China-linked UNC5221 used Brickstorm, Plenet and AgentPSD malware to keep long-term access to victim networks and Microsoft 365

A China-linked espionage group kept access to a victim organization and its managed services provider for at least 18 months, using multiple backdoors to return even after cleanup. Volexity says UNC5221, also tracked as VerdantBamboo, used Brickstorm on Egnyte Storage Sync, pfSense, Synology NAS and a retired Linux email server, then used Plenet (also called Grimbolt) and AgentPSD to maintain persistence and reach the victim’s Microsoft 365 environment through stolen credentials and SSL VPN access. No new CVE is named in this report.
Why it matters: Organizations using Microsoft 365, MSPs, and internet-facing edge devices should treat this as a reminder that sophisticated attackers can survive remediation and re-enter through trusted providers. Review VPN and firewall changes, hunt for Brickstorm/Plenet/AgentPSD, audit MSP access paths, and rotate credentials and tokens tied to compromised systems.

Sources

Chinese APT deploys new malware to keep access to hacked networks
Bill Toulas, 2026.06.05
This article establishes a distinct incident report on UNC5221/VerdantBamboo intrusions, adding newly documented malware and concrete details about persistence through an MSP and Microsoft 365 access rather than updating one of the existing tracked stories.