BRICKSTORM, PLENET, and AGENTPSD Linux appliance deployment
Malware Activity
Summary
The deployment of BRICKSTORM, PLENET (aka GRIMBOLT), and AGENTPSD on Linux appliances expanded operator access with backdoor, proxying, remote command execution, and fallback reverse-shell capabilities. The malware set was observed in September 2025, following the compromise of an Egnyte Storage Sync system and the later use of a Synology NAS appliance. The activity is attributed to VerdantBamboo and matters because it combines stealthy appliance abuse with multiple implants and persistence options.
Related Happenings
UNC5221 Brickstorm, Plenet, and AgentPSD access-maintenance malware activity
Malware Activity
First: 05.06.2026 21:09
Last: 05.06.2026 21:09
Sources: 1
About this happening:
The **Brickstorm** malware set enabled **UNC5221 / VerdantBamboo** to keep long-term access inside victim infrastructure, including **Microsoft 365**, raising the risk of stealthy...
EtherRAT Node.js backdoor with Ethereum smart-contract C2
Malware Activity
First: 26.03.2026 17:00
Last: 26.03.2026 17:00
Sources: 1
About this happening:
The **EtherRAT** malware activity centers on a **Node.js-based backdoor** that uses **Ethereum smart contracts** to hide and rotate C2 infrastructure. In a **React2Shell** attack,...
UNC6201 Dell RecoverPoint for Virtual Machines zero-day campaign
Campaign
First: 17.02.2026 22:15
Last: 17.02.2026 22:15
Sources: 1
About this happening:
The **UNC6201** campaign has been exploiting a **Dell zero-day** since **mid-2024**, creating a sustained risk of unauthorized access and stealthy movement across victims' virtual...
Latest development: 19.02.2026 17:30
CISA added CVE-2026-22769 to its Known Exploited Vulnerabilities catalog and ordered Federal Civilian Executive Branch agencies to secure affected Dell RecoverPoint systems by Saturday, February 21, after Mandiant and Google Threat Intelligence Group (GTIG) said UNC6201 had exploited the flaw since at least mid-2024.
Pwn2Own Ireland 2025 zero-day demonstrations security flaw
Vulnerability
First: 21.10.2025 20:06
Last: 21.10.2025 20:06
Sources: 1
About this happening:
**QNAP** patched **seven zero-day vulnerabilities** after researchers exploited them at **Pwn2Own Ireland 2025** against **QNAP NAS devices**. The flaws affect **QTS**, **QuTS her...
Latest development: 07.11.2025 20:24
QNAP fixed seven zero-day vulnerabilities in QTS and QuTS hero (CVE-2025-62847, CVE-2025-62848, CVE-2025-62849), Hyper Data Protector (CVE-2025-59389), Malware Remover (CVE-2025-11837), and HBS 3 Hybrid Backup Sync (CVE-2025-62840, CVE-2025-62842) after researchers from Summoning Team, DEVCORE, Team DDOS, and a CyCraft technology intern exploited them during Pwn2Own Ireland 2025 against QNAP NAS devices; QNAP recommends updating to the latest versions and changing all passwords.
PolarEdge botnet activity targeting Cisco, ASUS, QNAP, and Synology routers
Malware Activity
First: 21.10.2025 16:47
Last: 21.10.2025 16:47
Sources: 1
About this happening:
**PolarEdge** is a **botnet malware** operation whose updated analysis shows how infected **Cisco, ASUS, QNAP, and Synology routers** can be turned into remote-control footholds....
Timeline
- 08.06.2026 13:27 (2 articles)
Initial report: BRICKSTORM, PLENET, and AGENTPSD Linux appliance deployment
Initial Disclosure: An initial compromise of an **Egnyte Storage Sync** system enabled **BRICKSTORM** deployment after exploitation of a local privilege escalation flaw. That foothold later let the operators move through the victim's **web SSL VPN** and into **Microsoft 365**.
Sources:
- VerdantBamboo Deploys BSD Variant of BRICKSTORM on Linux Appliances — thehackernews.com — 08.06.2026 13:27