blindthoughts

VerdantBamboo Deploys BSD BRICKSTORM Backdoor Targeting Linux and Network Appliances

Active nation-state threat activity just expanded its reach. Volexity has attributed a new campaign to VerdantBamboo, a China-nexus cyber espionage group, which is now deploying three malware families against Linux systems and network appliances, including a previously unseen BSD variant of the BRICKSTORM backdoor.

What Happened

According to The Hacker News, VerdantBamboo is actively deploying three families: the new BSD variant of the BRICKSTORM backdoor, PLENET/GRIMBOLT, and AGENTPSD.

BRICKSTORM was previously associated with Windows and VMware ESXi environments. A BSD variant suggests the group is also targeting network-edge appliances such as firewalls, VPN concentrators, and load balancers, a class of device in which BSD-derived operating systems are common (classic Junos and Citrix NetScaler, for example, are FreeBSD-based). Do not assume every appliance qualifies, though: FortiOS, PAN-OS, and Check Point Gaia run on Linux kernels, so for those platforms the Linux families in this campaign are the relevant concern. Check the vendor's documented OS lineage rather than guessing.

Why It Matters

Network appliances are high-value targets precisely because they sit at the perimeter, see all traffic crossing it, and are routinely under-monitored relative to servers and endpoints: most cannot run an EDR agent, and their own self-originated connections are often not logged. A backdoor on a firewall or VPN gateway gives an attacker persistent, privileged visibility into the entire network without ever touching an internal host.

If your existing detection signatures are keyed to the Windows or ESXi BRICKSTORM variants, they may not fire on a BSD build. Whether or not the port to BSD was chosen for evasion, the practical effect is the same: the coverage defenders already have in place does not extend to this variant until it is updated.

The simultaneous deployment of two additional families (PLENET/GRIMBOLT and AGENTPSD) signals a deliberately layered implant strategy — if one tool is burned, others provide fallback persistence. This is not a smash-and-grab; it is long-term espionage infrastructure.

What to Do

Do these now:

  1. Pull Volexity's IoC set and run it against your SIEM, EDR, and firewall logs. Prioritize indicators for BRICKSTORM, PLENET/GRIMBOLT, and AGENTPSD across both Linux hosts and BSD-based appliances.
  2. Audit your network appliance estate. Identify which firewalls, VPNs, and load balancers run BSD-derived OSes and cross-check firmware versions against current vendor security advisories.
  3. Hunt outbound connections from appliances. BRICKSTORM-class implants beacon to C2 infrastructure. Look for anomalous outbound TCP/HTTPS connections from devices that should have constrained or no egress. Traffic originated by the appliance itself is frequently not covered by the same logging as forwarded traffic, so confirm those connections are actually being recorded (NetFlow or a span port upstream of the device is the usual fallback).
  4. Apply pending firmware updates immediately on all network appliances. Nation-state groups routinely exploit known-but-unpatched vulnerabilities to establish initial access before deploying implants.
  5. Lock down management interfaces. Ensure out-of-band management planes are not internet-reachable, MFA is enforced, and admin credentials have been rotated in the last 90 days.
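The egress hunt in steps 1 and 3 is easy to describe and easy to get wrong in practice, so here is a concrete version. This is an added example written for this post, not Volexity's detection logic and not a vendor tool. The log lines, the per-device egress policy, and the single "indicator" address are all constructed for illustration (documentation-range addresses, not real C2); the helper names are this example's own. It does two things a practitioner would want: flags appliance-originated connections that fall outside each device's expected egress set or match an IoC, and flags destination tuples whose connection intervals are suspiciously regular, which is the beaconing behaviour the post describes.

```python
"""Hunt appliance egress logs for out-of-policy destinations, IoC hits, and beacon-like timing.

Added example for illustration only. EGRESS_POLICY, IOC_IPS and SAMPLE_LOGS are
constructed data, not real infrastructure or published indicators.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed egress policy: the external destinations each appliance is expected
# to reach (vendor update / licensing hosts, for instance). A real run would load
# this from the firewall policy export or CMDB.
EGRESS_POLICY = {
    "fw-edge-01": {"203.0.113.10"},
    "vpn-gw-01": {"203.0.113.10", "198.51.100.5"},
}

# Constructed placeholder indicator. Substitute the published IoC set here.
IOC_IPS = {"192.0.2.77"}

# Constructed firewall self-originated-traffic records, syslog-style key=value.
SAMPLE_LOGS = """\
2024-05-01T10:00:00Z src_host=fw-edge-01 src=10.0.0.1 dst=203.0.113.10 dport=443 proto=tcp
2024-05-01T10:00:05Z src_host=fw-edge-01 src=10.0.0.1 dst=192.0.2.77 dport=443 proto=tcp
2024-05-01T10:00:30Z src_host=vpn-gw-01 src=10.0.0.2 dst=198.51.100.5 dport=443 proto=tcp
2024-05-01T10:01:04Z src_host=fw-edge-01 src=10.0.0.1 dst=192.0.2.77 dport=443 proto=tcp
2024-05-01T10:01:10Z src_host=fw-edge-01 src=10.0.0.1 dst=10.0.5.5 dport=514 proto=udp
2024-05-01T10:02:06Z src_host=fw-edge-01 src=10.0.0.1 dst=192.0.2.77 dport=443 proto=tcp
2024-05-01T10:03:05Z src_host=fw-edge-01 src=10.0.0.1 dst=192.0.2.77 dport=443 proto=tcp
2024-05-01T11:14:02Z src_host=vpn-gw-01 src=10.0.0.2 dst=198.51.100.23 dport=8443 proto=tcp
"""

# Explicit RFC 1918 check. Python's ip.is_private also covers the documentation
# ranges used in the sample data, which would hide the test traffic.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src_host=(?P<host>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\S+)$"
)


def parse(log_text):
    """Parse key=value lines into dicts; lines that do not match the layout are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        d["dport"] = int(d["dport"])
        events.append(d)
    return events


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def unexpected_egress(events, policy=EGRESS_POLICY, iocs=IOC_IPS):
    """Return one (host, dst, dport, reason) per external flow that hits an IoC or is outside policy."""
    findings, seen = [], set()
    for e in events:
        if is_internal(e["dst"]):
            continue
        key = (e["host"], e["dst"], e["dport"])
        if key in seen:
            continue
        seen.add(key)
        if e["dst"] in iocs:
            findings.append(key + ("ioc_match",))
        elif e["dst"] not in policy.get(e["host"], set()):
            findings.append(key + ("outside_egress_policy",))
    return findings


def beacon_candidates(events, min_events=4, max_cv=0.2):
    """Flag external flows whose inter-connection gaps are regular.

    Returns ((host, dst, dport), mean_gap_seconds, coefficient_of_variation).
    A low coefficient of variation (stdev / mean) means near-constant spacing,
    even with a little jitter; max_cv sets how much jitter is tolerated.
    """
    by_flow = defaultdict(list)
    for e in events:
        if not is_internal(e["dst"]):
            by_flow[(e["host"], e["dst"], e["dport"])].append(e["ts"])
    out = []
    for flow, stamps in by_flow.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            out.append((flow, round(avg, 1), round(cv, 3)))
    return out


if __name__ == "__main__":
    evts = parse(SAMPLE_LOGS)
    for f in unexpected_egress(evts):
        print("egress:", f)
    for b in beacon_candidates(evts):
        print("beacon:", b)
```

On the constructed sample, the firewall's four connections to 192.0.2.77 arrive roughly a minute apart with a few seconds of jitter and are flagged both as an IoC hit and as beacon-like; the VPN gateway's one-off connection to 198.51.100.23:8443 is flagged only as outside policy, which is the right call for a single event. Tune `min_events` and `max_cv` against your own baseline: real implants add jitter and sleep schedules, so a longer window and a looser threshold catch more at the cost of more review.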

If you are running any network appliance and have not audited it for implants recently, treat this disclosure as your trigger. Volexity's full research is the authoritative source for detection logic and attribution details.

Sources
  1. VerdantBamboo Deploys BSD Variant of BRICKSTORM on Linux Appliances

Synthesized by Claude · sanity-checked before publish.
