{"id":267215,"date":"2026-06-08T06:27:00","date_gmt":"2026-06-08T10:27:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/06\/08\/verdantbamboo-deploys-bsd-variant-of-brickstorm-on-linux-appliances\/"},"modified":"2026-06-08T06:50:14","modified_gmt":"2026-06-08T10:50:14","slug":"verdantbamboo-deploys-bsd-variant-of-brickstorm-on-linux-appliances","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/06\/08\/verdantbamboo-deploys-bsd-variant-of-brickstorm-on-linux-appliances\/","title":{"rendered":"VerdantBamboo Deploys BSD Variant of BRICKSTORM on Linux Appliances"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/verdantbamboo-deploys-bsd-variant-of.html\">VerdantBamboo Deploys BSD Variant of BRICKSTORM on Linux Appliances<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/verdantbamboo-deploys-bsd-variant-of.html\">https:\/\/thehackernews.com\/2026\/06\/verdantbamboo-deploys-bsd-variant-of.html<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-06-08 06:27:00<\/a><\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p><span class=\"p-author\">\ue804<span class=\"author\">Ravie Lakshmanan<\/span>\ue802<span class=\"author\">Jun 08, 2026<\/span><\/span><span class=\"p-tags\">Cyber Espionage \/ Malware<\/span><\/p>\n<p>A China-nexus cyber espionage group has been observed deploying a BSD variant of a known backdoor called BRICKSTORM, as well as two other malware families codenamed PLENET (aka GRIMBOLT) and AGENTPSD to target Linux systems.<\/p>\n<p>The activity has been attributed by Volexity to a threat cluster it tracks as VerdantBamboo, which it said overlaps with hacking groups known as Clay Typhoon (Microsoft), UNC5221 (Google), and Warp Panda (CrowdStrike).<\/p>\n<p>The cybersecurity company said it discovered the intrusion during an incident response engagement in September 2025, when it emerged that the adversary had compromised an unnamed victim&#8217;s Egnyte Storage Sync system by exploiting a local privilege escalation flaw to deploy BRICKSTORM. The issue was addressed in Storage Sync version 13.13, released in March 2026.<\/p>\n<p>&#8220;The appliance had periodically been accessed by VerdantBamboo via IP addresses assigned through the victim organization&#8217;s web SSL VPN,&#8221; researchers Damien Cash, Paul Rascagneres, Steven Adair, and Tom Lancaster said in a technical report published last week.<\/p>\n<p>&#8220;The threat actor used the malware&#8217;s proxying capabilities deployed on the Storage Sync system, along with compromised credentials, to access the victim&#8217;s Microsoft 365 (M365) environment.&#8221;<\/p>\n<p>It&#8217;s assessed that these steps were undertaken to blend in with legitimate network traffic and evade Conditional Access policies, with the initial compromise occurring at least 18 months before.<\/p>\n<p>Following the initial remediation, VerdantBamboo is said to have staged a return, breaching the same organization by using stolen administrative credentials to connect to the firewall, and then abusing that access to configure web SSL VPN access to the device, connect to other systems, and deploy additional malware to a Synology Network Attached Storage (NAS) appliance.<\/p>\n<p>Further investigation has since uncovered that the threat actor had in fact compromised the victim&#8230;<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/verdantbamboo-deploys-bsd-variant-of.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>VerdantBamboo Deploys BSD Variant of BRICKSTORM on Linux Appliances https:\/\/thehackernews.com\/2026\/06\/verdantbamboo-deploys-bsd-variant-of.html Publish Date: 2026-06-08 06:27:00 Source&#8230;<\/p>\n","protected":false},"author":1,"featured_media":267217,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhni0Ay24Jcfz-LCxqQ8xD9rJais13OOnt5cfz9XtZY-4LzlGgyVY9S2Cu7V0Uo9JMjIxfyTMk8oOeaPHcIkkYnw4RMiLgYFuiS2CyHd9JAihJsC7SQ-wtm8K545YuACojNwKRfsYBXLWe8s3u1evEVjyGLI2WM9KwAYyWur_XrpPfQRF8s4CzXP8c_OU01\/s1600\/chinese.jpg","fifu_image_alt":"","footnotes":""},"categories":[48],"tags":[89,71,32,34],"class_list":["post-267215","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","tag-flaw","tag-linux","tag-malware","tag-threat-actor"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/267215"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=267215"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/267215\/revisions"}],"predecessor-version":[{"id":267218,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/267215\/revisions\/267218"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/267217"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=267215"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=267215"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=267215"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}