Volexity has detailed Chinese espionage group UNC5221 (also VerdantBamboo) maintaining access to a victim's Microsoft 365 environment using the Brickstorm backdoor plus previously undocumented malware named Plenet and AgentPSD. The actor sat on the network at least 18 months before detection and had also compromised the victim's MSP. UNC5221 has exploited edge-device zero-days since at least 2023; Brickstorm began as Golang, later Rust. In this case the group pivoted from a compromised Egnyte Storage Sync system through the victim's SSL VPN, then used Brickstorm proxying and stolen credentials to reach Microsoft 365 - deliberately blending with legitimate traffic to evade Conditional Access. It re-breached the org after remediation.
CISA and the UK's National Cyber Security Centre jointly published a malware analysis report for FIRESTARTER, a persistent backdoor that China-linked group UAT-4356 (the same crew behind 2024's ArcaneDoor campaign) planted on Cisco ASA and Firepower firewall devices by chaining CVE-2025-20333 (VPN web server RCE) and CVE-2025-20362 (unauthorized access). The implant hooks into Cisco's Service Platform mount list, a boot-time configuration that controls which programs run when the device starts, so it survives reboots, firmware upgrades, and the September 2025 patches for those two CVEs. CISA found FIRESTARTER on an already-patched US federal civilian agency's Cisco Firepower device through continuous network monitoring - attackers silently returned in March 2026 to deploy a second-stage implant called Line Viper without needing to re-exploit the original vulnerabilities. Updated Emergency Directive ED 25-03 now orders federal agencies to audit every Cisco ASA and Firepower device they run and submit device memory snapshots for CISA analysis. The stark guidance for everyone else: if you confirm a compromise, replace the hardware. Reimaging is not enough because the bootloader itself may be implanted.