VerdantBamboo Deploys BSD Variant of BRICKSTORM Backdoor Against Linux and BSD Network Appliances

China-nexus threat cluster VerdantBamboo has deployed a BSD-compatible variant of the BRICKSTORM backdoor, extending its implant coverage beyond Linux-based hosts in VMware environments to commercial network appliances running FreeBSD-derived operating systems. The implant talks to its command-and-control infrastructure over HTTPS with certificates issued by public certificate authorities, survives reboots, and runs on devices where no enterprise EDR agent can be installed.

Tags: verdantbamboo, brickstorm, china-nexus, apt, bsd, linux, network-appliances, backdoor, threat-intelligence

Threat intelligence researchers have documented VerdantBamboo, a China-nexus threat cluster whose infrastructure and tooling overlap with previously tracked UNC3886 activity, deploying a BSD-compatible variant of the BRICKSTORM backdoor against enterprise network appliances. The development is a significant capability extension: BRICKSTORM was previously documented on Linux-based hosts in VMware vCenter and ESXi environments, and the BSD variant indicates active investment in targeting commercial network security appliances, routers, and switches that run FreeBSD-derived operating systems.

BRICKSTORM Technical Profile

BRICKSTORM is a Go-language backdoor first documented by Mandiant in 2024 in UNC3886 intrusions into VMware vCenter environments; NVISO has since published analysis of further variants. Key characteristics:

Command and control: HTTPS over port 443 using certificates issued by public commercial certificate authorities, so the TLS session itself validates cleanly. To inspection that neither terminates TLS nor fingerprints the ClientHello (JA3/JA4), the C2 traffic is indistinguishable from legitimate HTTPS. One caveat for hunters: Go's crypto/tls produces a recognisable ClientHello, but that fingerprint is shared by every program built with the same Go release, so it narrows the search rather than identifying the implant.

Persistence: Modified startup scripts and cron entries. The BSD variant adapts these to FreeBSD's rc.d framework (rc.conf enable knobs and scripts under /etc/rc.d or /usr/local/etc/rc.d) and, depending on the target appliance, to the proprietary startup mechanisms of specific network operating systems.

Capabilities: File system read and write, arbitrary command execution, and network pivoting through a SOCKS5 proxy. The BSD variant ships an updated pivoting module built against the BSD network stack.

Anti-analysis: Statically linked Go binary with obfuscated symbols, no shared library dependencies, and no distinctive file names. Everything the implant needs is compiled in, so it runs without touching the appliance's package set or pulling in external dependencies.

Target Appliance Classes

Based on the tooling analysis, VerdantBamboo’s BSD variant is believed to target appliances running:

  • FreeBSD or derivatives (including pfSense, OPNsense, and the custom BSD builds used in commercial appliances)
  • F5 BIG-IP (only legacy releases were BSD-derived; current TMOS is Linux-based, so on modern BIG-IP the Linux variant is the relevant one)
  • Some Check Point appliance configurations (the legacy IPSO platform was FreeBSD-derived; Gaia is Linux-based)
  • High-end enterprise switches from vendors that build their network operating systems on BSD networking stacks

The targeting is consistent with the group’s documented interest in network-edge devices — appliances that provide persistent, high-privilege, monitoring-blind access to enterprise networks.

Detection Indicators

Network-level indicators:

  • Outbound HTTPS connections from network appliance management IPs to general-purpose cloud and CDN hosting (AWS, Azure, GCP, Cloudflare) that the appliance has no management reason to contact, particularly outside maintenance windows
  • Persistent low-volume HTTPS beaconing with consistent intervals from management interface IPs
  • DNS queries from network appliance management IPs for domains registered within the past 90 days
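The beaconing indicator above is the one that survives legitimate-looking certificates, because it depends only on timing. The following detector, added here as an example and not part of the original report or any vendor's tooling, groups connection-log records by (source, destination, port), keeps only flows that originate in the management subnet and leave the enterprise's internal ranges, and reports flows whose inter-connection gaps are regular. The log format, the subnets and the thresholds are all assumed; the sample log is constructed.

```python
"""Periodic-beacon detector for appliance management traffic.

Added example (not from the original report). Assumptions, all constructed:
  - connection-log lines are "<epoch> <src_ip> <dst_ip> <dst_port> <bytes_out>"
  - MGMT_NETS holds the management subnets; INTERNAL_NETS the ranges that are
    never "external" (so update mirrors inside the enterprise are not flagged)
  - a (src, dst, port) flow is reported when it has at least MIN_CONNS
    connections whose inter-connection gaps are regular: coefficient of
    variation (stdev / mean) at or below MAX_CV
"""
import ipaddress
import statistics
from collections import defaultdict

MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]            # assumed management subnet
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
MIN_CONNS = 6
MAX_CV = 0.15


def in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def parse_line(line):
    ts, src, dst, port, nbytes = line.split()
    return float(ts), src, dst, int(port), int(nbytes)


def find_beacons(lines, min_conns=MIN_CONNS, max_cv=MAX_CV):
    """Return one dict per regular outbound flow from a management IP to an external host."""
    flows = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, nbytes = parse_line(line)
        if in_any(src, MGMT_NETS) and not in_any(dst, INTERNAL_NETS):
            flows[(src, dst, port)].append((ts, nbytes))
    hits = []
    for (src, dst, port), recs in flows.items():
        if len(recs) < min_conns:
            continue
        recs.sort()
        gaps = [later[0] - earlier[0] for earlier, later in zip(recs, recs[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean_gap      # 0 = perfectly periodic
        if cv <= max_cv:
            hits.append({
                "src": src, "dst": dst, "port": port, "count": len(recs),
                "interval_s": round(mean_gap, 1), "jitter_cv": round(cv, 3),
                "bytes_avg": round(statistics.mean([r[1] for r in recs])),
            })
    return sorted(hits, key=lambda h: h["jitter_cv"])


# Constructed sample log: one jittered 5-minute beacon from a management IP to an
# external host, irregular update traffic, an internal DNS flow, and a non-management host.
SAMPLE_LOG = """
# epoch      src          dst           port bytes
1700000000   10.20.0.5    203.0.113.7   443  1184
1700000300   10.20.0.5    203.0.113.7   443  1184
1700000602   10.20.0.5    203.0.113.7   443  1184
1700000900   10.20.0.5    203.0.113.7   443  1184
1700001201   10.20.0.5    203.0.113.7   443  1184
1700001500   10.20.0.5    203.0.113.7   443  1184
1700001800   10.20.0.5    203.0.113.7   443  1184
1700002103   10.20.0.5    203.0.113.7   443  1184
1700000050   10.20.0.5    198.51.100.9  443  52011
1700000070   10.20.0.5    198.51.100.9  443  1320
1700000900   10.20.0.5    198.51.100.9  443  988
1700001000   10.20.0.5    198.51.100.9  443  4016
1700003200   10.20.0.5    198.51.100.9  443  77300
1700003220   10.20.0.5    198.51.100.9  443  1020
1700005000   10.20.0.5    198.51.100.9  443  2210
1700000000   10.20.0.5    10.20.0.53    53   80
1700000300   10.20.0.5    10.20.0.53    53   80
1700000600   10.20.0.5    10.20.0.53    53   80
1700000900   10.20.0.5    10.20.0.53    53   80
1700001200   10.20.0.5    10.20.0.53    53   80
1700001500   10.20.0.5    10.20.0.53    53   80
1700000000   192.168.1.10 203.0.113.7   443  900
1700000300   192.168.1.10 203.0.113.7   443  900
1700000600   192.168.1.10 203.0.113.7   443  900
1700000900   192.168.1.10 203.0.113.7   443  900
1700001200   192.168.1.10 203.0.113.7   443  900
1700001500   192.168.1.10 203.0.113.7   443  900
"""

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG.splitlines()):
        print(hit)
```

Only the 10.20.0.5 to 203.0.113.7 flow is reported: the update traffic to 198.51.100.9 is bursty, the DNS flow stays inside the enterprise, and the regular flow from 192.168.1.10 is not from a management IP. In practice, feed the function flow records from the firewall or NetFlow collector and tune MIN_CONNS to the retention window; a coefficient of variation near zero over many connections is a stronger signal than any single destination.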

Host-level indicators (where appliance OS access permits):

  • Unexpected ELF executables carrying Go toolchain artefacts (.gopclntab and .go.buildinfo section names, a Go build ID note) in /tmp/, /var/tmp/, or appliance-specific temporary directories
  • rc.d scripts not owned by any installed package, rc.conf enable knobs for services the vendor does not ship, and cron entries in non-default locations
  • Listening processes on loopback interfaces that are not associated with documented appliance services
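Where the appliance exposes a shell, or where a forensic image can be mounted on an analysis host, the first two host-level checks can be scripted. The following triage helpers are added as an example and are not a BRICKSTORM signature: the Go-binary check is a heuristic on toolchain artefacts that a stripped or obfuscated build may evade, the `sockstat -4l` capture is constructed, and the loopback baseline is assumed and must be built from a known-good unit of the same model and firmware.

```python
"""Host-level triage for a FreeBSD-derived appliance (or a mounted forensic image).

Added example (not from the original report, not a BRICKSTORM signature). Assumptions:
  - Go executables are identified heuristically: ELF magic plus at least two of the
    markers a Go toolchain leaves behind (.gopclntab / .go.buildinfo section names,
    the "Go build ID:" note); stripped or obfuscated builds may evade this
  - `sockstat -4l` output is captured on the device and parsed here; any process
    bound to 127.0.0.1 whose command name is outside KNOWN_LOOPBACK_CMDS is reported
  - KNOWN_LOOPBACK_CMDS and SCAN_DIRS are constructed; build yours from a known-good unit
"""
import os

ELF_MAGIC = b"\x7fELF"
GO_MARKERS = (b".gopclntab", b".go.buildinfo", b"Go build ID:")
SCAN_DIRS = ("/tmp", "/var/tmp", "/var/db", "/usr/local/etc/rc.d")   # assumed locations
KNOWN_LOOPBACK_CMDS = {"unbound", "php-fpm", "syslogd", "sshd", "nginx", "lighttpd"}


def looks_like_go_elf(data):
    """Heuristic: ELF header and at least two Go toolchain markers in the file bytes."""
    if not data.startswith(ELF_MAGIC):
        return False
    return sum(1 for marker in GO_MARKERS if marker in data) >= 2


def scan_for_go_executables(dirs=SCAN_DIRS, max_size=64 * 1024 * 1024):
    """Walk dirs (prefix them with the mount point for an image) and return matching files."""
    found = []
    for top in dirs:
        for root, _, files in os.walk(top):
            for name in files:
                path = os.path.join(root, name)
                try:
                    if os.path.islink(path) or os.path.getsize(path) > max_size:
                        continue
                    with open(path, "rb") as fh:
                        data = fh.read()
                except OSError:
                    continue
                if looks_like_go_elf(data):
                    found.append(path)
    return found


def parse_sockstat(text):
    """Parse `sockstat -4l` lines into (user, command, pid, proto, local_address) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] == "USER":      # skip blanks and the header row
            continue
        user, cmd, pid, _fd, proto, local = parts[:6]
        rows.append((user, cmd, int(pid), proto, local))
    return rows


def unexpected_loopback_listeners(text, allow=KNOWN_LOOPBACK_CMDS):
    """Report loopback-bound listeners whose command is not in the documented baseline."""
    hits = []
    for user, cmd, pid, proto, local in parse_sockstat(text):
        host, _, port = local.rpartition(":")
        if host in ("127.0.0.1", "::1") and cmd not in allow:
            hits.append({"user": user, "cmd": cmd, "pid": pid, "proto": proto, "port": int(port)})
    return hits


# Constructed `sockstat -4l` capture: three documented services and one unexplained
# loopback listener (the command name "svchelper" is invented for this example).
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       812   4  tcp4   *:22                  *:*
unbound  unbound    901   5  udp4   127.0.0.1:53          *:*
root     php-fpm    950   7  tcp4   127.0.0.1:9000        *:*
root     svchelper  4471  3  tcp4   127.0.0.1:1080        *:*
"""

if __name__ == "__main__":
    print(unexpected_loopback_listeners(SAMPLE_SOCKSTAT))
    print(scan_for_go_executables())
```

A loopback listener that the baseline does not explain is a lead, not a verdict: the next step is to resolve the PID to its executable (procstat -b on FreeBSD) and run that file through the Go heuristic and the vendor YARA rules. For rc.d, compare each script against the package database (pkg which on FreeBSD-based systems) rather than relying on file names, since the implant does not use distinctive ones.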

YARA signatures: Threat intelligence vendors (Mandiant, CrowdStrike, Recorded Future) have published YARA signatures for BRICKSTORM variants. For organisations with network traffic analysis capability, JA3 fingerprints for BRICKSTORM's TLS implementation have also been documented; treat a JA3 match as a lead to correlate with the beaconing and destination indicators above rather than as a conviction, because other software built with the same Go release shares it.

Attribution Context

VerdantBamboo displays consistent operational patterns with China-nexus espionage activity: persistent access over long timeframes, focus on data exfiltration rather than destructive operations, and targeting of organisations in government, defence, and technology sectors. The group’s operational tempo suggests a well-resourced team with a specific intelligence collection mandate.

The BRICKSTORM BSD variant is not an opportunistic adaptation — it requires sustained engineering investment in a new target platform and is consistent with a deliberate strategic decision to extend implant coverage to the network edge.

Recommended Actions

  • Audit perimeter appliances for BRICKSTORM indicators: Review network appliance management traffic against the BRICKSTORM IOCs published by threat intelligence vendors and, where the platform allows it, check the host-level indicators above.
  • Restrict outbound management interface traffic: Network appliances should only make outbound connections to known management infrastructure (update servers, NTP, authorised SIEM collectors, the internal resolver). Block and log every other outbound connection from management IPs at the network layer; the log of dropped connections doubles as a detection source.
  • Apply all pending firmware updates: VerdantBamboo and similar groups exploit known vulnerabilities for initial access to appliances. Keep perimeter appliances on current firmware, but if compromise is already suspected, capture volatile state and a disk image before reflashing, because an update can overwrite both the implant and the evidence.
  • Submit to vendor analysis if compromise is suspected: If a perimeter appliance shows exploitation indicators, contact the appliance vendor's security response team and the relevant national CERT for guidance on forensic image acquisition; most appliances do not expose a shell, so the vendor's acquisition procedure is usually the only supported route.
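A pf ruleset that enforces the outbound restriction above on a FreeBSD-based appliance, added here as an example and not taken from any vendor's configuration. The interface name, management subnet and the update, NTP, syslog and resolver addresses are all assumed for illustration:

```pf
# Assumed values for this example; substitute the appliance's own.
mgmt_if    = "igb1"                        # management interface
mgmt_net   = "10.20.0.0/24"                # management subnet
update_srv = "{ 192.0.2.10, 192.0.2.11 }"  # vendor package/firmware mirrors
ntp_srv    = "192.0.2.20"
siem       = "192.0.2.30"                  # authorised syslog collector
resolver   = "10.20.0.53"                  # internal DNS only

set block-policy drop

# Everything leaving the management interface is dropped and logged
# unless one of the later 'quick' rules explicitly allows it.
block out log on $mgmt_if all

pass out quick on $mgmt_if proto tcp from $mgmt_net to $update_srv port 443 flags S/SA keep state
pass out quick on $mgmt_if proto udp from $mgmt_net to $ntp_srv port 123 keep state
pass out quick on $mgmt_if proto { tcp, udp } from $mgmt_net to $siem port 514 keep state
pass out quick on $mgmt_if proto { tcp, udp } from $mgmt_net to $resolver port 53 keep state
```

On a plain FreeBSD host these lines go in /etc/pf.conf; check them with `pfctl -nf /etc/pf.conf` (parse only) before loading with `pfctl -f /etc/pf.conf`. pfSense and OPNsense generate pf.conf from the GUI, so express the same policy there as rules on the management interface and confirm the result with `pfctl -sr`. Because the block rule logs, a freshly implanted device attempting its first beacon appears in pflog (`tcpdump -n -e -ttt -i pflog0`) before any threat-intelligence feed can name the destination.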
