UNC5221 Brickstorm, Plenet, and AgentPSD access-maintenance malware activity
Malware Activity
Summary
The Brickstorm malware set enabled UNC5221 / VerdantBamboo to keep long-term access inside victim infrastructure, including Microsoft 365, raising the risk of stealthy follow-on intrusion. The operation blended stolen credentials with SSL VPN access and proxying to avoid controls that would normally block entry. The malware also extended into internal appliances and supporting infrastructure, including a Synology NAS device and an affected managed services provider (MSP). Persistent access lasting at least 18 months made the compromise harder to detect and easier to re-use.
Related Happenings
Tycoon2FA device-code phishing campaign targeting Microsoft 365
Campaign
First: 17.05.2026 17:43
Last: 17.05.2026 17:43
Sources 1
About this happening:
The **Tycoon2FA** phishing operation added **device-code phishing** to hijack **Microsoft 365** accounts, expanding its ability to steal access tokens and reach email, calendar, a...
MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy
Campaign
First: 06.05.2026 16:02
Last: 06.05.2026 16:02
Sources 1
About this happening:
The **MuddyWater** campaign used **Microsoft Teams** social engineering and a **Chaos ransomware** decoy to gain access, steal credentials, and establish persistence. The operatio...
Dragon Boss Solutions LLC adware malicious update
Malware Activity
First: 16.04.2026 22:07
Last: 16.04.2026 22:07
Sources 1
About this happening:
A **March 22, 2025** malicious update turned **Dragon Boss Solutions LLC** adware into an **AV-disabling** payload, exposing nearly **24,000 systems** to follow-on abuse. The upda...
Warlock ransomware post-exploitation tooling upgrades
Malware Activity
First: 17.03.2026 17:36
Last: 17.03.2026 17:36
Sources 1
About this happening:
The **Warlock ransomware group** has upgraded its post-exploitation toolset with **BYOVD**, **TightVNC**, and **Yuze**, making intrusions harder to detect and interrupt. In an obs...
Fake IT support Havoc campaign
Campaign
First: 03.03.2026 19:15
Last: 03.03.2026 19:15
Sources 1
About this happening:
A **fake IT support** campaign is using **email spam**, phone-based social engineering, and **Havoc C2** to gain initial access, putting targeted organizations at risk of **data e...
Timeline
05.06.2026 03:00 2 articles · 22h ago
Volexity uncovers UNC5221 access to Microsoft 365 and internal systems
Initial Disclosure
Volexity investigators uncover UNC5221, also tracked as VerdantBamboo, maintaining access to Microsoft 365 and other victim systems with Brickstorm, Plenet, and AgentPSD. The investigation finds the actor had been inside the victim network for at least 18 months before detection and had also compromised the victim organization's managed services provider (MSP), with access paths including an Egnyte Storage Sync system and the victim's web SSL VPN.
- Chinese APT deploys new malware to keep access to hacked networks — www.bleepingcomputer.com — 05.06.2026 21:09