DEV Community

Mark0

Chinese APT deploys new malware to keep access to hacked networks

The Chinese espionage group tracked as UNC5221 (also reported as VerdantBamboo) has been observed running long-term intrusions against Microsoft 365 environments and managed service providers. The group has kept access for extended periods, exceeding 18 months in some cases, by exploiting zero-day vulnerabilities in internet-facing edge devices and by using the Brickstorm backdoor, which has evolved from Go to Rust implementations.

More recent investigations have surfaced additional malware, including a .NET backdoor tracked as Plenet (also known as Grimbolt) and a Python reverse shell called AgentPSD. The actor deploys these tools on systems that cannot run an EDR agent, such as Synology NAS appliances and pfSense firewalls, so host-based detection never sees them; on such devices, visibility depends on network telemetry and the appliances' own logs. Command-and-control traffic is hidden by routing it through SSL VPNs and multiplexing C2 sessions so that it blends in with legitimate encrypted traffic.

The actor also relies on living-off-the-land techniques and purpose-built infrastructure to avoid detection. Although it shifted infrastructure after public disclosure by security researchers, UNC5221 remains an active threat to software-as-a-service providers, legal services firms, and technology companies across the United States.
