A China-nexus espionage group has compiled a variant of its known BRICKSTORM backdoor specifically for BSD, using it to compromise Linux-based network appliances — infrastructure that rarely runs the endpoint protections now standard on conventional servers and workstations.

The operation, disclosed by threat intelligence firm Volexity in June 2026, was attributed to a cluster the company tracks as VerdantBamboo — a group that overlaps with what Microsoft calls Clay Typhoon. Alongside the BSD-ported BRICKSTORM, the attackers deployed two additional malware families codenamed PLENET (also known as GRIMBOLT) and AGENTPSD as part of a broader campaign against Linux infrastructure.

Why a BSD Variant Matters

The decision to port BRICKSTORM to BSD is a calculated move. Many enterprise edge devices — firewalls, VPN gateways, load balancers, and other network appliances — run Linux or BSD-based operating systems. These systems are attractive targets for state-sponsored groups because they sit at the network perimeter, often handle encrypted traffic, and frequently run without traditional antivirus or endpoint detection and response (EDR) agents.

By compiling BRICKSTORM for BSD, the threat actors can operate on a wider range of appliance firmware and embedded systems. A backdoor running on a perimeter firewall, for example, can intercept credentials, pivot into internal networks, and persist across reboots with minimal chance of detection by conventional security tooling.

Three Malware Families, One Campaign

The full toolset deployed in this campaign comprises three distinct malware families. BRICKSTORM serves as the primary backdoor, providing remote access and command execution. PLENET (tracked elsewhere as GRIMBOLT) and AGENTPSD supplement the operation; Volexity's disclosure indicates that these components handle different stages of the intrusion chain. The combination suggests a mature operational playbook rather than opportunistic exploitation.

For organisations operating across Asia-Pacific, where Linux-based edge appliances are widely deployed in both cloud and on-premises environments, the campaign underscores a persistent blind spot. Network infrastructure is often treated as "set and forget" after initial deployment, receiving firmware updates infrequently and logging insufficient telemetry for forensic investigation.

Defensive Recommendations

Security teams should take several concrete steps in response to this disclosure:

  • Audit edge devices for unexpected binaries. A BSD-compiled binary executing on a Linux appliance is inherently anomalous. File integrity monitoring and periodic inspection of running processes on perimeter devices can surface this type of implant.
  • Ensure network appliance telemetry reaches your SIEM. Firewalls, VPN concentrators, and load balancers should forward logs and connection data to centralised monitoring. Without this visibility, persistence on edge devices goes unnoticed.
  • Inventory and patch appliance firmware. Organisations that lack a complete inventory of their perimeter devices cannot defend them. Establish a regular patching cadence for appliance firmware that accounts for vendor-specific security advisories.
  • Monitor for known indicators of compromise. Volexity is expected to release indicators of compromise associated with the VerdantBamboo campaign. Security operations teams should integrate these into detection rules as soon as they become available.
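The first recommendation above, auditing an appliance for binaries built for a BSD rather than for Linux, can be implemented directly from the ELF file format: the EI_OSABI byte in the ELF identification header records the target ABI, and the NetBSD and OpenBSD toolchains additionally leave a named note section in every executable they produce. The script below is an added example, not code from the article or from Volexity. It assumes the EI_OSABI constants from the ELF specification (2 = NetBSD, 9 = FreeBSD, 12 = OpenBSD) and the section names `.note.netbsd.ident` and `.note.openbsd.ident`; the sample ELF images it inspects are constructed inside the script so that it runs offline.

```python
import os
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# EI_OSABI values from the ELF specification (see glibc elf.h / FreeBSD elf_common.h).
OSABI_NAMES = {0: "SYSV/none", 2: "NetBSD", 3: "GNU/Linux", 9: "FreeBSD", 12: "OpenBSD"}
BSD_OSABI = {2, 9, 12}
# Note sections the NetBSD and OpenBSD toolchains emit. FreeBSD executables are
# caught by EI_OSABI == 9, which the FreeBSD linker sets by default.
BSD_NOTE_SECTIONS = {".note.netbsd.ident": "NetBSD", ".note.openbsd.ident": "OpenBSD"}


@dataclass
class ElfFinding:
    osabi: int
    osabi_name: str
    bsd_sections: List[str]

    @property
    def suspicious(self) -> bool:
        """True when either signal says the file was built for a BSD."""
        return self.osabi in BSD_OSABI or bool(self.bsd_sections)


def _section_names(data: bytes, is64: bool, end: str, shoff: int,
                   shentsize: int, shnum: int, shstrndx: int) -> List[str]:
    """Read the section header table and resolve each sh_name through .shstrtab."""
    fmt = end + ("IIQQQQIIQQ" if is64 else "IIIIIIIIII")
    size = struct.calcsize(fmt)
    if shoff == 0 or shnum == 0 or shentsize < size or shstrndx >= shnum:
        return []  # stripped section headers, or a table we cannot trust
    headers = []
    for i in range(shnum):
        chunk = data[shoff + i * shentsize: shoff + i * shentsize + size]
        if len(chunk) < size:
            return []  # truncated table
        headers.append(struct.unpack(fmt, chunk))
    str_off, str_size = headers[shstrndx][4], headers[shstrndx][5]  # sh_offset, sh_size
    strtab = data[str_off:str_off + str_size]
    names = []
    for hdr in headers:
        start = hdr[0]  # sh_name is a byte offset into .shstrtab
        stop = strtab.find(b"\0", start)
        names.append(strtab[start:stop if stop != -1 else None].decode("ascii", "replace"))
    return names


def inspect_elf(data: bytes) -> Optional[ElfFinding]:
    """Return a finding for an ELF image, or None if the bytes are not ELF."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        return None
    is64 = data[4] == 2                  # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"   # EI_DATA: little- or big-endian
    osabi = data[7]                      # EI_OSABI
    fmt = end + ("HHIQQQIHHHHHH" if is64 else "HHIIIIIHHHHHH")
    hdr_end = 16 + struct.calcsize(fmt)
    if len(data) < hdr_end:
        return None
    f = struct.unpack(fmt, data[16:hdr_end])
    # f = (e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    #      e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx)
    names = _section_names(data, is64, end, f[5], f[10], f[11], f[12])
    return ElfFinding(osabi, OSABI_NAMES.get(osabi, f"unknown({osabi})"),
                      [n for n in names if n in BSD_NOTE_SECTIONS])


def scan_directory(root: str) -> List[Tuple[str, ElfFinding]]:
    """Walk a tree (e.g. a mounted firmware image) and return every BSD-flagged file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                with open(path, "rb") as fh:
                    finding = inspect_elf(fh.read())
            except OSError:
                continue
            if finding and finding.suspicious:
                hits.append((path, finding))
    return hits


def scan_processes() -> List[Tuple[str, ElfFinding]]:
    """Linux only: inspect the image behind each running process via /proc/<pid>/exe,
    which the kernel still serves even if the file was deleted from disk after launch."""
    hits = []
    if not os.path.isdir("/proc"):
        return hits
    for pid in filter(str.isdigit, os.listdir("/proc")):
        exe = f"/proc/{pid}/exe"
        try:
            with open(exe, "rb") as fh:
                finding = inspect_elf(fh.read())
            target = os.readlink(exe)
        except OSError:
            continue  # kernel threads, or a process we are not allowed to read
        if finding and finding.suspicious:
            hits.append((f"pid {pid} ({target})", finding))
    return hits


def build_sample_elf(osabi: int, extra_sections=()) -> bytes:
    """Constructed test data: a minimal little-endian ELF64 image with no code and no
    program headers, whose section header table names the given sections."""
    names = ["", ".shstrtab", *extra_sections]
    strtab, offsets = b"", []
    for n in names:
        offsets.append(len(strtab))
        strtab += n.encode() + b"\0"
    str_off = 64                                   # .shstrtab follows the ELF header
    shoff = (str_off + len(strtab) + 7) & ~7       # 8-byte aligned section header table
    ident = b"\x7fELF" + bytes([2, 1, 1, osabi, 0]) + b"\0" * 7
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, len(names), 1)
    body = strtab + b"\0" * (shoff - str_off - len(strtab))
    shdrs = struct.pack("<IIQQQQIIQQ", 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)                       # SHT_NULL
    shdrs += struct.pack("<IIQQQQIIQQ", offsets[1], 3, 0, 0, str_off, len(strtab), 0, 0, 1, 0)  # SHT_STRTAB
    for off in offsets[2:]:
        shdrs += struct.pack("<IIQQQQIIQQ", off, 7, 0, 0, 0, 0, 0, 0, 4, 0)             # empty SHT_NOTE
    return ehdr + body + shdrs


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/usr/bin"
    for where, finding in scan_directory(root) + scan_processes():
        print(f"{where}: OSABI={finding.osabi_name} sections={finding.bsd_sections}")
```

Run it against a mounted firmware image or a directory on the appliance (`python3 elfscan.py /mnt/firmware`), or with no argument to scan `/usr/bin` plus the running processes of the local host. Both signals are cheap to forge: EI_OSABI is a single byte an attacker can rewrite, and section headers can be stripped entirely, so a clean result is weak evidence and the check belongs alongside the file integrity baselines and process inspection the list above calls for, not in place of them.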

The Bigger Picture

The network perimeter remains a priority target for well-resourced espionage actors. As endpoint defences on Windows and standard Linux servers have improved, sophisticated groups are shifting focus to the appliances that sit between the internet and the enterprise — devices that organisations have historically under-monitored. Defenders who extend visibility to the edge will be better positioned to detect campaigns like this one before the attackers reach their objectives.

