A Chinese espionage group spent at least 18 months inside a victim’s Microsoft 365 environment without triggering a single Conditional Access alert, routing traffic through a file-sync appliance that no endpoint security software monitored. Volexity, a threat intelligence and incident response firm, published its investigation on June 4, attributing the breach to the group it tracks as VerdantBamboo, also known across the industry as UNC5221 and WARP PANDA, and documenting two malware families that had not appeared in public research before.
The group also survived initial remediation. When Volexity’s client pulled the compromised appliance offline, the attackers were back inside within days, using stolen administrative credentials to re-enter through a firewall whose management interface was exposed to the public internet with no multi-factor authentication on its admin accounts.
Eighteen Months Inside the Network
The Appliance No One Was Watching
Volexity’s engagement began in September 2025, after a client noticed unusual outbound traffic from a Linux virtual machine running Egnyte Storage Sync, software designed to synchronize on-premise files with cloud storage. The appliance was making encrypted connections to a threat-actor-controlled domain behind Cloudflare IP addresses, and querying Google’s public DNS server at 8.8.8.8 via DNS over HTTPS (DoH), a technique that wraps DNS lookups inside ordinary HTTPS traffic and bypasses conventional DNS-based network monitoring.
VerdantBamboo had entered the appliance over SSH using the unprivileged egnyteservice account, credentials obtained from the victim’s managed services provider. A misconfigured sudo rule on the Egnyte device let that account run the Linux tee command as root. Because tee writes whatever it receives on standard input to any path it is given, the rule amounted to an arbitrary file write as root: enough to drop a binary and a scheduled task anywhere on the filesystem without a privilege escalation exploit. The attackers installed BRICKSTORM in /usr/sbin and set a cron job to execute it at startup; the job ran briefly and then stopped, narrowing the detection window. Filesystem snapshots taken during the investigation confirmed the implant had been present well before the incident was reported. Volexity notified Egnyte about the misconfiguration, which Egnyte patched in Storage Sync v13.13.
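The sudo rule described above is a class of misconfiguration that is easy to audit for, because a handful of "harmless" utilities run as root are equivalent to full root file write. The following is an added example, not code from Volexity or Egnyte: it parses a sudoers file and flags rules that hand a non-root account either unrestricted root or a file-write-capable command as root. The sample sudoers text, the account names other than egnyteservice, and the FILE_WRITE_CAPABLE list are constructed assumptions.

```python
"""Audit a sudoers file for rules that let a low-privilege account write
arbitrary files as root through an innocuous-looking command such as tee.
Added example; the sample sudoers text is constructed to mirror the rule
shape the article describes, not Egnyte's actual configuration."""
import re

# Commands that, when run as root with caller-chosen arguments, place
# attacker-controlled bytes at an arbitrary path. Starting list, not exhaustive.
FILE_WRITE_CAPABLE = {"tee", "cp", "mv", "dd", "install", "sed", "vi", "vim", "nano"}

# who  host = (runas) TAG: cmd, cmd ...   (parentheses and tags are optional)
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$"
)

def parse_sudoers(text):
    """Return the user-specification rules of a sudoers file as dicts.
    Defaults and alias lines are skipped; aliases are not expanded."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "Cmnd_Alias", "User_Alias",
                                        "Host_Alias", "Runas_Alias")):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = (m.group("runas") or "root").split(":")[0].strip() or "root"
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
        rules.append({"who": m.group("who"), "runas": runas, "tags": tags, "cmds": cmds})
    return rules

def audit(text):
    """Flag rules that amount to root-level arbitrary file write."""
    findings = []
    for rule in parse_sudoers(text):
        if rule["who"] == "root" or rule["runas"] not in ("ALL", "root"):
            continue
        for cmd in rule["cmds"]:
            exe = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL":
                reason = "unrestricted root"
            elif exe in FILE_WRITE_CAPABLE:
                reason = f"{exe} as root writes caller-supplied bytes to any path"
            else:
                continue
            findings.append({"who": rule["who"], "command": cmd,
                             "nopasswd": "NOPASSWD" in rule["tags"], "reason": reason})
    return findings

SAMPLE_SUDOERS = """\
# constructed sample, not a real device's file
Defaults env_reset
root          ALL=(ALL:ALL) ALL
%admin        ALL=(ALL) ALL
egnyteservice ALL=(root) NOPASSWD: /usr/bin/tee, /bin/systemctl restart sync-agent
backup        ALL=(root) NOPASSWD: /usr/bin/rsync -a /srv/data /mnt/backup
"""

# With the egnyteservice rule above, persistence needs no exploit at all:
#   echo '@reboot root /usr/sbin/implant' | sudo tee /etc/cron.d/sync
# tee runs as root and writes the cron entry wherever it is told to.

if __name__ == "__main__":
    for finding in audit(SAMPLE_SUDOERS):
        print(finding)
```

Running it against the sample flags two rules: the %admin group with unrestricted root (expected, but worth listing) and egnyteservice with tee as root without a password. The rsync rule with fixed arguments is not flagged, which is the point of the audit: the problem is not sudo itself but commands whose arguments the caller controls.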
- 18+ months: minimum time VerdantBamboo held access inside the victim network before its September 2025 discovery
- 2: previously undocumented malware families found during the investigation (PLENET and AGENTPSD)
- Storage Sync v13.13: the Egnyte version in which the exploited sudo misconfiguration was patched
- September 18-23, 2025: the five-day window in which every identified command-and-control server shut off its port 443 services
Routing Access Through the Corporate VPN
VerdantBamboo’s path into Microsoft 365 ran through the victim’s own SSL VPN. BRICKSTORM running on the Egnyte appliance proxied the group’s connections through the corporate network so that traffic arriving at Microsoft’s authentication layer appeared to originate from a trusted internal IP address. Conditional Access policies designed to block logins from unfamiliar or foreign addresses did not fire.
Volexity assesses with high confidence that this was done to blend in with legitimate network traffic and evade Conditional Access policies that would have otherwise prevented access.
That assessment is from Volexity’s June 4 report on the VerdantBamboo campaign. It explains how the group accessed Microsoft 365 mailboxes and organizational data for more than a year without generating the alerts a direct login from an unrecognized address would have produced. Working backward through available logs, investigators placed the initial compromise no later than early 2024.
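Conditional Access never saw anything wrong because the policies keyed on source address, and the source address was a trusted one. A detection that does not trust the address alone has to correlate the sign-in with whatever handed out that address. The following is an added example, not Volexity's detection logic: it joins Entra ID sign-in events against VPN concentrator session records and flags sign-ins from the VPN pool where no session exists at that time or where the session belongs to a different user than the one signing in. The pool range, record layouts, and all users and timestamps are constructed assumptions.

```python
"""Flag Microsoft 365 sign-ins that arrive from a 'trusted' internal VPN
address but cannot be tied to a VPN session belonging to the same user.
Added example with constructed records; the pool range, field layout and
users are assumptions, not data from the Volexity report."""
import ipaddress
from datetime import datetime

# Assumed: the SSL VPN assigns addresses from this pool, and Conditional
# Access treats the pool as a trusted named location, so sign-ins from it
# skip the location-based controls that would challenge an external IP.
VPN_POOL = ipaddress.ip_network("10.20.0.0/16")

def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

# Constructed VPN concentrator sessions: (user, assigned_ip, start, end)
VPN_SESSIONS = [
    ("alice@corp.example", "10.20.1.15", "2025-09-10T08:00:00Z", "2025-09-10T17:00:00Z"),
    # a service account whose VPN profile an implant on an appliance could ride
    ("svc-filesync@corp.example", "10.20.1.40", "2025-09-10T00:00:00Z", "2025-09-11T00:00:00Z"),
]

# Constructed Entra ID sign-in events: (userPrincipalName, ipAddress, createdDateTime)
SIGNINS = [
    ("alice@corp.example", "10.20.1.15", "2025-09-10T09:12:00Z"),
    ("cfo@corp.example", "10.20.1.40", "2025-09-10T02:30:00Z"),     # mailbox owner != VPN session owner
    ("bob@corp.example", "10.20.1.99", "2025-09-10T10:00:00Z"),     # pool address with no VPN session
    ("carol@corp.example", "203.0.113.7", "2025-09-10T11:00:00Z"),  # external; CA already evaluates this
]

def find_suspicious(signins, sessions, pool):
    """Return (upn, ip, reason) for sign-ins from the pool that do not match
    a concurrent VPN session owned by the same user."""
    findings = []
    for upn, ip, when in signins:
        if ipaddress.ip_address(ip) not in pool:
            continue  # outside the trusted pool, normal CA evaluation applies
        t = ts(when)
        owners = {u.lower() for u, sip, start, end in sessions
                  if sip == ip and ts(start) <= t <= ts(end)}
        if not owners:
            findings.append((upn, ip, "trusted VPN address with no VPN session at that time"))
        elif upn.lower() not in owners:
            findings.append((upn, ip, f"VPN session belongs to {sorted(owners)[0]}, not the signing-in user"))
    return findings

if __name__ == "__main__":
    for f in find_suspicious(SIGNINS, VPN_SESSIONS, VPN_POOL):
        print(*f, sep=" | ")
```

On the sample data the CFO sign-in is flagged because the VPN session behind that address belongs to a service account, and Bob's is flagged because nothing was assigned that address at all. Alice passes. In a real deployment the session records come from the VPN appliance's accounting log and the sign-ins from the Entra ID sign-in log export; the join key is the same.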
Coming Back After Remediation
When Volexity helped the client isolate the Egnyte appliance and disable the compromised VPN configuration, the intrusion appeared contained. Days later, the group was back.
The attackers used stolen administrative credentials to log into the victim’s firewall through its web management interface, still reachable from the public internet. Those admin accounts had no multi-factor authentication. From there, they enabled an SSL VPN tunnel, reconnected to internal systems, and first enabled SSH access on a Synology network-attached storage (NAS) device before deploying PLENET to it. The Synology, like every device targeted in this campaign, had no endpoint detection agent installed.
PLENET arrived in the Synology’s IPsec configuration directory as a file named “blacklist,” a name chosen to blend with legitimate files already in that directory. The backdoor provided remote shell access, file management, and the ability to switch command-and-control servers without redeploying the implant itself.
The investigation then expanded to the victim’s managed services provider. On the MSP’s pfSense firewall, an open-source platform running on FreeBSD, Volexity found a BSD-compatible variant of the primary backdoor in the IPsec directory, also named “blacklist” and persisted through a modified system cron file. That device had been compromised for at least 18 months too. Volexity’s examination found simultaneous intrusions from other, unrelated threat actors on the same machine: web shells, a cryptocurrency miner, and a separate group’s VPN configuration, all operating alongside the group’s implant. Volexity assessed with medium confidence that the group had first reached the primary victim through the MSP’s earlier compromise, using the provider’s administrative credentials and network access as the initial bridgehead into the target environment.
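Two of the persistence traits described above are cheap to hunt for on any Unix-based appliance where an EDR agent cannot run: a binary sitting in a directory that should contain only configuration, and a system cron file that has drifted from a known-good copy. The following is an added example, not a Volexity tool: it builds a throwaway directory tree that mimics a compromised appliance and runs both checks against it. The directory layout, the "ipsec.d" path, the baseline crontab, and the fake ELF file are constructed assumptions; only the file name "blacklist" and the cron-based persistence come from the article.

```python
"""Hunt a Unix appliance filesystem for two of the persistence traits the
article describes: an executable dropped into a directory that should hold
only IPsec configuration, and lines added to the system crontab. Added
example with a constructed fixture tree; directory names, the baseline
crontab and the file names are assumptions, not indicators from the report."""
import os
import stat
import tempfile

ELF_MAGIC = b"\x7fELF"

def looks_executable(path):
    """True if the file starts with ELF magic or carries any execute bit.
    A configuration directory should contain neither."""
    try:
        with open(path, "rb") as f:
            if f.read(4) == ELF_MAGIC:
                return True
        mode = os.stat(path).st_mode
        return bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    except OSError:
        return False

def hunt_config_dirs(root, config_dirs):
    """Return relative paths of executable files under the given config dirs."""
    hits = []
    for rel in config_dirs:
        for dirpath, _, files in os.walk(os.path.join(root, rel)):
            for name in files:
                full = os.path.join(dirpath, name)
                if looks_executable(full):
                    hits.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(hits)

def cron_drift(root, known_good):
    """Return active crontab lines that are not present in the known-good baseline."""
    def active(lines):
        return [l.rstrip("\n") for l in lines if l.strip() and not l.lstrip().startswith("#")]
    baseline = set(active(known_good.splitlines()))
    with open(os.path.join(root, "etc", "crontab")) as f:
        current = active(f)
    return [l for l in current if l not in baseline]

KNOWN_GOOD_CRONTAB = """\
# constructed baseline, not a real appliance crontab
SHELL=/bin/sh
PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin
*/5 * * * * root /usr/local/bin/sync-status
0 3 * * * root /usr/local/bin/rotate-logs
"""

def build_fixture():
    """Create a throwaway root mimicking a compromised appliance (constructed)."""
    root = tempfile.mkdtemp(prefix="appliance-")
    ipsec = os.path.join(root, "etc", "ipsec.d")
    os.makedirs(ipsec)
    conf = os.path.join(ipsec, "ipsec.conf")
    with open(conf, "w") as f:
        f.write("conn site-a\n  left=192.0.2.1\n  right=198.51.100.1\n")
    os.chmod(conf, 0o644)
    implant = os.path.join(ipsec, "blacklist")  # benign-looking name, as in the report
    with open(implant, "wb") as f:
        f.write(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9 + b"not a real implant")
    os.chmod(implant, 0o755)
    with open(os.path.join(root, "etc", "crontab"), "w") as f:
        f.write(KNOWN_GOOD_CRONTAB + "@reboot root /etc/ipsec.d/blacklist\n")
    return root

if __name__ == "__main__":
    r = build_fixture()
    print("executables in config dirs:", hunt_config_dirs(r, ["etc/ipsec.d"]))
    print("cron lines not in baseline:", cron_drift(r, KNOWN_GOOD_CRONTAB))
```

Against a live appliance, point hunt_config_dirs at the platform's actual IPsec and service-configuration directories and supply a crontab captured from a clean install of the same version as the baseline. Both checks are structural rather than signature-based, so they do not depend on knowing the implant in advance; that matters for a group that does not reuse samples between victims.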
VerdantBamboo’s Malware Suite Targeted the EDR Gap
How Each Backdoor Was Built
The three tools deployed across this investigation share a single design constraint: each runs on platforms where enterprise endpoint detection and response (EDR) software cannot be installed. EDR monitors a managed computer by placing an agent that tracks process behavior and flags anomalous activity; network appliances, NAS devices, and specialized firewalls running embedded or proprietary operating systems generally do not support those agents, leaving them outside the detection surface most security operations centers treat as primary.
| Malware | Language | Target Platforms | Core Capabilities | Campaign Role |
|---|---|---|---|---|
| BRICKSTORM | Golang (early) / Rust (later) | Linux, BSD appliances (Egnyte, pfSense, VMware) | Shell commands, file ops, SOCKS proxy, C2 switching, WebSocket communications | Primary implant |
| PLENET (Grimbolt) | .NET Core, Native AOT compiled | Linux NAS and storage devices | Interactive shell, file ops, remote execution, C2 switching | Post-remediation replacement |
| AGENTPSD | Python, packaged via PyInstaller | Linux systems | Reverse shell, basic remote access | Fallback if primary backdoor fails |
BRICKSTORM stores its command protocol in a library its developers named wssoft, using WebSocket communications routed through Cloudflare infrastructure to blend C2 traffic with ordinary web activity. Early variants were written in Golang; later ones moved to Rust. The second backdoor, which Google’s Threat Intelligence Group tracks as Grimbolt, compiles .NET Core using Native Ahead-of-Time (AOT) compilation, embedding the full .NET runtime and all its dependencies into one large static binary. Without a separate runtime library to inspect, a reverse engineer must work through the entire merged file to identify the malware’s logic, a substantially more time-intensive process than standard .NET analysis. Volexity assessed with medium confidence that the AOT approach was a deliberate choice to slow analysis. AGENTPSD is a lightweight Python reverse shell bundled into a standalone binary via PyInstaller; the attackers deployed it as a fallback, and it was never activated during this engagement because the primary implant remained operational throughout.
How the C2 Infrastructure Went Offline
Volexity used a fingerprinting query on Censys, a platform that continuously scans and indexes internet-connected services, to map the primary backdoor’s command-and-control servers. The profile was consistent: minimal services on port 443, Cloudflare certificates, OpenBSD-based SSH clients. Between September 18 and September 23, 2025, every server matching that fingerprint shut off its port 443 services. Google Cloud published its own analysis of the same malware family’s activity on September 24, the day after the last identified server went dark. Volexity assessed with low confidence that VerdantBamboo had become aware the infrastructure was being mapped and shut it down before the full network scope could be documented.
The group also operates with per-victim infrastructure discipline: different C2 domains for each target organization, no reused malware samples across cases. By the time any indicator of compromise from one breach circulates through threat intelligence sharing programs, it has already expired for the target it came from.
UNC5221’s Edge-Infrastructure Playbook
UNC5221 has documented ties to internet-facing edge infrastructure exploitation going back to at least 2023. In January 2024, Mandiant (Google Cloud’s incident response unit) and Volexity jointly disclosed that the group had weaponized two zero-day vulnerabilities in Ivanti Connect Secure VPN appliances: CVE-2023-46805, an authentication bypass, and CVE-2024-21887, a code injection flaw that chained with the bypass to grant full remote access. By January 15, 2024, that campaign had infected more than 1,700 devices worldwide, reaching government departments, military contractors, telecommunications firms, banks, and technology companies across multiple geographies.
The structure was the same as what Volexity later documented in the Egnyte case: target an internet-facing appliance outside the EDR footprint, harvest credentials from it, and use the target’s own traffic patterns to mask persistent access. The specific platform changed; the reliance on unmonitored hardware did not. By April 2025, Belgian cybersecurity firm NVISO had identified samples of the same backdoor compiled for Windows systems, which NVISO said had been monitoring European organizations since at least 2022, pushing the group’s documented operational history back a further year before the Ivanti campaign.
Chinese espionage operations targeting Microsoft environments have had consequences beyond individual incident response engagements. In August 2025, following SharePoint attacks that raised concerns that advance vulnerability notifications had been leaked or misused, Microsoft restricted early-warning access for some Chinese partner firms in its Microsoft Active Protections Program (MAPP), a service that shares vulnerability information with security vendors ahead of public disclosure.
Scope of UNC5221’s Campaign
Google’s Threat Intelligence Group (GTIG) and Mandiant’s consulting division had been responding to the group’s intrusions across multiple US organizations since at least March 2025. The caseload produced data that sets the Volexity investigation in a wider frame:
- The group maintained access in victim environments for an average of 393 days before detection, a dwell time that frequently exceeded organizations’ log retention windows and eliminated forensic artifacts from the original entry point
- Primary targets were US legal services firms, SaaS providers, business process outsourcers, and technology companies; in several cases the group specifically targeted the mailboxes of individuals working on matters aligned with PRC economic and espionage priorities, using Microsoft Entra ID Enterprise Application permissions to access mail across entire organizations
- Lateral movement generated, per Google’s September 2025 threat intelligence report, “minimal to no security telemetry,” making post-compromise forensics difficult even when investigators knew the attacker’s general path
- In at least one incident, a new implant was deployed on an internal VMware vCenter server while incident responders were already on-site, with the attacker monitoring the active remediation and adapting in real time to maintain persistence
- In December 2025, CISA, the NSA, and the Canadian Centre for Cyber Security issued a joint advisory on the backdoor, drawing on indicators of compromise from eight samples collected from victim organizations
Google estimated that dozens of US organizations had been directly affected, not counting downstream victims whose exposure came through breached managed service providers. Charles Carmakal, CTO of Mandiant Consulting at Google Cloud, said after the September 2025 disclosure that he had “no doubt that organizations will use our tools to hunt for this adversary, and they will find evidence of compromise in their environments.” Mandiant released a scanner script for Unix-based appliances designed to search for backdoor-specific string and hex patterns without requiring YARA, the standard malware signature-matching tool, to be pre-installed.
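The scanner approach described above, string and hex patterns matched without a YARA engine, is simple to reproduce, but a naive implementation that reads a file in chunks will miss any pattern that happens to straddle a chunk boundary. The following is an added example and not Mandiant's scanner: it scans a directory tree for a small indicator set while carrying a tail between chunks so boundary-straddling matches are still found. The indicator set is constructed; "wssoft" is the library name the article attributes to BRICKSTORM, and the hex sequence is a placeholder, not a real indicator of compromise.

```python
"""Scan files for fixed string and hex indicators without YARA, reading in
chunks and carrying a tail so a pattern split across a chunk boundary is
still found. Added example, not Mandiant's scanner; the indicator set is
constructed: 'wssoft' is the library name the article attributes to
BRICKSTORM, the hex sequence is a placeholder."""
import os
import tempfile

PATTERNS = {
    "wssoft_lib": b"wssoft",                          # from the article's description
    "placeholder_hex": bytes.fromhex("deadbeefcafe"),  # constructed, not a real IOC
}

def scan_file(path, patterns=PATTERNS, chunk_size=1 << 20):
    """Return {pattern_name: [file offsets]} for every occurrence in the file."""
    max_len = max(len(p) for p in patterns.values())
    hits = {}
    carry = b""   # tail of the previous chunk, max_len - 1 bytes
    base = 0      # file offset of buf[0] in the current iteration
    with open(path, "rb") as f:
        while True:
            data = f.read(chunk_size)
            if not data:
                break
            buf = carry + data
            for name, pat in patterns.items():
                start = 0
                while (i := buf.find(pat, start)) >= 0:
                    off = base + i
                    lst = hits.setdefault(name, [])
                    if off not in lst:       # a match inside the carry shows up twice
                        lst.append(off)
                    start = i + 1
            keep = min(len(buf), max_len - 1)
            carry = buf[len(buf) - keep:]
            base += len(buf) - keep
    return hits

def scan_tree(root, patterns=PATTERNS, **kw):
    """Walk a directory tree; return {relative_path: hits} for files with any hit."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                hits = scan_file(full, patterns, **kw)
            except OSError:
                continue  # unreadable or vanished file; keep scanning
            if hits:
                results[os.path.relpath(full, root).replace(os.sep, "/")] = hits
    return results

def build_fixture():
    """Constructed tree: one file with 'wssoft' straddling an 8-byte chunk
    boundary and the hex placeholder at the end, plus one clean file."""
    root = tempfile.mkdtemp(prefix="scan-")
    with open(os.path.join(root, "sample.bin"), "wb") as f:
        f.write(b"A" * 5 + b"wssoft" + b"B" * 5 + bytes.fromhex("deadbeefcafe"))
    with open(os.path.join(root, "clean.conf"), "w") as f:
        f.write("nothing to see here\n")
    return root

if __name__ == "__main__":
    r = build_fixture()
    print(scan_tree(r, chunk_size=8))   # tiny chunks to exercise the boundary case
```

With an 8-byte chunk size the "wssoft" string in the fixture is split across two reads, and the carry is what makes the match at offset 5 appear; with the default chunk size the whole file is read at once and the offsets are identical. The offsets are what make a hit actionable, since they let a responder pull the surrounding bytes for triage.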
Every C2 server Volexity had fingerprinted was offline by September 23, 2025, before the full infrastructure map could be completed.