China-based threat actor VerdantBamboo has deployed a BSD variant of the BRICKSTORM backdoor against Linux appliances, expanding its toolkit beyond traditional Windows targets. Volexity identified the campaign, which also leverages two additional malware families: PLENET (tracked as GRIMBOLT by other researchers) and AGENTPSD.
VerdantBamboo overlaps with Clay Typhoon, a group Microsoft tracks separately. The use of BSD-compiled malware indicates the group targets Unix-like systems, including network appliances and Linux servers that organizations often treat as lower-priority security targets compared to Windows infrastructure.
BRICKSTORM functions as a backdoor, enabling remote code execution and persistent access once installed. The deployment of multiple malware families alongside it suggests a sophisticated staging operation. PLENET and AGENTPSD likely serve distinct roles, such as credential theft, lateral movement, or maintaining redundant access channels if one infection vector is discovered.
Linux appliances remain attractive targets because many organizations assume these systems face lower risk than Windows endpoints. Network appliances, routers, and edge devices running Linux often receive infrequent security updates and less aggressive monitoring than traditional endpoints. A compromised appliance provides attackers a foothold deep within infrastructure, ideal for espionage operations.
The attribution to a China-nexus group signals state-sponsored or state-adjacent activity focused on long-term intelligence gathering rather than financial theft. Espionage groups prioritize persistence and stealth over rapid exploitation, making them willing to invest in multi-stage malware deployments targeting diverse platforms.
Organizations should immediately audit Linux systems and appliances for unauthorized access, particularly those exposed to untrusted networks. Patch management for Linux infrastructure requires the same rigor applied to Windows systems. Network segmentation and monitoring for anomalous outbound connections from appliances provide additional detection layers.
