
China-Nexus Group VerdantBamboo Deploys New Malware on Linux Systems

Tech & Science · AI-Generated & Algorithmically Scored

AI-generated from multiple sources. Verify before acting on this reporting.

BEIJING — A China-nexus cyber espionage group tracked as VerdantBamboo has deployed a new variant of the BRICKSTORM backdoor alongside two other malware families on network and storage appliances, including Synology NAS devices (which run the Linux-based DSM) and pfSense firewalls (which run FreeBSD), security researchers confirmed Monday.

The campaign, detected on June 8, 2026, began with the compromise of a victim's Managed Services Provider (MSP) and its Egnyte Storage Sync system. VerdantBamboo used that foothold to reach Microsoft 365 environments and Linux systems worldwide, bypassing Conditional Access policies while staying under the threshold of detection.

The group deployed a BSD variant of the BRICKSTORM backdoor, which is built to maintain persistent access to compromised systems. Alongside BRICKSTORM, the attackers installed the PLENET and AGENTPSD malware families. These tools are tailored to the appliance platforms they target (FreeBSD on pfSense, Linux on Synology DSM), which lets the group establish a foothold on devices that sit at the heart of the network.

Synology NAS devices and pfSense firewalls were among the primary targets. Using the access gained through the MSP and Egnyte systems, the attackers moved laterally within the victim's network onto these appliances. Because such devices rarely run endpoint detection agents and are often excluded from patching and log collection, they sit in a monitoring blind spot, which is what allowed VerdantBamboo to sidestep standard security controls and remain resident.

The campaign illustrates how state-sponsored espionage groups are adapting: rather than relying solely on Windows endpoints, VerdantBamboo targets the appliances and cloud identity layer that modern networks depend on. The use of several malware families points to a coordinated effort to keep access and exfiltrate data over an extended period, with one implant available if another is found and removed.

Security experts note that the BSD variant of BRICKSTORM is particularly concerning. Most traditional security tooling is built for Windows and mainstream Linux hosts, not for the FreeBSD base of a firewall appliance, so an implant there can persist with little chance of being flagged. The group's ability to bypass Conditional Access policies further underscores the maturity of its operations, since those policies are commonly the main control standing between a stolen credential and a Microsoft 365 tenant.

The attack has raised concerns about the security of cloud storage and network infrastructure. Organizations relying on Synology NAS devices and pfSense firewalls are advised to review their security configurations and monitor for signs of compromise: unexpected startup scripts, cron entries, listening services or outbound connections on the appliances, and, on the identity side, Microsoft 365 sign-ins where no Conditional Access policy was applied or that originate from infrastructure the user has never used before. MSP remote-access paths and Egnyte sync credentials should be reviewed and rotated where the upstream compromise could have touched them. The incident also highlights the need for appliances to be brought into the same logging and patching regime as the rest of the fleet rather than treated as fixed, trusted infrastructure.
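One of the identity-side checks above, worked as an added example that is not part of the original reporting and not tooling from the researchers involved: a small triage routine that walks sign-in records and flags the ones a responder would pull first after an MSP compromise. The record fields (userPrincipalName, ipAddress, appDisplayName, conditionalAccessStatus) are assumptions modelled on the Microsoft Graph sign-in resource, the sample records are constructed, and the per-user IP baseline would in practice come from your own historical logs.

```python
"""Triage Microsoft 365 sign-in records for Conditional Access gaps.

Added example, not from the original article. Field names are an
assumption modelled on the Microsoft Graph signIn resource, where
conditionalAccessStatus is one of success / failure / notApplied.
All records below are constructed, not real telemetry.
"""
from collections import defaultdict

# Constructed sample sign-ins (assumed field names, fictional values).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.test", "ipAddress": "203.0.113.10",
     "appDisplayName": "Outlook", "conditionalAccessStatus": "success",
     "createdDateTime": "2026-06-08T08:01:00Z"},
    {"userPrincipalName": "alice@example.test", "ipAddress": "198.51.100.7",
     "appDisplayName": "Microsoft Graph PowerShell",
     "conditionalAccessStatus": "notApplied",
     "createdDateTime": "2026-06-08T08:05:00Z"},
    {"userPrincipalName": "svc-msp@example.test", "ipAddress": "198.51.100.7",
     "appDisplayName": "Azure Active Directory PowerShell",
     "conditionalAccessStatus": "notApplied",
     "createdDateTime": "2026-06-08T08:06:00Z"},
    {"userPrincipalName": "bob@example.test", "ipAddress": "203.0.113.11",
     "appDisplayName": "Teams", "conditionalAccessStatus": "success",
     "createdDateTime": "2026-06-08T08:10:00Z"},
]

# Assumed baseline: source IPs each user has signed in from before.
KNOWN_IPS = {
    "alice@example.test": {"203.0.113.10"},
    "bob@example.test": {"203.0.113.11"},
}

# Assumed corporate egress addresses: many users behind one NAT is normal
# there, so IP sharing is only suspicious outside this set.
CORPORATE_EGRESS = {"203.0.113.10", "203.0.113.11"}


def triage(signins, known_ips, corporate_egress=CORPORATE_EGRESS):
    """Return suspicious sign-ins, each with the reasons it was flagged.

    Findings are sorted so the records with the most reasons come first.
    """
    # Map each source IP to the set of accounts that used it, so a single
    # external address driving several accounts stands out.
    users_by_ip = defaultdict(set)
    for s in signins:
        users_by_ip[s["ipAddress"]].add(s["userPrincipalName"])

    findings = []
    for s in signins:
        user, ip = s["userPrincipalName"], s["ipAddress"]
        reasons = []
        if s["conditionalAccessStatus"] == "notApplied":
            reasons.append("no Conditional Access policy applied")
        if ip not in known_ips.get(user, set()):
            reasons.append("source IP not in user's baseline")
        if ip not in corporate_egress and len(users_by_ip[ip]) > 1:
            reasons.append("external IP shared by multiple accounts")
        if reasons:
            findings.append({**s, "reasons": reasons})

    findings.sort(key=lambda f: len(f["reasons"]), reverse=True)
    return findings


def shared_external_ips(signins, corporate_egress=CORPORATE_EGRESS):
    """Return {ip: sorted users} for non-corporate IPs used by >1 account."""
    users_by_ip = defaultdict(set)
    for s in signins:
        users_by_ip[s["ipAddress"]].add(s["userPrincipalName"])
    return {ip: sorted(users) for ip, users in users_by_ip.items()
            if ip not in corporate_egress and len(users) > 1}


if __name__ == "__main__":
    for f in triage(SAMPLE_SIGNINS, KNOWN_IPS):
        print(f["createdDateTime"], f["userPrincipalName"], f["ipAddress"],
              f["appDisplayName"], "->", "; ".join(f["reasons"]))
```

A "notApplied" status on its own is not proof of a bypass (policies scoped to specific apps legitimately leave others uncovered), which is why the routine combines it with the IP baseline and the shared-infrastructure signal rather than alerting on it alone. On real data, feed the function the sign-in export for the incident window and a baseline built from the weeks before the MSP compromise.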

As of Monday, the full extent of the compromise remains unclear. Security researchers are still working to establish the scope of the intrusion and which data may have been exfiltrated, and the group's ultimate objectives and the long-term impact of the breach are still under investigation.

The incident is a reminder of the persistent threat from state-sponsored espionage groups. The deployment of new malware variants against firewalls and storage appliances, reached through a supply-chain path rather than a direct attack, shows why continuous monitoring has to extend to the devices organizations are least used to watching.
