Brickstorm exposes new appliance blind spot

A China-linked cyber-espionage group tracked as VerdantBamboo has been tied to a BRICKSTORM malware operation targeting Linux-based virtual appliances, firewalls and enterprise infrastructure, sharpening concerns over the security of systems that often sit outside mainstream endpoint monitoring.

The activity came to light after suspicious traffic was detected from a Linux-based virtual machine appliance during an incident response investigation. The inquiry found that attackers had used stolen administrative credentials to access a firewall, enabled web SSL VPN access and then moved further into the victim network. The case adds VerdantBamboo to a widening set of China-nexus clusters associated with BRICKSTORM, a stealthy remote access tool built for persistence, internal reconnaissance and covert command-and-control.

BRICKSTORM has emerged as one of the more consequential espionage implants aimed at network appliances and virtualisation environments. The malware was first documented as a Go-based backdoor and later appeared in Rust-based variants. Its modular design gives operators a remote shell, a SOCKS5 proxy for tunnelling traffic through compromised networks and a lightweight web server capable of listing and transferring files. Security researchers have also identified a custom library known as wssoft, which appears to handle task processing and communications.

The latest case shows how attackers are exploiting the weak visibility around appliances that are rarely covered by conventional endpoint detection and response tools. Firewalls, storage synchronisation servers, VMware vCenter hosts, ESXi environments and network-attached storage devices can become high-value staging points because they control access, identity flows and internal routing. Once compromised, they allow attackers to blend into administrative traffic, capture credentials and pivot into more sensitive systems.

The VerdantBamboo intrusion also highlights the continuing use of legitimate access rather than noisy exploit chains once an initial foothold is obtained. Investigators found that the firewall’s administrative interface was exposed to the internet and that stolen administrator credentials were not protected by multi-factor authentication. The attackers then configured VPN access through the device and used it to reach internal systems, a pattern that fits a broader shift in state-linked intrusions toward “living off the land” techniques and trusted remote services.

BRICKSTORM’s technical evolution has made detection more difficult. Samples have carried command-and-control over WebSockets, wrapped it in nested TLS, resolved their servers through DNS-over-HTTPS and hosted infrastructure on cloud platforms or dynamic DNS services. Some versions have been obfuscated, while others appear designed to mimic normal appliance behaviour. Earlier analyses found no consistent reuse of command-and-control domains across victims, suggesting careful operational discipline intended to frustrate broad indicator-based blocking.

The malware’s persistence features are equally significant. BRICKSTORM can monitor itself and restart or reinstall if interrupted. Some samples have been configured with delayed execution, allowing the implant to remain dormant until a specified date before contacting its command server. That capability can let operators survive initial remediation efforts and re-establish access after defenders believe a breach has been contained.

Government cyber authorities have already warned that BRICKSTORM has been used by China state-sponsored actors for long-term persistence against government services, facilities and information technology entities. Publicly analysed incidents include compromises of VMware vCenter servers, domain controllers and Active Directory Federation Services systems. One breach involved access from April 2024 until at least September 2025, underlining the long dwell times associated with this toolset.

China has consistently denied allegations that it sponsors cyberattacks, while arguing that it is itself a major victim of cyber operations. Western governments and private threat intelligence teams, however, continue to link several long-running campaigns to China-nexus actors, particularly those targeting telecommunications, legal services, software providers, government bodies and managed service providers.

The focus on managed service providers is especially sensitive. Compromising an MSP can give attackers a trusted route into multiple downstream customers, including organisations with limited in-house security capacity. The VerdantBamboo case points to this risk by showing how stolen credentials and remote access pathways can turn one compromised support environment into a broader intrusion channel.

For enterprises, the main lesson is that appliances can no longer be treated as passive infrastructure. Security teams are being urged to inventory all edge devices, virtual appliances and management servers; enforce multi-factor authentication on administrative interfaces; restrict internet exposure; centralise appliance logs; monitor outbound traffic from systems that normally generate little communication; and hunt for unexplained WebSocket, DNS-over-HTTPS or TLS activity from management hosts.
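The hunt described in the paragraph above, and the WebSocket, nested-TLS and DNS-over-HTTPS tradecraft described earlier, can be turned into a small triage script. The following is an added example written for this article, not code from the article, from any government advisory or from any vendor tool. It takes connection records of the kind a firewall or network sensor exports, restricts them to hosts in an assumed management-host inventory (vCenter, ESXi, NAS), drops destinations in each host's known baseline, and flags contact with public DoH resolvers, outbound WebSocket upgrades and unusually long TLS sessions. The field names, the inventory, the resolver list, the one-hour threshold and the sample records are all assumptions constructed for the example.

```python
"""Hunt for unusual outbound traffic from appliance / management hosts.

Added example, not from the article or any product. Models the hunt the
article recommends: hosts that normally talk very little should not be
reaching DoH resolvers, opening outbound WebSockets, or holding hour-long
TLS sessions to destinations outside their known baseline.
"""
from dataclasses import dataclass

# Assumed asset inventory: management hosts that should rarely originate
# traffic, each with the destinations they are expected to reach.
INVENTORY = {
    "10.0.5.10": {"role": "vcenter", "baseline": {"updates.example-vendor.com"}},
    "10.0.5.11": {"role": "esxi", "baseline": set()},
    "10.0.5.20": {"role": "nas", "baseline": {"ntp.example.org"}},
}

# Assumed starter list of public DoH resolver hostnames; extend from your own intel.
DOH_RESOLVERS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

# Assumption: a session of an hour or more from an appliance is worth a look.
LONG_SESSION_SECONDS = 3600


@dataclass
class Conn:
    """One connection record; the field set is an assumed export format."""
    ts: str
    src: str
    dst: str          # SNI / Host header if observed, else destination IP
    dport: int
    service: str      # "tls", "websocket" (HTTP Upgrade seen), "udp", ...
    duration: float   # seconds


def classify(conn, inventory=INVENTORY, resolvers=DOH_RESOLVERS):
    """Return the reasons a connection looks suspicious, or [] if benign."""
    asset = inventory.get(conn.src)
    if asset is None:
        return []                      # not a monitored appliance
    if conn.dst in asset["baseline"]:
        return []                      # expected destination for this host
    reasons = []
    if conn.dst in resolvers and conn.dport == 443:
        reasons.append("doh-resolver")
    if conn.service == "websocket":
        reasons.append("websocket-outbound")
    if conn.service in ("tls", "websocket") and conn.duration >= LONG_SESSION_SECONDS:
        reasons.append("long-lived-tls")
    if conn.service in ("tls", "websocket") and not reasons:
        reasons.append("unexpected-egress")   # encrypted egress off-baseline
    return reasons


def hunt(conns, **kw):
    """Run classify over records; return (src, dst, reasons) for each hit."""
    hits = []
    for c in conns:
        reasons = classify(c, **kw)
        if reasons:
            hits.append((c.src, c.dst, reasons))
    return hits


# Constructed sample records for the example (not real telemetry).
SAMPLE = [
    Conn("2025-09-01T02:10:00Z", "10.0.5.10", "updates.example-vendor.com", 443, "tls", 4.0),
    Conn("2025-09-01T02:11:05Z", "10.0.5.10", "dns.google", 443, "tls", 0.3),
    Conn("2025-09-01T02:11:06Z", "10.0.5.10", "203.0.113.45", 443, "websocket", 7200.0),
    Conn("2025-09-01T02:15:00Z", "10.0.5.20", "ntp.example.org", 123, "udp", 0.1),
    Conn("2025-09-01T02:16:00Z", "10.0.5.11", "198.51.100.7", 443, "tls", 5400.0),
    Conn("2025-09-01T02:20:00Z", "10.0.9.50", "dns.google", 443, "tls", 0.2),  # workstation, not inventoried
]

if __name__ == "__main__":
    for src, dst, why in hunt(SAMPLE):
        print(f"{src} -> {dst}: {', '.join(why)}")
```

The baseline allow-list is the important part: the article's point is that appliances should have a small, knowable set of outbound destinations, so anything else from them is a lead rather than noise. Feed the script your real inventory and a week of normal traffic first to populate the baselines, then run it against new records.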
