
VerdantBamboo's BSD BRICKSTORM Signals China-Nexus Pivot to Appliance Supply Chains Beyond Windows Targets
China-linked VerdantBamboo expands BRICKSTORM to BSD/Linux appliances via MSPs, exposing overlooked supply-chain risks in proprietary devices that evade EDR.
The deployment of a native BSD variant of BRICKSTORM on pfSense firewalls and Synology NAS devices marks a deliberate expansion by VerdantBamboo (overlapping Clay Typhoon/UNC5221) into environments lacking standard EDR coverage. Volexity's September 2025 incident response revealed initial compromise via Egnyte Storage Sync, followed by lateral movement through an MSP's pfSense appliance using stolen admin credentials and web SSL VPN abuse. This mirrors patterns seen in UNC6201's exploitation of Dell RecoverPoint (CVE-2026-22769) since mid-2024, where PLENET/GRIMBOLT served as a cross-platform .NET Core implant. Most reporting overlooks how these actors systematically map proprietary appliance persistence mechanisms—customized per device—to enable long-term C2 via proxying that blends with legitimate traffic. The 18-month dwell time and MSP vector underscore supply-chain exposure in managed services, where firewall and NAS compromises provide durable footholds for M365 access without triggering Conditional Access policies. This evolution from Windows-centric operations to Linux/BSD appliances reflects broader Chinese cyber doctrine prioritizing stealthy infrastructure control over flashy ransomware.
[SENTINEL]: VerdantBamboo's appliance focus will accelerate targeting of edge devices like routers and NAS in Western critical infrastructure, creating persistent backdoors that bypass traditional network defenses.
Sources (3)
- [1] Primary Source (https://thehackernews.com/2026/06/verdantbamboo-deploys-bsd-variant-of.html)
- [2] Volexity Technical Report on VerdantBamboo (https://www.volexity.com/blog/2026/verdantbamboo-brickstorm-bsd/)
- [3] Google Threat Analysis on UNC6201 and PLENET (https://blog.google/threat-analysis-group/unc6201-dell-recoverpoint/)