Last updated: July 5, 2026 at 9:01 AM UTC

Chinese APT UNC5221 keeps 18-month Microsoft 365 access with Brickstorm backdoor

Volexity has detailed how the Chinese espionage group UNC5221 (also tracked as VerdantBamboo) maintained access to a victim's Microsoft 365 environment using the Brickstorm backdoor together with previously undocumented malware named Plenet and AgentPSD. The actor was on the network for at least 18 months before detection and had also compromised the victim's MSP. UNC5221 has exploited edge-device zero-days since at least 2023; Brickstorm was first written in Go and later in Rust. In this case the group pivoted from a compromised Egnyte Storage Sync system through the victim's SSL VPN, then used Brickstorm proxying and stolen credentials to reach Microsoft 365, deliberately blending with legitimate traffic to evade Conditional Access. It re-breached the organization after remediation.

Check
Hunt for Brickstorm, Plenet, and AgentPSD indicators across edge devices and M365. Review Conditional Access logs for VPN-proxied logins blending with legitimate traffic. Audit MSP access paths into your environment.
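One way to carry out the Conditional Access log review above, as an added example that is not from Volexity or this site: correlate VPN session logs with Microsoft 365 sign-ins and flag sign-ins arriving from the VPN egress address that no VPN session for that user covers, which is what a login proxied onto the network through an implant (rather than a real VPN client) looks like. The log layouts, users and addresses are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the report): the site's SSL VPN egresses to M365 via 203.0.113.10.
VPN_EGRESS_IPS = {"203.0.113.10"}

VPN_SESSIONS = [  # (user, session start, session end) as recorded by the VPN appliance
    ("alice@example.com", "2026-07-01T08:00:00", "2026-07-01T17:00:00"),
    ("bob@example.com",   "2026-07-01T09:30:00", "2026-07-01T12:00:00"),
]

SIGNINS = [  # (sign-in id, user, source IP, timestamp) as recorded in Entra ID sign-in logs
    ("s1", "alice@example.com", "203.0.113.10", "2026-07-01T10:15:00"),  # alice on VPN: expected
    ("s2", "bob@example.com",   "203.0.113.10", "2026-07-01T22:40:00"),  # no VPN session for bob: review
    ("s3", "carol@example.com", "203.0.113.10", "2026-07-01T11:00:00"),  # carol never on VPN: review
    ("s4", "bob@example.com",   "198.51.100.7", "2026-07-01T22:45:00"),  # off-VPN source, ordinary CA path
]


def parse(ts):
    return datetime.fromisoformat(ts)


def find_proxied_signins(vpn_sessions, signins, egress_ips, slack=timedelta(minutes=5)):
    """Return ids of sign-ins from a VPN egress address with no VPN session for
    that user covering the sign-in time (slack allows for clock skew)."""
    sessions_by_user = {}
    for user, start, end in vpn_sessions:
        sessions_by_user.setdefault(user, []).append((parse(start) - slack, parse(end) + slack))
    suspicious = []
    for sid, user, ip, ts in signins:
        if ip not in egress_ips:
            continue  # not VPN-sourced; normal Conditional Access handling applies
        when = parse(ts)
        covered = any(s <= when <= e for s, e in sessions_by_user.get(user, []))
        if not covered:
            suspicious.append(sid)
    return suspicious


if __name__ == "__main__":
    for sid in find_proxied_signins(VPN_SESSIONS, SIGNINS, VPN_EGRESS_IPS):
        print("review sign-in", sid)
```

Run it over the historical window the Check section calls for, not just recent logs, since the dwell time here was over a year.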
Affected
Organizations (and their MSPs) running internet-facing edge devices and Egnyte/SSL-VPN infrastructure. UNC5221 maintains multi-year persistence via Brickstorm proxying and stolen credentials to reach Microsoft 365 undetected.
Fix
Apply Volexity IoCs. Harden Conditional Access against proxied logins, rotate credentials, and scrutinize MSP connections. Assume long dwell time - hunt historically and re-verify after remediation, since the group re-breached.