discovered that AgentPSD was configured to connect to a different domain than the one Brickstorm used. However, the malware was never used as Brickstorm was still running, which supports the assessment that AgentPSD was a secondary access mechanism.
During the investigation, Volexity tried to discover the infrastructure related to VerdantBamboo. The researchers created a fingerprint to identify IP addresses and domains Brickstorm used for C2 communication.
Although multiple machines were identified, the threat actor took the infrastructure offline before the researchers could reveal other systems.
“Between September 18 and September 23, all of the servers previously matching this pattern turned off their services on port 443.”
Around that time, Google also published a new report on Brickstorm’s activity, which may suggest that the attacker was aware of their operations being under investigation.
Volexity describes VerdantBamboo/UNC5221 as “a highly sophisticated threat actor” that combines living-off-the-land techniques with custom malware, and that targets systems which do not support endpoint detection and response (EDR) solutions.
The researchers compiled a list of indicators of compromise (IOCs) linked to the investigated UNC5221 campaign and published them here.