Chinese APT UNC5221 Targets MSPs with Brickstorm Malware

Rupert Marais is our in-house security specialist with deep-rooted expertise in endpoint and device security, cybersecurity strategies, and network management. Throughout his career, Rupert has navigated the complex landscape of state-sponsored espionage, helping organizations fortify their defenses against some of the world’s most sophisticated threat actors. His recent analysis of Chinese advanced persistent threats (APTs) highlights a critical shift in how modern attackers bypass traditional security perimeters by targeting the very infrastructure designed to protect them.

In this discussion, we explore the evolving tactics of the group known as UNC5221, or VerdantBamboo, focusing on their use of undocumented malware to maintain long-term access to sensitive environments. We delve into the strategic exploitation of edge devices like firewalls and storage appliances, the tactical use of managed service providers as entry points, and the high-stakes game of cat-and-mouse played between researchers and attackers over command-and-control infrastructure.

Many sophisticated actors now target edge devices like firewalls and storage appliances because they often lack endpoint detection. How did UNC5221 exploit this blind spot to maintain such an incredible 18-month dwell time without being noticed?

The reality of modern network defense is that we often focus our best tools, like Endpoint Detection and Response (EDR), on workstations and servers while leaving the “edges” relatively unmonitored. UNC5221 exploited this perfectly by planting themselves on an Egnyte Storage Sync system and a pfSense firewall, neither of which typically supports the heavy security agents we rely on for visibility. By living on these devices, the attackers could observe the network silently, utilizing the victim’s own SSL VPN to blend in with legitimate administrative traffic. They managed to stay hidden for at least 18 months because their presence didn’t trigger the usual behavioral alarms that a compromised laptop might. It’s a chilling reminder that your security is only as strong as the devices you can’t actually see inside of, especially when they sit right on the perimeter.

The investigation revealed that the attackers didn’t just hit the primary target, but also compromised their Managed Services Provider. What does this tell us about their broader strategy for infiltrating high-value networks?

Compromising a Managed Services Provider (MSP) is the ultimate “force multiplier” for a threat actor like VerdantBamboo. By gaining a foothold in the MSP’s infrastructure—specifically their pfSense firewall—the attackers gained a trusted pathway into the client’s environment that bypassed many standard security hurdles. We found that the firewall at the MSP had been compromised for the same 18-month period as the victim’s internal systems, suggesting a coordinated, long-term campaign. This strategy allows the attacker to pivot from a single breach into multiple downstream organizations, essentially using the MSP’s own management tools as a delivery vehicle for their secondary objectives. It shows a level of patience and strategic planning that goes far beyond simple opportunistic hacking; they are playing a very long game.

We’ve seen the Brickstorm backdoor evolve from being written in Golang to more recent variants in Rust. From a defensive perspective, why is this shift in programming languages significant for an “advanced malware implant”?

The shift from Golang to Rust is a calculated move to increase both the efficiency and the stealth of the Brickstorm backdoor. Rust offers incredible performance and memory safety, but more importantly for the attacker, it creates binaries that are more complex and harder for traditional antivirus engines to signature and analyze. By the time researchers caught up with the Go versions, the threat actor had already pivoted to Rust, which was seen being deployed against Dell RecoverPoint for Virtual Machines and VMware vSphere servers as late as September 2025. This constant evolution forces security teams to constantly update their detection logic, as the underlying structure of the malware changes even if the core functionality—like the use of the WebSocket protocol for C2 communication—remains similar. It’s a technical arms race where the attackers are using modern development practices to stay one step ahead of the researchers.

The researchers noted that the organization was breached a second time almost immediately after remediation. How were the attackers able to regain access so quickly, and what does this say about the effectiveness of traditional cleanup efforts?

The second intrusion was a masterclass in persistence and the exploitation of residual access. Even after the initial remediation, VerdantBamboo used stolen credentials they had harvested earlier to re-enable and configure SSL VPN access directly on the victim’s firewall. This allowed them to simply walk back through the front door, where they quickly deployed additional custom malware like Plenet to a Synology NAS device to ensure they wouldn’t be easily evicted again. This highlights a common failure in incident response: if you don’t rotate every single credential and audit every configuration change on your edge devices, the attacker’s “backdoor” might just be a legitimate feature you forgot to lock down. They proved that simply removing the malware isn’t enough if you haven’t fundamentally regained control over your identity and access management.
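As an added illustration of the post-remediation audit the answer above calls for (example code, not from the original page or the researchers), a small Python config-drift check that flags security-relevant changes such as an SSL VPN being re-enabled or a VPN account appearing; the JSON layout and the sensitive-key list are constructed assumptions, not the real pfSense schema:

```python
from __future__ import annotations
from typing import Any

# Paths whose change must be reviewed after remediation (assumed list, extend per device).
SENSITIVE_PATHS = ("vpn.ssl.enabled", "vpn.ssl.users", "users",
                   "sshd.enabled", "sshd.authorized_keys")


def flatten(obj: Any, prefix: str = "") -> dict[str, Any]:
    """Flatten nested dicts into dotted paths; lists become sorted tuples so order is ignored."""
    out: dict[str, Any] = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            out.update(flatten(value, f"{prefix}{key}."))
    elif isinstance(obj, list):
        out[prefix.rstrip(".")] = tuple(sorted(map(str, obj)))
    else:
        out[prefix.rstrip(".")] = obj
    return out


def config_drift(baseline: dict, current: dict) -> list[tuple[str, Any, Any]]:
    """Return (path, old, new) for every changed path that touches a sensitive key."""
    base, cur = flatten(baseline), flatten(current)
    findings = []
    for path in sorted(set(base) | set(cur)):
        old, new = base.get(path), cur.get(path)
        sensitive = any(path == s or path.startswith(s + ".") for s in SENSITIVE_PATHS)
        if old != new and sensitive:
            findings.append((path, old, new))
    return findings


# Constructed snapshots: the post-remediation baseline versus a later state in which
# SSL VPN was quietly re-enabled and an extra VPN account appeared. The hostname
# change is deliberately non-sensitive and should not be reported.
BASELINE = {"vpn": {"ssl": {"enabled": False, "users": ["admin"]}},
            "sshd": {"enabled": True}, "users": ["admin"], "hostname": "fw01"}
CURRENT = {"vpn": {"ssl": {"enabled": True, "users": ["admin", "svc-backup"]}},
           "sshd": {"enabled": True}, "users": ["admin"], "hostname": "fw01-new"}

if __name__ == "__main__":
    for path, old, new in config_drift(BASELINE, CURRENT):
        print(f"REVIEW {path}: {old!r} -> {new!r}")
```

Run it against exported configs captured immediately after remediation and on every subsequent change, so a re-enabled remote-access path surfaces as a reviewable finding rather than a legitimate-looking feature.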

During the investigation, the threat actor took their entire infrastructure offline right as researchers were closing in. What does this level of operational security suggest about their awareness and the resources at their disposal?

The precision of their operational security is frankly impressive and a bit unsettling. Between September 18 and September 23, 2025, every single server matching the Brickstorm C2 fingerprint suddenly went dark on port 443. This timing coincided almost perfectly with the publication of new research reports, suggesting that UNC5221 is actively monitoring the security community’s findings in real-time. They aren’t just automated scripts; there are people behind those screens watching our moves just as closely as we watch theirs. By burning their entire infrastructure the moment it was “outed,” they demonstrated that they have the resources to rebuild and relocate their operations instantly, sacrificing short-term access to protect the long-term viability of their campaign.

What is your forecast for the future of edge device security in the face of such persistent APT activity?

I expect we will see a dramatic and necessary “re-perimeterization” of the network where edge devices are no longer treated as black boxes. In the coming years, manufacturers of firewalls, NAS devices, and storage appliances will be forced to provide deeper telemetry and support for third-party security integrations, as the 18-month dwell times we saw in this case are simply unacceptable. We will likely see a surge in “Zero Trust” architectures that don’t just verify the user, but constantly verify the integrity of the device itself, regardless of whether it’s a laptop or a core network switch. If we don’t start treating our edge infrastructure with the same level of scrutiny as our endpoints, these sophisticated actors will continue to use our own gatekeepers as their most effective hiding spots.
