Chinese APT UNC5221 Deploys New Malware

June 5, 2026 20:01 · 10 min read
Introduction to UNC5221

A Chinese espionage group tracked as UNC5221, also known as VerdantBamboo, has been involved in attacks that exploited zero-day vulnerabilities in edge devices since at least 2023.

Brickstorm Backdoor

The threat actor used the Brickstorm backdoor undetected in the environments of various targets in the United States for more than a year until the breaches were discovered around March 2025. Researchers describe Brickstorm as 'an advanced malware implant.' Initial variants were written in Go; newer variants written in Rust have since emerged.

In April 2024, Google documented UNC5221 activity using the backdoor, and then again in September 2025, describing attacks against legal services, software-as-a-service providers, business process outsourcers, and technology companies. CISA warned about Brickstorm being deployed by Chinese hackers against VMware vSphere servers, and, more recently, Google reported that it was deployed by UNC6201 against Dell RecoverPoint for Virtual Machines.

Volexity Researchers' Findings

Volexity researchers responding to an incident last year found that VerdantBamboo compromised an Egnyte Storage Sync system and accessed it periodically through the victim's web SSL VPN. From this foothold and using Brickstorm proxying features and stolen credentials, the threat actor accessed the organization's Microsoft 365 environment.

Volexity assesses with high confidence that routing this access through the victim's own VPN was done to blend in with legitimate network traffic and to evade Conditional Access policies that would otherwise have prevented access.

New Backdoors Used

After returning a few days later and re-establishing access to the victim's infrastructure, the attackers deployed the custom malware Plenet to a Synology NAS appliance. Plenet, also tracked as "Grimbolt" by Google, is a cross-platform .NET-based backdoor that offers interactive shell access, remote command execution, file manipulation, and command-and-control (C2) server switching.

AgentPSD is a simple Python-based reverse shell utility that Volexity believes VerdantBamboo used as a fallback persistence mechanism in case its other malware became inaccessible. The researchers discovered that AgentPSD was configured to connect to a different domain than the one Brickstorm used.

Infrastructure and Indicators of Compromise

During the investigation, Volexity attempted to map the infrastructure associated with VerdantBamboo. The researchers created a fingerprint to identify IP addresses and domains Brickstorm used for C2 communication. Although multiple machines were identified, the threat actor took the infrastructure offline before the researchers could identify further systems.

Between September 18 and September 23, all of the servers previously matching this pattern stopped serving on port 443. Around that time, Google also published a new report on Brickstorm activity, which may suggest the attacker was aware that its operations were under investigation.

Conclusion and Recommendations

Volexity describes VerdantBamboo/UNC5221 as 'a highly sophisticated threat actor' that mixes living-off-the-land techniques with custom malware and targets systems that do not support endpoint detection and response (EDR) solutions. The researchers compiled and published a list of indicators of compromise (IOCs) linked to the investigated UNC5221 campaign.

Security teams should be aware of the threats posed by UNC5221 and take the necessary measures to protect their networks. This includes testing every layer of their defenses before attackers do, a point underscored by the statistic that security teams log only 54% of successful attacks and generate alerts for just 14%.


Source: BleepingComputer