Chinese espionage group UNC5221 (VerdantBamboo) has been observed maintaining long-term access to target networks, including Microsoft 365 environments, for over 18 months before detection. The threat actor utilizes a suite of custom malware, including the Brickstorm backdoor (written in Go and Rust), the .NET-based Plenet backdoor, and the Python-based AgentPSD reverse shell. Their tactics focus on compromising edge devices and infrastructure that lacks Endpoint Detection and Response (EDR) visibility, such as NAS devices, storage systems, and firewalls.
Investigations reveal that the group successfully compromised a managed services provider (MSP) to pivot into downstream victim networks, and that it demonstrated significant persistence by re-infecting environments even after remediation efforts. By using stolen credentials to configure VPN access and leveraging WebSocket-based C2 communications, UNC5221 blends in with legitimate traffic to evade security policies. Monitoring of the group's infrastructure suggests that it is highly responsive to public reporting, often taking command-and-control servers offline shortly after researchers publish new findings.