Executive Summary
In June 2026, the Chinese state-sponsored group UNC5221, also known as VerdantBamboo, was found to have infiltrated U.S. organizations using the Brickstorm backdoor and newly identified malware variants, Plenet and AgentPSD. The attackers maintained undetected access for over 18 months, compromising Microsoft 365 environments and managed service providers. Their tactics included exploiting zero-day vulnerabilities in edge devices and deploying advanced malware implants written in Golang and Rust. (bleepingcomputer.com) This incident underscores the evolving sophistication of state-sponsored cyber-espionage campaigns, highlighting the need for organizations to enhance their detection capabilities, particularly in monitoring network appliances and implementing robust access controls to prevent prolonged unauthorized access.
Why This Matters Now
The UNC5221 campaign demonstrates the increasing complexity and persistence of state-sponsored cyber threats, emphasizing the urgency for organizations to strengthen their cybersecurity measures against advanced persistent threats that exploit zero-day vulnerabilities and maintain long-term access.
Attack Path Analysis
UNC5221 exploited vulnerabilities in edge devices to gain initial access, escalated privileges using stolen credentials, moved laterally through the network, established command and control via custom malware, exfiltrated data from Microsoft 365 environments, and maintained persistent access for over 18 months.
Kill Chain Progression
Initial Compromise
Description
UNC5221 exploited zero-day vulnerabilities in edge devices to gain initial access to the victim's network.
Related CVEs
CVE-2025-22457
CVSS 9.0 (Ivanti-assigned). A stack-based buffer overflow in Ivanti Connect Secure allows remote, unauthenticated attackers to execute arbitrary code.
Affected Products:
Ivanti Connect Secure – 22.7R2.5 and prior (fixed in 22.7R2.6)
Exploit Status:
exploited in the wild
CVE-2026-22769
CVSS 10. Dell RecoverPoint for Virtual Machines contains a hardcoded credential vulnerability, allowing unauthenticated remote attackers to gain root-level access.
Affected Products:
Dell RecoverPoint for Virtual Machines – < 5.2.2
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
T1190 – Exploit Public-Facing Application
T1505.003 – Server Software Component: Web Shell
T1547.006 – Boot or Logon Autostart Execution: Kernel Modules and Extensions
T1071.001 – Application Layer Protocol: Web Protocols
T1078 – Valid Accounts
T1059.001 – Command and Scripting Interpreter: PowerShell
T1543.003 – Create or Modify System Process: Windows Service
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Change Control Processes
Control ID: 6.4.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity and Access Management
Control ID: 3.1
NIS2 Directive – Incident Handling
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Legal Services
Chinese APT UNC5221 specifically targeted legal services with Brickstorm malware, compromising Microsoft 365 environments through MSP breaches and VPN infiltration.
Computer Software/Engineering
Software-as-a-service providers face extended APT persistence risks through VMware vSphere compromises, requiring enhanced east-west traffic security and zero trust segmentation.
Information Technology/IT
A compromised managed service provider gives the attacker a path into every client environment it administers, with firewall compromises used for lateral movement; this demands multicloud visibility controls and the ability to monitor encrypted traffic.
Telecommunications
Network infrastructure vulnerabilities enable 18-month persistent access through edge device exploits, requiring inline IPS protection and egress security policy enforcement.
Sources
- Chinese APT deploys new malware to keep access to hacked networks (BleepingComputer): https://www.bleepingcomputer.com/news/security/chinese-apt-deploys-new-malware-to-keep-access-to-hacked-networks/
- VerdantBamboo: Just Another BRICKSTORM in the Firewall (Volexity): https://www.volexity.com/blog/2026/06/04/verdantbamboo-just-another-brickstorm-in-the-firewall/
- Chinese Hackers Lurked Nearly 400 Days in Networks With Stealthy BrickStorm Malware (SecurityWeek): https://www.securityweek.com/chinese-spies-lurked-in-networks-for-393-days-hunted-for-zero-day-intel/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Implementing Aviatrix Zero Trust CNSF could have significantly constrained UNC5221's activities by limiting lateral movement and controlling data exfiltration paths.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit edge device vulnerabilities may have been limited by CNSF's embedded security controls.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges may have been constrained by Zero Trust Segmentation enforcing strict access controls.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement could have been restricted by East-West Traffic Security monitoring and controlling internal communications.
Control: Multicloud Visibility & Control
Mitigation: The establishment of command and control channels may have been detected and constrained by Multicloud Visibility & Control.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's data exfiltration efforts could have been limited by Egress Security & Policy Enforcement controlling outbound traffic.
The prolonged unauthorized access and data compromise could have been reduced by limiting the attacker's reach and persistence.
Impact at a Glance
Affected Business Functions
- Data Storage and Management
- Email Services
- Network Security
Estimated downtime: 30 days
Estimated loss: $500,000
Potential exposure of sensitive corporate data, including emails and stored files.
Recommended Actions
Key Takeaways & Next Steps
- Implement robust egress security and policy enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- Deploy zero trust segmentation to limit lateral movement within the network, restricting attackers' ability to access critical systems.
- Enhance multicloud visibility and control to detect and respond to anomalous activities across cloud environments.
- Utilize threat detection and anomaly response mechanisms to identify and mitigate malicious behaviors promptly.
- Regularly update and patch edge devices to protect against exploitation of known vulnerabilities.
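The first and fourth recommendations above ask for egress monitoring that can surface an implant's command-and-control traffic from a network appliance, which is what let this campaign persist for so long. The following is an added example, not code from the original page or from any of the cited reports: a small Python beaconing detector run over constructed egress flow records (every host, address and timestamp in it is made up for the example). It flags a source/destination/port triple that connects many times at near-constant intervals, the pattern a polling implant leaves in flow logs even when the payload itself is TLS-encrypted. The thresholds `min_connections` and `max_cv` are assumed starting values, not figures from any report.

```python
"""Beaconing detector over constructed egress flow records.

Added example, not code from the original page. It flags a
(source, destination, port) triple that connects many times at
near-constant intervals: the shape left by an implant polling its
command-and-control server, visible even when the payload is TLS.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def build_sample_logs():
    """Constructed flow records: '<iso-timestamp> <src> <dst> <dst_port> <bytes>'.
    All hosts, addresses and timings are made up for this example."""
    base = datetime(2026, 6, 1, 0, 0, 0)
    lines = []
    # Hypothetical edge appliance 10.0.0.5 polling 203.0.113.10:443 about
    # every 300 s with a few seconds of jitter (12 connections).
    beacon_offsets = [0, 302, 599, 901, 1198, 1503, 1799, 2102,
                      2397, 2701, 2999, 3300]
    for off in beacon_offsets:
        ts = (base + timedelta(seconds=off)).isoformat()
        lines.append(f"{ts} 10.0.0.5 203.0.113.10 443 1432")
    # Workstation 10.0.0.8 browsing one site in bursts: enough connections
    # to pass the count threshold, but the gaps between them are irregular.
    browse_offsets = [0, 30, 45, 600, 610, 1500, 1505, 2400, 3200]
    for off in browse_offsets:
        ts = (base + timedelta(seconds=off)).isoformat()
        lines.append(f"{ts} 10.0.0.8 198.51.100.50 443 8120")
    # A handful of one-off connections that never reach the count threshold.
    for off, dst in [(15, "198.51.100.4"), (70, "198.51.100.9"),
                     (400, "198.51.100.23"), (1900, "198.51.100.7")]:
        ts = (base + timedelta(seconds=off)).isoformat()
        lines.append(f"{ts} 10.0.0.7 {dst} 443 2048")
    return lines


def parse_record(line):
    """Split one flow record into (timestamp, src, dst, dst_port, bytes)."""
    ts, src, dst, port, nbytes = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)


def find_beacons(lines, min_connections=8, max_cv=0.1):
    """Return the triples whose inter-connection gaps are nearly constant.

    min_connections and max_cv are assumed starting thresholds, not values
    from any report. cv is the coefficient of variation (stddev / mean)
    of the gaps, so 0 means perfectly periodic.
    """
    by_triple = defaultdict(list)
    for line in lines:
        ts, src, dst, port, _ = parse_record(line)
        by_triple[(src, dst, port)].append(ts)

    findings = []
    for (src, dst, port), times in by_triple.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing periodic to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({
                "src": src, "dst": dst, "port": port,
                "count": len(times),
                "mean_interval_s": round(avg, 1),
                "cv": round(cv, 3),
            })
    return findings


if __name__ == "__main__":
    for hit in find_beacons(build_sample_logs()):
        print(f"beacon candidate: {hit['src']} -> {hit['dst']}:{hit['port']} "
              f"x{hit['count']}, every ~{hit['mean_interval_s']}s (cv={hit['cv']})")
```

On the constructed input only the appliance's 300-second polling is reported; the bursty browsing host has enough connections but a large coefficient of variation, and the one-off connections never reach the count threshold. Two caveats a practitioner should keep in mind: legitimate periodic traffic (update checks, NTP, monitoring agents) produces the same signature, so the output needs an allowlist, and an implant that randomizes its sleep interval will push the cv above the cutoff, so this check belongs alongside a simpler one that asks whether an edge appliance should be initiating outbound sessions to that destination at all.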