Last updated: July 5, 2026 at 9:01 AM UTC
Tag: persistence (2 articles)

Chinese APT UNC5221 keeps 18-month Microsoft 365 access with Brickstorm backdoor

Volexity has detailed how the Chinese espionage group UNC5221 (also tracked as VerdantBamboo) maintained access to a victim's Microsoft 365 environment using the Brickstorm backdoor together with two previously undocumented malware families named Plenet and AgentPSD. The actor sat on the network for at least 18 months before detection and had also compromised the victim's MSP. UNC5221 has exploited edge-device zero-days since at least 2023; Brickstorm was originally written in Go and later rewritten in Rust. In this case the group pivoted from a compromised Egnyte Storage Sync system through the victim's SSL VPN, then used Brickstorm's proxying capability and stolen credentials to reach Microsoft 365 - deliberately blending with legitimate traffic to evade Conditional Access. It re-breached the organization after remediation.

Check
Hunt for Brickstorm, Plenet, and AgentPSD indicators across edge devices and M365. Review Conditional Access logs for VPN-proxied logins blending with legitimate traffic. Audit MSP access paths into your environment.
Affected
Organizations (and their MSPs) running internet-facing edge devices and Egnyte/SSL-VPN infrastructure. UNC5221 maintains multi-year persistence via Brickstorm proxying and stolen credentials to reach Microsoft 365 undetected.
Fix
Apply Volexity IoCs. Harden Conditional Access against proxied logins, rotate credentials, and scrutinize MSP connections. Assume long dwell time - hunt historically and re-verify after remediation, since the group re-breached.

CISA and UK NCSC warn 'FIRESTARTER' backdoor survives Cisco ASA/Firepower patches - US agency compromised, hardware replacement recommended

CISA and the UK's National Cyber Security Centre jointly published a malware analysis report for FIRESTARTER, a persistent backdoor that China-linked group UAT-4356 (the same crew behind 2024's ArcaneDoor campaign) planted on Cisco ASA and Firepower firewall devices by chaining CVE-2025-20333 (VPN web server RCE) and CVE-2025-20362 (unauthorized access). The implant hooks into Cisco's Service Platform mount list, a boot-time configuration that controls which programs run when the device starts, so it survives reboots, firmware upgrades, and the September 2025 patches for those two CVEs. CISA found FIRESTARTER on an already-patched US federal civilian agency's Cisco Firepower device through continuous network monitoring - attackers silently returned in March 2026 to deploy a second-stage implant called Line Viper without needing to re-exploit the original vulnerabilities. Updated Emergency Directive ED 25-03 now orders federal agencies to audit every Cisco ASA and Firepower device they run and submit device memory snapshots for CISA analysis. The stark guidance for everyone else: if you confirm a compromise, replace the hardware. Reimaging is not enough because the bootloader itself may be implanted.

Check
Inventory every Cisco ASA and Firepower Threat Defense device in your environment - including branch offices, remote sites, and lab gear - and check patch status against CVE-2025-20333 and CVE-2025-20362 as the absolute minimum baseline.
Affected
Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) devices running ASA/FTD software, particularly any units that were internet-exposed and unpatched between the September 2025 patch release and the date you actually applied it. Devices patched in that window may still carry the FIRESTARTER implant because the backdoor survives patching.
Fix
Patch any ASA/FTD device still vulnerable to CVE-2025-20333 or CVE-2025-20362 immediately. Then perform a core dump on every device following CISA's supplemental direction and look for FIRESTARTER indicators described in MAR AR26-113A and the joint advisory AA26-113A. Any device showing indicators of compromise must be replaced with new hardware - do not trust reimaging or factory reset, because the persistence mechanism modifies the Cisco Service Platform mount list and the bootloader may be affected. Rotate all VPN credentials and admin passwords on affected devices. Hunt for Line Viper and review firewall logs for unexpected outbound connections from management interfaces for the period after initial patching.