A DarkWeb Threat Actor Claim Exposes a Stealth Campaign: VerdantBamboo’s Hidden Assault on Egnyte, MSPs, Microsoft 365, Linux, and BSD Systems

Introduction

A newly uncovered cyber espionage campaign has revealed how modern threat actors continue to evolve beyond traditional malware deployment, leveraging stealth, persistence, and cloud infiltration to maintain long-term access inside targeted environments. Security researchers at Volexity have linked a sophisticated compromise affecting Egnyte environments and Managed Service Providers (MSPs) to a threat group known as VerdantBamboo. The operation demonstrates a high level of technical maturity, combining previously known malware such as BRICKSTORM with newly identified malware families AGENTPSD and PLENET.

What makes this campaign particularly concerning is its focus on persistence across Linux and BSD-based systems, platforms often perceived as less frequently targeted than Windows. By exploiting trusted infrastructure and maintaining covert access to cloud services including Microsoft 365, the attackers were able to remain hidden while expanding their reach inside victim networks. The discovery highlights how advanced persistent threat groups are increasingly targeting service providers and cloud-connected environments to maximize operational impact while minimizing detection.

Volexity Uncovers a Long-Running Intrusion Campaign

Security researchers from Volexity revealed evidence of a prolonged cyber espionage operation attributed to VerdantBamboo, a threat actor known for conducting stealth-focused attacks against strategic targets. The campaign appears to have remained active for an extended period before being identified, allowing attackers to establish persistence and move laterally through compromised environments.

The investigation showed that attackers were not simply deploying malware and leaving. Instead, they carefully embedded themselves into critical infrastructure, maintaining long-term access while continuously adapting their techniques to evade detection. This operational patience is characteristic of advanced espionage groups whose primary objective is intelligence collection and strategic access rather than immediate disruption.

Egnyte and MSP Infrastructure Become Prime Targets

One of the most alarming aspects of the campaign is its focus on Egnyte environments and Managed Service Providers. MSPs represent highly attractive targets because they often maintain privileged access to multiple customer networks. By compromising a single provider, attackers potentially gain indirect access to numerous organizations.

Egnyte environments offer another valuable avenue for attackers. As organizations increasingly rely on cloud-based file sharing and collaboration platforms, access to such environments can provide visibility into sensitive documents, business communications, intellectual property, and operational data.

The attack demonstrates a growing trend in cyber espionage where attackers target trusted intermediaries rather than attacking end organizations directly. This strategy significantly increases efficiency while reducing operational risk for threat actors.

BRICKSTORM Continues to Play a Critical Role

The investigation identified the continued use of BRICKSTORM, a backdoor already documented in earlier intrusions on Linux-based virtualization and network appliances and known for its stealth and flexibility. BRICKSTORM serves as the foundation for maintaining access and conducting post-compromise activity.

Unlike noisy malware designed to cause immediate damage, BRICKSTORM focuses on remaining hidden. Its architecture allows operators to execute commands, gather intelligence, and establish additional footholds without triggering obvious alerts.

The

AGENTPSD Emerges as a New Malware Family

Researchers also identified a previously undocumented malware family named AGENTPSD. The malware appears designed to complement existing intrusion capabilities while extending attacker control over compromised systems.

AGENTPSD introduces additional persistence mechanisms that help attackers survive system reboots, software updates, and security interventions. Such functionality is especially valuable in long-term espionage operations where maintaining uninterrupted access is a primary objective.

The emergence of AGENTPSD illustrates how threat actors continue to invest in custom malware development rather than relying entirely on publicly known tools.

PLENET Expands Operational Capabilities

A second newly identified malware family, PLENET, was also observed during the campaign. While technical details remain limited, researchers noted that PLENET contributed to maintaining persistence and supporting attacker operations across compromised infrastructure.

The deployment of multiple malware families simultaneously suggests a layered strategy. If one component is detected and removed, alternative mechanisms remain available to preserve access.

This redundancy significantly increases the resilience of the attack operation and complicates incident response efforts.

Microsoft 365 Becomes a Strategic Objective

Beyond local systems, attackers successfully pivoted into Microsoft 365 environments. This move provided access to cloud-hosted resources, communications, authentication systems, and potentially sensitive corporate data.

Cloud environments have become increasingly attractive targets because they often serve as central hubs connecting users, devices, applications, and business processes. Once attackers establish access, they can gather intelligence without generating the same level of suspicion associated with traditional endpoint activity.

The campaign demonstrates how modern cyber operations increasingly blur the boundaries between on-premises systems and cloud infrastructure.

Linux and BSD Systems Under Growing Threat

Perhaps one of the most significant findings is the attackers’ emphasis on Linux and BSD appliances. Historically, many organizations concentrated security monitoring efforts on Windows systems, assuming Unix-like platforms presented lower risk.

That assumption is becoming increasingly dangerous.

Network appliances, storage systems, virtualization platforms, and cloud infrastructure frequently rely on Linux and BSD operating systems. Attackers recognize that these devices often receive less security scrutiny while possessing privileged access to critical resources.

VerdantBamboo’s operation highlights a broader shift in the threat landscape where Linux-based infrastructure is no longer a secondary target but a primary operational objective.

Persistence Remains the Core Mission

The

Every malware family identified during the investigation appears engineered to maintain long-term access while avoiding detection. Rather than conducting destructive actions, attackers prioritized survival inside compromised environments.

This strategy enables continuous intelligence gathering, future operational flexibility, and potential access to sensitive information over extended periods.

Organizations facing such threats often struggle because traditional security programs are optimized for detecting immediate attacks rather than identifying subtle, long-duration compromises.

What Undercode Say:

The VerdantBamboo operation represents a textbook example of how advanced cyber espionage has evolved beyond endpoint compromise.

The most important takeaway is not the malware itself.

The real story is the

Targeting MSPs creates a multiplier effect.

Compromising service providers allows indirect access to numerous organizations.

This dramatically improves attacker efficiency.

The focus on Egnyte indicates growing interest in cloud-centric workflows.

Modern businesses centralize valuable information inside collaborative platforms.

Attackers follow the data.

BRICKSTORM remains noteworthy because it reflects mature malware engineering.

Persistence is prioritized over destruction.

Stealth is prioritized over speed.

Intelligence collection is prioritized over publicity.

The introduction of AGENTPSD and PLENET suggests active malware development.

Threat actors are not standing still.

Defenders cannot rely exclusively on signatures.

Custom malware development increasingly bypasses traditional detection methods.

Microsoft 365 remains a recurring attack target across multiple threat campaigns.

Identity has become the new security perimeter.

Credential theft and cloud persistence often generate greater value than endpoint compromise.

Linux and BSD targeting deserves special attention.

Many enterprises still dedicate disproportionate resources toward Windows monitoring.

Infrastructure appliances frequently operate with limited visibility.

Attackers understand these blind spots.

The campaign also demonstrates strong operational discipline.

Multiple malware families create redundancy.

Redundancy increases resilience.

Resilience extends intrusion lifespan.

Long-lived intrusions generate greater intelligence value.

The attack highlights weaknesses in trust relationships.

Organizations trust MSPs.

Organizations trust cloud platforms.

Organizations trust infrastructure appliances.

Threat actors increasingly exploit those trust assumptions.

Defensive strategies must evolve.

Threat hunting should include Linux assets.

Cloud telemetry requires continuous monitoring.

Identity systems must receive equal protection.

Behavior-based analytics become essential.

Traditional antivirus alone is insufficient.

Organizations should audit service-provider relationships regularly.

Zero-trust architectures become increasingly relevant.

Credential hygiene remains critical.

Multi-factor authentication is necessary but not sufficient.

Continuous verification provides stronger protection.

VerdantBamboo’s campaign serves as a warning that sophisticated adversaries are targeting the connective tissue of modern enterprises rather than individual endpoints.

The future battlefield is cloud-connected infrastructure.

The organizations that recognize this shift early will be better positioned to resist similar operations.

Deep Analysis

Technical Indicators and Defensive Commands

Security teams investigating similar threats should increase visibility across Linux and BSD infrastructure.

Monitor running processes with their parent/child relationships; a shell or unknown binary parented by a storage, web, or management daemon is worth pulling for analysis:

ps auxf

Review established connections with the owning process (look for long-lived outbound sessions from appliances that should only accept inbound traffic):

ss -tunap

List listening services (netstat -plant shows the same on older systems without iproute2):

ss -tulpn

Search for files modified in the last 7 days, skipping the virtual /proc and /sys trees:

find / \( -path /proc -o -path /sys \) -prune -o -type f -mtime -7 -print 2>/dev/null

Review scheduled tasks (crontab -l shows only the current user; system drop-ins and other users' spools need checking as well):

crontab -l

ls -la /etc/crontab /etc/cron.d /var/spool/cron /var/spool/cron/crontabs 2>/dev/null

Check systemd persistence, including timers, which are the systemd equivalent of cron:

systemctl list-unit-files --state=enabled

systemctl list-timers --all

Review SSH authentication activity (the unit is ssh on Debian and Ubuntu, sshd on RHEL-family systems):

journalctl -u ssh

Analyze login history (wtmp can be truncated by an intruder, so an empty or suspiciously short result is itself a finding):

last -a

Inspect user accounts, paying particular attention to any UID 0 entry other than root, any new account with a login shell, and any service account whose shell was changed from nologin:

cat /etc/passwd

BSD-based appliances have no systemd or journald: check /etc/rc.conf, /etc/rc.local and /usr/local/etc/rc.d for startup entries, sockstat -l for listening sockets on FreeBSD, and /var/log/auth.log (FreeBSD) or /var/log/authlog (OpenBSD) for SSH logins.
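The file-based checks above (cron drop-ins, systemd units, authorized_keys, UID 0 accounts, recently changed executables) collected into one triage script that runs against a root directory, as an added example; this is not Volexity's tooling and not code from the original page. Pointing it at a mounted disk image instead of the live host sidesteps a backdoored ps or ss on the suspect system. The ROOT argument, the function names, the choice of scratch directories treated as suspicious, and the sample passwd, cron and unit files it is tested with are assumptions for illustration.

```shell
#!/bin/sh
# Linux persistence triage against a root directory: "/" for a live host or
# the mount point of a disk image, e.g. /mnt/evidence. Added example; not
# Volexity's tooling and not from the original page. POSIX sh, awk and find
# only, so it also runs on minimal appliance images without bash.

# UID 0 accounts other than root; a second superuser is a classic backdoor.
# $1 = path to a passwd file.
find_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Active cron entries for every user and every drop-in, not only the
# invoking user's `crontab -l`. Output: "file: line".  $1 = ROOT.
find_cron_entries() {
    for f in "$1/etc/crontab" "$1/etc/cron.d"/* \
             "$1/var/spool/cron"/* "$1/var/spool/cron/crontabs"/*; do
        [ -f "$f" ] || continue
        awk -v f="$f" '!/^[[:space:]]*#/ && NF > 0 { print f ": " $0 }' "$f"
    done
}

# systemd services whose ExecStart* runs a binary from a scratch directory.
# Legitimate units almost never live in /tmp, /dev/shm or /var/tmp.  $1 = ROOT.
find_suspicious_units() {
    for d in "$1/etc/systemd/system" "$1/usr/lib/systemd/system" \
             "$1/lib/systemd/system" "$1/run/systemd/system"; do
        [ -d "$d" ] || continue
        find "$d" -type f -name '*.service' -exec awk '
            /^Exec(Start|StartPre|StartPost)=/ && $0 ~ "/(tmp|dev/shm|var/tmp)/" &&
            !(FILENAME in seen) { seen[FILENAME] = 1; print FILENAME }
        ' {} + 2>/dev/null || :
    done | sort -u
}

# SSH authorized_keys under /root and /home: key count per file plus keys
# without a trailing comment, which attacker-added keys often lack.  $1 = ROOT.
find_authorized_keys() {
    for d in "$1/root" "$1/home"; do
        [ -d "$d" ] || continue
        find "$d" -maxdepth 3 -type f -path '*/.ssh/authorized_keys' -exec awk '
            !/^[[:space:]]*#/ && NF > 0 { n[FILENAME]++; if (NF < 3) bare[FILENAME]++ }
            END { for (f in n) print f ": " n[f] " key(s), " (bare[f] + 0) " without comment" }
        ' {} + 2>/dev/null || :
    done | sort
}

# Executables changed in the last $2 days under system binary paths; a
# narrower, readable alternative to `find / -mtime -7`.  $1 = ROOT.
find_recent_executables() {
    for d in usr/bin usr/sbin usr/local/bin usr/local/sbin usr/libexec bin sbin opt; do
        [ -d "$1/$d" ] || continue
        find "$1/$d" -type f -perm -u+x -mtime "-$2" 2>/dev/null || :
    done | sort -u
}

# Usage: sh triage.sh /             (live host)
#        sh triage.sh /mnt/evidence  (mounted image)
triage() {
    root=${1%/}    # "/" becomes "" so "$root/etc/passwd" is "/etc/passwd"
    echo "== UID 0 accounts besides root"; find_uid0_accounts "$root/etc/passwd"
    echo "== cron entries"; find_cron_entries "$root"
    echo "== systemd services run from scratch directories"; find_suspicious_units "$root"
    echo "== authorized_keys"; find_authorized_keys "$root"
    echo "== executables modified in the last 7 days"; find_recent_executables "$root" 7
}
if [ $# -gt 0 ]; then triage "$1"; fi
```

Each function prints only findings, so an empty section is the expected result on a clean host; any line it emits is a lead to chase with the live ps and ss output, not a verdict on its own.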

Review Microsoft 365 sign-in and audit logs, including non-interactive and service-principal sign-ins, new OAuth application consents, and credentials added to existing app registrations (the last two survive a password reset), and correlate them by account, source IP, and time with endpoint and appliance telemetry.

Implement centralized logging.

Deploy endpoint detection solutions on Linux systems.

Harden service accounts.

Limit privileged access.

Audit MSP trust relationships.

Rotate credentials regularly.

Enforce phishing-resistant MFA where possible.

Review API permissions within cloud environments.

Monitor unusual cloud authentication events.

Correlate cloud and endpoint alerts to identify attacker pivot activity.

Organizations capable of combining endpoint telemetry, identity monitoring, and cloud visibility will have the highest probability of detecting campaigns similar to VerdantBamboo.

✅ Volexity reportedly linked the activity to VerdantBamboo and associated the operation with BRICKSTORM malware.

✅ Researchers identified new malware families named AGENTPSD and PLENET as part of the intrusion toolkit used during the campaign.

✅ The operation reportedly involved persistence mechanisms, Microsoft 365 access, and targeting of Linux and BSD-based systems, aligning with broader trends seen in advanced cyber espionage operations.

Prediction

(+1) Security vendors will introduce additional detection signatures and behavioral analytics specifically targeting AGENTPSD and PLENET activity.

(+1) Organizations will increase monitoring of Linux appliances and cloud identity infrastructure following the publication of technical findings.

(+1) MSP-focused threat hunting programs will expand as enterprises recognize supply-chain style exposure risks.

(-1) Additional victims connected through trusted service-provider relationships may be identified as investigations continue.

(-1) Threat actors will likely modify malware components rapidly to evade newly published detection rules.

(-1) Cloud identity systems will remain a primary target as attackers increasingly prioritize persistence over immediate disruption.
