VerdantBamboo Deploys BSD Variant of BRICKSTORM on Linux Appliances

A China-nexus cyber espionage group has been observed deploying a BSD variant of a known backdoor called BRICKSTORM, as well as two other malware families codenamed PLENET (aka GRIMBOLT) and AGENTPSD to target Linux systems. The activity has been attributed by Volexity to a threat cluster it tracks as VerdantBamboo, which it said overlaps with hacking groups known as Clay Typhoon (Microsoft),

The article reports that the China-linked VerdantBamboo threat cluster deployed a BSD variant of the BRICKSTORM backdoor, along with PLENET and AGENTPSD malware, to compromise Linux-based edge appliances such as pfSense firewalls and NAS/storage systems, including via a managed service provider’s infrastructure.[1][2] Volexity found the group exploiting local privilege escalation, misconfigured sudo rules, and the limited monitoring on appliances to maintain long-term, stealthy access across multiple environments.[1][2] From a CyberSE.AI perspective, this highlights a critical AI and IT supply chain risk: the same appliance and MSP blind spots exploited by VerdantBamboo for infrastructure access could be used to gain indirect control over AI workloads, models, and data that transit or depend on those network devices. Organizations should treat firewalls, storage sync systems, NAS, and MSP-managed appliances as part of their AI supply chain, enforcing strong hardening, MFA, configuration review, SBOM-driven patching, and compensating monitoring controls to prevent stealthy compromise that could later be leveraged against AI systems and agents.